Network Security Essentials Lab Book - (En - US)

Download as pdf or txt
Download as pdf or txt
You are on page 1of 46

Training

Network Security Essentials


Lab Book
WatchGuard Fireboxes

Guide Revised For: Fireware v12.5.5/12.6.2


Revision Date: August 2020
About This Guide
The Network Security Essentials Lab Book will help you prepare for the Network Security Essentials certification exam.
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are
fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Guide revised: 8/18/2020

Disclaimer
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are
fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Copyright and Patent Information


Copyright © 2020 WatchGuard Technologies, Inc. All rights reserved.
WatchGuard, Firebox, Fireware, LiveSecurity, and spamBlocker are either registered trademarks or trademarks of in the
United States and other countries. This product is covered by one or more pending patent applications.
All other trademarks and trade names are the property of their respective owners.
Complete copyright, trademark, and licensing information can be found in the Copyright and Licensing Guide, available
online at http://www.watchguard.com/help/documentation/.
Printed in the United States.

Address
About WatchGuard
505 Fifth Avenue South
WatchGuard® Technologies, Inc. is a global leader in network security, Suite 500
providing best-in-class Unified Threat Management, Next Generation Seattle, WA 98104
Firewall, secure Wi-Fi, and network intelligence products and services
to more than 75,000 customers worldwide. The company’s mission is
to make enterprise-grade security accessible to companies of all types Support
and sizes through simplicity, making WatchGuard an ideal solution for
Distributed Enterprises and SMBs. WatchGuard is headquartered in www.watchguard.com/support
Seattle, Washington, with offices throughout North America, Europe, U.S. and Canada +877.232.3531
Asia Pacific, and Latin America. To learn more, visit WatchGuard.com. All Other Countries +1.206.521.3575
For additional information, promotions and updates, follow WatchGuard
on Twitter, @WatchGuard on Facebook, or on the LinkedIn Company
page. Also, visit our InfoSec blog, Secplicity, for real-time information Sales
about the latest threats and how to cope with them at
www.secplicity.org. U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895

2 WatchGuard Technologies, Inc.


Contents

How to Use this Lab Book 4


Lab Exercise 1: Initial Configuration 6
Lab Exercise 2: Help 8
Lab Exercise 3: Backup and Restore 9
Lab Exercise 4: Connect to the Dimension Server 10
Lab Exercise 5: Connect to WatchGuard Cloud 11
Lab Exercise 6: Routing 13
Lab Exercise 7: Routing to Another Device 15
Lab Exercise 8: Link Monitor and SD-WAN 18
Lab Exercise 9: Traffic Management 20
Lab Exercise 10: Packet Filters 22
Lab Exercise 11: Proxies 24
Lab Exercise 12: Subscription Services 27
Lab Exercise 13: Active Directory 31
Lab Exercise 14: Authentication 33
Lab Exercise 15: Mobile VPNs 35
Lab Exercise 16: BOVPNs 38
Lab Exercise 17: Fireware Web UI 41
Lab Exercise 18: Dimension Logs and Reports 43
Lab Exercise 19: WatchGuard Cloud Logs and Reports 44
Lab Exercise 20: Log Notifications and Scheduled Reports 45

Network Security Essentials Lab Book 3


How to Use this Lab Book
The Network Security Essentials Lab Book is a companion to the Network Security Essentials Study Guide and
includes lab exercises that help you learn how to set up and configure a Firebox.

We recommend that you enroll in the Network Security Essentials course in the WatchGuard Learning Center, watch
the Fireware Essentials videos, and read the Study Guide before you complete the lab exercises in this book.

If you are unfamiliar with basic concepts of networking and network security, we also recommend that you complete the
Network Basics and Network Security Basics sections of the course, available in the WatchGuard Learning Center.

Document Conventions
This document uses these formatting conventions to highlight specific types of information:

Objectives: These are the objectives of the lab exercise.

Prerequisites: These are prerequisites that you must complete before you start the lab exercise.

This is a caution. Read carefully. There is a risk that you could lose data, compromise system
integrity, or impact device performance if you do not follow instructions or recommendations.

This is a note. It highlights important or useful information, as well as where you can find more
information on a topic.

Requirements
To complete the lab exercises, you must have access to an environment that meets these requirements:

n Internet connectivity
n WatchGuard Firebox
n Windows computer to manage the Firebox
n WatchGuard System Manager

4 WatchGuard Technologies, Inc.


Some exercises have additional requirements. To complete these lab exercises, your environment must meet these
additional requirements:

n Lab Exercises 4 and 18 require WatchGuard Dimension.


n Lab Exercises 5, 12, 19, and 20 require a Basic or Total Security Suite license for your primary WatchGuard
Firebox.
n Lab Exercises 7 and 16 require a second WatchGuard Firebox or a third-party router or firewall.
n Lab Exercise 13 requires a Windows Server configured as an Active Directory Domain Controller.

Perform the exercises in this book in a lab environment. The configurations described in the
exercises could deny legitimate traffic in a production environment.

WatchGuard System Manager


With the exception of Lab Exercise 17: Fireware Web UI, the exercises include instructions for WatchGuard System
Manager (WSM) only. You can use Fireware Web UI without instructions to complete all of the exercises.

Before you begin, download and install the latest version of WatchGuard System Manager from
https://software.watchguard.com.

Log Messages
During the lab exercises, you review Traffic Monitor log messages in Firebox System Manager (FSM) or Fireware Web
UI.

For more information on log messages, see Device Log Messages (Traffic Monitor) in WatchGuard Help Center.

To show more descriptive log messages, in Fireware System Manager, select the Traffic
Monitor tab. Right-click the page and select Settings. Select the Show Log Field Names
check box.

Network Security Essentials Lab Book 5


Lab Exercise 1: Initial Configuration
Objectives: After you complete this lab exercise, you will be able to set up the Firebox with the Quick
Setup Wizard and create a management user. You will know how to back up and save a configuration file
to the Firebox.

Prerequisites: Before you begin, make sure that the Firebox is reset to factory-default settings. For
information on how to reset a Firebox, see Reset a Firebox in WatchGuard Help Center.

Connect the Firebox Cables and Confirm a DHCP IP Address


1. Connect interface 0 (external) on the Firebox to your network for Internet connectivity.
2. Connect interface 1 (internal) on the Firebox to your management computer.
3. Connect the Firebox to a power source and turn it on.
4. Confirm that the management computer has a DHCP IP address in the 10.0.1.0/24 network.

Configure the Firebox


1. Open WatchGuard System Manager.
2. Select Tools > Quick Setup Wizard. Click Next.
3. Select Yes, my device is ready to be discovered.
The Firebox must be in a factory-default state and connected to your computer to be discovered. You might need to
select the Network Interface that the Firebox is connected to.
4. In the Name text box, type a unique name for the Firebox.
5. Configure the external interface with settings for the Firebox to have Internet connectivity on your network.
6. Configure the internal trusted interface to use the default network 10.0.1.1/24, and then select the Enable DHCP
server on internal interfaces check box.
7. Select Use this DNS server information and configure public DNS servers such as 1.1.1.1, 8.8.8.8, or
208.67.222.222.

The Firebox tries to use the external interface to automatically retrieve your feature key from
WatchGuard. If the Firebox does not have Internet connectivity, you can manually paste your
feature key in the text box when prompted. For information on where to find the feature key, see
Manually Add or Remove a Feature Key in WatchGuard Help Center.

8. After you configure the feature key, accept all default settings for the subscription services, log server,
management server, and remote management.

6 WatchGuard Technologies, Inc.


9. Specify passphrases for the status and admin user accounts.
10. Review the settings and complete the wizard.

Create a User
When the wizard is complete, log in to the Firebox and create a user.

1. In WatchGuard System Manager, select File > Connect to Device.


2. Connect to the device:
n IP Address or Name: 10.0.1.1
n User Name: status
n Passphrase: <specified in the Quick Setup Wizard>

3. Select your Firebox.


4. To open Policy Manager, select Tools > Policy Manager.
5. Select File > Manage Users and Roles.
6. Log in with admin credentials.
n Administrator User Name: admin
n Administrator Passphrase: <specified in the Quick Setup Wizard>

7. Click Add and create a Device Monitor user with a unique user name and passphrase. Click OK.

Save and Back Up the Configuration


When you enable the option to always create a backup, Policy Manager automatically saves a backup copy of the
configuration when it overwrites a previously saved configuration file.

Create a backup image and save the configuration file to the management computer.

1. Open Policy Manager.


2. Select File > Save > As File and save the configuration to the file system.
By default, the file is saved in the Documents\My WatchGuard\configs\ directory on the management computer. If you
save a configuration file to a different location, that location becomes the new default.
3. Select File > Save > Always Create a Backup.
4. Select File > Save > As File and save your configuration a second time.
This step overwrites the configuration file you saved in Step 2.
5. Open the directory where you saved the configuration file and make sure that the file you saved and the backup
copy are both present.
For each saved configuration file, Policy Manager automatically saves a file named <configname>_lic.tgz. This is an
archive file that contains the feature key. You can extract this file with 7zip, WinRAR, or another file compression
program.

Fireware Web UI does not automatically save a backup of the Firebox configuration.

Network Security Essentials Lab Book 7


Lab Exercise 2: Help
Objectives: After you complete this exercise, you will be able to view different context-sensitive help
topics from Policy Manager and Firebox System Manager.

View Version Information in WatchGuard System Manager


In WatchGuard System Manager, you can view the version of Fireware installed on the Firebox and the version of
WatchGuard System Manager installed on the management computer.

1. Open WatchGuard System Manager and connect to your Firebox.


2. When the Firebox connects, on the Device Status tab, look at the Firebox name to see the Firebox model and
currently installed version of Fireware OS.
3. To see the version of WatchGuard System Manager on your computer, select Help > About WatchGuard.

View Help in Policy Manager


1. In WatchGuard System Manager, select your Firebox.
2. Open Policy Manager.
3. Select Help > Help Contents.
4. Review the help page that opens.
5. In Policy Manager, double-click the Ping firewall policy.
The Edit Policy Properties dialog box appears.
6. Click Help.
7. Review the help page that opens.

View Help in Firebox System Manager


1. In WatchGuard System Manager, select your Firebox.
2. Select Tools > Firebox System Manager.
3. In Firebox System Manager, select Help > Firebox System Manager Help.
4. Review the help page that opens.
5. In Firebox System Manager, select Tools > Diagnostic Tasks.
6. In the Diagnostic Tasks dialog box, press F1.
7. Review the help page that opens.

To explore all Fireware Help, see Fireware Help in WatchGuard Help Center.

8 WatchGuard Technologies, Inc.


Lab Exercise 3: Backup and Restore
Objectives: After you complete this exercise, you will be able to upgrade and back up your Firebox, add
a new firewall policy, and then restore the backup image you created.

Prerequisites: To complete this exercise, you must have the latest version of Fireware OS installed on
your management computer. You can download the latest version from https://software.watchguard.com. 

Back Up, Upgrade, and Restore a Firebox Configuration


1. Open WatchGuard System Manager and connect to your Firebox.
2. Open Policy Manager.
3. Click File > Upgrade and log in with admin credentials.
If you ran the Fireware OS .EXE installer, the default path is to the location of the latest installed upgrade image file.
4. After the Firebox reboots, select File > Backup and Restore and log in with admin credentials.
In the Backup and Restore dialog box, you see that Policy Manager created a backup image compatible with the old
version of Fireware during the upgrade process.
5. To create a new backup image compatible with the current version of Fireware, click Create. Click OK.
When the backup is complete, close the Backup and Restore dialog box.
6. Create a Ping policy with default settings.
a. Select Edit > Add Policy.
b. Expand the Packet Filters folder.
c. Select Ping and click Add Policy.
d. To create the policy with default settings, click OK.
7. To apply the changes to the Firebox, select File > Save > To Firebox and log in with admin credentials.
8. Restore the backup image to the Firebox.
a. Select File > Backup and Restore.
b. Log in with admin credentials.
c. Select the backup image you created in Step 5.
d. Click Restore.
9. To refresh the policy list, close and open Policy Manager.
10. Make sure that the Ping 1 policy you created in Step 6 was removed

For more information on upgrades and backup images, see Upgrade Fireware OS or
WatchGuard System Manager and Save a Firebox Backup Image in WatchGuard Help Center.

Network Security Essentials Lab Book 9


Lab Exercise 4: Connect to the Dimension
Server
Objectives: After you complete this exercise, you will be able to configure your Firebox to log to a
Dimension server. In Lab Exercise 18, you will review the logs your Firebox generates from your traffic
and the reports available in Dimension.

Prerequisites: To complete this exercise, you must have a running Dimension server in your environment.
For more information, see Install WatchGuard Dimension in WatchGuard Help Center.

Connect to the WatchGuard Dimension Server


1. Open WatchGuard System Manager and connect to your Firebox.
2. Open Policy Manager.
3. Select Setup > Logging.
4. In the Dimension or WSM Log Server settings, select the Send log message to these Dimension or WSM
Log Servers check box.
5. Click Configure.
6. Click Add.
7. In the Log Server Address text box, type the IP address or FQDN of your Dimension server.
8. Type the Authentication Key you configured in the Dimension Setup Wizard. Click OK.
9. Click OK and close the Logging Setup dialog box.
10. Select File > Save > To Firebox and log in with admin credentials.
11. In WatchGuard System Manager, open Firebox System Manager.
12. On the Front Panel tab, in the Detail section, review the Log Server status.
When successfully connected, the status shows the IP address of your Dimension server.
13. To find the log server status, click the Status Report tab and press Ctrl+F, In the Find text box , search for Log
Configuration.
When the Firebox is connected to your Dimension server, the status for First Log Server Instance is Connected.
14. To make sure that the Firebox is sending log messages to Dimension, log in to the Dimension server.
15. On the Home page (Devices tab), make sure that Yes appears in the Logging column for your Firebox.

For more information on how to connect to a Dimension server, see Add a Dimension or WSM
Log Server in WatchGuard Help Center.

10 WatchGuard Technologies, Inc.


Lab Exercise 5: Connect to WatchGuard Cloud
Objectives: After you complete this exercise, you will be able to configure your Firebox to log to
WatchGuard Cloud. In Lab Exercise 19, you will review the logs your Firebox generates from the traffic
and the reports available in WatchGuard Cloud.

Prerequisites: To use WatchGuard Cloud, your Firebox must be licensed with a Basic or Total Security
Suite license.

If you have a Service Provider account in WatchGuard Cloud, you must first allocate your
Firebox to your Subscriber account and then log in to your Subscriber account to continue with
the lab exercise. For more information, see Firebox Allocation and WatchGuard Cloud for
Service Providers in WatchGuard Help Center.

Connect to WatchGuard Cloud


1. Go to https://cloud.watchguard.com and log in to your WatchGuard Cloud Subscriber account.
2. Select Monitor > Fireboxes.
3. Click Add Device.
4. From the list, select the Firebox you want to add to WatchGuard Cloud.

If your Firebox does not appear in the list, it is not activated or allocated to your account, or
does not have a Basic or Total Security Suite license.

5. Copy the Verification Code that appears.


6. Open WatchGuard System Manager and connect to your Firebox.
7. Open Policy Manager.
8. Select Setup > WatchGuard Cloud.
9. Select the Enable WatchGuard Cloud check box.
10. Select File > Save > To Firebox and log in with admin credentials.
11. During the save process, paste the Verification Code you copied in Step 5.
12. In WatchGuard System Manager, open Firebox System Manager .

Network Security Essentials Lab Book 11


13. In the Detail section, make sure that the WG Cloud status is Connected.
14. Log in to WatchGuard Cloud.
15. Select Monitor > Fireboxes.
16. From the Device Manager list, select your Firebox.
17. On the Device Summary page, make sure that the Firebox status is Connected.

For more information on how to connect to WatchGuard Cloud, see Add a Firebox to
WatchGuard Cloud in WatchGuard Help Center.

12 WatchGuard Technologies, Inc.


Lab Exercise 6: Routing
Objectives: After you complete this exercise, you will be able to view the routing table on your Firebox,
configure a new Optional interface, and add a static route to redirect network traffic to a new destination.

Configure Interface 2 on the Firebox


1. Open WatchGuard System Manager and connect to your Firebox.
2. Open Firebox System Manager.
3. Select the Status Report tab and press Ctrl+F.
The Find text box appears.
4. To view the Firebox routing table, search for IPv4 routes.
5. Open a Windows command prompt and type ping 8.8.4.4 -t and press Enter.
Confirm you receive a response. Allow the ping command to continue in the background.
6. In Firebox System Manager, select the Traffic Monitor tab.
7. In the filter text box, type icmp and press Enter.
8. Make sure that the ping traffic is allowed and note the destination interface.
9. Open Policy Manager.
10. Select Network > Configuration.
11. Configure interface 2 with these settings:

Interface Name: DMZ

Interface Type: Optional

IP Address: 192.168.10.1/24

12. Select Disable DHCP. Click OK.


13. Close the Network Configuration window.

Add a Static Route to Redirect Traffic


1. Select Network > Routes.
2. Click Add and create a new static route with these settings:

Destination Type: Host IPv4

Route To: 8.8.4.4

Gateway: 192.168.10.200

Metric: 1

Network Security Essentials Lab Book 13


3. Close the Setup Routes window.
4. Select File > Save > To Firebox and log in with admin credentials.
5. Confirm that the ping command you started in Step 5 of the previous procedure now fails.
6. In Firebox System Manager, select the Traffic Monitor tab.
7. In the filter text box, type icmp and press Enter.
Confirm that the ping traffic is still allowed and note that the destination interface has changed.
8. Select the Status Report tab and review the IPv4 Routes.
Note the new routes for 192.168.10.0 and 8.8.4.4.

For more information on static routes, see Add a Static Route and Read the Route Tables in
WatchGuard Help Center.

14 WatchGuard Technologies, Inc.


Lab Exercise 7: Routing to Another Device
Objectives: After you complete this exercise, you will be able to configure interfaces and static routes
on two Fireboxes to enable a site-to-site connection between them, and you will be able to make sure
that the two Fireboxes can route traffic between the two trusted networks.

Prerequisites: You must have a second WatchGuard Firebox or third-party device available to route traffic
to. If you are using a second WatchGuard Firebox you need its feature key. If you use a third-party device,
you are responsible for the configuration.

In this lab exercise, you configure the primary and secondary Firebox with these IP addresses and set up static routes:

Interface Primary Firebox Secondary Firebox

Trusted interface 1 10.0.1.1/24 10.0.20.1/24

Trusted interface 3 10.0.100.1/24 10.0.100.2/24

You then connect the Fireboxes through interface 3 and make sure that they can communicate.

Configure the Secondary Firebox


1. Make sure that the secondary Firebox is in a factory-default state.

For information on how to reset a Firebox, see Reset a Firebox in WatchGuard Help Center.

2. Connect your management computer to interface 1 on the secondary Firebox.


3. Open WatchGuard System Manager.
4. Select File > Connect to Device.
In this exercise, we do not use the Quick Setup Wizard.
5. Log in to the Firebox with these credentials:

IP Address or Name: 10.0.1.1

User Name: status

Passphrase: readonly
6. Open Policy Manager.
7. Select Setup > Feature Keys.
8. Click Import and paste your feature key for the secondary Firebox in the text box.

Network Security Essentials Lab Book 15


9. Select Network > Configuration and configure interface 1 with these settings:

Interface Name: Trusted

Interface Type: Trusted

IP Address: 10.0.20.1/24

10. Select the Use DHCP Server check box.


11. Add an Address Pool that starts at 10.0.20.100 and ends at 10.0.20.200.
12. Configure interface 3 with these settings:

Interface Name: Site to Site

Interface Type: Optional

IP Address: 10.0.100.2/24

13. Select the Disable DHCP check box. Click OK.


14. Select Network > Routes.
15. Click Add and configure a rule with these settings:

Destination Type: Network IPv4

Route To: 10.0.1.0/24

Gateway: 10.0.100.1

Metric: 1

16. Select File > Save > To Firebox and log in with admin credentials for the secondary Firebox.
The default admin passphrase is readwrite.

Configure the Primary Firebox


1. Connect your management computer to interface 1 on the primary Firebox.
2. Open WatchGuard System Manager and connect to the primary Firebox.
3. Open Policy Manager.
4. Select Network > Configuration and configure interface 3 with these settings:

Name: Site to Site

Interface Type: Optional

IP Address: 10.0.100.1/24

5. Select the Disable DHCP check box.


6. Select Network > Routes.
7. Click Add and configure a rule with these settings:

Destination Type: Network IPv4

16 WatchGuard Technologies, Inc.


Route To: 10.0.20.0/24

Gateway: 10.0.100.2

Metric: 1

8. Select File > Save > To Firebox and log in with admin credentials for the primary Firebox.

Connect the Fireboxes


1. Use an Ethernet cable to connect interface 3 on the primary Firebox to interface 3 on the secondary Firebox.

To complete this exercise with a third-party device instead of a secondary Firebox, on


the third-party device, configure the WAN with 10.0.100.2/24, the default gateway as
10.0.100.1, and the LAN with 10.0.20.1/24. Connect the WAN port to interface 3 on your
Firebox.

2. Make sure that the management computer is connected to interface 1 on the primary Firebox.
3. Open a Windows command prompt and type ping 10.0.20.1 and press Enter.
4. To test the routes, type tracert 10.0.20.1 and press Enter.
5. In WatchGuard System Manager, connect to both Fireboxes.
6. Open Firebox System Manager for each Firebox.
7. In Firebox System Manager, select the Traffic Monitor tab for each Firebox.
8. In the filter text box, type icmp to view your test traffic. Press Enter.
9. To review the Firebox routing table on each Firebox, select the Status Report tab.
a. Press Ctrl+F.
b. Search for IPv4 Routes.

For more information on static routes, see Add a Static Route and Read the Route Tables in
WatchGuard Help Center.

Network Security Essentials Lab Book 17


Lab Exercise 8: Link Monitor and SD-WAN
Objectives: After you complete this lab exercise, you will be able to configure link monitor targets for
your interfaces, review SD-WAN measurements to measure packet loss, latency, and jitter, and
configure an SD-WAN action so that all outbound pings leave through the DMZ interface.

Prerequisites: This exercise uses the DMZ interface you configured in Lab Exercise 6.

Configure Link Monitor Targets


1. On the management computer, open a Windows command prompt.
2. To continuously send a ping, type ping 1.1.1.1 -t and press Enter.
Allow the command to run in the background.
3. Open WatchGuard System Manager and connect to your Firebox.
4. Open Policy Manager.
5. Select Network > Configuration > Link Monitor.
6. Below the Monitored Interfaces list, click Add and select your external interface.
Policy Manager adds a target to ping your gateway by default.
7. In the Settings section, click Add.
n Add a probing target to ping 8.8.8.8.
n Add a probing target to send a DNS query to 1.1.1.1 for watchguard.com.
n Add a probing target to send a TCP probe to the watchguard.com domain using port 80.

8. In the Settings section, select your configured DNS probe to measure loss, latency, and jitter.
9. Below the Monitored Interfaces list, click Add and select your DMZ interface.
You configured the DMZ interface in Lab Exercise 6.
10. Select the Next hop check box and type 192.168.10.2 in the text box.

Configure an SD-WAN Action


1. Select the SD-WAN tab.
2. Click Add.
3. Type DMZ in the Name box.
4. Select the Include check box for the DMZ interface.
5. Click OK and close the Network Configuration window.
6. In the policy list, double-click the Ping policy.
The Edit Policy Properties dialog box appears.
7. Select the Route outbound traffic using check box.
SD-WAN Based Routing is selected by default.

18 WatchGuard Technologies, Inc.


8. From the SD-WAN action drop-down list, select the DMZ SD-WAN action you created previously.
9. Select File > Save > To Firebox and log in with admin credentials.

Review the Traffic and Statistics


1. In the Windows command prompt window, inspect the output of the continuous ping command.
The command prompt shows that the ping requests time out. This is expected because the SD-WAN action in
the Ping policy routes the ping requests to the DMZ interface.
2. Open Firebox System Manager.
3. Click the Traffic Monitor tab.
4. In the filter text box, type icmp and press Enter.
The ICMP traffic is denied because all gateways in the SD-WAN action are down. The traffic tries to leave through the
DMZ interface but the DMZ link monitor probe is not responsive.
5. Select the SD-WAN tab.
6. Right-click the graph and select Settings.
7. Change the Performance Metric to Latency and make sure that all of the available interfaces are added to the
Show list.
The graph updates in real time based on the refresh interval.

After you complete this exercise, you are unable to ping successfully. At the end of the
exercise, remove the SD-WAN action from your Ping policy to allow ping traffic to route as
expected.

For more information on Link Monitor and SD-WAN, see Configure Link Monitor and About SD-
WAN in WatchGuard Help Center.

Network Security Essentials Lab Book 19


Lab Exercise 9: Traffic Management
Objective: After you complete this lab exercise, you will be able to enable Traffic Management,
configure Traffic Management actions, and apply them to firewall policies to restrict the bandwidth for
connections.

Test Your Bandwidth


1. Open a speed test website such as https://speedof.me/.
2. Test the bandwidth for traffic through the Firebox.

Enable Traffic Management


1. Open WatchGuard System Manager and connect to your Firebox.
2. Open Policy Manager.
3. Select Setup > Global Settings.
4. Select the Networking tab.
5. To enable Traffic Management, select the Enable all traffic management and QoS features check box. Click
OK.

Create and Apply Actions to Restrict Bandwidth


1. Select Setup > Actions > Traffic Management.
2. Click Add and create a new action with these settings:

Name: 500 Kbps

Type: All Policies

Maximum bandwidth: 500 Kbps

3. Click OK and create a second action with these settings:

Name: 1 Mbps

Type: All Policies

Maximum bandwidth: 1 Mbps

4. Close the Traffic Management Actions dialog box.

20 WatchGuard Technologies, Inc.


5. Edit the Outgoing policy.
a. Double-click the Outgoing policy.
b. In the Edit Policy Properties dialog box, select the Advanced tab.
c. In the Traffic Management Actions section, from the Forward drop-down list, select the 500 Kbps
action.
d. From the Reverse drop-down list, select the 1 Mbps action.
6. Edit the HTTP-proxy policy.
a. Double-click the HTTP-proxy policy and select the Advanced tab
b. In the Traffic Management Actions section, from the Forward drop-down list, select the 500 Kbps
action.
c. From the Reverse drop-down list, select the 1 Mbps action.
7. Edit the HTTPS-proxy policy.
a. Double-click the HTTPS-proxy policy and select the Advanced tab
b. In the Traffic Management Actions section, from the Forward drop-down list, select the 500 Kbps
action.
c. From the Reverse drop-down list, select the 1 Mbps action.
8. Select File > Save > To Firebox and log in with admin credentials.
9. Open Firebox System Manager.
10. Select the Traffic Management tab to observe how the actions are applied to the traffic.
11. Open a speed test website such as https://speedof.me/ and test the bandwidth for traffic through the Firebox.
Verify that the upload and download speeds are restricted by Traffic Management.

After you complete this lab exercise, to return to full bandwidth, disable Traffic Management
and QoS in the Global Settings > Networking tab.

For more information on Traffic Management, see About Traffic Management and QoS in
WatchGuard Help Center.

Network Security Essentials Lab Book 21


Lab Exercise 10: Packet Filters
Objectives: After you complete this lab exercise, you will be able to disable the Outgoing packet filter
policy, edit the DNS packet filter policy to only allow users to reach specific DNS servers, and create
new packet filter policies to prevent users from opening a site such as www.example.com.

Disable the Outgoing Packet Filter Policy


1. Open WatchGuard System Manager and connect to your Firebox.
2. Open Policy Manager.
3. Right-click the Outgoing policy and select Disable policy.
4. Select File > Save > To Firebox and log in with admin credentials.

Edit the DNS Packet Filter Policy


Edit the DNS packet filter policy to only allow DNS requests to specific DNS servers.

1. In Policy Manager, double-click your DNS packet filter policy.


2. Remove Any-External from the To list.
3. Below the To list, click Add
4. Click Add Other.
5. From the Choose Type drop-down list, select Host IPv4.
6. In the Value text box, type the IP address of a DNS server you configured on the Firebox during the Quick Setup
Wizard.

To view the DNS servers configured on the Firebox, select Network > Configuration
> WINS/DNS.

7. To add the other DNS servers configured on the Firebox, repeat the previous steps.
8. Select File > Save > To Firebox and log in with admin credentials.
9. To make sure that you still have Internet access, open a web browser window and go to www.example.com
and other websites.
If you are unable to reach the Internet, inspect the Traffic Monitor logs.

Add Packet Filter Policies to Deny Connections


Add packet filter policies to deny HTTP and HTTPS connections to a specific site, in this case, *.example.com.

22 WatchGuard Technologies, Inc.


1. Open Policy Manager.
2. Select Edit > Add Policy.
3. Expand the Packet Filters folder and select HTTP.
4. Click Add Policy.
5. In the Name text box, type HTTP Deny.
6. From the HTTP connections are drop-down list, select Denied (send reset).
Only select the send reset option when you want to deny internal connections. We do not recommend that you send a
reset for denied external connections.
7. Remove Any-External from the To list.
8. Below the To list, click Add.
9. Click Add Other.
10. From the Choose Type drop-down list, select FQDN.
11. Type *.example.com in the Value text box.
12. Add an HTTPS packet filter policy with the name HTTPS Deny, and repeat steps 6 – 11 to configure this policy
to deny HTTPS connections to *.example.com.
13. Select File > Save > To Firebox and log in with admin credentials.

Test the Configuration and Review Log Messages


1. Open a web browser window and go to http://www.example.com and other websites.
The website does not open but other websites open successfully.
2. Go to https://www.example.com.
The website does not open using HTTPS. If the website opens, it might be cached. Open it in a private browser
window or a different web browser.
3. Open WatchGuard System Manager.
4. Open Firebox System Manager.
5. To review the logs from your tests, select the Traffic Monitor tab.
6. In the filter text box, type http and press Enter.
7. To review other traffic that might be denied as an Unhandled Internal Packet because of the disabled
Outgoing policy, in the filter text box, type deny and press Enter.

For more information on packet filters, see Add Policies to Your Configuration in WatchGuard
Help Center.

Network Security Essentials Lab Book 23


Lab Exercise 11: Proxies
Objectives: After you complete this lab exercise, you will be able to configure an HTTP-proxy to deny
traffic based on the URL and configure an HTTPS-proxy with content inspection. You will also be able to
import the Firebox proxy authority certificate to your management computer and browse to any URLs
that contain "example".

To successfully complete this exercise, your Firebox must not be behind another firewall that
decrypts and inspects HTTPS content.

Configure an HTTP-Proxy to Deny Traffic


1. Open WatchGuard System Manager and connect to your Firebox.
2. Open Policy Manager.
3. Delete the HTTP Deny and HTTPS Deny packet filters that you created in Lab Exercise 10.
Right-click each packet filter policy and select Delete.
4. Double-click the HTTP-proxy policy.
5. From the Proxy action or Content action drop-down list, make sure that Default-HTTP-Client is selected.

6. To edit the action, click next to the Proxy action or Content action drop-down list.
7. In the HTTP Request section of the Categories list, select URL Paths.
8. To add a new pattern that matches URLs that contain "example", in the Pattern text box, type *example* and
click Add.
9. In the Actions to take section, from the If matched drop-down list, select Deny.
10. Next to the If matched and None matched drop-down lists, select the Log check boxes.
11. Select File > Save > To Firebox and log in with admin credentials.

Test the HTTP-Proxy


1. Open a web browser window and go to www.example.com.
The proxy denies the connection. If the www.example.com website opens, it might be cached. Open it in a
private browser window or a different web browser.
2. Go to Google or another search engine website, and search for the word example. Test whether the proxy
denies the connection.
Google uses HTTPS. It is not blocked by the HTTP-proxy. To decrypt and inspect HTTPS traffic to apply your
rule, you must enable Content Inspection in the HTTPS-proxy.

24 WatchGuard Technologies, Inc.


Enable Content Inspection in the HTTPS-Proxy
1. Double-click the HTTPS-proxy policy.
2. From the Proxy action drop-down list, make sure that Default-HTTPS-Client is selected.

3. To edit the action, click next to the Proxy action drop-down list.
4. In the Content Inspection settings, in the Action to take if no rule above is matched section, select the
Inspect action.
5. From the Proxy action drop-down list, select the Default-HTTP-Client proxy action you configured in the
previous procedure.
6. Select the Log check box for the Action.
7. Click OK. When prompted to enable automatic CA updates, click Yes.
8. Select File > Save > To Firebox and log in with admin credentials.

At this point in the exercise, your web browser displays a certificate error when you try to
connect to any HTTPS website. You will resolve this in the next section of the exercise.

Import the Proxy Authority CA Certificate


For content inspection to work without certificate warnings, your management computer must trust the current Proxy
Authority CA certificate on the Firebox.

1. Open a web browser and go to http://10.0.1.1:4126/.


The Firebox Certificate Portal appears.
2. To download the current Proxy Authority CA certificate, click Download .
3. Open the certificate and install it in your Trusted Root Certification Authorities store.

If you use the Firefox browser, you must configure Firefox to use the Windows certificate store.
To open the Firebox settings, in the Firebox URL bar, type About:Config. Search for
security.enterprise_roots.enabled. Set this parameter to True.

4. To reload the certificates, close and open the web browser.


5. Go to www.google.com or another search engine website and search for the word example.
The proxy denies the connection. If it is not denied or you receive a certificate warning, it might be cached. Open
it in a private browser window or a different web browser.
6. Go to other websites that contain example in the URL.

Network Security Essentials Lab Book 25


7. Open Firebox System Manager and select the Traffic Monitor tab.
8. Review the logs for your connection tests.

For more information about the HTTP and HTTPS-proxies, see About the HTTP-Proxy and
About the HTTPS-Proxy in WatchGuard Help Center.

In this exercise you download and install the Proxy Authority certificate from the Firebox. For a
production environment, we recommend that you replace the Firebox’s default Proxy Authority
certificate with a CA certificate signed by an internal certificate authority that is already trusted
by the computers on the network. For more information, see the CA Certificate section in Use
Certificates for the HTTPS-Proxy in WatchGuard Help Center.

26 WatchGuard Technologies, Inc.


Lab Exercise 12: Subscription Services
Objective: After you complete this lab exercise, you will be able to configure these subscription services
to protect your users: Application Control, Intrusion Prevention Services, Botnet Detection, Geolocation,
Gateway AntiVirus, Reputation Enabled Defense, WebBlocker, DNSWatch (TSS), IntelligentAV (TSS),
APT Blocker (TSS), and Data Loss Protection (TSS). You will also be able to download the EICAR test
file to safely demonstrate that the Firebox denies malware when subscription services are enabled.

Prerequisites: To enable the subscription services, your Firebox must have a Basic or Total Security
Suite (TSS) license.

Configure Subscription Services


1. Open WatchGuard System Manager and connect to your Firebox.
2. Open Policy Manager.
3. Update signatures for Application Control, Botnet Detection, Data Loss Protection, Gateway AntiVirus, and
IntelligentAV, Intrusion Prevention Services (IPS):
a. Select Subscription Services > Application Control.
b. Click Update Server.
The Update Server dialog box shows all settings for services with automatic updates.
c. In the Automatic Update settings, make sure that automatic updates are enabled for all services.

4. Configure Application Control:

a. Select Subscription Services > Application Control.


b. Select the Global action and click Clone
A new Global.1 action is created.
c. Click Select by Category.
d. Select the Peer-to-peer networks check box and set the action to Drop. Click OK.
e. Select Show only configured applications and review which applications are dropped. Click OK.
f. Select the Policies tab and apply the Global.1 action to the HTTP-proxy, HTTPS-proxy, and DNS
policies.

5. Configure IPS:

a. Select Subscription Services > Intrusion Prevention.


b. Make sure that the Enable Intrusion Prevention check box is selected.
c. Select the Policies tab and make sure that IPS is enabled for the HTTP-proxy, HTTPS-proxy, and
DNS policies.

6. Configure Botnet Detection:

a. Select Subscription Services > Botnet Detection.


b. Make sure that the Block traffic from suspected botnet sites check box is selected.

Network Security Essentials Lab Book 27


7.  Configure Geolocation:
a. Select Subscription Services > Geolocation.
b. Select the Global action and click Clone.
c. In the Global.1 action, select the Map tab.
d. To unlock country selection, click the Lock icon.
e. To block Germany, Russia, and China, click those countries on the map. Click OK.
You can also select the countries to block on the Country List tab.
f. Select the Policies tab and apply the Global.1 action to your HTTP-proxy, HTTPS-proxy, and DNS
policies.
8. Configure Gateway AntiVirus:
a. Double-click the HTTP-proxy policy.
b. From the Proxy Action drop-down list, make sure that the Default-HTTP-Client proxy action is
selected.
c. Click next to the Proxy action or Content action drop-down list.
d. From the Categories list, select Gateway AV.
e. Make sure that the Enable Gateway AntiVirus check box is selected.
f. In the HTTP Request section of the Categories list, select URL Paths.
g. In the Actions to take section, from the If matched drop-down list, make sure that Deny is selected.
h. In the None matched drop-down list, make sure that AV Scan is selected.
i. In the HTTP Response section of the Categories list, select Content Types.
j. Make sure that both the If matched and None matched actions are set to AV Scan.
k. In the HTTP Response section of the Categories list, select Body Content Types.
l. Make sure that both the If matched and None matched actions are set to AV Scan.
9.  Configure Reputation Enabled Defense:
a. Double-click the HTTP-proxy policy.
b. From the Proxy action drop-down list, make sure that the Default-HTTP-Client proxy is selected.
c. Click next to the Proxy action or Content action drop-down list.
d. Select Reputation Enabled Defense and make sure that the Immediately deny URLs that have a
bad reputation check box is selected.
10.  Configure WebBlocker:
a. Select Subscription Services > WebBlocker > Configure.
b. Edit the Default-WebBlocker action.
c. On the Categories tab, click and drag to select the four Social Web categories in the list.
d. From the Quick Action drop-down list, select Deny.
e. In the Search text box, start to type Advertisements. Select the Advertisements subcategory and
change the action to Deny.
f. In the Search text box, start to type Computer security.
g. Select the Computer security subcategory and change the action to Deny. Click OK.
h. Select the Policies tab. Make sure that Default-HTTP-Client and Default-HTTPS-Client proxy actions
include the Default-WebBlocker action.
11.  Configure DNSWatch:
This service requires TSS.
a. Select Subscription Services > DNSWatch.
b. Select the Enable DNSWatch check box.
c. From the drop-down list, select Enforce on all Trusted, Optional, and Custom interfaces.
12.  Configure IntelligentAV:
This service requires TSS and a Firebox M Series, Firebox Cloud, or FireboxV device.

28 WatchGuard Technologies, Inc.


a. Select Subscription Services > IntelligentAV.
b. Make sure that the Enable IntelligentAV check box is selected.
13.  Configure APT Blocker:
This service requires TSS.
a. Select Subscription Services > APT Blocker.
b. Make sure that the Enable APT Blocker check box is selected. Click OK.
c. Double-click the HTTP-proxy policy.
d. From the Proxy action drop-down list, make sure that the Default-HTTP-Client proxy action is
selected.
e. Click next to the Proxy action or Content action drop-down list.
f. From the Categories list, select APT Blocker and make sure that the Enable APT Blocker check box
is selected.
14. Configure Data Loss Prevention:
This service requires TSS.
a. Select Subscription Services > Data Loss Protection.
b. Select the Enable Data Loss Protection check box.
c. Select the Policies tab, and select the HTTP-proxy.
d. From the Select Sensor drop-down list, select PCI Audit Sensor. Click OK.

The PCI Audit Sensor sends a log message when the Firebox detects a data loss
violation, but it does not prevent data loss. To prevent data loss, clone the PCI Audit
sensor and configure the actions to Drop or Block.

15. To enable the services in the Firebox, select File > Save > To Firebox and log in with admin credentials.

Download the EICAR File


1. Open Firebox System Manager and click the Traffic Monitor tab.
2. Review the logs that have been generated. To see the denied traffic, in the filter text box, type deny. Press
Enter.
3. Open a web browser and go to http://2016.eicar.org/85-0-Download.html.
4. Try to download the eicar.com test file over both HTTP and HTTPS.
The proxy denies the connection and informs you of the reason. You can also see a deny log in the Traffic Monitor.
5. Based on the information in the logs, disable the subscription service that denied the file connection.
6. Save your configuration to the Firebox and try to download the EICAR file again.
7. Continue to disable services until you can successfully download the EICAR file over both HTTP and HTTPS.
8. To see statistics about your connection attempts, in Firebox System Manager, click the Subscription Services
tab.

Network Security Essentials Lab Book 29


For a more difficult challenge, re-enable all the subscription services you disabled and try to
download the EICAR file again. When a subscription service denies the connection, configure
an exception for that service until you can download the EICAR test file successfully with all of
the subscription services enabled.

Additional Resources
For more information about subscription services, go to the WatchGuard Security Portal or WatchGuard Knowledge
Base, or see the Manage Security Services topic in WatchGuard Help Center.

30 WatchGuard Technologies, Inc.


Lab Exercise 13: Active Directory
Objective: After you complete this lab exercise, you will be able to configure your Firebox to use an
Active Directory (AD) server for user authentication, configure a bypass packet filter that applies only to
authenticated users in an AD group, and successfully log in to the Firebox as an AD user in the group.

Prerequisites: To complete this exercise, your network environment must have a Windows Server
configured as an Active Directory Domain Controller. This exercise uses the proxies configured in Lab
Exercise 11.

Add an Active Directory Server to Your Firebox for Authentication


1. Open WatchGuard System Manager and connect to your Firebox.
2. Open Policy Manager.
3. Select Setup > Authentication > Authentication Servers > Active Directory.
4. Click Add.
The Active Directory Domain Setup Wizard appears.
5. Type your AD domain name.
6. Type the Server address of your AD domain controller.
The Firebox will use this address to connect to your server.
7. Complete the setup wizard.
8. Select Setup > Authentication > User and Groups.
9. Click Add and type the name of a security group in your Active Directory environment.
The group name is case-sensitive.

Configure a Bypass Packet Filter for the AD Group


1. In Policy Manager, select Edit > Add Policy.
2. Expand the Packet Filters folder.
3. Select HTTP and click Add Policy.
4. In the Name text box, type HTTP Allow.
5. In the From list, remove Any-Trusted.
6. Below the From list, click Add.
7. Click Add User.
8. From the Type drop-down lists, select Firewall and Group.
9. Select the group you added in Step 9 of the previous procedure.
10. In the To list, remove Any-External.
11. Below the To list, click Add.

Network Security Essentials Lab Book 31


12. Click Add Other.
13. From the Choose Type drop-down list, select FQDN.
14. In the Value text box, type example.com. Click OK.
15. On the Properties tab, click Logging.
16. Select the Send a log message check box. Click OK.
17. On the Policy Manager window, select Setup > Authentication > Authentication Settings.
18. On the Firewall Authentication tab, from the Default authentication server on the authentication page
drop-down list, select your AD domain. Click OK.
19. Select File > Save > To Firebox and log in with admin credentials.

Log In to the Firebox as an AD User


1. Open a web browser and go to www.example.com.
The proxies configured in Exercise 11 deny the request.
2. Open a web browser and go to the Authentication page on the Firebox at https://10.0.1.1:4100/.
Bypass the certificate warning.
3. On the Authentication page, log in with an AD user in the AD group you added in Step 9 of the first procedure.
4. After you successfully authenticate, go to www.example.com.
The HTTP Allow packet filter allows the request.
5. Open Firebox System Manager.
6. To review the logs from your tests, click the Traffic Monitor tab and in the filter text box, type http. Press
Enter.
7. To see active authentication sessions, select the Authentication List tab.

For more information on how to add Active Directory server, see Configure Active Directory
Authentication in WatchGuard Help Center.

32 WatchGuard Technologies, Inc.


Lab Exercise 14: Authentication
Objectives: After you complete this lab exercise, you will be able to configure policies for authenticated
users and enable the Firebox to automatically redirect users to the authentication page.

Prerequisites: This lab exercise uses the proxy actions you configured in Lab Exercise 11.

Configure Outbound Policies to Require User Authentication


1. Open WatchGuard System Manager and connect to your Firebox.
2. Open Policy Manager.
3. Create a new user and user group in the local Firebox-DB internal authentication database:
a. Select Setup > Authentication > Authentication Servers.
b. On the Firebox-DB tab, in the Users section, click Add.
c. Type a Name and Passphrase. Click OK.
d. In the User Groups section, click Add.
e. Type a group name and move the user you added in Step c to the Member list for this group. Click OK.

4. Configure the HTTP-proxy policy:


a. Double-click the HTTP-proxy policy.
b. Remove Any-Trusted and Any-Optional from the From list.
c. Below the From list, click Add.
d. Click Add User.
e. From the Type drop-down lists, select Firewall and Group
f. Select the group you added in Step 3.

If you completed Lab Exercise 13, you can also select the Active Directory group you created.

5. Configure the HTTPS-proxy policy:

a. Double-click the HTTPS-proxy policy


b. Remove Any-Trusted and Any-Optional from the From list.
c. Below the From list, click Add.
d. Click Add User.
e. From the Type drop-down lists, select Firewall and Group.
f. Select the group you added in Step 3.

Network Security Essentials Lab Book 33


If you completed Lab Exercise 13, you can also select the Active Directory group you created.

6. Select Setup > Authentication > Authentication Settings.


7. Select the Automatically redirect users to the authentication page check box.
8. Select File > Save > To Firebox and log in with admin credentials.
9. To test the automatic redirect, open a web browser and go to http://www.example.com while you are not
authenticated to the Firebox.
Your web browser automatically redirects to the Firebox Authentication page. For the Firebox to redirect web traffic to
the Authentication page, unauthenticated port 80 and 443 traffic must not match any firewall policies and must be
denied as an Unhandled Internal Packet.

In Firebox System Manager, on the Authentication List tab, you can see the list of currently
authenticated users, and you can log off a user to end a session.

10. When your browser redirects to the authentication page, bypass the certificate warning and log in as a user in the
Firebox-DB or Active Directory group you configured in your policies.
After you log in, the proxies then process your traffic and deny access to example.com based on the rules configured
in Lab Exercise 11.
11. Go to other websites to make sure you have Internet connectivity.
12. Open Firebox System Manager and select the Traffic Monitor tab.
13. Review the log messages and note src_user= at the end of a log message when the user is authenticated.
You can also filter the logs for your user name.

For more information on automatic redirect, see Set Global Firewall Authentication Values in
WatchGuard Help Center.

34 WatchGuard Technologies, Inc.


Lab Exercise 15: Mobile VPNs
Objectives: After you complete this lab exercise, you will be able to configure the IKEv2 mobile VPN on
your Firebox and add an HTTP-proxy policy to protect your VPN clients. You will then be able to install
the IKEv2 VPN profile on your management computer and successfully connect to your Firebox with the
IKEv2 VPN.

Prerequisites: This lab exercise uses the proxy actions you configured in Lab Exercise 11 to deny
connections to www.example.com and the Firebox-DB group you configured in Lab Exercise 13.

This lab exercise provides instructions for the IKEv2 mobile VPN with Windows 8 or 10. If you
run Windows 7, you can use the SSL VPN. For information on how to manually install the
IKEv2 VPN profile, see Configure Windows Devices for Mobile VPN with IKEv2 in
WatchGuard Help Center.

Configure the IKEv2 Mobile VPN on your Firebox and Add an HTTP-proxy
Policy
1. Open WatchGuard System Manager and connect to your Firebox.
2. Open Policy Manager.
3. Select VPN > Mobile VPN > IKEv2.
4. Configure these settings in the wizard:
a. Add the trusted IP address of your Firebox, 10.0.1.1, as the server address for client connections.
b. Accept the warning that appears. Click Next.
The warning appears because in this exercise you specify the trusted IP address. In a production
environment, you would specify the address of an external interface to enable mobile VPN connections to
your network.
c. Select Firebox-DB as your authentication server. Click Next.
d. Select the Firebox-DB group you added in Lab Exercise 13. Click Next.
The group you select is automatically added to the IKEv2-Users group.
e. Select the default virtual IP address pool subnet. Click Next.
f. Click Finish.
5. Double-click the Allow IKEv2-Users policy that the wizard created.
6. On the Properties tab, click Logging.
7. Select the Send a log message check box. Click OK.
8. Select Edit > Add Policy.

Network Security Essentials Lab Book 35


9. Create an HTTP-proxy policy with these settings:
a. In the Name text box, type HTTP-proxy-IKEv2.
b. In the From list, remove Any-Trusted.
c. Below the From list, click Add.
d. Click Add User.
e. From the Type drop-down lists, select Firewall and Group.
f. Select the IKEv2-Users group. Click OK.
g. From the Proxy action or Content action drop-down list, select the Default-HTTP-Client action. Click
OK.
10. Select File > Save > To Firebox and log in with admin credentials.

Install the IKEv2 VPN Profile


1. In Policy Manager, select VPN > Mobile VPN > Get Started.
2. In the IKEv2 section, click Client Profile.
3. Click Download and log in with admin credentials.
4. Download the VPN profile.
5. Open the .tgz archive you downloaded in Step 4 and extract the Windows_8.1_10 folder.

The .tgz file downloads to the Documents\My WatchGuard folder by default. You can
extract the file with 7zip, WinRAR, or another file compression program.

6. To install the VPN profile on the management computer, run WG IKEv2.bat inside the Windows_8.1_10 folder.
This adds the WG IKEv2 VPN connection to the list of network connections on this computer.

Connect to Your Firebox with IKEv2 VPN


1. On the management computer, in the Windows notifications, click the Network Connections icon.
2. Locate the WG IKEv2 connection that was created and connect with your Firebox-DB user.

You must successfully connect to the VPN to continue this lab exercise.

3. While connected to the IKEv2 VPN, open a web browser and go to www.example.com and other websites.
The www.example.com website does not open. Other websites open successfully. If the www.example.com website
opens, it might be cached. Open it in a private browser window or a different web browser.
4. Open Firebox System Manager and select the Traffic Monitor tab. In the filter text box, type ikev2 to view the
traffic for your VPN connection logs. Press Enter.

36 WatchGuard Technologies, Inc.


For more information about IKEv2 VPN, see Mobile VPN with IKEv2 in the WatchGuard Help
Center.

Network Security Essentials Lab Book 37


Lab Exercise 16: BOVPNs
Objectives: After you complete this lab exercise, you will be able to connect your secondary
WatchGuard Firebox to your primary Firebox through both the DMZ and Site-to-Site interfaces. You will
then be able to build a BOVPN virtual interface to your secondary WatchGuard Firebox over the DMZ
interface and configure static routes to fail over from the Site-to-Site interface to the BOVPN.

Prerequisites: To complete this exercise, you must have a second WatchGuard Firebox or a third-party
device that can support a route-based VPN. If you use a third-party device, you are responsible for the
configuration. This exercise uses the interfaces and routes you configured in Lab Exercise 6and Lab
Exercise 7. It assumes the two Fireboxes have a site-to-site connection through interface 3. It assumes
that you have disabled the SD-WAN action in the Ping policy you configured in Lab Exercise 8.

Configure Your Secondary Firebox


1. Connect your management computer to interface 1 on the primary Firebox.
2. Open WatchGuard System Manager and connect to your secondary Firebox at 10.0.100.2.
3. Open Policy Manager.
4. Select Network > Configuration and configure interface 2 with these settings:

Name: DMZ

Interface Type: Optional

IP Address: 192.168.10.2/24

5. Select the Disable DHCP check box. Click OK.


6. Select VPN > BOVPN Virtual Interfaces.
7. Click Add.
8. Select Use Pre-Shared Key and type a value.
9. To define a new gateway endpoint pair, in the Gateway Endpoints section, click Add.
10. In the Local Gateway section, from the Interface IP Address, select the DMZ interface.
11. In the IP Address text box, type:
192.168.10.2
12. In the Remote Gateway section, select the DMZ interface and type 192.168.10.1 in the IP Address text
box. Click OK.
13. Select the VPN Routes tab.
14. Click Add and create a route with these settings:

Type: Network IPv4

Route To: 10.0.1.0/24

38 WatchGuard Technologies, Inc.


Metric: 2
15. Select File > Save > To Firebox and log in with admin credentials for your secondary Firebox.

Configure Your Primary Firebox


1. Open WatchGuard System Manager and connect to your primary Firebox at 10.0.1.1.
2. Open Policy Manager.
3. Select VPN > BOVPN Virtual Interfaces.
4. Click Add.
5. Type the Pre-Shared Key you created in Step 8 of the previous procedure.
6. In the Gateway Endpoints section, click Add.
7. Define a new gateway endpoint pair.
8. In the Local Gateway section, select the DMZ interface and type 192.168.10.1 in the IP Address text box.
9. In the Remote Gateway section, select the DMZ interface and type 192.168.10.2 in the IP Address text
box. Click OK.
10. On the VPN Routes tab, click Add.
11. Create a route with these settings:

Type: Network IPv4

Route To: 10.0.20.0/24

Metric: 2
12. Select File > Save > To Firebox and log in with admin credentials.

Connect Your Fireboxes and Test the Failover


1. Connect your primary and secondary Fireboxes with an Ethernet cable through interface 2.
The Fireboxes are now connected through both interfaces 2 and 3.
2. Open Firebox System Manager for your primary Firebox.
3. Select the Front Panel tab and expand Branch Office VPN Tunnels.
4. Expand your new BOVPN, BovpnVif.1 and review the statistics.
5. Open a Windows command prompt on your management computer.
6. To test the connectivity, type ping 10.0.20.1 -t and press Enter.
The ping command routes over the lower metric route through interface 3.
7. Disconnect the Ethernet cable in interface 3 on your primary Firebox.
8. Inspect the ping command.
The command might time out a few times but then begins to respond over the higher metric route through interface 2.
9. In Firebox System Manager, click the Traffic Monitor tab.
10. In the filter text box, type icmp and press Enter.
You can see that the destination interface changed when you disconnected interface 3.

Network Security Essentials Lab Book 39


For more information on BOVPN virtual interfaces, see Configure a BOVPN Virtual Interface in
WatchGuard Help Center.

40 WatchGuard Technologies, Inc.


Lab Exercise 17: Fireware Web UI
Objectives: After you complete this lab exercise, you will be able to log in to the Web UI, save a copy of
your configuration file, and then view the configuration report, FireWatch, and Policy Checker. If you
completed Lab Exercise 13, you will also be able to run the LDAP connectivity tester.

Review the Firebox Configuration File in Fireware Web UI


1. Open a web browser and go to https://10.0.1.1:8080.
2. Log in with admin credentials.
3. Review the information on the Front Panel.
4. From the navigation menu, select System > Configuration File.
5. Click Download the Configuration File.
6. To view the configuration report, click Firebox Configuration Report.
The configuration report opens in a new browser tab.
7. To review information about the active connections on your Firebox, select Dashboard > FireWatch.
8. To see a table of active connections on the external interface, select the Interface (Out) tab. In the 0-External
box, click View connections.
9. Select the Source tab. In the management computer IP address box, click Filter.
This filters the FireWatch page to show information for your IP address only.

View Policy Checker


1. From the navigation menu, select Firewall > Firewall Policies.
2. Below the policy list, click Show Policy Checker.
3. If necessary, click the lock at the top of the page to make changes.
4. Specify these settings in Policy Checker:

Interface: Trusted

Protocol: TCP

Source IP: 10.0.1.2

Destination IP: 10.0.1.1

Source Port: 1234

Destination Port: 8080
5. Click Run and review the results.
6. To test other possible connections, change the variables.

Network Security Essentials Lab Book 41


Run the LDAP Connectivity Tester
If you completed Lab Exercise 13, you can now test the connection.

1. From the navigation menu, select Authentication > Servers.


2. Click Test Connection for LDAP and Active Directory.
3. From the Authentication Server drop-down list, select your AD domain.
4. Type a valid Username and Password.
5. Click Test Connection.
6. Review the results.

Additional Information
For more information, see these topics in WatchGuard Help Center:

FireWatch

Use Policy Checker to Find a Policy

Test Server Connection

42 WatchGuard Technologies, Inc.


Lab Exercise 18: Dimension Logs and Reports
Objectives: After you complete this exercise, you will be able to log in to your Dimension server and
review the log messages and reports that have been generated for traffic passing through the Firebox.

Prerequisite: For the reports to include data, you must complete Lab Exercise 4 to set up logging to
Dimension.

Review Dimension Log Messages and Reports


1. Log in to your Dimension server.
2. On the Devices tab, select the Firebox that is logging to Dimension.
The Executive Dashboard opens.
3. To see how many days of logs are contained on the server for this Firebox, in the top left, select the Start box.
The dates and times you specify in these text boxes affect the information you see in all reports and views.
4. To see a high-level view of the traffic allowed through the Firebox, review the information on the Executive
Dashboard.
5. In the Top Clients table, click the entry for your management computer.
6. Select Security Dashboard and review the information on traffic that the Firebox has blocked.
7. Select FireWatch and compare it to the FireWatch information in the Fireware Web UI in Lab Exercise 17.
8. To filter FireWatch for your computer, on the FireWatch Source tab, locate the box for your management
computer and click Filter.
9. To see a graphical representation of how traffic is flowing through the firewall policies, select Policy Map.
Click the ribbons to filter the view.
10. To view all the logs collected by Dimension, select Log Manager.
11. To view the reports for an IP address, select Per Client Reports > Summary and type the IP Address of your
management computer.

For more information on Dimension tools, see Use Dimension Tools in WatchGuard Help
Center.

Network Security Essentials Lab Book 43


Lab Exercise 19: WatchGuard Cloud Logs and
Reports
Objectives: After you complete this lab exercise, you will be able to log in to WatchGuard Cloud and
review the log messages and reports that have been generated for traffic passing through the Firebox.

Prerequisites: To use WatchGuard Cloud, your Firebox must have a Basic or Total Security Suite license.
For the reports to include data, you must complete Lab Exercise 5 to set up logging to WatchGuard Cloud.

View WatchGuard Cloud Log Messages and Reports


1. Log in to your WatchGuard Cloud Subscriber account.
2. Select Monitor > Fireboxes.
3. From the Device Manager list, select your Firebox.
4. Select Dashboards > Executive Dashboard. To see a high-level view of the traffic allowed through the
Firebox., review the information on the Executive Dashboard .
5. To only view the reports for the management computer, in the Executive Dashboard Top Clients table, click the
IP address of your management computer.
6. To review data on blocked traffic, select Dashboards > Security Dashboard.
7. To review how the subscription services have protected your network, select Dashboards > Subscription
Dashboard.
8. To see FireWatch in WatchGuard Cloud, select Monitor > Fireboxes > Dashboards > FireWatch.
Compare this view to the view you saw in Dimension and the Fireware Web UI in Lab Exercises 16 and 17.
9. To see how traffic is flowing through your firewall policies, select Dashboards > Policy Map.
Click the ribbons to filter the view.
10. To filter FireWatch for your computer, select Dashboards > FireWatch > Source tab. Locate the box for your
management computer and click Filter.
11. To view a graph of the bandwidth passed through the Firebox interfaces, select Health > Interface Summary.
From the drop-down list, select an interface.
12. To view the reports for your management computer, select Per Client Reports and type the IP address of your
management computer in the Host text box.

For more information about WatchGuard Cloud reports, see WatchGuard Cloud Device
Reports List in WatchGuard Help Center.

44 WatchGuard Technologies, Inc.


Lab Exercise 20: Log Notifications and
Scheduled Reports
Objectives: After you complete this lab exercise, you will be able to configure the HTTP-proxy policy to
send an alarm notification. You will then be able to configure WatchGuard Cloud to send you an email
notification when a device alarm log is received. You will also be able to schedule and send the
Executive Summary report for your Firebox.

Prerequisites: To use WatchGuard Cloud, your Firebox must have a Basic or Total Security Suite license.
For data to be available in the scheduled reports, you must have completed Lab Exercise 5 to set up
logging to WatchGuard Cloud. You will also need an email address to receive the notifications and reports.

Configure the HTTP-proxy Policy to Send an Email Alarm


1. Open WatchGuard System Manager and connect to your Firebox.
2. Open Policy Manager.
3. Double-click the HTTP-proxy.
4. From the Proxy action drop-down list, make sure that Default-HTTP-Client is the selected proxy action.

5. Click next to the Proxy action or Content action drop-down list.


6. In the HTTP Request section of the Categories list, select URL Paths.
You can see the *example* rule you created in Lab Exercise 11.
7. Next to the If matched drop-down list, select the Alarm check box.
8. Select the Proxy and AV Alarms category.
9. Select the Send notification check box.
10. Select the Email check box.
11. Select File > Save > To Firebox and log in with admin credentials.

Configure WatchGuard Cloud to Send an Email for Device Alarm Logs


1. Log in to your WatchGuard Cloud Subscriber account.
2. Select Administration > Notifications.
3. From the navigation menu, select Rules.
4. Click Add Rule and configure a rule with these settings:

Name: Device Alarm

Notification Source: Devices

Notification Type: Device Alarms

Network Security Essentials Lab Book 45


Delivery Method: Email

Frequency: Send All Alerts

Subject: Device Alarm

Recipients: <your email address>


5. Go to the www.example.com website.
The proxy denies the connection. You will receive an email to notify you that the Firebox denied the connection.

6. In WatchGuard Cloud, select Administration > Scheduled Reports.


7. Click Add Scheduled Report and configure this report:
a. In the Schedule Name text box, type Executive Summary.
b. Type a Description.
c. Select the check boxes for your Firebox and individual Fireboxes in the list.
d. Select the Executive Summary check box.
e. Specify the Frequency as Run Now.
f. Make sure that the Start Date and End Date cover the previous 24 hours.
g. Select your Time Zone.
h. In the Report Recipients text box, type your email address.
i. Click Save Report.
After you save the report, you will receive the report by email. Review the report information.
8. Select Administration > Scheduled Reports, and then click the name of your Executive Summary report to
view the details.
9. Download a copy of the report.

For more information on notifications and scheduled reports, see Configure Rules for Firebox
Events and Schedule WatchGuard Cloud Reports in WatchGuard Help Center.

46 WatchGuard Technologies, Inc.

You might also like