WatchGuard Technologies WatchGuard Firebox SOHO Uživatelský manuál Strana 1

WatchGuard SOHO and SOHO | tcWatchGuard®SOHO User GuideSOHO and SOHO|tc version 5.0

10WatchGuard® Limited Hardware WarrantyThis WatchGuard Limited Hardware Warranty (the "Warranty") applies to the enclosed WatchGuard hardwar

Step-by-step instructions for configuring a SOHO VPN tunnel100Obtaining the VPN upgradeIf you purchased a WatchGuard SOHO and would like to purchase t

User Guide 5.0 101Frequently asked questionsdevice. To set up multiple VPN tunnels, you will need to have at least one WatchGuard Firebox configured w

Frequently asked questions102How do I connect three or four offices together?To connect more than two offices together, WatchGuard recommends designat

User Guide 5.0 103MUVPN ClientsHow do I enable a VPN Tunnel?Full instructions for enabling a VPN tunnel can be found online at:http://www.watchguard.c

View the VPN Statistics104

User Guide 5.0 105CHAPTER 9 ResourcesTroubleshootingThe following information is offered to help overcome any minor difficulties that might occur when

Troubleshooting106 NOTEYou can also reboot by removing the power source for ten seconds, and then restoring power.What do the ON and MODE lights sign

User Guide 5.0 107Troubleshootingavailable. The first year of service is free with purchase of the SOHO. To register your SOHO:1 With your Web browser

Troubleshooting108DSL router, the NAT feature of the DSL router should be set for bridge-only mode.How do I install a SOHO using a Macintosh?The proce

User Guide 5.0 109TroubleshootingHow can I see the MAC address of my SOHO?A MAC (Medium Access Control) address is a unique number used to identify th

User Guide 5.0 11OR IMPLIED, ARISING BY LAW OR OTHERWISE, WITH RESPECT TO ANY NONCONFORMANCE OR DEFECT IN THE HARDWARE PRODUCT (INCLUDING, BUT NOT LIM

Troubleshooting110How do I change to a static trusted IP address?Before you can use a static IP address, you must have a base Trusted IP address and s

User Guide 5.0 111Troubleshooting3 Enable the checkbox labeled Enable WebBlocker. Enter a Full Access password, and an Inactivity Timeout (in minutes)

Troubleshooting1123 Beneath the Protocol Settings fields, select either TCP Port, UDP Port or Protocol from the drop list.The Custom Service page refr

User Guide 5.0 113Troubleshooting• The same authentication method for each end (MD-5 or SHA-1).How do I set up my SOHO for VPN Manager Access?This req

Contacting Technical support114Contacting Technical supportOnline Documenting and In-Depth FAQsWatchGuard maintains an extensive knowledge base consis

User Guide 5.0 115Bblocked sitesin WebBlocker96BrowserNetscape 4.0disabling HTTP proxy31Browsers, supported 28CCables, required 27Cabling, new SOHO 32

116HHTTP proxydisabling30IICQ, enable with SOCKS 71ICQ, IRC, AOL Messenger 72Incoming servicecreating custom65Informationcopyright12patent 12Installat

User Guide 5.0 117MMacintosh, setting TCP/IP 29Manual installation 28Masquerading 21NNetworkprivate network default factory settings22Network Address

118adding pre-configured 64creating custom incoming 65Services, introduction 21SOCKS 71and ICQ 72and IRC 72SOCKS and AOL Messenger 72Static IP address

12Copyright and Patent InformationCopyright © 1999-2001 WatchGuard Technologies, Inc. All rights reserved.WatchGuard and LiveSecurity are either regis

User Guide 2.4 13Table of ContentsCHAPTER 1 Introduction ...17Registration and Identification Informatio

14Configuring Your Trusted Network ...47Configuring Static Routes ...49View the Network Stat

User Guide 5.0 15Configuring the SOHO WebBlocker ...88WebBlocker categories ...93Searching

16

User Guide 5.0 17CHAPTER 1 IntroductionWelcomeCongratulations on purchasing the ideal solution for providing secure access to the Internet–the WatchGu

Registration and Identification Information18Registration and Identification InformationOnce you have installed and configured your SOHO following the

User Guide 5.0 19How does a firewall work?these dangers. As is illustrated in the image below, the SOHO physically seperates your trusted network from

2

How does information travel on the internet?20How does information travel on the internet?Each packet of information transported over the Internet mus

User Guide 5.0 21How does the SOHO process this information?How does the SOHO process this information?ServicesA service is the combination of protoco

The SOHO Home Page—System Status22The SOHO Home Page—System Status The System Status page is effectively the home page of the SOHO. A variety of info

User Guide 5.0 23The Default Factory SettingsFirewall SettingsAll incoming services are blocked.An outgoing service allowing all outbound traffic.None

Rebooting a WatchGuard SOHO24The Base Model SOHOThe base model SOHO comes with a ten seat license, that is ten computers have access to the Internet t

User Guide 5.0 25Rebooting a WatchGuard SOHO• Send an FTP command to the remote SOHO device. Use an FTP application to connect to the SOHO device, the

Rebooting a WatchGuard SOHO26

User Guide 5.0 27CHAPTER 2 Getting StartedBefore you beginPre-installation checklistBefore installing your new WatchGuard SOHO please ensure that you

The Installation Process28• An operational Internet connection. Setup of your SOHO requires access to the Internet. If your connection does not work,

User Guide 5.0 29The Installation ProcessDetermine your current TCP/IP settingsFor your reference, record the computer’s current TCP/IP settings in th

User Guide 5.0 3Using this guideThis guide assumes that you are familiar with your computer’s operating system. If you have questions about navigating

The Installation Process303 Exit the TCP/IP configuration screen. NOTEIf you are connecting more than one computer to the trusted network behind the

User Guide 5.0 31The Installation ProcessWith the HTTP proxy enabled, the browser automatically points itself to Web pages located on the Internet, an

The Installation Process325 Verify that the Direct Connection to the Internet option is enabled.6Click OK to save the settings.Internet Explorer 5.0/5

User Guide 5.0 33The Installation Process1 Complete the “Pre-installation checklist” on page 27.2 Shut down your computer and unplug the power from yo

The Installation Process346 Attach the power cord to the SOHO and plug it into an outlet.7 Restart your computer.8 For information on the factory defa

User Guide 5.0 35The Installation Processexist on the network and communicate with each other, but only the first ten which attempt to access the Inte

The Installation Process36

User Guide 5.0 37CHAPTER 3 Setting Up Your SOHO NetworkThe configuration instructions in this chapter assume that you are using Windows 98/ME. If this

Configuring Your External Network38method to distribute IP addresses is to use Dynamic Host Configuration Protocol (DHCP). When you connect your compu

User Guide 5.0 39Configuring Your External Network3 Scroll through the list of installed network components. Double-click the TCP/IP network component

4Certifications and NoticesFCC CertificationThis device has been tested and found to comply with limits for a Class A digital device, pursuant to Part

Configuring Your External Network404 If “Obtain an IP Address Automatically” is selected, your computer is configured for dynamic DHCP. If “Obtain an

User Guide 5.0 41Configuring Your External NetworkConfiguring the SOHO External network for static addressingIf you are assigned a static address, the

Configuring Your External Network426 Save the changes.7 On most platforms, click OK until the Control Panel window closes. 8 Shut down and reboot the

User Guide 5.0 43Configuring Your External Network4 From the Configuration Mode drop list, select Manual Configuration.5 Enter the TCP/IP settings you

Configuring Your External Network44ISP to see if they use PPPoE. If you cannot find this information, contact your ISP and ask. You will need your PPP

User Guide 5.0 45Configuring Your External Network5 Enter the PPPoE login name supplied by your ISP.6 Enter the PPPoE password supplied by your ISP7Cl

Configuring Your External Network46Release and renew the IP configurationRegardless of what type of addressing your computer used originally, it will

User Guide 5.0 47Configuring Your Trusted NetworkConfiguring Your Trusted NetworkOut of the box, the SOHO automatically uses DHCP to assign addresses

Configuring Your Trusted Network483 Enter the IP address and the Subnet Mask in the appropriate fields.4 Disable the checkbox labeled Enable DHCP Serv

User Guide 5.0 49Configuring Static Routes(LAN). You can also mix computers with different operating systems on your network and they will pass traffi

User Guide 5.0 5Taiwanese NoticeVCCI Notice Class A ITE

View the Network Statistics503Click the Add button.4 From the Type drop list, select either a Host or Network.5 Enter the IP address and the Gateway o

User Guide 5.0 51View the Network StatisticsFollow these instructions to view this page:1 With your Web browser, go to the SOHO System Status page usi

View the Network Statistics52

User Guide 5.0 53CHAPTER 4 Your Administrative OptionsThe SOHO Administration page allows you to configure access to the unit, update the firmware fro

The System Security Page54depth in the SOHO Remote Monument Guide located on our Web site:http://help.watchguard.com/documentation/default.aspSetting

User Guide 5.0 55The System Security PageFollow these steps to setup the SOHO System Passphrase:1 With your Web browser, go to the SOHO System Status

Setting up VPN Manager Access567 Enter the System Passphrase again to confirm it in the appropriate field.8Click the Submit button.Setting up VPN Mana

User Guide 5.0 57Setting up VPN Manager Access3 Enable the checkbox labeled Enable VPN Manager Access.4 Enter the Status Passphrase in the appropriate

Update Your Configuration from a Non-Windows Platform58Update Your Configuration from a Non-Windows PlatformIf you are managing your SOHO from a compu

User Guide 5.0 59Redeeming your SOHO upgrade certificatesthese software options is stored within the SOHO. Once you have purchased an upgrade option

6Declaration of Conformity

Redeeming your SOHO upgrade certificates60Upgrade certificatesSeat LicensesThe SOHO can be upgraded to provide for more seats than are available with

User Guide 5.0 61View the Configuration FileView the Configuration FileFrom this configuration page, you can view your SOHO configuration file as it a

View the Configuration File62

User Guide 5.0 63CHAPTER 5 Configuring Your Firewall SettingsFirewall settingsThe WatchGuard SOHO enables you to customize what is allowed both incomi

Configuring Incoming and Outgoing Services64by the SOHO firewall. You can, however, selectively open your network to certain types of Internet connect

User Guide 5.0 65Configuring Incoming and Outgoing Services2 Locate the pre-configured service you wish to define, such as FTP, Web, or Telnet, then

Configuring Incoming and Outgoing Services66custom service using either a TCP port, UDP port or specifying an IP protocol. You can also create a custo

User Guide 5.0 67Blocking External Sites3 Beneath the Protocol Settings fields, select either TCP Port, UDP Port or Protocol from the drop list.The Cu

Blocking External Sites68Follow these steps to configure blocked sites:1 From the navigation bar on the left side, select Firewall => Blocked Sites

User Guide 5.0 69Firewall Options5Click the Submit button.Firewall OptionsThe SOHO firewall feature includes a few rule settings which are less specif

User Guide 5.0 7WatchGuard® End-User License AgreementIMPORTANT - READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWAREThis WatchGuard End-User License

Firewall Options70Ping requests received on the External NetworkYou can configure the SOHO to deny all ping packets which it may receive on the exter

User Guide 5.0 71Firewall OptionsDenying FTP access to the Trusted Network interfaceYou can configure the SOHO to deny FTP access to Trusted interface

Firewall Options72• SOHO supports SOCKS version 5 only.• It is a limited version of SOCKS and does not support authentication, nor does it support Dom

User Guide 5.0 73Firewall Options• For the SOCKS proxy, enter the URL or IP address of the SOHO trusted network. The default IP address is 192.168.111

Creating a virtual DMZ74Follow these steps:1 Enable the checkbox labeled Log All Allowed Outbound Access.2Click the Submit button.Creating a virtual D

User Guide 5.0 75Creating a virtual DMZ3 Enable the checkbox labeled Enable pass through address.4 Enter the IP address to the pass through machine in

Creating a virtual DMZ76

User Guide 5.0 77CHAPTER 6 What is Logging?Logging is the act of recording “events” that occur at the SOHO interfaces. An event is any single activity

Setting a WatchGuard Security Event Processor log host78The log messages may include time synchronizations between the SOHO and the WatchGuard Key Ser

User Guide 5.0 79Setting a WatchGuard Security Event Processor log host3 Enable the checkbox labeled Enable WatchGuard Security Event Processor Loggin

84. LIMITED WARRANTY. WATCHGUARD makes the following limited warranties for a period of ninety (90) days from the date you obtained the SOFTWARE P

Setting a Syslog Host80Setting a Syslog HostThe SOHO can also be configured to transmit log entries to a Syslog host.Follow these steps to setup a Sys

User Guide 5.0 81Setting the System Time4 Enter the IP address of the Syslog server in the appropriate field.In our example, 206.253.208.100.5Click th

Setting the System Time82If you have decided to use the WatchGuard Time Server:3 Enable the option labeled Get Time From WatchGuard Time Server.Or, if

User Guide 5.0 83Setting the System Time• Enable the checkbox labeled Set to GMT.If you want to have your log messages sync with your computer:• Click

Setting the System Time84

User Guide 5.0 85CHAPTER 7 WatchGuard SOHO WebBlockerWatchGuard SOHO WebBlocker is an optional feature of the WatchGuard SOHO and SOHO|tc that provide

How WebBlocker works86site, the SOHO queries the WatchGuard database and determines whether or not to block the site. The SOHO considers the following

User Guide 5.0 87Purchasing and enabling SOHO WebBlockerUsersThis feature allows you to create an individual user account, with a unique username and

Configuring the SOHO WebBlocker88Configuring the SOHO WebBlockerUse the WatchGuard SOHO Configuration pages to enable WebBlocker, create a full access

User Guide 5.0 89Configuring the SOHO WebBlocker3 Enable the checkbox labeled Enable WebBlocking.4 Enter the full access password.The full access pass

User Guide 5.0 9SUCH DAMAGES. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY.5. UNITED STATES GOVERNMENT RESTRICTED RIGHTS.

Configuring the SOHO WebBlocker90Create WebBlocker Groups and UsersFollow the instructions below to create WebBlocker Groups. If you wish to use a gl

User Guide 5.0 91Configuring the SOHO WebBlocker4Click the Submit button.A new Groups page appears indicating the configuration changes have been acce

Configuring the SOHO WebBlocker926 Enter a unique User name and Passphrase (remember to confirm the Passphrase). Use the Group drop down list to assi

User Guide 5.0 93WebBlocker categoriesWebBlocker categoriesWebBlocker relies on a URL database, the CyberNOT list, a service of CyberPatrol. The WebB

WebBlocker categories94measures. Topic includes groups that advocate violence as a means to achieve their goals. It also includes pages devoted to “ho

User Guide 5.0 95WebBlocker categoriesof maiming, bloody figures, and indecent depiction of bodily functions.Violence/ProfanityPictures or text exposi

Searching for blocked sites96adult personals, and sites devoted to selling pornographic CD-ROMs and videos.Full NudityPictures exposing any or all por

User Guide 5.0 97CHAPTER 8 Configuring Virtual Private NetworkingThis chapter describes an optional feature of the WatchGuard SOHO: Virtual Private Ne

What you will need98What you will need• One WatchGuard SOHO with VPN and an IPSec-compliant device. NOTEWhile you can create a SOHO to SOHO VPN, you

User Guide 5.0 99What you will needIP Address Table (example):Item Description Assigned ByExternal IP AddressThe IP address that identifies the SOHO t