Network Security Essentials Lab Book - (En - US)
Disclaimer
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are
fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
About WatchGuard
WatchGuard® Technologies, Inc. is a global leader in network security, providing best-in-class Unified Threat
Management, Next Generation Firewall, secure Wi-Fi, and network intelligence products and services to more than
75,000 customers worldwide. The company’s mission is to make enterprise-grade security accessible to companies of all
types and sizes through simplicity, making WatchGuard an ideal solution for Distributed Enterprises and SMBs.
WatchGuard is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and
Latin America. To learn more, visit WatchGuard.com.
For additional information, promotions and updates, follow WatchGuard on Twitter, @WatchGuard on Facebook, or on
the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats
and how to cope with them at www.secplicity.org.
Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
We recommend that you enroll in the Network Security Essentials course in the WatchGuard Learning Center, watch
the Fireware Essentials videos, and read the Study Guide before you complete the lab exercises in this book.
If you are unfamiliar with basic concepts of networking and network security, we also recommend that you complete the
Network Basics and Network Security Basics sections of the course, available in the WatchGuard Learning Center.
Document Conventions
This document uses these formatting conventions to highlight specific types of information:
Prerequisites: These are prerequisites that you must complete before you start the lab exercise.
This is a caution. Read carefully. There is a risk that you could lose data, compromise system
integrity, or impact device performance if you do not follow instructions or recommendations.
This is a note. It highlights important or useful information, as well as where you can find more
information on a topic.
Requirements
To complete the lab exercises, you must have access to an environment that meets these requirements:
- Internet connectivity
- WatchGuard Firebox
- Windows computer to manage the Firebox
- WatchGuard System Manager
Perform the exercises in this book in a lab environment. The configurations described in the
exercises could deny legitimate traffic in a production environment.
Before you begin, download and install the latest version of WatchGuard System Manager from
https://software.watchguard.com.
Log Messages
During the lab exercises, you review Traffic Monitor log messages in Firebox System Manager (FSM) or Fireware Web UI.
For more information on log messages, see Device Log Messages (Traffic Monitor) in WatchGuard Help Center.
To show more descriptive log messages, in Firebox System Manager, select the Traffic
Monitor tab. Right-click the page and select Settings. Select the Show Log Field Names
check box.
Prerequisites: Before you begin, make sure that the Firebox is reset to factory-default settings. For
information on how to reset a Firebox, see Reset a Firebox in WatchGuard Help Center.
The Firebox tries to use the external interface to automatically retrieve your feature key from
WatchGuard. If the Firebox does not have Internet connectivity, you can manually paste your
feature key in the text box when prompted. For information on where to find the feature key, see
Manually Add or Remove a Feature Key in WatchGuard Help Center.
8. After you configure the feature key, accept all default settings for the subscription services, log server,
management server, and remote management.
Create a User
When the wizard is complete, log in to the Firebox and create a user.
7. Click Add and create a Device Monitor user with a unique user name and passphrase. Click OK.
Create a backup image and save the configuration file to the management computer.
Fireware Web UI does not automatically save a backup of the Firebox configuration.
To explore all Fireware Help, see Fireware Help in WatchGuard Help Center.
Prerequisites: To complete this exercise, you must have the latest version of Fireware OS installed on
your management computer. You can download the latest version from https://software.watchguard.com.
For more information on upgrades and backup images, see Upgrade Fireware OS or
WatchGuard System Manager and Save a Firebox Backup Image in WatchGuard Help Center.
Prerequisites: To complete this exercise, you must have a running Dimension server in your environment.
For more information, see Install WatchGuard Dimension in WatchGuard Help Center.
For more information on how to connect to a Dimension server, see Add a Dimension or WSM
Log Server in WatchGuard Help Center.
Prerequisites: To use WatchGuard Cloud, your Firebox must be licensed with a Basic or Total Security
Suite license.
If you have a Service Provider account in WatchGuard Cloud, you must first allocate your
Firebox to your Subscriber account and then log in to your Subscriber account to continue with
the lab exercise. For more information, see Firebox Allocation and WatchGuard Cloud for
Service Providers in WatchGuard Help Center.
If your Firebox does not appear in the list, it is not activated or allocated to your account, or
does not have a Basic or Total Security Suite license.
For more information on how to connect to WatchGuard Cloud, see Add a Firebox to
WatchGuard Cloud in WatchGuard Help Center.
IP Address: 192.168.10.1/24
Gateway: 192.168.10.200
Metric: 1
For more information on static routes, see Add a Static Route and Read the Route Tables in
WatchGuard Help Center.
Prerequisites: You must have a second WatchGuard Firebox or third-party device available to route traffic
to. If you are using a second WatchGuard Firebox you need its feature key. If you use a third-party device,
you are responsible for the configuration.
In this lab exercise, you configure the primary and secondary Firebox with these IP addresses and set up static routes:
You then connect the Fireboxes through interface 3 and make sure that they can communicate.
For information on how to reset a Firebox, see Reset a Firebox in WatchGuard Help Center.
Passphrase: readonly
6. Open Policy Manager.
7. Select Setup > Feature Keys.
8. Click Import and paste your feature key for the secondary Firebox in the text box.
IP Address: 10.0.20.1/24
IP Address: 10.0.100.2/24
Gateway: 10.0.100.1
Metric: 1
16. Select File > Save > To Firebox and log in with admin credentials for the secondary Firebox.
The default admin passphrase is readwrite.
IP Address: 10.0.100.1/24
Gateway: 10.0.100.2
Metric: 1
8. Select File > Save > To Firebox and log in with admin credentials for the primary Firebox.
2. Make sure that the management computer is connected to interface 1 on the primary Firebox.
3. Open a Windows command prompt and type ping 10.0.20.1 and press Enter.
4. To test the routes, type tracert 10.0.20.1 and press Enter.
5. In WatchGuard System Manager, connect to both Fireboxes.
6. Open Firebox System Manager for each Firebox.
7. In Firebox System Manager, select the Traffic Monitor tab for each Firebox.
8. In the filter text box, type icmp to view your test traffic. Press Enter.
9. To review the Firebox routing table on each Firebox, select the Status Report tab.
a. Press Ctrl+F.
b. Search for IPv4 Routes.
For more information on static routes, see Add a Static Route and Read the Route Tables in
WatchGuard Help Center.
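The ping and tracert tests above only succeed when both Fireboxes have a route for the traffic in each direction: the primary needs a route to the secondary's trusted network, and the secondary needs a route back to the primary's trusted network, or the ICMP replies are dropped. The following added example (not code from WatchGuard or from this lab book) models the two routing tables with longest-prefix matching and walks a packet through them the way tracert does. The interface addresses come from this exercise; the destination networks of the two static routes (10.0.20.0/24 via 10.0.100.2 on the primary, 10.0.1.0/24 via 10.0.100.1 on the secondary) and the management computer address 10.0.1.10 are assumptions, since the lab book fragment does not state them.

```python
import ipaddress


class Router:
    """Minimal model of a Firebox routing table: connected networks plus static routes."""

    def __init__(self, name, interfaces, static_routes=()):
        self.name = name
        self.addresses = set()
        self.table = []  # (network, gateway or None for directly connected, metric)
        for cidr in interfaces:
            iface = ipaddress.ip_interface(cidr)
            self.addresses.add(iface.ip)
            self.table.append((iface.network, None, 0))
        for dest, gateway, metric in static_routes:
            self.table.append((ipaddress.ip_network(dest), ipaddress.ip_address(gateway), metric))

    def lookup(self, dst):
        """Return the best route for dst: longest prefix first, then lowest metric."""
        dst = ipaddress.ip_address(dst)
        matches = [route for route in self.table if dst in route[0]]
        if not matches:
            return None
        return min(matches, key=lambda route: (-route[0].prefixlen, route[2]))


def trace(routers, first_hop, dst, max_hops=8):
    """Walk a packet from first_hop (the sender's gateway) towards dst.

    Returns (hops, delivered): the router addresses the packet was handed to,
    and whether a route existed at every step.
    """
    by_address = {addr: router for router in routers for addr in router.addresses}
    dst = ipaddress.ip_address(dst)
    current = ipaddress.ip_address(first_hop)
    hops = []
    for _ in range(max_hops):
        router = by_address.get(current)
        if router is None:
            return hops, False  # next hop is not a device we know about
        hops.append(str(current))
        if dst in router.addresses:
            return hops, True  # the Firebox itself is the destination (e.g. ping 10.0.20.1)
        route = router.lookup(dst)
        if route is None:
            return hops, False  # no matching route: the Firebox drops the packet
        _network, gateway, _metric = route
        if gateway is None:
            return hops, True  # directly connected network: delivered on that interface
        current = gateway
    return hops, False  # too many hops, probably a routing loop


def lab_topology():
    """The two Fireboxes from this exercise (static route destinations are assumed)."""
    primary = Router("primary", ["10.0.1.1/24", "10.0.100.1/24"],
                     [("10.0.20.0/24", "10.0.100.2", 1)])
    secondary = Router("secondary", ["10.0.20.1/24", "10.0.100.2/24"],
                       [("10.0.1.0/24", "10.0.100.1", 1)])
    return primary, secondary


if __name__ == "__main__":
    primary, secondary = lab_topology()
    # Forward path: management computer (gateway 10.0.1.1) to the secondary's trusted address.
    print(trace([primary, secondary], "10.0.1.1", "10.0.20.1"))
    # Return path for the ICMP reply, which needs the secondary's static route.
    print(trace([primary, secondary], "10.0.20.1", "10.0.1.10"))
    # Same return path with the secondary's static route missing: the reply is dropped.
    no_return = Router("secondary-no-route", ["10.0.20.1/24", "10.0.100.2/24"])
    print(trace([primary, no_return], "10.0.20.1", "10.0.1.10"))
```

If the forward trace succeeds but the return trace does not, ping times out even though the primary's Status Report shows a correct IPv4 Routes entry; check the routing table on the secondary Firebox, which is why step 9 asks you to review the table on each Firebox.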
Prerequisites: This exercise uses the DMZ interface you configured in Lab Exercise 6.
8. In the Settings section, select your configured DNS probe to measure loss, latency, and jitter.
9. Below the Monitored Interfaces list, click Add and select your DMZ interface.
You configured the DMZ interface in Lab Exercise 6.
10. Select the Next hop check box and type 192.168.10.2 in the text box.
After you complete this exercise, you are unable to ping successfully. At the end of the
exercise, remove the SD-WAN action from your Ping policy to allow ping traffic to route as
expected.
For more information on Link Monitor and SD-WAN, see Configure Link Monitor and About SD-WAN in
WatchGuard Help Center.
Name: 1 Mbps
After you complete this lab exercise, to return to full bandwidth, disable Traffic Management
and QoS in the Global Settings > Networking tab.
For more information on Traffic Management, see About Traffic Management and QoS in
WatchGuard Help Center.
To view the DNS servers configured on the Firebox, select Network > Configuration
> WINS/DNS.
7. To add the other DNS servers configured on the Firebox, repeat the previous steps.
8. Select File > Save > To Firebox and log in with admin credentials.
9. To make sure that you still have Internet access, open a web browser window and go to www.example.com
and other websites.
If you are unable to reach the Internet, inspect the Traffic Monitor logs.
For more information on packet filters, see Add Policies to Your Configuration in WatchGuard
Help Center.
To successfully complete this exercise, your Firebox must not be behind another firewall that
decrypts and inspects HTTPS content.
6. To edit the action, click next to the Proxy action or Content action drop-down list.
7. In the HTTP Request section of the Categories list, select URL Paths.
8. To add a new pattern that matches URLs that contain "example", in the Pattern text box, type *example* and
click Add.
9. In the Actions to take section, from the If matched drop-down list, select Deny.
10. Next to the If matched and None matched drop-down lists, select the Log check boxes.
11. Select File > Save > To Firebox and log in with admin credentials.
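The URL Paths ruleset evaluates each request against its patterns in order: the first pattern that matches decides the action (here Deny), and a request that matches no pattern falls through to the None matched action. The following added example (not WatchGuard code) reproduces that decision logic in Python so you can see what the wildcard pattern *example* from step 8 actually catches. It assumes that the pattern is matched, case-insensitively, against the URL with the scheme removed (host plus path and query) and that the None matched action is Allow; both are assumptions about this example, not statements about the Firebox.

```python
import fnmatch
from urllib.parse import urlsplit

# The lab ruleset from step 8: (pattern, action if matched, log the match).
LAB_RULES = [("*example*", "Deny", True)]


def match_target(url):
    """URL with the scheme stripped: host + path (+ query). Assumed matching target."""
    parts = urlsplit(url)
    target = parts.netloc + (parts.path or "/")
    if parts.query:
        target += "?" + parts.query
    return target


def evaluate(rules, url, none_matched_action="Allow", log_none_matched=True):
    """Apply the rules in order; the first match wins, otherwise the None matched action."""
    target = match_target(url).lower()
    for pattern, action, log in rules:
        # fnmatch gives the same * wildcard semantics as the Pattern text box (assumption).
        if fnmatch.fnmatchcase(target, pattern.lower()):
            return {"url": url, "action": action, "matched": pattern, "log": log}
    return {"url": url, "action": none_matched_action, "matched": None, "log": log_none_matched}


def review(rules, urls):
    """Evaluate several URLs, useful for checking a pattern before saving it to the Firebox."""
    return [evaluate(rules, url) for url in urls]


if __name__ == "__main__":
    # Constructed test URLs: the lab target, an unrelated site, and a collateral hit.
    for result in review(LAB_RULES, [
        "http://www.example.com/",
        "https://www.watchguard.com/support",
        "http://intranet.lab/docs/examples.html",
    ]):
        print(result["action"], result["url"], "rule:", result["matched"])
```

The third URL shows the practical caveat: a pattern wrapped in wildcards on both sides denies any request whose host or path contains the string anywhere, so review the Traffic Monitor log for unexpected denies after adding a broad pattern, and prefer a more specific pattern such as the full host name where that is what you mean to block.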
3. To edit the action, click next to the Proxy action drop-down list.
4. In the Content Inspection settings, in the Action to take if no rule above is matched section, select the
Inspect action.
5. From the Proxy action drop-down list, select the Default-HTTP-Client proxy action you configured in the
previous procedure.
6. Select the Log check box for the Action.
7. Click OK. When prompted to enable automatic CA updates, click Yes.
8. Select File > Save > To Firebox and log in with admin credentials.
At this point in the exercise, your web browser displays a certificate error when you try to
connect to any HTTPS website. You will resolve this in the next section of the exercise.
If you use the Firefox browser, you must configure Firefox to use the Windows certificate store.
To open the Firefox settings, in the Firefox URL bar, type About:Config. Search for
security.enterprise_roots.enabled. Set this parameter to True.
For more information about the HTTP and HTTPS-proxies, see About the HTTP-Proxy and
About the HTTPS-Proxy in WatchGuard Help Center.
In this exercise you download and install the Proxy Authority certificate from the Firebox. For a
production environment, we recommend that you replace the Firebox’s default Proxy Authority
certificate with a CA certificate signed by an internal certificate authority that is already trusted
by the computers on the network. For more information, see the CA Certificate section in Use
Certificates for the HTTPS-Proxy in WatchGuard Help Center.
Prerequisites: To enable the subscription services, your Firebox must have a Basic or Total Security
Suite (TSS) license.
5. Configure IPS:
The PCI Audit Sensor sends a log message when the Firebox detects a data loss
violation, but it does not prevent data loss. To prevent data loss, clone the PCI Audit
sensor and configure the actions to Drop or Block.
15. To enable the services in the Firebox, select File > Save > To Firebox and log in with admin credentials.
Additional Resources
For more information about subscription services, go to the WatchGuard Security Portal or WatchGuard Knowledge
Base, or see the Manage Security Services topic in WatchGuard Help Center.
Prerequisites: To complete this exercise, your network environment must have a Windows Server
configured as an Active Directory Domain Controller. This exercise uses the proxies configured in Lab
Exercise 11.
For more information on how to add Active Directory server, see Configure Active Directory
Authentication in WatchGuard Help Center.
Prerequisites: This lab exercise uses the proxy actions you configured in Lab Exercise 11.
If you completed Lab Exercise 13, you can also select the Active Directory group you created.
In Firebox System Manager, on the Authentication List tab, you can see the list of currently
authenticated users, and you can log off a user to end a session.
10. When your browser redirects to the authentication page, bypass the certificate warning and log in as a user in the
Firebox-DB or Active Directory group you configured in your policies.
After you log in, the proxies then process your traffic and deny access to example.com based on the rules configured
in Lab Exercise 11.
11. Go to other websites to make sure you have Internet connectivity.
12. Open Firebox System Manager and select the Traffic Monitor tab.
13. Review the log messages and note src_user= at the end of a log message when the user is authenticated.
You can also filter the logs for your user name.
For more information on automatic redirect, see Set Global Firewall Authentication Values in
WatchGuard Help Center.
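Once Show Log Field Names is enabled, the key=value fields at the end of each Traffic Monitor message can be filtered and counted per user, which is how you confirm that a session is authenticated and which policy decision it hit. The following added example (not WatchGuard code) parses a few constructed log lines in a simplified key=value style, filters them by src_user, and summarises allows and denies per user. The sample lines, their field order and the rule_name field are constructed for this example and are not a specification of the Firebox log format.

```python
import shlex
from collections import Counter, defaultdict

# Constructed sample lines for this example; not captured from a Firebox.
SAMPLE_LOG = """\
Deny 10.0.1.10 203.0.113.5 http/tcp 52144 80 1-Trusted 0-External proxy_act="Default-HTTP-Client" rule_name="*example*" src_user="alice@Firebox-DB"
Allow 10.0.1.10 203.0.113.9 http/tcp 52150 80 1-Trusted 0-External proxy_act="Default-HTTP-Client" src_user="alice@Firebox-DB"
Allow 10.0.1.11 203.0.113.9 https/tcp 49211 443 1-Trusted 0-External proxy_act="Default-HTTPS-Client" src_user="bob@Firebox-DB"
Deny 10.0.1.12 203.0.113.5 http/tcp 50100 80 1-Trusted 0-External proxy_act="Default-HTTP-Client" rule_name="*example*"
Allow 10.0.1.10 203.0.113.20 https/tcp 52160 443 1-Trusted 0-External proxy_act="Default-HTTPS-Client" src_user="alice@Firebox-DB"
"""

# Assumed positional fields at the start of each constructed line.
POSITIONAL = ["disposition", "src_ip", "dst_ip", "proto", "src_port", "dst_port", "src_ifc", "dst_ifc"]
UNAUTHENTICATED = "(no src_user)"


def parse_line(line):
    """Split one line into positional fields plus the trailing key="value" pairs."""
    tokens = shlex.split(line)  # shlex strips the quotes around values
    record = dict(zip(POSITIONAL, tokens[:len(POSITIONAL)]))
    for token in tokens[len(POSITIONAL):]:
        if "=" in token:
            key, value = token.split("=", 1)
            record[key] = value
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def by_user(records, user):
    """Equivalent of filtering Traffic Monitor for one user name."""
    return [r for r in records if r.get("src_user") == user]


def summarize(records):
    """Allow/Deny counts per authenticated user; lines without src_user are grouped separately."""
    summary = defaultdict(Counter)
    for r in records:
        summary[r.get("src_user", UNAUTHENTICATED)][r["disposition"]] += 1
    return dict(summary)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for r in by_user(records, "alice@Firebox-DB"):
        print(r["disposition"], r["dst_ip"], r.get("rule_name", "-"))
    for user, counts in summarize(records).items():
        print(user, dict(counts))
```

A Deny with no src_user (the fourth sample line) is the case to look at when a user reports that the authentication redirect never appeared: the policy applied before any session was established, so the Allow rule for the Firebox-DB group could not match.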
Prerequisites: This lab exercise uses the proxy actions you configured in Lab Exercise 11 to deny
connections to www.example.com and the Firebox-DB group you configured in Lab Exercise 13.
This lab exercise provides instructions for the IKEv2 mobile VPN with Windows 8 or 10. If you
run Windows 7, you can use the SSL VPN. For information on how to manually install the
IKEv2 VPN profile, see Configure Windows Devices for Mobile VPN with IKEv2 in
WatchGuard Help Center.
Configure the IKEv2 Mobile VPN on your Firebox and Add an HTTP-proxy
Policy
1. Open WatchGuard System Manager and connect to your Firebox.
2. Open Policy Manager.
3. Select VPN > Mobile VPN > IKEv2.
4. Configure these settings in the wizard:
a. Add the trusted IP address of your Firebox, 10.0.1.1, as the server address for client connections.
b. Accept the warning that appears. Click Next.
The warning appears because in this exercise you specify the trusted IP address. In a production
environment, you would specify the address of an external interface to enable mobile VPN connections to
your network.
c. Select Firebox-DB as your authentication server. Click Next.
d. Select the Firebox-DB group you added in Lab Exercise 13. Click Next.
The group you select is automatically added to the IKEv2-Users group.
e. Select the default virtual IP address pool subnet. Click Next.
f. Click Finish.
5. Double-click the Allow IKEv2-Users policy that the wizard created.
6. On the Properties tab, click Logging.
7. Select the Send a log message check box. Click OK.
8. Select Edit > Add Policy.
The .tgz file downloads to the Documents\My WatchGuard folder by default. You can
extract the file with 7zip, WinRAR, or another file compression program.
6. To install the VPN profile on the management computer, run WG IKEv2.bat inside the Windows_8.1_10 folder.
This adds the WG IKEv2 VPN connection to the list of network connections on this computer.
You must successfully connect to the VPN to continue this lab exercise.
3. While connected to the IKEv2 VPN, open a web browser and go to www.example.com and other websites.
The www.example.com website does not open. Other websites open successfully. If the www.example.com website
opens, it might be cached. Open it in a private browser window or a different web browser.
4. Open Firebox System Manager and select the Traffic Monitor tab. In the filter text box, type ikev2 to view the
traffic for your VPN connection logs. Press Enter.
Prerequisites: To complete this exercise, you must have a second WatchGuard Firebox or a third-party
device that can support a route-based VPN. If you use a third-party device, you are responsible for the
configuration. This exercise uses the interfaces and routes you configured in Lab Exercise 6 and Lab
Exercise 7. It assumes the two Fireboxes have a site-to-site connection through interface 3. It assumes
that you have disabled the SD-WAN action in the Ping policy you configured in Lab Exercise 8.
Name: DMZ
IP Address: 192.168.10.2/24
Metric: 2
12. Select File > Save > To Firebox and log in with admin credentials.
Interface: Trusted
Protocol: TCP
Source Port: 1234
Destination Port: 8080
5. Click Run and review the results.
6. To test other possible connections, change the variables.
Additional Information
For more information, see these topics in WatchGuard Help Center:
FireWatch
Prerequisite: For the reports to include data, you must complete Lab Exercise 4 to set up logging to
Dimension.
For more information on Dimension tools, see Use Dimension Tools in WatchGuard Help
Center.
Prerequisites: To use WatchGuard Cloud, your Firebox must have a Basic or Total Security Suite license.
For the reports to include data, you must complete Lab Exercise 5 to set up logging to WatchGuard Cloud.
For more information about WatchGuard Cloud reports, see WatchGuard Cloud Device
Reports List in WatchGuard Help Center.
Prerequisites: To use WatchGuard Cloud, your Firebox must have a Basic or Total Security Suite license.
For data to be available in the scheduled reports, you must have completed Lab Exercise 5 to set up
logging to WatchGuard Cloud. You will also need an email address to receive the notifications and reports.
For more information on notifications and scheduled reports, see Configure Rules for Firebox
Events and Schedule WatchGuard Cloud Reports in WatchGuard Help Center.