
NETWORK SECURITY ESSENTIALS FOR LOCALLY-MANAGED FIREBOXES
Network Security Essentials – Local Management

 Local versus cloud management

 How to navigate this course

 Exam information
Local vs Cloud Management

Local Management
• Firebox is managed using WatchGuard System Manager or the Fireware Web UI
• Management connections must be made to the Firebox directly
• Full feature set

Cloud Management
• Firebox is managed using WatchGuard Cloud
• Configuration changes are made in WatchGuard Cloud and pushed to the Firebox
• Growing feature set

This video might not include recent product updates

Navigating the Course

Modules:
• Network and Security Basics
• Firebox Administration and Setup
• Logging and Monitoring
• Networking on the Firebox
• Firewall Policies
• Security Services
• Certificates
• Authentication
• Virtual Private Networks

Resources:
• Video Course
• Lab Book
• Study Guide
• Exam

 Course information

 Exam information
NETWORK SECURITY BASICS
MAC Addresses

 What is a MAC address?

 Overview of types of MAC addresses

▪ Why is a MAC address needed?

 How to find the MAC address for a computer


What is a MAC Address?

▪ MAC stands for Media Access Control
▪ Unique identifier assigned to a Network Interface Card (NIC)
▪ Set by the manufacturer as the physical (burned-in) address of each NIC; most operating systems let you override it in software, so a MAC address on its own is not a trustworthy identity
▪ 48-bit address, written in hexadecimal, used for Layer 2 communication

  00-90-7F-19-04-4A
  |______| |______|
  OUI       Unique identifier
  (Organizationally Unique Identifier, the first 3 bytes, assigned by the IEEE to the vendor; the last 3 bytes are assigned by the vendor to the NIC)
Types of MAC Addresses

▪ Unicast – Unique MAC address assigned to one interface; the same address written three ways:
  00:90:7F:19:04:4A (Linux/Apple), 00-90-7F-19-04-4A (Windows), 0090.7F19.044A (Cisco)

▪ Multicast – MAC address used for applications or protocols that send from one host to many
  01-00-5E-00-00-05 (01-00-5E is the IPv4 multicast prefix; the lowest bit of the first octet is set for every group address)

▪ Broadcast – MAC address that reaches all devices within a local network segment
  FF-FF-FF-FF-FF-FF
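The three notations and three address types above are easy to get wrong when you filter a capture or write an allow-list, so here is an added example (not part of the course material) that normalizes any of the three formats, extracts the OUI, and classifies an address from its bits: the low bit of the first octet (Individual/Group) marks multicast, all-ones is broadcast, and the second-lowest bit (Universal/Local) marks a locally administered address, which is what a spoofed or randomized MAC usually looks like. The OUI table is a constructed stand-in; a real tool would query the IEEE MA-L registry.

```python
import re

# Constructed vendor table for the demo only; look up real prefixes in the IEEE MA-L registry.
OUI_TABLE = {"00:90:7F": "vendor assumed for this example"}

BROADCAST = 0xFFFFFFFFFFFF
IPV4_MCAST_PREFIX = 0x01005E          # 01-00-5E-00-00-00 .. 01-00-5E-7F-FF-FF


def parse_mac(text: str) -> int:
    """Accept Linux/Apple (aa:bb:cc:dd:ee:ff), Windows (AA-BB-CC-DD-EE-FF) and
    Cisco (aabb.ccdd.eeff) notation and return the 48-bit value as an int."""
    hexdigits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(hexdigits, 16)


def format_mac(value: int, style: str = "linux") -> str:
    raw = f"{value:012X}"
    if style == "linux":
        return ":".join(raw[i:i + 2] for i in range(0, 12, 2))
    if style == "windows":
        return "-".join(raw[i:i + 2] for i in range(0, 12, 2))
    if style == "cisco":
        return ".".join(raw[i:i + 4].lower() for i in range(0, 12, 4))
    raise ValueError(f"unknown style {style!r}")


def classify_mac(text: str) -> dict:
    """Classify by the two control bits of the first octet plus the all-ones check."""
    value = parse_mac(text)
    first_octet = value >> 40
    ig_bit = first_octet & 0x01          # Individual/Group: 1 = group (multicast) address
    ul_bit = first_octet & 0x02          # Universal/Local: 1 = locally administered (not vendor-assigned)
    if value == BROADCAST:
        kind = "broadcast"
    elif ig_bit:
        kind = "multicast"
    else:
        kind = "unicast"
    oui = format_mac(value, "linux")[:8]
    return {
        "canonical": format_mac(value, "linux"),
        "type": kind,
        "oui": oui,
        # A vendor lookup only means something for globally administered unicast addresses.
        "vendor": OUI_TABLE.get(oui) if kind == "unicast" and not ul_bit else None,
        "locally_administered": bool(ul_bit),
        "ipv4_multicast": kind == "multicast" and (value >> 24) == IPV4_MCAST_PREFIX and not (value >> 23) & 1,
    }
```

A locally administered unicast address is not proof of spoofing (virtual machines, containers and privacy-randomizing Wi-Fi clients set that bit legitimately), but it is the first thing to check when a "known" device's MAC does not resolve to its vendor.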
Why MAC Addresses?
Locate the MAC Address
Key Takeaways – MAC Addresses

▪ MAC address stands for Media Access Control
▪ Different types are Unicast, Multicast and Broadcast
▪ MAC addresses are used for communication at Layer 2
▪ Locate a MAC address on a host with ipconfig /all (Windows) or ifconfig / ip link (Linux, macOS)


IP Addresses

 What is an IP address?

 Overview of IP addresses

 Overview of binary and decimal

 How to find the IP address of a computer


What is an IP Address?

• A unique address that identifies a device connected to a computer network.
• IP stands for Internet Protocol, the set of rules for the format of data sent across networks.
• Two IP versions currently exist on the global internet, IPv4 and IPv6.

  192.168.125.152                              (IPv4, 32 bits)
  2001:0db8:0000:1234:0000:0567:0008:0001      (IPv6, 128 bits)
IPv4 Address

32 bits, written as four 8-bit octets in dotted-decimal notation:

  OCTET      OCTET      OCTET      OCTET
  192       .168       .125       .152
  11000000   10101000   01111101   10011000
IPv4 Address

  Network              Host
  192.168.125       .  152
  255.255.255       .  0        = /24 (the subnet mask; 1 bits mark the network portion)
Binary

Each bit is either on (1) or off (0). The eight bits of an octet carry the place values 128 64 32 16 8 4 2 1, so 00100101 = 32 + 4 + 1 = 37.

Binary / Decimal

  Decimal   128 64 32 16  8  4  2  1   Binary
  35          0  0  1  0  0  0  1  1   00100011  (32 + 2 + 1)
  0           0  0  0  0  0  0  0  0   00000000
  3           0  0  0  0  0  0  1  1   00000011  (2 + 1)
  255         1  1  1  1  1  1  1  1   11111111  (all place values)
  1           0  0  0  0  0  0  0  1   00000001
  2           0  0  0  0  0  0  1  0   00000010
Decimal / Binary

192.168.125.152 = 11000000 10101000 01111101 10011000

  Octet   128 64 32 16  8  4  2  1   Binary     Sum
  192       1  1  0  0  0  0  0  0   11000000   128 + 64
  168       1  0  1  0  1  0  0  0   10101000   128 + 32 + 8
  125       0  1  1  1  1  1  0  1   01111101   64 + 32 + 16 + 8 + 4 + 1
  152       1  0  0  1  1  0  0  0   10011000   128 + 16 + 8
Locate an IP in Windows: ipconfig
Locate an IP in Linux / macOS: ip addr (Linux) or ifconfig (macOS and older Linux)

Key Takeaways – IP Addresses

▪ Understand what an IP address is
▪ Understand IPv4 addressing (octets, network and host portion)
▪ Understand binary and decimal conversion
▪ Locate a host's IP address


ARP

 What is ARP and what is it used for?

 Making ARP visible


What is ARP?

▪ ARP stands for Address Resolution Protocol
▪ Mechanism that resolves an IP address to the MAC address that owns it, so hosts can reach each other across a Layer 2 switched network
▪ ARP has no authentication: any host on the segment can answer for any IP address, which is what ARP spoofing (and man-in-the-middle on a LAN) relies on
ARP

Example: four hosts on 192.168.1.0/24 (192.168.1.1 through 192.168.1.4). Host 192.168.1.2 (00:0c:29:c8:52:62) wants to reach 192.168.1.4.

Wireshark / tcpdump view:

  Source             Destination        Protocol  Info
  00:0c:29:c8:52:62  ff:ff:ff:ff:ff:ff  ARP       Who has 192.168.1.4? Tell 192.168.1.2
  00:0c:29:2d:f0:03  00:0c:29:c8:52:62  ARP       192.168.1.4 is at 00:0c:29:2d:f0:03

The request is broadcast to every host on the segment; 192.168.1.1 and 192.168.1.3 ignore it ("Not me!"), 192.168.1.4 answers ("That's me!") with a unicast reply, and 192.168.1.2 caches the result for later frames.

View the ARP cache:
  Windows (cmd):    arp -a
  Linux (terminal): arp -a (or ip neigh on current distributions)
Key Takeaways – ARP

 Understand what ARP is

 Understand how ARP works


Subnetting

▪ What is subnetting and why is it used?
▪ How to find the network IP, the broadcast IP and the usable IP address range from an IP address and its subnet mask
IPv4 Address

  Network              Host
  192.168.125       .  152
  255.255.255       .  0
IP Address Classes

  Class              Range                           Default Subnet Mask   Hosts per Network
  A                  1.0.0.0 – 126.255.255.255       255.0.0.0             16,777,214
  B                  128.0.0.0 – 191.255.255.255     255.255.0.0           65,534
  C                  192.0.0.0 – 223.255.255.255     255.255.255.0         254
  D (Multicast)      224.0.0.0 – 239.255.255.255     n/a                   n/a
  E (Experimental)   240.0.0.0 – 255.255.255.254     n/a                   n/a

Total IPv4 address space: 4,294,967,296 addresses (2^32)
IP Address Classes – Reserved Ranges

  0.0.0.0 – 0.255.255.255          "This network" (RFC 1122); 0.0.0.0/0 is also the notation for the default route
  127.0.0.0 – 127.255.255.255      Localhost / loopback
  169.254.0.0 – 169.254.255.255    Link-local addresses (self-assigned when no DHCP server answers)
  255.255.255.255                  Limited broadcast
IP Address Classes – Public vs. Private

  Class   Public Range                   Private Range (RFC 1918)                           Mask of the private block
  A       1.0.0.0 – 126.255.255.255      10.0.0.0 – 10.255.255.255 (10.0.0.0/8)             255.0.0.0 (one class A network)
  B       128.0.0.0 – 191.255.255.255    172.16.0.0 – 172.31.255.255 (172.16.0.0/12)        255.240.0.0 (16 class B networks)
  C       192.0.0.0 – 223.255.255.255    192.168.0.0 – 192.168.255.255 (192.168.0.0/16)     255.255.0.0 (256 class C networks)

IPv6 address space: 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses (2^128)
CIDR and CIDR Notation

Classless Inter-Domain Routing: the prefix length after the slash replaces the class. A class C network in CIDR notation:

  203.0.113.0/24  =  mask 255.255.255.0

The same /24 can be carved into blocks of different sizes, for example one /25, one /26 and two /27s (128 + 64 + 32 + 32 = 256 addresses), instead of being locked to the classful size.


IPv4 Subnetting

192.168.64.7 /27 (mask 255.255.255.224)

                       192       .168       .64        .7
  Address              11000000   10101000   01000000   00000111   192.168.64.7
  Mask (/27)           11111111   11111111   11111111   11100000   255.255.255.224
  Address AND mask     11000000   10101000   01000000   00000000   192.168.64.0    (network)
  Host bits all ones   11000000   10101000   01000000   00011111   192.168.64.31   (broadcast)

  Usable IP addresses = 192.168.64.1 – 192.168.64.30 (30 hosts)


IPv4 Subnetting

192.168.64.7 /23 (mask 255.255.254.0)

                       192       .168       .64        .7
  Address              11000000   10101000   01000000   00000111   192.168.64.7
  Mask (/23)           11111111   11111111   11111110   00000000   255.255.254.0
  Address AND mask     11000000   10101000   01000000   00000000   192.168.64.0    (network)
  Host bits all ones   11000000   10101000   01000001   11111111   192.168.65.255  (broadcast)

  Usable IP addresses = 192.168.64.1 – 192.168.65.254 (510 hosts)
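The two worked subnets above and the binary/decimal tables earlier in this module are the same arithmetic: expand each octet into its place values, AND the address with the mask for the network, OR in the host bits for the broadcast. Here is an added example (not from the course) that does that arithmetic by hand, without the ipaddress module, so every step on the slides is visible in code. It also covers the /31 and /32 edge cases that the "minus two" rule gets wrong, and it rejects a non-contiguous mask such as 255.0.255.0, which some tools silently accept.

```python
PLACE_VALUES = (128, 64, 32, 16, 8, 4, 2, 1)


def octet_to_bits(octet: int) -> str:
    """Expand one octet into its 8 place values, exactly as the slide tables do."""
    if not 0 <= octet <= 255:
        raise ValueError(f"octet out of range: {octet}")
    return "".join("1" if octet & weight else "0" for weight in PLACE_VALUES)


def ip_to_bits(ip: str) -> str:
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    return ".".join(octet_to_bits(int(p)) for p in parts)


def ip_to_int(ip: str) -> int:
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not a valid IPv4 address: {ip!r}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/n -> 32-bit mask with n leading ones (/27 -> 255.255.255.224)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: /{prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask: str) -> int:
    """Dotted mask -> prefix length; refuses masks whose ones are not contiguous."""
    value = ip_to_int(mask)
    prefix = bin(value).count("1")
    if prefix_to_mask(prefix) != value:
        raise ValueError(f"not a contiguous subnet mask: {mask}")
    return prefix


def subnet_info(cidr: str) -> dict:
    """Network, broadcast and usable range for 'a.b.c.d/n' or 'a.b.c.d/m.m.m.m'."""
    ip, _, suffix = cidr.partition("/")
    prefix = int(suffix) if suffix.isdigit() else mask_to_prefix(suffix)
    mask = prefix_to_mask(prefix)
    network = ip_to_int(ip) & mask               # address AND mask
    broadcast = network | (~mask & 0xFFFFFFFF)   # network with all host bits set
    if prefix >= 31:
        # /31 point-to-point links (RFC 3021) use both addresses; a /32 is a single host.
        first, last, usable = network, broadcast, 2 if prefix == 31 else 1
    else:
        first, last, usable = network + 1, broadcast - 1, broadcast - network - 1
    return {
        "network": int_to_ip(network), "mask": int_to_ip(mask), "prefix": prefix,
        "broadcast": int_to_ip(broadcast), "first_usable": int_to_ip(first),
        "last_usable": int_to_ip(last), "usable_hosts": usable,
        "address_bits": ip_to_bits(ip), "mask_bits": ip_to_bits(int_to_ip(mask)),
    }
```

subnet_info("192.168.64.7/27") reproduces the first slide (192.168.64.0, broadcast .31, usable .1 to .30) and subnet_info("192.168.64.7/23") the second (broadcast 192.168.65.255, 510 usable hosts). When you write a firewall policy, feed it the network address from this calculation, not the host address you happened to be given; a policy on 192.168.64.7/27 and one on 192.168.64.0/27 mean the same thing to the router but not to the next person reading the rule.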


Takeaway – Subnetting

 Subnetting is a way to divide a network into subnetworks

 IP classes define the size of the network and host portion

 IP classes have public and private networks

 CIDR has replaced the previous classful network addressing

▪ How to find the network IP, the broadcast IP, and the usable IP address range from an IP address and its subnet mask
Routing

 What is routing?

 Types of routing

 Understand the logic of routing


What is Routing?

▪ Routing is the process that decides the path traffic takes between networks, possibly across several intermediate networks
▪ Routing decisions are based on routing tables, which are found in routers, firewalls, and Layer 3 switches
Types of Routing

▪ Static Routing
  Sends packets along a manually configured path to their destination

▪ Default Routing
  Sends all packets to the same next hop (the 0.0.0.0/0 entry) unless a more specific route entry exists for the destination

▪ Dynamic Routing (RIP, OSPF, BGP, EIGRP)
  Adjusts routes automatically, based on conditions advertised between routing devices
Routing

Example topology: an edge router (the Firebox) with eth0 on 203.0.113.0/24 (ISP gateway 203.0.113.1) and eth1 = 192.168.1.1 on 192.168.1.0/24. Two internal routers hang off that segment: 192.168.1.2 (its eth1 is 192.168.2.1 on 192.168.2.0/24) and 192.168.1.3 (its eth1 is 192.168.3.1 on 192.168.3.0/24). A Windows host 192.168.2.2 sits on 192.168.2.0/24.

Edge router – IPv4 routes

  Destination   Gateway       Genmask          Metric  Interface
  0.0.0.0       203.0.113.1   0.0.0.0          10      eth0       default route
  203.0.113.0   0.0.0.0       255.255.255.0    0       eth0       directly connected
  192.168.1.0   0.0.0.0       255.255.255.0    0       eth1       directly connected
  192.168.2.0   192.168.1.2   255.255.255.0    1       eth1       static route via internal router
  192.168.3.0   192.168.1.3   255.255.255.0    1       eth1       static route via internal router

RFC 1918 private address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are not routable on the Internet: the ISP behind 203.0.113.1 drops them, so traffic from these networks must be translated (NAT) before it leaves eth0.

Windows host 192.168.2.2 – route print

  IPv4 Route Table
  ===========================================================================
  Active Routes:
  Network Destination        Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0      192.168.2.1  192.168.2.2     15
        192.168.2.0    255.255.255.0         On-link   192.168.2.2    271
        192.168.2.2  255.255.255.255         On-link   192.168.2.2    271
      192.168.2.255  255.255.255.255         On-link   192.168.2.2    271
  ===========================================================================
  Persistent Routes:
    None

Internal router 192.168.1.2 / 192.168.2.1 – IPv4 routes

  Destination   Gateway       Genmask          Metric  Interface
  0.0.0.0       192.168.1.1   0.0.0.0          10      eth0
  192.168.1.0   0.0.0.0       255.255.255.0    0       eth0
  192.168.2.0   0.0.0.0       255.255.255.0    0       eth1
  192.168.3.0   192.168.1.3   255.255.255.0    1       eth0

Internal router 192.168.1.3 / 192.168.3.1 – IPv4 routes

  Destination   Gateway       Genmask          Metric  Interface
  0.0.0.0       192.168.1.1   0.0.0.0          10      eth0
  192.168.1.0   0.0.0.0       255.255.255.0    0       eth0
  192.168.3.0   0.0.0.0       255.255.255.0    0       eth1
  192.168.2.0   192.168.1.2   255.255.255.0    1       eth0

A router picks the most specific (longest-prefix) matching entry; 0.0.0.0/0 matches everything and is used only when nothing else does. Gateway 0.0.0.0 (On-link on Windows) means the destination is directly connected, so the router ARPs for it instead of forwarding to a next hop.
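To make the lookup rule concrete, here is an added example (not part of the course) that parses the edge router's table from the slide and performs the forwarding decision a router makes: longest prefix wins, metric breaks ties, and a gateway of 0.0.0.0 means "directly connected, ARP for the destination itself". It also applies the slide's point about RFC 1918 space: a private destination that only matches the default route would be handed to the ISP, which drops it, so a firewall should blackhole and log it instead of leaking it out of the WAN interface. The route table text is copied from the slide; the function and field names are this example's own.

```python
import ipaddress

# The edge router's table from the slide (Destination Gateway Genmask Metric Interface).
EDGE_ROUTE_TABLE = """
0.0.0.0      203.0.113.1   0.0.0.0         10  eth0
203.0.113.0  0.0.0.0       255.255.255.0    0  eth0
192.168.1.0  0.0.0.0       255.255.255.0    0  eth1
192.168.2.0  192.168.1.2   255.255.255.0    1  eth1
192.168.3.0  192.168.1.3   255.255.255.0    1  eth1
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_routes(table: str) -> list:
    """Turn 'route -n' style text into route entries; 'a.b.c.d/m.m.m.m' is accepted by ipaddress."""
    routes = []
    for line in table.strip().splitlines():
        dest, gateway, genmask, metric, iface = line.split()
        routes.append({
            "network": ipaddress.ip_network(f"{dest}/{genmask}", strict=False),
            "gateway": None if gateway == "0.0.0.0" else ipaddress.ip_address(gateway),
            "metric": int(metric),
            "interface": iface,
        })
    return routes


def lookup(routes: list, destination: str) -> dict:
    """Forwarding decision: longest prefix wins, lowest metric breaks ties."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r["network"]]
    if not candidates:
        raise LookupError(f"no route to {destination}")
    best = max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))
    # Gateway 0.0.0.0 ("On-link" on Windows) = directly connected: the next hop is the destination.
    next_hop = best["gateway"] if best["gateway"] is not None else dst
    return {"route": str(best["network"]), "interface": best["interface"], "next_hop": str(next_hop)}


def is_rfc1918(address: str) -> bool:
    return any(ipaddress.ip_address(address) in net for net in RFC1918)


def forward(routes: list, destination: str) -> dict:
    """Lookup plus the slide's rule: private destinations must not be handed to the ISP."""
    decision = lookup(routes, destination)
    # Only the default route matched and the destination is private: the ISP would drop it.
    # A firewall should discard (and log) such packets rather than send them out the WAN.
    decision["drop_unroutable_private"] = is_rfc1918(destination) and decision["route"] == "0.0.0.0/0"
    return decision


EDGE_ROUTES = parse_routes(EDGE_ROUTE_TABLE)
```

Running forward(EDGE_ROUTES, "10.5.5.5") against this table flags the packet, while "192.168.2.50" is forwarded to 192.168.1.2 on eth1 because the /24 entry beats the /0 default. The same check is worth adding to any egress policy: private-to-public leaks are a reliable sign of a missing route or a missing NAT rule.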
Key Takeaways – Routing

▪ Routing is the process of deciding the path for traffic sent between networks, or across multiple networks, using routing tables

 Types of routing are Static, Default and Dynamic

 Private IP address ranges are not routable on the internet


NAT

 What is NAT and why is it needed?

 Types of NAT
What is NAT and why is it needed?

▪ NAT stands for Network Address Translation
▪ Translates IP addresses from one network to another
▪ The shortage of IPv4 addresses led to the private address ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 (RFC 1918), which can be reused on every private LAN but cannot be routed on the Internet; NAT lets those hosts share one or a few public addresses
▪ NAT hides the internal topology as a side effect, but it is not an access control: what may enter or leave is decided by the firewall policies, not by the translation

Types of NAT

▪ Dynamic NAT (DNAT in WatchGuard terminology)
▪ Static NAT (SNAT in WatchGuard terminology)
▪ Port Address Translation (PAT)

Note: in RFC 2663 and most other vendors' documentation, SNAT and DNAT mean source NAT and destination NAT. WatchGuard's Dynamic NAT is a source NAT and its Static NAT is a destination NAT; keep this in mind when reading generic material.


Dynamic NAT / PAT

Dynamic NAT: translate 192.168.1.0/24 (gateway 192.168.1.1) to an external public IP address, or to a pool of them (203.0.113.131–203.0.113.132), when hosts connect to 198.51.100.6.

  NAT table (address pool, source ports unchanged):
    src 192.168.1.2:50001  dst 198.51.100.6:443   ->  src 203.0.113.131:50001  dst 198.51.100.6:443
    src 192.168.1.3:50002  dst 198.51.100.6:443   ->  src 203.0.113.132:50002  dst 198.51.100.6:443

Port Address Translation (PAT): many inside hosts share one public IP; the source port is rewritten whenever two flows would otherwise collide.

  NAT table (single public IP 203.0.113.131):
    src 192.168.1.2:50001  dst 198.51.100.6:443   ->  src 203.0.113.131:50001  dst 198.51.100.6:443
    src 192.168.1.3:50001  dst 198.51.100.6:443   ->  src 203.0.113.131:50002  dst 198.51.100.6:443

Return traffic is matched against the table and translated back to the inside host; a packet from the Internet that matches no table entry has nowhere to go and is dropped.
Static NAT / PAT

Static NAT: a fixed mapping from a public IP (and port) to an inside server, so unsolicited inbound connections can reach it.

  Translate 203.0.113.131 port 25 to 192.168.1.2 (Mail) port 25
  Translate 203.0.113.131 port 80 or 443 to 192.168.1.3 (Web) port 80 or 443

    src 198.51.100.6:58881  dst 203.0.113.131:25   ->  src 198.51.100.6:58881  dst 192.168.1.2:25
    src 198.51.100.6:58882  dst 203.0.113.131:80   ->  src 198.51.100.6:58882  dst 192.168.1.3:80
    src 198.51.100.6:58883  dst 203.0.113.131:443  ->  src 198.51.100.6:58883  dst 192.168.1.3:443

Static PAT: the same, but the destination port is changed as well, so the server can listen on a non-standard port.

  Translate 203.0.113.131 port 25 to 192.168.1.2 port 2525
  Translate 203.0.113.131 port 80 or 443 to 192.168.1.3 port 8080 or 8443

    src 198.51.100.6:58881  dst 203.0.113.131:25   ->  src 198.51.100.6:58881  dst 192.168.1.2:2525
    src 198.51.100.6:58882  dst 203.0.113.131:80   ->  src 198.51.100.6:58882  dst 192.168.1.3:8080
    src 198.51.100.6:58883  dst 203.0.113.131:443  ->  src 198.51.100.6:58883  dst 192.168.1.3:8443

Every static NAT rule is an exposed service: restrict the policy that carries it to the ports (and, where possible, the source addresses) the server actually needs.
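The two NAT slides describe a connection-tracking table, and the behaviour that matters for security (what happens to a packet from the Internet that matches nothing) only becomes obvious when you build that table. This added example (not WatchGuard code; class and method names are this example's own) models a gateway with one public IP: dynamic PAT for outbound flows, reverse translation for their replies, and static NAT/PAT for published servers. The flows are the ones drawn on the slides; equal ports in the static map give static NAT, different ports give static PAT.

```python
class Packet:
    """Minimal 5-tuple stand-in for a TCP/UDP packet (constructed for this example)."""

    def __init__(self, src_ip, src_port, dst_ip, dst_port):
        self.src_ip, self.src_port, self.dst_ip, self.dst_port = src_ip, src_port, dst_ip, dst_port

    def __repr__(self):
        return f"src {self.src_ip}:{self.src_port} dst {self.dst_ip}:{self.dst_port}"


class NatGateway:
    """One public IP in front of a private LAN: dynamic PAT outbound, static NAT/PAT inbound.

    static_map maps a public port to (private_ip, private_port)."""

    def __init__(self, public_ip, static_map=None, first_port=50001):
        self.public_ip = public_ip
        self.static_map = dict(static_map or {})
        self.used_ports = set(self.static_map)   # published ports are never handed out by PAT
        self.next_port = first_port
        self.outbound = {}   # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.inbound = {}    # (public_port, remote_ip, remote_port) -> (src_ip, src_port)

    def _next_free_port(self):
        while self.next_port in self.used_ports:
            self.next_port += 1
        if self.next_port > 65535:
            raise RuntimeError("PAT port pool exhausted")
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def translate_outbound(self, pkt):
        """LAN -> WAN: rewrite the source. Keep the original source port while it is free,
        otherwise allocate a new one (the PAT row on the slide)."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            port = pkt.src_port if pkt.src_port not in self.used_ports else self._next_free_port()
            self.used_ports.add(port)
            self.outbound[key] = port
            self.inbound[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt):
        """WAN -> LAN: a reply to a flow we opened, a published service, or nothing (dropped)."""
        if pkt.dst_ip != self.public_ip:
            return None
        reply = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if reply:
            return Packet(pkt.src_ip, pkt.src_port, reply[0], reply[1])
        if pkt.dst_port in self.static_map:
            private_ip, private_port = self.static_map[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)
        return None   # unsolicited and unpublished: the gateway has nowhere to send it


def slide_scenario():
    """Replays the flows drawn on the Dynamic NAT/PAT and Static PAT slides."""
    gw = NatGateway("203.0.113.131",
                    {25: ("192.168.1.2", 2525), 80: ("192.168.1.3", 8080), 443: ("192.168.1.3", 8443)})
    first = gw.translate_outbound(Packet("192.168.1.2", 50001, "198.51.100.6", 443))
    second = gw.translate_outbound(Packet("192.168.1.3", 50001, "198.51.100.6", 443))  # port clash -> PAT
    reply = gw.translate_inbound(Packet("198.51.100.6", 443, "203.0.113.131", second.src_port))
    mail = gw.translate_inbound(Packet("198.51.100.6", 58881, "203.0.113.131", 25))
    probe = gw.translate_inbound(Packet("198.51.100.6", 58884, "203.0.113.131", 3389))  # not published
    return {"first": first, "second": second, "reply": reply, "mail": mail, "probe": probe}
```

The probe to port 3389 returning None is the whole point of the "NAT is not a firewall" remark above: it is dropped because no table entry exists, not because any policy decided so. The moment you publish a port with static NAT, that implicit protection is gone for that port and only the policy attached to the rule stands between the Internet and the server.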
Key Takeaways NAT

 NAT stands for Network Address Translation

 Translates IP addresses from one network to another

 Dynamic NAT (DNAT)

 Static NAT (SNAT)

 Port Address Translation (PAT)


VLAN

▪ VLAN stands for Virtual Local Area Network
▪ Enables you to separate devices into different Layer 2 networks (broadcast domains) without re-cabling

VLAN

▪ Default VLAN 1: every switch port belongs to it until configured otherwise
▪ Access ports (untagged): carry a single VLAN; the endpoint never sees a tag
▪ Trunk ports (tagged): carry several VLANs (e.g. VLAN 10, 20, 30, 40) between switches or to a firewall, each frame carrying its VLAN ID
▪ Max. VLANs = 4094 (IDs 2–4094 are configurable in addition to the default VLAN 1; 0 and 4095 are reserved)

Ethernet Frame with IEEE 802.1Q tag

  | Dst. MAC | Src. MAC | 802.1Q tag (4 bytes) | Type | Data | FCS |

  802.1Q tag = TPID (Tag Protocol Identifier, 16 bits, value 0x8100) identifies the frame as 802.1Q tagged
             + TCI (Tag Control Information, 16 bits): 3-bit priority, 1-bit drop-eligible indicator, 12-bit VLAN ID

A VLAN is a security boundary only if traffic between VLANs is forced through a Layer 3 device (the Firebox) that applies policy; a mismatched native (untagged) VLAN on a trunk is the classic way for frames to end up in the wrong VLAN.
Key Takeaways – VLAN

 VLAN stands for Virtual Local Area Network

 VLAN 1 is the standard or default VLAN

 You can configure from 2 to 4094 VLANs

▪ Use access ports (untagged) to connect endpoint devices, such as computers
▪ Trunk ports carry multiple VLANs and tag frames with VLAN IDs to tell them apart
▪ VLAN membership is not tied to a location (floor, building) when you use trunk ports
TCP vs. UDP

▪ TCP stands for Transmission Control Protocol
▪ UDP stands for User Datagram Protocol
▪ Applications choose how to send data: connection-oriented (TCP) or datagram-oriented (UDP) transmission
▪ TCP is the usual choice when data must arrive complete and in order


TCP

Connection setup (3-way handshake), data transfer and teardown:

  Client                          Server
  SYN                 -------->
                      <--------  SYN-ACK
  ACK                 -------->            connection established
  Sending data        -------->
                      <--------  ACK       data received; every segment is sequenced,
                                           acknowledged and checksummed, lost segments are
                                           retransmitted, out-of-order ones are reassembled
  FIN                 -------->
                      <--------  ACK
                      <--------  FIN
  ACK                 -------->            connection closed

TCP Header (20 bytes without options)

  Source Port (16 bits)                          Destination Port (16 bits)
  Sequence Number (32 bits)
  Acknowledgment Number (32 bits)
  Data Offset (4 bits) | Reserved (3 bits) | Flags (9 bits) | Window Size (16 bits)
  Checksum (16 bits)                             Urgent Pointer (16 bits)
  Options / Padding (0–320 bits)
UDP

Sending data: no handshake, the datagram is simply sent; the application has to cope with loss, duplication and reordering.

UDP Header (8 bytes)

  Source Port (16 bits)                          Destination Port (16 bits)
  Length (16 bits)                               Checksum (16 bits)
Key Takeaways – TCP vs. UDP

  TCP                                              UDP
  • Heavyweight (slower)                           • Lightweight (faster)
  • Connection-oriented / reliable                 • Datagram-oriented / unreliable
  • Header size is 20–60 bytes                     • Header size is 8 bytes
  • 3-way handshake                                • No handshake
  • Sequencing and acknowledgment with error        • No sequencing and no acknowledgment;
    checking and recovery                            basic error checking using checksums
  • Reordering of out-of-sequence segments         • No reordering of datagrams
  • HTTP/HTTPS, SMTP, FTP                          • Voice/video calls, gaming, TV streaming
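The 802.1Q tag layout from the VLAN module and the TCP and UDP headers above are fixed-width binary structures, and a firewall engineer ends up decoding them by hand sooner or later (pcap triage, writing a Suricata rule, checking what a trunk port really carries). This added example (not course material) parses a raw Ethernet frame: it detects a 0x8100 TPID and pulls the VLAN ID out of the TCI, walks the IPv4 header, and decodes the TCP flag bits (including the 9th, NS) or the UDP length field. The two sample frames are constructed in the block, not captured traffic, and their checksums are left at zero; all function names are the example's own.

```python
import struct

ETHERTYPE_VLAN = 0x8100      # TPID of an IEEE 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]   # bit 0 .. bit 8


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    """Ethernet II header. If the EtherType is 0x8100, a 4-byte 802.1Q tag follows the source
    MAC: 16-bit TCI (3-bit PCP, 1-bit DEI, 12-bit VLAN ID) and then the real EtherType."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan_id, priority = 14, None, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority, vlan_id, offset = tci >> 13, tci & 0x0FFF, 18
    return {"dst": mac_str(dst), "src": mac_str(src), "vlan_id": vlan_id,
            "priority": priority, "ethertype": ethertype, "payload": frame[offset:]}


def parse_ipv4(packet: bytes) -> dict:
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("not a sane IPv4 header")
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "ttl": ttl, "protocol": proto, "payload": packet[ihl:total_len]}


def parse_tcp(segment: bytes) -> dict:
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4               # Data Offset: 20-60 bytes
    flag_bits = off_flags & 0x01FF                   # 9 flag bits, NS (RFC 3540) is bit 8
    flags = [name for bit, name in enumerate(TCP_FLAGS) if flag_bits >> bit & 1]
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "window": window,
            "flags": flags, "header_len": header_len, "payload": segment[header_len:]}


def parse_udp(datagram: bytes) -> dict:
    sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])   # Length, not Urgent Pointer
    return {"src_port": sport, "dst_port": dport, "length": length, "payload": datagram[8:length]}


def parse_frame(frame: bytes) -> dict:
    eth = parse_ethernet(frame)
    if eth["ethertype"] != ETHERTYPE_IPV4:
        return {"eth": eth, "ip": None, "l4": None}
    ip = parse_ipv4(eth["payload"])
    if ip["protocol"] == 6:
        l4 = dict(parse_tcp(ip["payload"]), proto="TCP")
    elif ip["protocol"] == 17:
        l4 = dict(parse_udp(ip["payload"]), proto="UDP")
    else:
        l4 = {"proto": ip["protocol"]}
    return {"eth": eth, "ip": ip, "l4": l4}


# --- constructed sample frames (not captured traffic); IP and L4 checksums are left at zero ---
def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    def quad(ip):
        return bytes(int(o) for o in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                       quad(src), quad(dst)) + payload


def build_frame(dst_mac: str, src_mac: str, ip_packet: bytes, vlan_id: int = None) -> bytes:
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id)    # TPID, then TCI with PCP 0 / DEI 0
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet


# TCP SYN from 192.168.1.2:50001 to 198.51.100.6:443 on VLAN 10 (data offset 5 words, SYN bit set)
SYN_FRAME = build_frame("00:90:7f:19:04:4a", "00:0c:29:c8:52:62",
    build_ipv4("192.168.1.2", "198.51.100.6", 6,
               struct.pack("!HHIIHHHH", 50001, 443, 1000, 0, (5 << 12) | 0x0002, 65535, 0, 0)),
    vlan_id=10)

# Untagged UDP DNS query from 192.168.1.4 to the gateway 192.168.1.1 (12-byte DNS header stub)
DNS_FRAME = build_frame("00:90:7f:19:04:4a", "00:0c:29:2d:f0:03",
    build_ipv4("192.168.1.4", "192.168.1.1", 17,
               struct.pack("!HHHH", 53412, 53, 8 + 12, 0) + b"\x00\x01\x01\x00\x00\x01" + b"\x00" * 6))
```

parse_frame(SYN_FRAME) reports VLAN 10 and flags ["SYN"]; parse_frame(DNS_FRAME) reports no VLAN, UDP length 20 and a 12-byte payload. Note that the UDP length and the IPv4 total length are trusted as read: a production parser must bound both by the bytes actually present before slicing, or a truncated frame becomes a crash or an over-read.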
Important Protocols

▪ Different applications and services need ports to communicate
▪ Well-known port numbers (0–1023) are permanently assigned to a service or application for consistency and easier troubleshooting
▪ Registered port numbers (1024–49151) can be registered by companies for their applications, but the same number may be used by more than one product
▪ Dynamic (ephemeral) port numbers (49152–65535) are assigned on the fly and are typically used as source ports for client connections
▪ A port number is a convention, not a guarantee: any program can listen on any port, so a policy that matches "port 443" knows the port, not the protocol
DHCP – Dynamic Host Configuration Protocol
  • UDP, ports 67 (server) and 68 (client)
  • Assigns IP addresses and other information (default gateway, DNS servers, etc.) to hosts on the network that are not statically configured

DNS – Domain Name System
  • TCP/UDP, port 53
  • Translates human-readable domain names into routable IP addresses for locating services and devices

HTTP – Hypertext Transfer Protocol
  • TCP, port 80
  • Used to load data from websites on the World Wide Web into a browser with methods such as GET or POST; not encrypted

HTTPS – Hypertext Transfer Protocol Secure
  • TCP, port 443
  • Performs the same as HTTP but is encrypted through SSL/TLS (Secure Sockets Layer / Transport Layer Security)

FTP – File Transfer Protocol
  • TCP, port 21 (control channel) and port 20 (data channel in active mode)
  • Used to transfer data between clients and servers
  • Clear text, including the credentials, unless using SSL/TLS (FTPS) or the unrelated SSH File Transfer Protocol (SFTP)

SSH – Secure Shell
  • TCP, port 22
  • Command-line access to servers and network equipment
  • Provides an encrypted and authenticated channel for communication

Telnet
  • TCP, port 23
  • Command-line access to servers and network equipment
  • Unlike SSH, Telnet connections are not encrypted; credentials cross the wire in clear text

POP3 – Post Office Protocol 3
  • TCP, port 110 (not encrypted) / port 995 (encrypted)
  • Email clients connect to a server to receive emails and store them locally on the device

IMAP – Internet Message Access Protocol
  • TCP, port 143 (not encrypted) / port 993 (encrypted)
  • Email clients connect to a server to retrieve emails, but the emails remain on the server so that multiple clients can access them simultaneously

SMTP – Simple Mail Transfer Protocol
  • TCP, port 25 (server-to-server, optional STARTTLS encryption) / port 465 (encrypted) / port 587 (client submission, STARTTLS)
  • Used by email clients and email servers to send emails

NTP – Network Time Protocol
  • UDP, port 123
  • Used to synchronize the clocks of computers; accurate time matters for certificate validity checks and log correlation

SNMP – Simple Network Management Protocol
  • UDP, port 161 (queries) and port 162 (traps)
  • Used to share status information between devices, often through a central system that identifies and monitors devices to keep track of status changes
  • SNMPv1 and v2c authenticate with a clear-text community string; SNMPv3 adds authentication and encryption
Key Takeaways – Important Protocols

▪ Ports are separated into 3 ranges:
  0–1023        Well-known port numbers
  1024–49151    Registered port numbers
  49152–65535   Dynamically assigned port numbers

▪ Remember the most important and most used well-known port protocols
Encryption

▪ Protects sensitive data from prying eyes
▪ Takes plain text data (such as an email or document) and uses a secret key to encrypt it into an unreadable format, called cipher text
▪ To decrypt the data, the key is required
▪ Encryption keys are generated from a cryptographically secure random source, so each key is unpredictable and unique; a key derived from a guessable value is only as strong as that value
▪ Cryptographic systems: Symmetric and Asymmetric (public key cryptography)

Symmetric vs. Asymmetric

Symmetric
• Same key used for encryption and decryption, shared between two or more entities
• Popular algorithms used to encrypt and decrypt data:
  o Block ciphers
    ‣ AES (Advanced Encryption Standard)
    ‣ DES/3DES (Data Encryption Standard; legacy, no longer acceptable for new use)
  o Stream ciphers
    ‣ ChaCha20 (with the Poly1305 authenticator, one of the TLS 1.3 cipher suites)
• More efficient, but not secure if an unwanted entity discovers the key

Asymmetric
• Pair of different keys used for encryption and decryption
  o Private key (kept safe and never shared)
  o Public key (shared with others), used to encrypt data for the key owner or to verify the owner's signatures
  o Both keys are mathematically related
• The most widely deployed algorithm is RSA (named after its inventors Rivest, Shamir and Adleman); elliptic-curve schemes (ECDH, ECDSA) are now at least as common in TLS
• Processing is more demanding and therefore mainly used to securely exchange a symmetric key (and to sign)
Symmetric Encryption

  A: "Hello" --[encrypt with Secret A]--> 29Pa3 / $#v@9 / 60/K* --[decrypt with Secret A]--> B: "Hello"

  Both sides hold the same Secret A; the hard part is getting that secret to B safely in the first place.

Asymmetric Encryption (RSA)

  A encrypts with Public B  -->  cipher text  -->  B decrypts with Private B
  B encrypts with Public A  -->  cipher text  -->  A decrypts with Private A

  Public keys are exchanged openly; only the matching private key can decrypt.

Diffie-Hellman Key Exchange

  Each side combines a shared public base with its own secret and sends the result over the open channel (the "public transport colour"). Combining the received value with its own secret again gives both sides the same common secret, which an eavesdropper who saw only the public values cannot reconstruct (the paint-mixing analogy: common base colour + own secret colour, exchange, add own secret colour once more).

Perfect Forward Secrecy (PFS): fresh ephemeral Diffie-Hellman key pairs for every session, so that compromising one session's key, or a long-term signing key, does not expose previously recorded sessions.
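The paint analogy maps onto modular exponentiation: "base colour" is a generator g of a group modulo a prime p, "add my secret" is raising to a private exponent, and the value each side puts on the wire (g^a mod p) is exactly the Key Share in the TLS handshakes described further down. This added example (not course or WatchGuard code) runs the exchange, derives a session key from the shared secret with an HKDF-style HMAC construction, and shows what Perfect Forward Secrecy means: two sessions with fresh ephemeral keys end up with unrelated keys. The group here is a demonstration group (the prime 2^127 - 1 with generator 3) chosen so the numbers stay readable; it offers no practical security, and real deployments use the 2048-bit-or-larger groups of RFC 3526/7919 or elliptic curves.

```python
import hashlib
import hmac
import secrets

# Demonstration group only. Note that generator 2 would be a bad choice for this prime:
# 2**127 == 1 (mod 2**127 - 1), so 2 generates a subgroup of just 127 elements. Validating
# group parameters, not only the peer's public value, is part of using DH safely.
P = 2**127 - 1
G = 3


def generate_keypair(group_p: int = P, group_g: int = G):
    """Ephemeral private exponent in [2, p-2] and the public value g^a mod p sent on the wire."""
    private = secrets.randbelow(group_p - 3) + 2
    public = pow(group_g, private, group_p)
    return private, public


def shared_secret(my_private: int, their_public: int, group_p: int = P) -> int:
    # Reject degenerate public values (0, 1, p-1): they force a predictable secret.
    if not 2 <= their_public <= group_p - 2:
        raise ValueError("invalid peer public value")
    return pow(their_public, my_private, group_p)


def derive_session_key(secret: int, transcript: bytes, length: int = 32) -> bytes:
    """HKDF-style extract-then-expand (RFC 5869 shape) over HMAC-SHA256. Mixing in the handshake
    transcript binds the key to this exchange, so a replayed key share yields a different key."""
    ikm = secret.to_bytes((secret.bit_length() + 7) // 8, "big")
    prk = hmac.new(b"dh-demo-salt", ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + transcript + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def handshake(transcript: bytes = b"ClientHello|ServerHello") -> dict:
    """One ephemeral exchange: both sides end with the same key although only the
    public values crossed the wire."""
    a_priv, a_pub = generate_keypair()
    b_priv, b_pub = generate_keypair()
    key_a = derive_session_key(shared_secret(a_priv, b_pub), transcript)
    key_b = derive_session_key(shared_secret(b_priv, a_pub), transcript)
    return {"on_the_wire": (a_pub, b_pub), "key_a": key_a, "key_b": key_b}


def forward_secrecy_check() -> bool:
    """Fresh ephemeral keys per session: learning session 2's key says nothing about session 1.
    With RSA key transport, one leaked long-term private key would unlock every recorded session."""
    first, second = handshake(), handshake()
    return (first["key_a"] == first["key_b"] and second["key_a"] == second["key_b"]
            and first["key_a"] != second["key_a"])
```

The derived key is what the symmetric cipher (AES-GCM or ChaCha20-Poly1305 in TLS) then uses for the bulk data, which is the "methods are combined" point in the takeaways below. Only the exchange itself is shown here; authenticating the key shares (the certificate and signature in the TLS handshake) is what stops an active attacker from running this protocol with each side separately.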


TLS (Transport Layer Security)

▪ Various revisions
▪ TLS 1.0 (replaced SSL v3) – should no longer be used due to vulnerabilities
▪ TLS 1.1 – never widely adopted; deprecated together with TLS 1.0 by RFC 8996
▪ TLS 1.2 – most widely used version and remains secure when configured with modern cipher suites (ECDHE key exchange, AEAD ciphers)
▪ TLS 1.3 – published in 2018 (RFC 8446) and brought more security and efficiency
  ‣ Supports only algorithms with no known weaknesses and only key exchanges that provide PFS (Perfect Forward Secrecy); static RSA key transport is gone
TLS 1.2 (two round trips before application data)

  Client                                              Server
  ClientHello (supported cipher suites)    -------->
                                           <--------  ServerHello (chosen cipher suite),
                                                      Certificate, Signature over the key share,
                                                      Key Share (ServerKeyExchange)
  Certificate check; calculates session key
  from server's key share + own key share
  Key Share (ClientKeyExchange), Finished  -------->
                                                      Calculates session key from client's
                                                      and own key share
                                           <--------  Finished
  HTTP Request (encrypted)                 -------->
                                           <--------  HTTP Response (encrypted)

TLS 1.3 (one round trip before application data)

  Client                                              Server
  ClientHello (supported cipher suites,
  assumed key agreement group, Key Share)  -------->
                                                      Calculates session key from client's
                                                      key share and own key share
                                           <--------  ServerHello (chosen cipher suite, key agreement, Key Share),
                                                      then, encrypted with the session key:
                                                      Certificate, Signature (CertificateVerify), Finished
  Certificate check; calculates session key
  Finished                                 -------->
  HTTP Request (encrypted)                 -------->
                                           <--------  HTTP Response (encrypted)

Because the client sends its key share speculatively, the server certificate is already encrypted in TLS 1.3; a passive observer sees it only in TLS 1.2. This is also why content inspection on the Firebox must terminate the connection rather than read it.
Key Takeaways – Encryption

▪ All methods protect sensitive data
▪ Symmetric (secret key) encryption workflow
▪ Asymmetric (public key) encryption workflow with the RSA algorithm
▪ Diffie-Hellman (DH) key exchange workflow
▪ TLS v1.2 vs. v1.3 comparison
▪ Depending on the purpose, encryption methods are typically combined (hybrid encryption) to provide optimal security and performance

Firebox Certificates Overview

 Certificate types to import on the Firebox

 Certificate formats that the Firebox accepts

 Important tips for certificate management


Certificate Categories

Web Server
• Used for most Firebox functions
  ▪ Management access
  ▪ Web portals (Fireware Web UI, Authentication Portal, Access Portal, etc.)
  ▪ VPNs (BOVPN, mobile VPN)
  ▪ Proxy Server: inbound traffic with TLS decryption (Content Inspection)

Certificate Authority
• Proxy Authority: outbound traffic with TLS decryption (Content Inspection)
  ▪ Certificate re-signing uses this CA, so its certificate must be trusted by every client behind the Firebox and its private key deserves the same protection as a real CA key: whoever holds it can impersonate any site to those clients
• Trusted Certificate Authorities for the Firebox

Certificate Formats

• Base64-encoded PEM file
  ▪ Unencrypted
  ▪ Typically requires you to import multiple files (certificate, private key, intermediate chain)
• PFX (PKCS #12) archive file
  ▪ Encrypted with a passphrase
  ▪ Typically contains the full certificate chain together with the private key

Important Tips

• Plan for certificate expiration
• Do not lose or distribute your private key
• Make sure to import the correct type of certificate into the relevant Firebox certificate category

Key Takeaways

 Most certificates you import will be web server certificates

 PFX files are the simplest import option

 Plan your certificate deployment, and prepare for certificate expirations


Certificates

▪ Digital certificates are electronic documents that prove the ownership of public keys
▪ Certificates include information about the public key, the identity of the owner (Subject), the validity period, and a digital signature of a Certificate Authority or CA (Issuer) that verified its correctness
▪ As part of a public-key infrastructure (PKI), certificates authenticate users or devices online and let them encrypt data or messages in transit
▪ PKI certificates rest on trust: the signing authorities are trusted, so a CA that mis-issues, or whose key leaks, undermines every certificate beneath it
Certificate Signing Request (CSR)

Company side: generate a key pair. The private key stays on the device; only the public key goes into the CSR.
  ▪ Algorithm (RSA, DSA, ECC)
  ▪ Length of key (depends on algorithm)
  ▪ Key Usage (Encryption and/or Signature)

CSR subject fields:
  ▪ Common Name (CN): Fully Qualified Domain Name (FQDN) or wildcard certificate (*.domain.tld); current clients match the Subject Alternative Name extension, so every name must be listed there as well
  ▪ Organization (O): Company
  ▪ Locality (L): City
  ▪ Country (C): Two-letter country code

Certificate Authority (CA) side: verifies the request and returns the signed certificate.

Key algorithms:
  RSA = named after its inventors Ron Rivest, Adi Shamir and Leonard Adleman (1024/2048/4096/8192 bits; 1024-bit keys are no longer accepted by browsers or public CAs, use 2048 or more)
  DSA = Digital Signature Algorithm (1024/2048/3072 bits per FIPS 186-4; deprecated for new certificates)
  ECC = Elliptic Curve Cryptography (256-bit ECC is roughly equivalent in strength to 3072-bit RSA)
Example through an HTTPS Connection

  1. Asymmetric cryptography (certificate, SSL/TLS): the server presents its certificate; the client checks it against its list of Trusted Root Certification Authorities and, using the certificate's public key (or a key share signed with the matching private key), agrees on a session key that only the holder of the server's private key can derive.
  2. Symmetric cryptography: both sides now hold the same session key and use it to encrypt the actual data in both directions.
Chain of Trust

  Root CA Certificate (self-signed)
    Root CA name, Root CA public key, Root CA signature (signed with its own key; trusted only because it is pre-installed in the client's trust store)
      | validation / signing
      v
  Intermediate CA Certificate
    Issuer CA name, Issuer CA public key, signed with the Root CA key (chains to the root)
      | validation / signing
      v
  End-entity Certificate
    End-entity name, End-entity public key, signed with the Issuer (intermediate) CA key (chains to the issuer)

A client validates from the bottom up: each signature is checked with the public key of the certificate above it until a certificate in the local trust store is reached. The server must send the intermediate certificate(s) with its own; clients are not expected to fetch them.
Key Takeaways – Certificates

▪ Certificates signed by Certificate Authorities legitimize the owner that holds the public key
▪ Certificates are based on trust, or a chain of trust, because the signing authorities are trusted
▪ Store private keys safely and do not give them away
▪ Certificates contain information about domain(s), owner, issuer, and more


VPN

▪ VPN stands for Virtual Private Network
▪ Provides the ability to send data across unsafe or public networks (Internet) through encrypted tunnels so eavesdroppers cannot read the data
▪ Two main types of VPN – Site-to-Site (Branch Office) and Remote Access (Host-to-Network or Mobile VPN)
▪ VPN service providers offer a way to connect from public areas and hide traffic from the local network; the provider itself still sees the traffic, so this moves trust rather than removing it
Site-to-Site VPN (IPSec)

  HQ  <===== IKE Phase 1 (Gateway Configuration) =====>  Branch
      Sets up a secure, encrypted channel between the peers, which is then used to negotiate Phase 2

  HQ  <===== Phase 2 (Tunnel Configuration), called Quick Mode in IKEv1 =====>  Branch
      Contains the type of encapsulation (ESP or AH), the encryption and integrity algorithms, and the allowed networks

  HQ  <===== Tunnel: Data =====>  Branch

  IKEv1 Main Mode
  • Six-message handshake
  • Authentication and encryption algorithms, the Diffie-Hellman exchange, peer IDs and hash payloads are exchanged with the identities encrypted

  IKEv1 Aggressive Mode
  • Three-message handshake
  • Less secure: the authentication hash (of the PSK) and the peer IDs are sent unencrypted, so a captured exchange can be attacked offline against the PSK
  • Commonly used when peers have dynamic (not static) IP addresses

  IKEv2
  • Four-message handshake (IKE_SA_INIT and IKE_AUTH pairs)
  • Higher performance
  • No modes required; works with dynamic and static IP peers by default
  • NAT traversal and liveness checks are built in; prefer it for new tunnels
Site-to-Site VPN (IPSec) – Tunnel Switching

HQ as the hub: branch-to-branch data can be switched through the hub's VPN tunnels

▪ Centralized (Hub and Spoke)
▪ Decentralized (Full Mesh)
▪ Hybrid (Partial Mesh)
Remote Access (Mobile VPN)

▪ Split Tunneling: only traffic for the allowed (internal) networks goes through the tunnel; everything else uses the client's local Internet connection and bypasses the Firebox
▪ Default-route VPN: forces all client traffic through the tunnel, so the Firebox policies and security services see it

Common types
▪ L2TP
▪ IKEv2
▪ IPSec
▪ SSL (TLS)
Key Takeaways – VPN

▪ VPN stands for Virtual Private Network
▪ Creates tunnels to securely connect across public networks
▪ Two main types of VPN – Site-to-Site (Branch Office or Virtual Interface VPN) and Remote Access (Mobile VPN)
▪ IPSec uses IKEv1 with Main Mode or Aggressive Mode, or the newer IKEv2
▪ Remote Access (Mobile VPN) provides different connection types, such as IPSec, SSL (TLS), L2TP, or IKEv2
FIREBOX ADMIN & SETUP
Firebox Deployment Options Overview

 Initial deployment options

 Setup wizards

 RapidDeploy
Deployment Options

Quick Setup Wizard
• Legacy option
• Launched from the WatchGuard System Manager software

Web Setup Wizard
• Modern option
• Available on port 8080 when the Firebox is in its factory-default state

Cloud-based
• Includes WatchGuard Cloud and RapidDeploy
• Allows for remote deployment of drop-shipped Fireboxes
• Available on WatchGuard Cloud or watchguard.com
Setup Wizard Comparison

Quick Setup Wizard
• Allows setup of an Optional interface
• Allows backup image restoration
• Required for Recovery Mode
• Has no RapidDeploy or WatchGuard Cloud options
• Sometimes detects Fireboxes slowly or not at all

Web Setup Wizard
• Provides all available setup options
• No initial Optional interface setup
• Has an admin login timeout
RapidDeploy Details
• Requires a factory default and upstream DHCP
  o If DHCP is not available, use USB or the Web Setup Wizard
• Built-in XML configuration file backup, great for recovery after a factory default or RMA replacement
• Requires manufacturing firmware v12.3.1 or higher to deploy with RapidDeploy in WatchGuard Cloud
  o Incompatible with WatchGuard Cloud Firebox management

WatchGuard Cloud Details
• Requires a factory default and upstream DHCP
  o If DHCP is not available, use the Web Setup Wizard
• Will deploy the current configuration from the cloud
• Requires firmware v12.5.4 or higher to deploy with WatchGuard Cloud
  o Incompatible with local Firebox management

Key Takeaways

▪ Use the Web Setup Wizard for most local management setups
▪ Setup wizards are not required for cloud deployment scenarios when the Firebox has DHCP Internet access
▪ The Quick Setup Wizard can reimage Fireboxes that cannot boot normally
▪ RapidDeploy is versatile and can be used in conjunction with local management options
▪ WatchGuard Cloud has more deployment flexibility, but cannot be used with local management options

Local Management Interfaces Overview

 WatchGuard System Manager (WSM) components

 Web UI tools

 Useful Command Line Interface (CLI) commands



Key Takeaways

 Policy Manager and Firebox System Manager (FSM) are the main tools to
use in WatchGuard System Manager (WSM)

 Diagnostic tasks are available in FSM and Fireware Web UI

▪ FireWatch, Policy Checker, Network Discovery, and authentication server connection testing are available in Fireware Web UI

 The Command Line Interface (CLI) has additional diagnostic utilities



How to Connect a Device to WatchGuard Cloud

 How to add a Firebox to WatchGuard Cloud

 Benefits of a device connected to WatchGuard Cloud



Takeaways

 You can allocate a Firebox and connect it to a tier-1 or a tier-2 account

 Single pane of glass for the administration of one or many devices

▪ Simple method to change a locally-managed device to cloud management
Firebox Help Overview

 Where to find help about the Firebox

 How to create a Support Case

 How Support works


Firebox Help Takeaways

▪ How to use Technical Search
  ▪ watchguard.com > Support
▪ How to access the Help Center
  ▪ Press F1 in Firebox System Manager (FSM) or Policy Manager (PM)
  ▪ Select the ? mark on any page in the Web UI
▪ Benefits of a case created online
▪ How to collect information
  ▪ Support TGZ, Support Access, logs, and screenshots


Licensing and Activation Overview

 License options

 Firebox activation

 Feature key usage


License Options

Support Only
• Firmware upgrades
• Support cases
• Hardware replacements (RMAs)
• 24 hours of log retention in WatchGuard Cloud

Basic Security
• Includes all items from the previous tier
• Enables the use of a limited set of security features
• 30 days of log retention in WatchGuard Cloud

Total Security
• Includes all items from the previous tiers
• Enables the use of all security features
• Includes every new feature released in the license period
Activation
• When you purchase a Firebox, you receive a serial number and may also receive a license key
  o Except for Firebox Cloud Pay As You Go (PAYG) subscriptions
• You must activate the Firebox on the watchguard.com website before you can use Firebox features
  o If the Firebox is not activated, you cannot obtain a feature key
License Key Example
• A license key looks like this: WGM47201-1-011105-89BExxxx
• You can activate it for any Firebox, as long as the model matches

Feature Key Acquisition
• The feature key unlocks all licensed features when it is installed on the Firebox
• You can obtain the feature key by:
  o Automatic feature key synchronization
  o Manual feature key synchronization
  o Importing the text of the feature key from watchguard.com
Feature Key Example
• The start of a feature key looks like this:

    Serial Number: D0FD027999999
    License ID: D0FD027999999
    Name: 01-11-2021_11:23
    Model: T70
    Version: 2
    Feature: APP_CONTROL@Oct-30-2024...

Lack of Licensing
• If the Firebox is not activated or does not have a feature key installed, there are many limitations, such as:
  o Only 1 local device can have Internet access
  o Security subscription services are unavailable
  o VPNs do not function
  o Limited logging and management options
  o Firmware upgrades fail

Special Cases
• FireboxV devices do not have a valid serial number until a feature key is installed
• Firebox Cloud Pay As You Go (PAYG) subscriptions already include a feature key
Key Takeaways

 Activate the Firebox serial number or license key first

 The Firebox has very limited functionality without a feature key

 Synchronize the feature key whenever possible


Firebox Feature Key Configuration

 How to add the Feature Key

 Get Feature Key from WatchGuard.com

 Download the key from the Firebox

 Sync key with FSM

 Importance of the Feature Key

 Limited use and features without the key

 What happens when the key expires


Firebox Feature Key Takeaways

 You learned how to add a feature key three different ways:

 WatchGuard.com

 Download the key from the Firebox

 My favorite is Sync key with FSM

 You learned the importance of having a Feature Key

 Limited feature use, unable to upgrade, and only a single user

 You learned the Firebox can operate with an expired Feature Key

 WebBlocker’s default is to deny web access when subscription services expire

 The rest of the networking and policies continue to work. They are listed as never expire in the Feature Key

 Logging to WatchGuard Cloud and Dimension will stop
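The feature key text shown earlier and the expiry takeaways above make a small auditing job: parse the key and report which licensed features are about to lapse, since that is the moment security services stop, WebBlocker starts denying, and cloud or Dimension logging ends. The Python below is an added example written for this page, not WatchGuard code. The sample key is constructed from the truncated example shown on the page; the `@never` spelling for perpetual features and the absence of trailing fields after the date are assumptions.

```python
import re
from datetime import date, datetime

# Constructed sample, modelled on the truncated feature key shown on this page.
# Real keys carry more lines and may carry extra fields after the date; the
# "@never" spelling for perpetual features is an assumption for this example.
SAMPLE_FEATURE_KEY = """\
Serial Number: D0FD027999999
License ID: D0FD027999999
Name: 01-11-2021_11:23
Model: T70
Version: 2
Feature: APP_CONTROL@Oct-30-2024
Feature: WEBBLOCKER@Oct-30-2024
Feature: GAV@Jan-15-2026
Feature: LOG_WGC@Oct-30-2024
Feature: BOVPN@never
"""

HEADER_RE = re.compile(r"^(Serial Number|License ID|Name|Model|Version):\s*(.+?)\s*$")
# Feature name, '@', then either a Mon-DD-YYYY date or 'never'; anything after
# the date (the page shows the line truncated with "...") is ignored.
FEATURE_RE = re.compile(r"^Feature:\s*([A-Z0-9_]+)@(never|[A-Za-z]{3}-\d{2}-\d{4})")


def parse_feature_key(text):
    """Return (header dict, {feature name: expiry date, or None when perpetual})."""
    header, features = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2)
            continue
        m = FEATURE_RE.match(line)
        if m:
            name, expiry = m.groups()
            features[name] = (None if expiry == "never"
                              else datetime.strptime(expiry, "%b-%d-%Y").date())
    return header, features


def expiring_features(features, today, within_days=30):
    """Features already expired (negative days_left) or expiring within the window.

    `today` may be a date or an ISO 'YYYY-MM-DD' string. Perpetual features
    (None) are skipped. Soonest expiry comes first.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for name, expiry in features.items():
        if expiry is None:
            continue
        days_left = (expiry - today).days
        if days_left <= within_days:
            rows.append((name, expiry, days_left))
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    header, features = parse_feature_key(SAMPLE_FEATURE_KEY)
    print(f"{header['Model']} serial {header['Serial Number']}")
    for name, expiry, days_left in expiring_features(features, date.today()):
        state = "EXPIRED" if days_left < 0 else f"expires in {days_left} days"
        print(f"  {name:<14} {expiry}  {state}")
```

Run it against a key exported from the Firebox (or saved from watchguard.com) on a schedule; a feature that shows up with a negative `days_left` is one whose protection has already lapsed even though the firewall itself keeps passing traffic.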


Default a Firebox Overview

 Why factory default a Firebox?

 Factory default with physical access

 Default virtual devices or remote devices

 Default Firebox settings


Reasons to Factory Default

• Lost management user passphrases

• Management access mistakenly removed

• Network interface misconfiguration

• Removing invalid files (old certificates, improper backup image migration, etc.)

• Firebox deployed to another location or customer


Factory Default – Physical Access

• For T Series models:

 Hold Reset button while you power on the Firebox

 Release Reset button when ATTN LED blinks amber

 After ATTN LED is solid amber, power-cycle the Firebox

• For M Series models (except M440):

 Hold Reset button while you power on the Firebox

 Release Reset button when shield LED blinks green rapidly

 After shield LED is blinking red, power-cycle the Firebox


FACTORY DEFAULT – COMMAND LINE

Factory Default State

Interfaces:

• All interfaces are enabled

• Interface IP addresses will be 10.0.x.1/24, where x = interface number

• Use 10.0.1.1 to connect on interface number 1

Credentials:

• User admin – passphrase readwrite

• User status – passphrase readonly

• These default passphrases are published, so change both during initial setup before the Firebox is reachable from any network you do not control

Policies:

• No inbound traffic

• Local management access only

• No access between local networks

• All TCP, UDP, and ICMP traffic allowed outbound

• No security services
Key Takeaways

 Default a Firebox when redeploying it, or when there are no other options – save the configuration file if you plan to restore the configuration

 Different Firebox models have different reset procedures – consult the documentation for detailed steps

 Factory default state uses a simple configuration – different from the configuration in the Setup Wizard
Firebox Web Setup Wizard Overview

 Web Setup Wizard demonstration

 General tips for initial deployments

 Example of initial setup without Internet access


Key Takeaways

 Gather relevant information before you start the wizard – you have 15 minutes to complete the wizard before hitting the timeout

 Do not overlap the internal network with other locations or common home network ranges

 If the Firebox does not have Internet access when you run the wizard, you must manually import the feature key
How to upgrade your Firewall Firmware

 The three main options

 WatchGuard System Manager demo

 WebUI demo

 WatchGuard Cloud demo


Which option to choose

WSM:

• Local update from Windows PC

• Can be done offline

• Updates a singular device

• Windows PC only

• Has more steps to complete

WebUI:

• Can update from WatchGuard or local device

• Can be done offline

• Singular device update

• Browser login

• Simple to complete

WatchGuard Cloud:

• Update from WatchGuard

• Requires internet connection and cloud connection

• Updates multiple devices

• Browser login

• Simple to complete
Key Takeaways

 WatchGuard System Manager works well for offline upgrades

 Multiple file requirements can be more complicated to complete

 WebUI is easy to use for singular updates, both online and offline

 WatchGuard Cloud is easy to use for multiple devices, and upgrades can be scheduled

 Requires a cloud connection


Firebox Configuration and Backup Image Overview

 What is a configuration file (XML)

 Understand how to use a configuration file

 Understand what is in a configuration file

 What is a backup image (FXI)

 Understand how to use a backup image

 Understand what is in a backup image


Configuration File .XML

Included:

• Policies

• Networking

• Firebox-DB users

Not Included:

• Feature key

• Certificates

• Management users

• OS

Backup Image .FXI

Included:

 Configuration file

 Certificates

 All users

 Feature key

 Metadata

Not Included:

• Operating system (Firmware)

Configuration File Compared to a Backup Image

Configuration File .XML – Included: Policies, Networking, Firebox-DB users. Not included: Feature key, Certificates, Management users, OS.

Backup Image .FXI – Included: Configuration file, Certificates, All users, Feature key, Metadata. Not included: OS.
Takeaways

 Configuration files can be saved on any device

 You can save a configuration file on a device that runs a higher Fireware version

 For a device that runs a lower Fireware version, use the OS Compatibility or Save as Version options

 Backup images can only be applied to the same device

 The device OS must be the same as the version of the backup image

 If you reset a device to factory-default settings, the backup images will be deleted

 You can back up and restore from WatchGuard Cloud

 The Firebox stores backup images, not WatchGuard Cloud


Role Based Administration

 Viewing admin users

 User Types

 Adding users

 Lockout Settings

 Remote Access and Support Access

 Lab: Initial Configuration


Key Takeaways

 Additional users can be added

 There are two levels of management roles on the Firebox

 Lockout settings prevent brute force attacks

 Remote access is added with a VPN or by opening management policies

 Support access can be easily added

 Try lab #1
System and Global Settings

 System Settings

 NTP

 Global Settings
Key takeaways

 System Settings control the device name and time zone

 NTP can allow the Firebox to be an NTP server

 Global settings control the Web UI port, multiple admin logins, traffic management, and the logon disclaimer
Recent product updates may
not be included in this video

RapidDeploy Overview

 Purpose of RapidDeploy

 Overview of the different RapidDeploy methods

 Device requirements for RapidDeploy

 Deploy a configuration file from the cloud


RapidDeploy Basics

• Configuration is stored in the cloud

• RapidDeploy can configure new devices automatically when they are deployed at a remote site

• No need to prepare the device at your office before you ship it to a location

• Does not require trained IT staff at the remote site

RapidDeploy Option #1 – Configuration File

• Simple and versatile

• Great backup configuration option

• Requires the XML configuration file to be the same version, or lower, than the Fireware OS version that the Firebox runs

 Use the Save as Version option in Policy Manager to set the target version

RapidDeploy Option #2 – Management Server

• Formerly known as RemoteConfig

• Works well for larger deployments

• Integrates with an existing Management Server configuration

• Supports the mass activation of up to 50 Fireboxes

RapidDeploy Option #3 – QuickStart

• Provides a premade configuration file, with some services enabled

• Obsolete – only available on older Firebox models

• Migrate to the Configuration File option

RapidDeploy Option #4 – WatchGuard Cloud

• Similar functionality to the Configuration File option – not supported on cloud-managed devices

• Uses a wizard for the initial setup

• Only available for devices that were manufactured with Fireware v12.3.1 or higher

Firebox Preparation

• The Firebox must be in a factory-default state – or use the RapidDeploy option in the v12.5.3+ Setup Wizard

• The eth0 interface must be connected to DHCP to reach the Internet

 If DHCP is not available, you can use a USB drive to configure eth0

• Connect local networks after the configuration is received

Key Takeaways

 RapidDeploy saves time and shipping costs

 Enables any device to have a backup configuration in the cloud

 Verify the XML version before you upload a configuration file


LOGGING AND MONITORING
Firebox Logging Overview

 Firebox log settings

 Firebox internal storage

 External logging options


Firebox Log Types

• A Firebox has these types of logs:

o Traffic

o Event

o Debug/diagnostic

o Alarm/alert

o Performance/statistic

Firebox Log Retention

• The Firebox has limited internal storage

• Most Firebox logs are temporary

• Log volume affects how much log history is available

o The amount of logging enabled is a major factor

o Typically less than 20 minutes, might only be 1-3 minutes

• Highly recommended to use external log storage

Log Storage Options

• WatchGuard Cloud

• Dimension

• Third-party Syslog server


Key Takeaways

 Limited Firebox storage – logs are not stored for very long

 More logging means higher load and more storage

 WatchGuard Cloud logging is recommended – there is nothing to deploy


Firebox Logging Configuration

 How to understand the different types of logs

 How to configure logging for policies

 How to configure logging for Firebox itself

 How to understand Traffic Monitor logs versus logs for reports


Logs

Policies:

• Proxies have logging enabled by default

 Both the allows and denies show in Traffic Monitor

 Logging for Reports

• Newly created Packet Filters must be configured for:

 Allow logs to show in Traffic Monitor (TM)

 Logs to be collected for reports

 Denied traffic will show in TM and reports without extra configuration

Firebox:

• Firebox operations can create logs

 Subscription Service update

 Changes made to the configuration

 User authentication
Takeaways

 You learned there are different types of logs generated by policies and the Firebox

 The policies vary by Proxy and Packet Filters

 Allowed traffic through new packet filters does not show in Traffic Monitor or in reports until you enable logging; denied traffic is logged by default

 Proxies have both enabled

 The Firebox can send logs for updates and at increased log levels

 Traffic Monitor logs are great when a new policy is added or for troubleshooting, but they do not need to stay enabled

 Logging for reports must be configured (or verified) on a policy before its traffic appears in reports


Real-time Monitoring Overview

 Fireware Web UI

 WatchGuard System Manager


Key Takeaways

 Fireware Web UI and FSM provide real-time information on your Firebox

 FireWatch provides a clear view of the rate, bytes, number of connections, and duration of connections currently flowing

 Firebox Status Report shows almost everything about the Firebox in a single text output

 Support files help resolve cases faster


Traffic Monitor Overview

 How to find Traffic Monitor

 Enabling logging

 Filters and views

 Additional settings

 How to view a log message


Reading a Log Message

2022-04-24 20:44:15 Deny src_ip=10.0.10.2 dst_ip=89.238.73.97 pr=https/tcp src_port=60309 dst_port=443 src_intf=Trusted dst_intf=External msg=ProxyDrop: HTTP Virus found pckt_len= ttl= policy=(HTTPS-proxy-00) proxy_action=Default-HTTP-Client proc_id="http-proxy" rc="594" msg_id="1AFF-0028" proxy_act="Default-HTTP-Client" md5="44d88612fea8a8f36de82e1278abb02f" virus="EICAR-Test-File (not a virus)" host="secure.eicar.org" path="/eicar.com.txt" geo_dst="DEU"
Key Takeaways

 Traffic Monitor shows the live logs on the Firebox

 Logging must be enabled for allowed traffic

 Search filters provide a tighter scope for troubleshooting

 To best understand log messages, break them down into individual sections
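Breaking a Traffic Monitor message into sections, as the takeaway says, is exactly what a parser does, and once the fields are separated the same code serves as a first triage pass over exported logs. The Python below is an added example written for this page, not part of the course or of Fireware. It splits the `key=value` and `key="quoted value"` fields (including empty values such as `pckt_len=` and unquoted values that contain spaces, such as the `msg` field), labels each message, and counts labels per source address. The Deny line is the page's own message re-joined onto one line; the Allow and unhandled-packet lines are constructed in the same style.

```python
import re
from collections import Counter

# Constructed sample lines. The first is the Traffic Monitor message shown on
# this page, joined onto one line; the other two are made up in the same
# key=value style to exercise the Allow and packet-filter Deny cases.
SAMPLE_LOGS = [
    '2022-04-24 20:44:15 Deny src_ip=10.0.10.2 dst_ip=89.238.73.97 pr=https/tcp '
    'src_port=60309 dst_port=443 src_intf=Trusted dst_intf=External '
    'msg=ProxyDrop: HTTP Virus found pckt_len= ttl= policy=(HTTPS-proxy-00) '
    'proxy_action=Default-HTTP-Client proc_id="http-proxy" rc="594" msg_id="1AFF-0028" '
    'proxy_act="Default-HTTP-Client" md5="44d88612fea8a8f36de82e1278abb02f" '
    'virus="EICAR-Test-File (not a virus)" host="secure.eicar.org" '
    'path="/eicar.com.txt" geo_dst="DEU"',
    '2022-04-24 20:44:20 Allow src_ip=10.0.10.2 dst_ip=203.0.113.53 pr=dns/udp '
    'src_port=51514 dst_port=53 src_intf=Trusted dst_intf=External policy=(DNS-00)',
    '2022-04-24 20:44:31 Deny src_ip=198.51.100.7 dst_ip=203.0.113.10 pr=ssh/tcp '
    'src_port=40022 dst_port=22 src_intf=External dst_intf=Firebox '
    'msg=Unhandled External Packet-00 policy=(Unhandled External Packet-00)',
]

HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (Allow|Deny) (.*)$")
KEY_RE = re.compile(r"([A-Za-z_]\w*)=")          # a key at the current position
NEXT_KEY_RE = re.compile(r"\s[A-Za-z_]\w*=")     # where the following key starts


def parse_fields(body):
    """Split 'k=v k2="quoted v" k3=' into a dict; unquoted values may contain spaces."""
    fields, pos, n = {}, 0, len(body)
    while pos < n:
        if body[pos].isspace():
            pos += 1
            continue
        m = KEY_RE.match(body, pos)
        if not m:
            break  # malformed tail; stop rather than guess
        key, pos = m.group(1), m.end()
        if pos < n and body[pos] == '"':
            end = body.find('"', pos + 1)
            end = n if end == -1 else end
            fields[key] = body[pos + 1:end]
            pos = end + 1
        else:
            nxt = NEXT_KEY_RE.search(body, pos)
            end = nxt.start() if nxt else n
            fields[key] = body[pos:end].strip()
            pos = end
    return fields


def parse_log_line(line):
    """Return {'time', 'action', 'fields'} for a traffic log line, or None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ts, action, body = m.groups()
    return {"time": ts, "action": action, "fields": parse_fields(body)}


def classify(entry):
    """Coarse triage label for one parsed message."""
    f = entry["fields"]
    if entry["action"] == "Deny" and "virus" in f:
        return "proxy-virus-drop"
    if entry["action"] == "Deny" and f.get("dst_intf") == "Firebox":
        return "unhandled-to-firebox"
    return entry["action"].lower()


def summarize(lines):
    """Count (source IP, label) pairs across a batch of log lines."""
    counts = Counter()
    for line in lines:
        entry = parse_log_line(line)
        if entry:
            counts[(entry["fields"].get("src_ip"), classify(entry))] += 1
    return counts


if __name__ == "__main__":
    for (src, label), n in sorted(summarize(SAMPLE_LOGS).items()):
        print(f"{src:<16} {label:<22} {n}")
```

The value scanner stops an unquoted value at the next ` key=` token rather than at the next space, which is what keeps `msg=ProxyDrop: HTTP Virus found` intact; a quoted value is taken verbatim to its closing quote so a `path` or `host` containing `=` cannot be misread as a new key.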
Diagnostic Tasks Overview

 How to find diagnostic tasks

 What diagnostic tasks are available?

 Advanced arguments
Key Takeaways

 You can run diagnostic tasks from Fireware Web UI and Firebox System Manager

 Available tasks are Ping, traceroute, DNS Lookup, and TCP Dump

 Arguments provide additional variables for troubleshooting



Logging to Dimension Overview

 What is Dimension?

 Requirements to use Dimension

 Deployment topologies

 How to configure the connection between the Firebox and Dimension

 How to configure Dimension to send reports

 How to configure Dimension to send Firebox notifications

 Overview of the Dashboard


No Logs No Crime

Front End:

• Dashboards

• Historical logging

• Notifications

• Reports

Back End:

• Built-in database

• Optional PostgreSQL database

Management:

• Add administrators

• Database maintenance

• Backups

• Database migrations

Software and Licenses

• You must have an active Standard Support, Basic Security, or Total Security support license

• Download Dimension software from software.watchguard.com

• Deployed as a virtual machine on Hyper-V or VMware

Multiple Ways to Deploy Dimension

Single Location:

• Dimension is on-premise

Hub and Spoke:

• One location for all users

• Divide by sending to different regions

In AWS:

• Scale redundancy in AWS

• Protect with Firebox Cloud
Key Takeaways

 You can deploy Dimension on Hyper-V or VMware in many different topologies

 Make sure to configure Dimension for email notifications

 If configured correctly, Dimension is a great way to:

 Find historical logs

 Generate reports

 Analyze data with dashboards


Logging to WatchGuard Cloud

 How to connect a Firebox to WatchGuard Cloud

 How to search for logs from the Monitor menu

 How to run reports from the Administration menu


Takeaways

 You can allocate a Firebox and connect it to a tier-1 or a tier-2 account

 Use the space bar and wildcards to build a Log Search query

 Scheduled reports have a frequency option called Run Now

 Make sure to configure your time zone



ThreatSync

 What is ThreatSync

 Incidents

 Policies

ThreatSync

• Cloud based tool

• Centralizes information to one view

• Perfect for incident responders and administrators

• Automation allows faster remediation actions

Supported Security Solutions

• Total Security Suite

• EPDR or EDR



Key takeaways

 Provides a quick view of the threats across multiple systems

 Incidents are events that may need more attention

 Policies can automate incident remediations


NETWORKING ON THE FIREBOX
Network Modes

 To give you the flexibility to place Fireboxes in different network environments, there are three Network Modes:

 Mixed Routing

 Drop-In

 Bridge
Mixed Routing Mode

Most common, most flexible, and the default network mode.

Diagram: router 203.0.113.1/24 – External Interface 203.0.113.254/24; Trusted Interface 10.10.10.254/24; Optional Interface 192.168.10.254/24; VPN to remote network 172.16.0.0/24. Network features: VPN, NAT, Routing, VLAN. All security features.
Drop-In Mode

Hosts keep their IP addresses and default gateways.

Diagram: router 198.51.100.1/24 – External Interface 198.51.100.2/24; the Trusted and Optional Interfaces share 198.51.100.2/24, with Secondary IPs 10.10.10.1/24 (Trusted) and 10.10.20.1/24 (Optional); VPN to remote network 172.16.0.0/24. Network features: NAT, VPN, Static Routing. All security features.
Bridge Mode

Fully transparent.

Diagram: router 10.10.10.1/24 – Firebox with System and Management IP address 10.10.10.2/24 – 10.10.10.0/24 on both sides of the Firebox. Security features only.
Key Takeaways – Network Modes

 Mixed Routing Mode

 Most flexible mode with all available network and security features

 Each interface is configured with an individual subnet

 Drop-In Mode

 Distributes a single (usually public) subnet across all interfaces

 Most network features and all security features are available

 Bridge Mode

 Placed between an existing network and its gateway to filter and manage traffic

 Transparent in the network, with most security features but limited network features
Firebox Interfaces

 Can be configured as physical interfaces, VLANs, link aggregation, as well as bridge interfaces

 Set up as one of these four types:

 External

 Trusted

 Optional

 Custom
Firebox Interfaces

Diagram: physical interface

Firebox Interface Types

Diagram: Multi-WAN (more than one external interface)

 External
 Connects to a network outside your organization
 Always have a default route
 Member of the Any-External alias
Firebox Interface Types

 Trusted
 Connects to a private LAN (local area network)
 Location for workstations, laptops and secure internal resources
 Member of the Any-Trusted alias

Network 1 Network 2
Firebox Interface Types

 Optional
 Connects to a mixed-trust or DMZ network
 Location for public web, FTP, and mail servers
 Member of the Any-Optional alias
Firebox Interface Types

 Custom
 Connects to an internal network of your organization
 Separate from the Trusted or Optional security zones
 Location for a wireless access point
Firebox Interface Types

 Bridge
 Combines multiple interfaces to work as a single network
 Operates as a Layer 2 switch to forward traffic between the interfaces
 Apply policies (intra-bridge) in Fireware v12.7 and higher

Diagram: bridge security zone (Trusted, Optional, or Custom), with Network 1 on each member interface
Firebox Interface Types

 VLAN
 Able to separate devices into different networks without recabling
 Not tied to locations (floor, building) using trunks
 Apply firewall policies to intra-VLAN traffic
Diagram: VLAN security zone (External, Trusted, Optional, or Custom); a tagged trunk carries VLAN ID 10 and VLAN ID 20, and an untagged port/interface belongs to a single VLAN
Firebox Interface Types

 Link aggregation
 Groups multiple physical interfaces to work as a single logical interface
 Increases the cumulative throughput beyond a single physical interface
 Provides redundancy for any physical link failure
Diagram: link aggregation security zone (External, Trusted, Optional, Custom, Bridge, or VLAN)

Firebox Interface Aliases

• Any-External – every interface of type External

• Any-Trusted – every interface of type Trusted

• Any-Optional – every interface of type Optional

• Firebox – the Firebox's own IP addresses

• Any – any address on any interface
Key Takeaways – Firebox Interfaces

 Available types or zones are External, Trusted, Optional, and Custom

 Bridges combine multiple interfaces to work as a single network

 VLANs group devices into different networks using trunks and split switches into multiple segments

Key Takeaways – Firebox Interface

 Link aggregation (LA) groups multiple physical interfaces to work as a single logical interface, to primarily increase the cumulative throughput and provide redundancy

 Default Firebox interface aliases and their meanings
Firebox Interface Configuration

 Setup of an external interface

 Add a secondary network IP address

 Setup of a trusted interface

 Enable as DHCP Server with an address pool

 How to expand available addresses in the configured network

 Review the advanced interface settings


Key Takeaways

 The Firebox always requires a default gateway IP address, either provided through DHCP or PPPoE, or as a manually-added static IP address

 To expand available addresses on an interface, either use a larger network by changing the slash notation or configure a secondary network

 Using DHCP Server on the interface, you can also set a pool out of the secondary network

 Available advanced interface settings depend on the type of interface in use
VLAN Configuration

 How to configure VLAN networks

 How to set up Firebox interfaces to use the VLAN networks

 Review the new features available in Fireware v12.8 and higher


Key Takeaways

 VLANs should be assigned to an interface, or else they are removed

 Review your policies when you change interfaces to VLAN

 Enable the Apply firewall policies to intra-VLAN traffic option to control traffic, or the Firebox acts like a Layer 2 switch for the network

 For external VLANs with Fireware v12.8 and higher:

 Physical interface members can be set as untagged

 Possible to configure on more than one physical interface

 An interface can simultaneously belong to both External and Internal VLANs


DNS and the Firebox

 How to configure DNS

 Review the option for DNS forwarding

 Review the DNS server precedence


Key Takeaways

 The Firebox itself requires DNS servers for different features to work

 Firebox DNS settings are used when not specified elsewhere

 Mobile VPN with IKEv2, SSL, IPSec, and L2TP configurations include DNS settings

 A Firebox interface configured as a DHCP server includes DNS settings

 Use DNS forwarding to send DNS queries for domains to specific DNS servers

 Hosts must use the Firebox interface IP address as a DNS server (DHCP clients
automatically receive this configuration)

 Remember that DNS server precedence exists


Static Routing

 How to add static routes

 Destination types

 Metrics

 Review static routes in Firebox System Manager


Diagram: Firebox external 203.0.113.10/24; Firebox 10.0.10.1/24 on network 10.0.10.0/24 (host 10.0.10.2/24); Firebox 10.0.11.1/24 on network 10.0.11.0/24; internal router 10.0.11.254/24 with 10.0.20.1/24 on network 10.0.20.0/24 (host 10.0.20.200/24). The Firebox needs a static route for 10.0.20.0/24 via 10.0.11.254, and the internal router needs a route back (default gateway 10.0.11.1).
Key Takeaways

 To review routes, see the Status Report in Firebox System Manager

 To make sure network and host routes work successfully in both directions, check route and default gateway settings on participating devices

 Use metrics to effectively combine static routes with dynamic routing and virtual interface VPNs
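To see how the diagram's routes, the metric tie-break and the return-path check in the takeaways fit together, here is an added Python model written for this page (not Fireware code) of longest-prefix lookup with metrics and a hop-by-hop trace across the diagram's two devices. The ISP gateway 203.0.113.1, the internal router name R1, and the metric-10 BOVPN virtual interface route are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    via: Optional[str] = None   # next-hop IP; None = directly connected (or a tunnel interface)
    metric: int = 0


class Router:
    def __init__(self, name, routes):
        self.name, self.routes = name, list(routes)

    def lookup(self, dst):
        """Longest prefix wins; equal prefix lengths are broken by the lowest metric."""
        dst = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if dst in r.prefix]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))

    def without(self, prefix, via=None):
        """Copy of this router minus the route(s) for `prefix` (any next hop if via is None)."""
        return Router(self.name, [r for r in self.routes
                                  if not (str(r.prefix) == prefix and (via is None or r.via == via))])


def net(s):
    return ipaddress.ip_network(s)


def trace(devices, start, dst):
    """Hop list from `start` to `dst`; None when a device has no route or a loop forms.

    `devices` maps a device name, and each next-hop IP, to the Router that owns it.
    A next hop outside the map (the ISP gateway) ends the trace with that IP.
    """
    hops, name = [], start
    while name not in hops:
        hops.append(name)
        route = devices[name].lookup(dst)
        if route is None:
            return None
        if route.via is None:
            return hops                      # delivered onto a connected network or tunnel
        nxt = devices.get(route.via)
        if nxt is None:
            return hops + [route.via]        # handed to a device we do not model
        name = nxt.name
    return None                              # routing loop


# Topology from the static routing diagram on this page. 203.0.113.1 as the
# ISP gateway and the bovpn.1 metric-10 route are assumptions for this example.
FIREBOX = Router("Firebox", [
    Route(net("203.0.113.0/24"), "eth0"),
    Route(net("10.0.10.0/24"), "eth1"),
    Route(net("10.0.11.0/24"), "eth2"),
    Route(net("0.0.0.0/0"), "eth0", via="203.0.113.1"),
    Route(net("10.0.20.0/24"), "eth2", via="10.0.11.254", metric=1),   # static route
    Route(net("10.0.20.0/24"), "bovpn.1", metric=10),                   # VPN backup path
])
R1 = Router("R1", [                         # internal router 10.0.11.254 / 10.0.20.1
    Route(net("10.0.11.0/24"), "lan0"),
    Route(net("10.0.20.0/24"), "lan1"),
    Route(net("0.0.0.0/0"), "lan0", via="10.0.11.1"),
])
R1_NO_DEFAULT = R1.without("0.0.0.0/0")     # the classic mistake: no route back


def topology(r1=R1):
    return {"Firebox": FIREBOX, "R1": r1, "10.0.11.254": r1, "10.0.11.1": FIREBOX}


if __name__ == "__main__":
    print("forward:", trace(topology(), "Firebox", "10.0.20.200"))
    print("reverse:", trace(topology(), "R1", "10.0.10.2"))
    print("reverse, R1 without default gateway:", trace(topology(R1_NO_DEFAULT), "R1", "10.0.10.2"))
    print("10.0.20.0/24 with static link down:",
          FIREBOX.without("10.0.20.0/24", "10.0.11.254").lookup("10.0.20.200").iface)
```

The one-way failure is the point of the `R1_NO_DEFAULT` case: the Firebox can reach 10.0.20.200, but R1 cannot send the reply to 10.0.10.2, which is exactly what "check route and default gateway settings on participating devices" means. Dropping the metric-1 static route makes the lookup fall through to the metric-10 tunnel route, which is how a BOVPN virtual interface serves as the backup path.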
Firebox NAT Overview

 NAT types on the Firebox

 Example cases for each NAT type

 What is NAT loopback?


Firebox NAT Types

Dynamic NAT (the course abbreviates this DNAT):

• Rewrites one or many IPs to a different IP

• Changes the SRC IP

• Often used for outbound traffic

• Most common NAT

Static NAT (the course abbreviates this SNAT):

• Changes one IP to a different IP

• Changes the DST IP

• Used for inbound traffic

• Can combine with dynamic NAT

• Allows one public IP to have multiple servers

1-to-1 NAT:

• Maps one subnet to another subnet, or binds one IP to another IP

• Changes either the SRC or DST IP, based on direction of traffic

• Very limited use cases (primarily BOVPN)

• Available for BOVPNs

Note that these abbreviations are the reverse of common usage elsewhere, where SNAT means source NAT and DNAT means destination NAT: on the Firebox, DNAT (dynamic) rewrites the source and SNAT (static) rewrites the destination.

Diagrams: Dynamic NAT, Static NAT, 1-to-1 NAT

NAT Loopback

• Also known as “hairpin NAT”

• Not a different type of NAT – uses SNAT or 1-to-1

• Allows local clients to communicate to a public IP that points at a local server

• Useful when DNS records point only at a public IP
Key Takeaways

 Verify DNAT settings if Internet access fails, especially if you use a non-RFC1918 subnet on the internal network

 SNAT is the most versatile NAT for inbound connections – enables you to use a single public IP for multiple purposes

 Use NAT Loopback when you need local clients to reach an internal server using its public IP address

Static NAT Configuration

 Overview of the interface setup

 Secondary IP addresses

 How to configure static NAT

 Review traffic logs in Firebox System Manager


Diagram: Firebox external 203.0.113.10/24 with Secondary IPs 203.0.113.11/24 and 203.0.113.12/24; Firebox 10.0.10.1/24 on network 10.0.10.0/24 (host 10.0.10.2/24); Firebox 10.0.11.1/24 on network 10.0.11.0/24 (server 10.0.11.11/24)

Key Takeaways

 Static NAT provides flexible options for inbound connections

 Use the primary public IP or any available secondary IP for multiple purposes

 Use NAT loopback when you need local clients to connect to an internal
server with its public IP address

Dynamic NAT Configuration

 Overview of the interface setup

 Default dynamic NAT settings

 How to add specific dynamic NAT network rules

 Review traffic logs in Firebox System Manager


Diagram: Firebox external 203.0.113.10/24 with Secondary IPs 203.0.113.11/24 and 203.0.113.12/24; Firebox 10.0.10.1/24 on network 10.0.10.0/24 (host 10.0.10.2/24); Firebox 10.0.11.1/24 on network 10.0.11.0/24 (server 10.0.11.11/24)

Key Takeaways

 Most commonly known NAT type – often used for outbound traffic to the
Internet

 Default dynamic NAT settings cover RFC1918 subnets on the internal networks

 Add dynamic NAT entries for non-RFC1918 subnets



1-to-1 NAT Configuration

 Overview of the interface setup

 How to configure 1-to-1 NAT

 Review traffic logs in Firebox System Manager


Diagram: Firebox external 203.0.113.10/24; Firebox 10.0.10.1/24 on network 10.0.10.0/24 (host 10.0.10.2/24); Firebox 10.0.11.1/24 on network 10.0.11.0/24 (server 10.0.11.11/24); 1-to-1 NAT binds 203.0.113.11/24 to 10.0.11.11/24

Key Takeaways

 1-to-1 NAT binds one IP to another IP

 Based on the direction, it changes either the destination or source IP

 Has higher precedence than dynamic NAT

 Configure policies carefully, especially when you use multi-WAN

 Use NAT loopback when you need local clients to connect to an internal
server with its public IP address

 Remember to add a separate 1-to-1 NAT entry for each additional interface
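The NAT slides above describe source rewriting (dynamic), destination rewriting (static), bidirectional binding (1-to-1) and loopback, plus two failure modes from the takeaways: a non-RFC1918 internal subnet that gets no dynamic NAT, and a local client that addresses the public IP. The Python below is an added, simplified model written for this page, not Fireware's NAT engine. It uses the addresses from the configuration diagrams (203.0.113.10 external, secondary IPs .11 and .12, 10.0.10.0/24 Trusted, 10.0.11.0/24 Optional). The 203.0.113.12 to 10.0.11.12 1-to-1 binding, checking 1-to-1 before static NAT on inbound traffic, and rewriting the source on loopback only when client and server share an interface are modelling assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str


class FireboxNat:
    """Toy model of Firebox NAT: 1-to-1 wins over dynamic NAT on the way out,
    static NAT (SNAT) maps public IP:port to an inside server on the way in,
    and NAT loopback hairpins internal clients that address the public IP."""

    def __init__(self, external_ip, networks, dynamic_from=RFC1918, one_to_one=None, static=None):
        self.external_ip = external_ip
        # internal networks: prefix -> (interface name, Firebox IP on that interface)
        self.networks = {ipaddress.ip_network(n): (iface, ip) for n, (iface, ip) in networks.items()}
        self.dynamic_from = list(dynamic_from)           # sources eligible for dynamic NAT
        self.one_to_one = dict(one_to_one or {})         # public IP -> internal IP
        self.static = dict(static or {})                 # (public IP, port) -> internal IP

    def egress(self, dst):
        """(interface, Firebox IP on it) for dst; External when no internal network matches."""
        for prefix, (iface, ip) in self.networks.items():
            if ipaddress.ip_address(dst) in prefix:
                return iface, ip
        return "External", self.external_ip

    def translate(self, p):
        """Return (translated packet, egress interface)."""
        src, dst = p.src, p.dst
        # Destination rewrite for traffic addressed to a mapped public IP
        # (true inbound from External, or loopback from inside). The 1-to-1 before
        # static ordering is an assumption of this model.
        if dst in self.one_to_one:
            dst = self.one_to_one[dst]
        elif (dst, p.dport) in self.static:
            dst = self.static[(dst, p.dport)]
        out_iface, out_ip = self.egress(dst)
        if out_iface == "External":
            # Source rewrite on the way out: 1-to-1 takes precedence over dynamic
            # NAT; a source outside the dynamic NAT list leaves untranslated, so
            # the Internet never routes the reply back (the non-RFC1918 failure).
            internal_to_public = {v: k for k, v in self.one_to_one.items()}
            if src in internal_to_public:
                src = internal_to_public[src]
            elif any(ipaddress.ip_address(src) in n for n in self.dynamic_from):
                src = self.external_ip
        elif dst != p.dst and p.in_iface == out_iface:
            # Loopback with client and server on the same interface: also rewrite
            # the source to the Firebox interface IP so the server's reply comes
            # back through the Firebox instead of going straight to the client.
            src = out_ip
        return replace(p, src=src, dst=dst), out_iface


def build_example(extra_dynamic=()):
    """Firebox from the NAT configuration diagrams on this page."""
    return FireboxNat(
        external_ip="203.0.113.10",
        networks={"10.0.10.0/24": ("Trusted", "10.0.10.1"),
                  "10.0.11.0/24": ("Optional", "10.0.11.1")},
        dynamic_from=RFC1918 + [ipaddress.ip_network(n) for n in extra_dynamic],
        static={("203.0.113.11", 443): "10.0.11.11"},    # SNAT on the secondary IP
        one_to_one={"203.0.113.12": "10.0.11.12"},        # assumed 1-to-1 binding
    )


if __name__ == "__main__":
    fb = build_example()
    for pkt in (Packet("10.0.10.2", "8.8.8.8", 443, "Trusted"),
                Packet("198.51.100.7", "203.0.113.11", 443, "External"),
                Packet("10.0.10.2", "203.0.113.11", 443, "Trusted"),
                Packet("100.64.1.5", "8.8.8.8", 443, "Trusted")):
        out, iface = fb.translate(pkt)
        print(f"{pkt.src}->{pkt.dst}:{pkt.dport} becomes {out.src}->{out.dst} via {iface}")
```

The 100.64.1.5 case reproduces the takeaway about non-RFC1918 internal subnets: with the default dynamic NAT list the packet leaves with its private source unchanged, and only after `build_example(extra_dynamic=["100.64.0.0/10"])` does it get the external address.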
Link Monitor Overview

 What is Link Monitor?

 Recommendations for Link Monitor targets

 Features affected by Link Monitor


Link Monitor Targets

• Servers that reliably respond to traffic

• ISP equipment beyond your network perimeter

• Business-dependent services

Link Monitor Protocols

Ping:

• Works with a variety of services

• More services are starting to drop ICMP

• Might be intermittent

• Can get you blocked by the target

TCP:

• Great option when ICMP fails

• Control over port used for probes

• Opens a port, but sends no data

• Can get you blocked by the target

DNS:

• Recommended option when using public DNS servers as targets

• A query is performed, instead of simply opening a port

• Extremely unlikely to be blocked

Services Relying on Link Monitor

• Multi-WAN

o Inbound traffic is not affected by “failed” status

• SD-WAN

• All VPNs
Key Takeaways

 Choose a reliable target – do not use local equipment

 DNS is typically the best protocol to use, when available

 Outbound traffic and VPNs are impacted when Link Monitor fails
Link Monitor Configuration

 How to configure Link Monitor

 Types of supported interfaces

 Types of supported targets

 Review additional settings

 Review Firebox System Manager or Fireware Web UI


Diagram (single WAN): ISP router 203.0.113.1/24 – Firebox external 203.0.113.10/24; Firebox 10.0.10.1/24 on network 10.0.10.0/24 and 10.0.11.1/24 on network 10.0.11.0/24

Diagram (dual WAN): ISP routers 203.0.113.1/24 and 198.51.100.1/24 – Firebox externals 203.0.113.10/24 and 198.51.100.10/24; Firebox 10.0.10.1/24 on network 10.0.10.0/24 and 10.0.11.1/24 on network 10.0.11.0/24
Key Takeaways

 Link Monitor is essential for Multi-WAN and SD-WAN to work correctly

 Choose reliable targets – we recommend two targets for each interface

 Consider which protocol (Ping, TCP, DNS) will work best – we recommend DNS

 Look at live statistics in Firebox System Manager or, for longer periods, Fireware Web UI
Multi-WAN Overview

 What is Multi-WAN?

 Multi-WAN types

 Recommendations and important notes


Multi-WAN Basics

• Controls the external interfaces that transmit outbound traffic

o Does not apply to VPN traffic

o Does not apply to inbound traffic

• All options implicitly include failover capability

• SD-WAN actions take precedence over Multi-WAN

Basic Multi-WAN Options

Failover:

• Current default setting

• Only one external interface is active at any given time

• Fails in top-down order, based on the list you configure

• Great option when the backup external interface is metered

Routing Table:

• Uses ECMP to choose the shortest path to the destination

• Requires dynamic routing on the external interfaces for accurate hop count information

• If dynamic routing is not used, all interfaces are weighted equally
Load-Balancing Multi-WAN Options

Round-Robin:

• Balances connections based on interface weights

• Weights are configurable – use available bandwidth as a guideline

Interface Overflow:

• Configure order of external interfaces based on performance

• Set thresholds for each interface

• When thresholds are reached, the bandwidth “overflows” to the next interface in the list

Multi-WAN Failback

Gradual:

• Existing connections remain open on the failover interface

• New connections go through the primary interface

• Useful for traffic that is sensitive to interruptions, such as voice or video

Immediate:

• Connections on the failover interface terminate when the primary interface is available again

• Disruptive, but prevents excess charges on metered connections

No Failback:

• Connections open on the failover interface, even if the primary interface is available

Multi-WAN Tips

• Verify that your VPNs are configured with the correct interface information for failover purposes

• BOVPN failover is independent of Multi-WAN

• Check your Link Monitor settings during deployment – external interfaces should show “available”
Key Takeaways

 Multi-WAN affects outbound, non-VPN traffic only

 Verify the interface order, and any load-balancing parameters – defaults are not optimal in most environments

 VPN failover options are configured separately from Multi-WAN

Multi-WAN Configuration

 Overview of the interface and Link Monitor setup

 How to configure Multi-WAN

 Review traffic logs in Firebox System Manager


Diagram: ISP routers 203.0.113.1/24 and 198.51.100.1/24 – Firebox externals 203.0.113.10/24 and 198.51.100.10/24; Firebox 10.0.10.1/24 on network 10.0.10.0/24 and 10.0.11.1/24 on network 10.0.11.0/24
Key Takeaways

 Multi-WAN affects all non-VPN outbound traffic on external networks

 VPN failover works independently

 Verify the interface order and any load balancing settings for optimal
Multi-WAN behavior
SD-WAN Overview

 What is SD-WAN?

 SD-WAN use cases

 Types of failback options

 Recommendations and important notes


SD-WAN Basics

• Policy-based control of external interfaces used for outbound traffic

• Ability to make exceptions to the global Multi-WAN mode for specific types of traffic

• Metric-based failover capabilities

SD-WAN Use Cases

External Interfaces:

• Create an exception to global Multi-WAN behavior

• Use specific policies to prioritize certain traffic types

• Force failovers when performance metrics are not met

• Disallow failovers, when necessary

BOVPN Virtual Interfaces:

• Metric-based BOVPN failover

• Useful when a failover is required for different types of links – MPLS and external

• To maintain performance requirements, specific traffic types can fail over between VPNs

SD-WAN Failback

Gradual:

• Existing connections remain open on the failover interface

• New connections go through the primary interface

• Useful for traffic that is sensitive to interruptions, such as voice or video

Immediate:

• Connections on the failover interface terminate when the primary interface is available again

• Disruptive, but prevents excess charges on metered connections

No Failback:

• Connections open on the failover interface, even if the primary interface is available

SD-WAN Tips

• Do not forget to enable a failover interface – unless your goal is to prevent failovers

• Make sure that you do not set metrics too low – this will cause frequent failovers

• Make sure that the Link Monitor targets give accurate results during initial configuration
Key Takeaways

 SD-WAN ignores global Multi-WAN configuration

 Failover is optional in SD-WAN

 Verify that you set metrics correctly – Link Monitor targets are key
SD-WAN Configuration

 How to configure an SD-WAN action

 Choose the SD-WAN routing method

 Include the SD-WAN interfaces

 Review the Metrics settings

 How to use the SD-WAN action in policies


Key Takeaways

 Overrides Multi-WAN settings

 SD-WAN action settings:

 Requires configured Link Monitoring interfaces

 External interfaces

 Internal interfaces

 BOVPN virtual interfaces

 Optional Metrics settings


Traffic Management - Control Bandwidth

 Why do we need to control bandwidth?

 Bandwidth control options

 Where to configure Quality of Service (QoS) and Traffic Management in


the network
Why Guarantee Bandwidth?

• Critical and sensitive communication must stay connected, for example:

 Voice and video are sensitive to network bandwidth

 Connections to servers at a hospital are critical

Why Limit Bandwidth?

• You do not want guest traffic or test networks to saturate the available bandwidth and slow other network traffic

 For example, the guest Wi-Fi is a good example of traffic that you might decide to limit bandwidth for
Traffic Management - Methods to Control Bandwidth

Quality of Service (QoS)

• Traffic is prioritized based on marking, as it travels through the network equipment

• QoS should be configured on the egress LAN switch ports to inform the next device of the priority

• When traffic leaves the Firebox, the QoS markings likely will not be honored unless you fully manage the upstream device

Traffic Management

• Set a minimum or maximum bandwidth on your policies

• A benefit is that you do not need the LAN equipment or knowledge to implement QoS

• The Firebox cannot control the speed at which traffic is received
Where to Configure in the Network

[Diagram labels: Traffic Management; Core switch; Distribution switch; Access switch; QoS]
Key Takeaways

 Bandwidth control is important to prioritize specific traffic

 You can control bandwidth with QoS or Traffic Management

 QoS is typically configured on the internal routers and switches where endpoint devices connect

 Traffic Management should be configured on the Firebox because ISPs often do not honor QoS marking on external interfaces
Traffic Management Configuration Overview

 Traffic Management action terminology

 Traffic Management configuration and demo

 QoS (Quality of Service) configuration options


Traffic Management Actions

[Diagram labels: Internal; External; Outbound; Inbound]
Key Takeaways

 Enabling the global Traffic Management and QoS option reduces throughput on the Firebox

 Forward and Reverse actions are always from the perspective of the device that initiates the connection

 Traffic Management can be applied as a value per policy, a value per IP address, or a value shared across all policies

 If you choose to enable QoS, tagging (marking) should be performed downstream, since the Firebox can preserve tags and prioritize traffic
FIREWALL POLICIES
Stateful Firewall Overview

 How connections work

 Firebox policy fields

 Firebox connection handling


Basic Connection Process

1. A client requests to open a connection to a server

o Request contains the source (SRC) IP, destination (DST) IP, as well as the source and destination ports

2. The server responds, in order to complete the connection or form the socket

3. Packet data flows bi-directionally between the client and server

Firebox Policy Properties

• A Firebox policy has the following properties:

o From (SRC IP)

o To (DST IP)

o Port (DST is priority, SRC is optional)

Firebox Connections

• A Firebox is a “stateful firewall”, meaning connections are tracked after the policy criteria are matched

o SRC IP, DST IP, and DST port (SRC port is not required)

• Policies do not “tell the traffic where to go”; this is determined by the client connection request

• Firebox policies allow or deny connections

• Packets within an established connection are not checked against the policy list
Key Takeaways

 Verify what the client is trying to connect to, check logs

 The Firebox does not decide the destination for the traffic

 After a connection is established, each packet is not evaluated against the Firebox policy list
This video might not include
recent product updates

Aliases

 How to configure an alias

 Pre-defined alias vs User-defined alias

 Create an alias

 Nested aliases

 Use aliases in policies


Nested Aliases

Key Takeaways

 Aliases are containers to store network details

 Aliases can include a variety of details

 Nested aliases enable more organizational layers

 Use aliases in policy From and To fields



Create New Firewall Policies

 Add a policy

 Pre-defined templates

 Packet filters vs Proxies

 Custom templates

 Edit templates

Key Takeaways

 Packet filters are fast and efficient

 Proxies see more of the traffic, enabling more filters and actions

 Custom templates can allow any combination of ports and protocols

 When you edit a template, it automatically updates the policies created from that template

Firewall Policy Configuration

 How interfaces and policies interact

 How to allow or deny traffic

 The From and To fields

 Policy field details

 Policy properties

 Policy schedules

Key Takeaways

 You can use interface aliases or custom-defined aliases in policies

 Connections can be allowed or denied

 You can include many details in the From and To fields

 Policy schedules can automatically enable and disable a policy



Firewall Policy Order

 The order the Firebox processes policies

 Hidden firewall policies

 Remove the Outgoing policy

 Reorder your policies



Key Takeaways

 Policies are processed from first to last, based on their order

 The three main hidden policies are Any From Firebox, Unhandled
Internal, and Unhandled External

 Remove the Outgoing policy to secure your network

 Auto-order mode works for most configurations

 Manual order mode enables you to reorganize policies when needed


PROXY POLICIES
Firebox Proxies

 What is a proxy?

 Which protocols can be proxied?

 Which proxy action should you use?


Packet Filter Connections

Network Layer: Source and Destination IP Addresses

Transport Layer: Source and Destination Ports

Proxy Connections (A Channel / B Channel)

Network Layer: Source and Destination IP Addresses

Transport Layer: Source and Destination Ports

Application Layer: Data Payload
Protocols with Proxies

• HTTP
• HTTPS
• SMTP
• FTP
• SIP-ALG
• H323-ALG
• IMAP
• POP3
• DNS
• TCP-UDP
• Explicit

The Firebox enforces the standards of each protocol!


Proxy Actions

Outbound

• (Proxy)-Client

• (Proxy)-Client.Standard

• Default-(Proxy)-Client

Inbound

• (Proxy)-Server

• (Proxy)-Server.Standard
Key Takeaways

 Proxies are powerful tools that examine the data inside each packet

 Proxies are only available for specific protocols, and the Firebox enforces
the standards of those protocols

 Proxy connections use additional Firebox resources

 When you configure a new proxy policy, use the Default-(Proxy)-Client or .Standard actions as a starting point
Firebox HTTP Proxy Overview

 Default HTTP proxy actions

 Common configuration settings

 Proxy action rule processing order


Key Takeaways

 Proxy actions offer granular control over traffic and logging

 The “.Standard” actions offer optimized defaults – avoid the legacy templates

 Proxy rules are applied before security services


TLS Decryption Overview

 Why do we need TLS decryption and how does it work?

 Which policies can you apply TLS decryption to?

 Recommendations for TLS decryption


Packet Inspection

A Channel: receiving packet from client -> Analyzing contents -> B Channel: sending new packet to server

TLS Decryption

A Channel (client side)                                  B Channel (server side)
Client Hello                                             Client Hello
Server Hello                                             Server Hello
Public Certificate, re-signed by Firebox’s Private Key   Public Certificate (Private Key)
Key Exchange                                             Key Exchange
Session Key                                              Session Key
Enable TLS Decryption

• You can enable TLS decryption only on protocol-specific policies that can inspect packet data

• Works on inbound and outbound connections

• Clients will get certificate errors by default

• Exceptions can be made for specific domains

• Decrypting and re-encrypting adds significant CPU load

Important Tips

• If decryption causes slowness, try to limit the domains or web categories that you decrypt

• Many desktop applications do not work well – they typically do not use the computer certificate store

• The default exceptions list will not decrypt most applications or sites that are known to have issues
Key Takeaways

 Certificate errors are expected by default – import a custom certificate to the Firebox, or distribute the Firebox certificate to clients

 Works only on protocol-specific policies that can examine packet data

 Decryption creates high CPU load – scan fewer domains or categories if load is too high on the Firebox
HTTPS Proxy Overview

 Default HTTPS proxy actions

 Common configuration settings

 Content inspection options


Key Takeaways

 Proxy actions offer granular control over traffic and logging

 Domains, protocols, and ciphers can be controlled without decrypting HTTPS connections

 Content inspection is TLS decryption – either enable it for all HTTPS traffic, or for only specific domains and website categories
SMTP Proxy

 When to use the SMTP proxy

 STARTTLS and SMTPS

 Configuring the SMTP proxy


When to Use the SMTP Proxy

• Inbound: Proxy

• Outbound: Packet Filter

STARTTLS and SMTPS

SMTP

• Port 25

• Plain text

• Default option for most mail servers

STARTTLS

• Port 25

• Starts as SMTP

• Connection is upgraded to use TLS

SMTPS

• Port 465

• Connection is initiated using TLS

• Not commonly used
Key Takeaways

 The SMTP proxy is mostly used for inbound email scanning

 Email is sent over port 25 using SMTP and STARTTLS

 Review the SMTP proxy settings for your network

 General Settings

 STARTTLS

 Attachments

 Addresses and Headers


SECURITY SERVICES
Subscription Services Overview

 What are subscription services?

 Which policies can you apply services to?

 Configuration and deployment tips


Security Services

• Scan traffic for a variety of known or potential threats

• Combine different services for layered protection

• Your license determines available services:

o Total Security – All current and future services

o Basic Security – Limited set of services

o Some services are restricted by Firebox model or memory

Subscription Service Layers

Implementation Tips

• Enable services when necessary – do not bulk-enable services on policies that handle unrelated protocols

• Do not enable services on management policies

• Consider device load – some Firebox models do not handle heavy service loads as well as other models
Key Takeaways

 Verify which services are available on your device

 Deploy combinations of services – keep in mind the type of policies you are configuring

 Remember to consider device load and types of traffic you want to scan
Default Threat Protection Overview

 What is Default Threat Protection?

 When is Default Threat Protection applied?

 Components of Default Threat Protection

 Tips to adjust settings


Default Threat Protection Basics

• Applies to both internal and external traffic

• Intended to prevent basic DoS and DDoS attacks

• Mitigates some network misconfigurations

• Available without any specific licensing

• Does not rely on subscription services to block attacks

Default Threat Protection Operation

• The Firebox processes all components of Default Threat Protection before policies and services:

o Default Packet Handling

o Blocked Sites

o Blocked Ports

• No policy-related settings can override this feature

• Able to impact built-in Firebox functions

Default Packet Handling

• Designed to prevent these attacks:

o Flooding

o IP scans

o Port scans

o DoS/DDoS

Blocked Sites

• Can be used to manually or automatically block traffic for IPs, subnets, and domains

• Traffic is blocked inbound and outbound for sites that you manually add to the Blocked Sites list

• IPs that perform IP scans or port scans are automatically added to the Blocked Sites list

Blocked Ports

• Any ports you add to the list are blocked for inbound traffic

• No policy changes can override the Blocked Ports list

Reminders and Tips

• Can block legitimate traffic, if it exceeds thresholds

o Usually misconfigured equipment is the cause

• Easily forgotten, so check all logs, not only policy logs

• Sometimes you must add critical devices to the exceptions list

• Adjust thresholds before you disable features
Key Takeaways

 Default Threat Protection is always applied before policies and services

 Check all logs, because Traffic logs do not show Default Threat
Protection events, such as Blocked Sites

 Make exceptions for critical services or networking devices, if they are operating normally, but still being blocked
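The processing order described in the Stateful Firewall Overview, Firewall Policy Order, and Default Threat Protection sections, as an added Go model that is not part of the course material or of Fireware: Blocked Sites and Blocked Ports are checked before any policy, packets of a tracked connection skip the policy list, policies match on SRC IP, DST IP and DST port from first to last, and the hidden Unhandled policies deny whatever is left. The policy names, the addresses and the "Any" alias are constructed for this example.

```go
package main

import "fmt"

// Action is the verdict produced by a policy or by a built-in check.
type Action string

const Deny, Allow Action = "Deny", "Allow"

// Connection is the tuple the slides say the Firebox tracks: SRC IP, DST IP
// and DST port. The SRC port is deliberately not part of the key.
type Connection struct {
	SrcIP, DstIP string
	DstPort      int
	Inbound      bool // true when the connection arrives on an external interface
}

// Policy is a simplified Firebox policy with From, To and Port fields.
type Policy struct {
	Name   string
	From   []string // SRC IPs; "Any" matches every address
	To     []string // DST IPs; "Any" matches every address
	Ports  []int    // DST ports; empty means any port
	Action Action
}

// Firebox models the processing order the slides describe.
type Firebox struct {
	BlockedSites map[string]bool       // Default Threat Protection: Blocked Sites list
	BlockedPorts map[int]bool          // Default Threat Protection: Blocked Ports list
	Policies     []Policy              // evaluated first to last
	established  map[Connection]string // tracked connections and the policy that allowed them
}

func NewFirebox(policies []Policy) *Firebox {
	return &Firebox{map[string]bool{}, map[int]bool{}, policies, map[Connection]string{}}
}

func matchAddr(list []string, ip string) bool {
	for _, a := range list {
		if a == "Any" || a == ip {
			return true
		}
	}
	return false
}

func matchPort(ports []int, port int) bool {
	for _, p := range ports {
		if p == port {
			return true
		}
	}
	return len(ports) == 0 // an empty port list means any port
}

// Matches reports whether the policy's From, To and Port fields cover c.
func (p Policy) Matches(c Connection) bool {
	return matchAddr(p.From, c.SrcIP) && matchAddr(p.To, c.DstIP) && matchPort(p.Ports, c.DstPort)
}

// Handle returns the verdict for a packet and the name of the check that decided it.
func (f *Firebox) Handle(c Connection) (Action, string) {
	// 1. Default Threat Protection runs before policies; no policy can override it.
	if f.BlockedSites[c.SrcIP] || f.BlockedSites[c.DstIP] {
		return Deny, "Blocked Sites"
	}
	if c.Inbound && f.BlockedPorts[c.DstPort] {
		return Deny, "Blocked Ports"
	}
	// 2. Packets of an established connection skip the policy list entirely.
	if name, ok := f.established[c]; ok {
		return Allow, "established via " + name
	}
	// 3. Policies are processed from first to last; the first match wins.
	for _, p := range f.Policies {
		if p.Matches(c) {
			if p.Action == Allow {
				f.established[c] = p.Name // start tracking the connection
			}
			return p.Action, p.Name
		}
	}
	// 4. The hidden Unhandled policies deny whatever no policy matched.
	if c.Inbound {
		return Deny, "Unhandled External"
	}
	return Deny, "Unhandled Internal"
}

func main() {
	// Constructed addresses: guest client 10.0.20.5, internal web server 10.0.10.80.
	fb := NewFirebox([]Policy{
		{Name: "Deny-Guest-to-Servers", From: []string{"10.0.20.5"}, To: []string{"10.0.10.80"}, Action: Deny},
		{Name: "Allow-HTTP", From: []string{"Any"}, To: []string{"Any"}, Ports: []int{80, 443}, Action: Allow},
	})
	c := Connection{SrcIP: "10.0.20.5", DstIP: "10.0.10.80", DstPort: 443}
	a, by := fb.Handle(c)
	fmt.Printf("%s -> %s:%d %s (%s)\n", c.SrcIP, c.DstIP, c.DstPort, a, by)
}
```

Swapping the two policies in main turns the guest's verdict from Deny into Allow, which is the policy-order point of the Firewall Policy Order section.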
Default Threat Protection Configuration

 Default Packet Handling

 Blocked sites

 Default settings: automatic vs. manual trigger

 Configure a permanent or temporary entry for black/white exceptions

 Blocked ports
Key Takeaways

 Types of threats identified by Default Threat Protection

 Triggers for a Block action

 Benefits of Block instead of Drop

 Traffic Monitor helps block traffic


Application Control Overview

 How does Application Control work?

 Which policies can you apply Application Control to?

 Suggestions for Application Control


Application Control Basics
Enable Application Control

• You can enable Application Control on any type of policy

• Works on inbound and outbound connections

• You can either monitor or restrict applications

• Create individual actions to allow for different application lists per policy

• Scan engine adds some CPU load

Important Notes

• It is highly recommended to do a baseline before you block any applications

• Some applications might use multiple protocols – keep this in mind when you configure heavy restrictions

• Traffic must be decrypted for signatures to identify most applications
Key Takeaways

 Works on all policy types – requires decryption for encrypted content

 Content scanning engine adds to CPU load

 Run a baseline before you lock things down


Application Control Configuration

 How to monitor applications

 Demo: Tor browser and SSLVPN browser

 Quick Setup Wizard and TLS Content Inspection configuration

 Monitored and denied applications in Dimension


Key Takeaways

 Monitor before making adjustments

 Use Application Control on all policies

 DNS, HTTP(S), and outgoing

 Content inspection is necessary to see and deny unwanted applications


Intrusion Prevention Service Overview

 How does Intrusion Prevention Service work?

 Which policies can you apply IPS to?

 Deployment tips for IPS


IPS Basics
Enable IPS

• You can enable Intrusion Prevention Service on any type of policy

• Works on inbound and outbound connections

• Exceptions for signatures can be made globally

• Scan engine adds some CPU load

Important Tips

• If scanning causes slowness, try using Fast Scan

• Use exceptions sparingly – only after you confirm details about the signature or system

• Keep your own systems patched to avoid issues

• Many signatures have CVEs associated with them

Key Takeaways

 Works on all policy types – requires decryption for encrypted content

 Content scanning engine adds to CPU load

 Verify details before you make any exceptions



Intrusion Prevention Service Configuration (IPS)

 Overview of configuration built by Quick Setup Wizard

 Full scan vs. Fast scan

 Enable IPS on policies

 Review Update Server settings

 Trigger dummy IPS attack and view results in the Traffic Monitor

 Add exceptions

 View signatures list and CVE numbers in security portal



Key Takeaways: IPS

 How to enable and disable IPS on policies (Global IPS menu > Policies, or edit the policy)

 Differences between Full scan and Fast scan

 Stick to Full Scan unless you need a performance boost AND have other layers performing full IPS scans

 How to check the status of the IPS signature database: FSM > Security Subscriptions tab

 How to add an exception (and when it is necessary)

 How to find out more about IPS signatures on the Security Portal
Botnet Detection Overview

 What is Botnet Detection?

 Which policies can you apply Botnet Detection to?

 Considerations when using Botnet Detection


Botnet Detection Basics

• Blocks traffic to and from addresses associated with botnet activity

• Does not use signatures; it uses a list of addresses

• Almost no performance impact

• Included in the Reputation Enabled Defense license

Enabling Botnet Detection

• Simple to enable – a single check box

• Operates on a global level, no need to configure policies

• You can make exceptions for specific addresses

Important Notes

• Extremely low chance of false positives

• Companies might not be aware they are on the list – exceptions can be made, but we recommend not to

• If you use a public subnet on your internal network, your own network might be blocked
Key Takeaways

 Easy to enable and has almost no Firebox load

 Globally applied – works for inbound and outbound traffic

 Very accurate, so use exceptions sparingly



Botnet Detection Configuration

 Overview of Default settings

 Demo to trigger Botnet Detection



Key Takeaways: Botnet Detection

 Botnet Detection provides an additional layer of protection for emerging threats

 Adds the IP addresses/domains to the Blocked Sites list in the background

 How to add exceptions



Tor Exit Nodes Blocking Overview

 What is Tor Exit Node Blocking?

 Which policies can you apply it to?

 Considerations when you use this service


Tor Exit Node Blocking Basics

• Blocks traffic from addresses associated with Tor exit nodes

• Does not use signatures, it uses a list of addresses

• Almost no performance impact

• Included in the Reputation Enabled Defense license

Enable Tor Exit Node Blocking

• Simple to enable – a single check box

• Operates on a global level by default

 You can disable on individual policies, if necessary

• You can make exceptions for specific addresses

Important Notes

• Uses the Blocked Sites list functionality – similar to Botnet Detection

• Addresses come from official Tor lists and from Reputation Enabled Defense

Key Takeaways

 Easy to enable and has almost no Firebox load

 Works for inbound traffic from Tor exit nodes

 Exceptions should be rare



Tor Exit Node Blocking Configuration

 Enable Tor Exit Node Blocking globally

 Per-policy configuration

 Address exceptions

Key Takeaways

 Enabled globally from the Botnet Detection menu

 You can disable on individual policies

 Add exceptions from the Blocked Sites Exceptions menu


Geolocation Overview

 How does Geolocation work?

 Which policies can you apply Geolocation to?

 Deployment tips for Geolocation


Geolocation Basics

• Public subnets are assigned to specific countries

• Geolocation contains a list of addresses based on this country information

• Almost no performance impact – no scanning engine

• Included in the Reputation Enabled Defense license

Enable Geolocation

• You can enable Geolocation on any type of policy

• Works on inbound and outbound connections

• Create individual actions to allow for different country lists per policy

• You can make exceptions for specific addresses

Important Notes

• Do not block every country outside of your own – consider hosting services and content delivery networks

• Mostly blocks low-level attacks – targeted attacks will come from IPs in other countries
Key Takeaways

 Works on all policy types – no decryption necessary

 Very low load, almost no performance impact

 Do not block most of the world, because much of the Internet will stop working

Geolocation Configuration

 Defaults and methodology

 Geolocation policies overview

 Configuration: Block traffic from an entire country

 Demo: Geolocation UI, logs, and reports



Key Takeaways: Geolocation

 Use lookup to check where an IP is based

 Monitor first, then take action

 Common mistake:

 AV signature updates for clients get blocked


DNSWatch Overview

 How does DNSWatch work on the Firebox?

 Can you apply DNSWatch to policies?

 Tips for DNSWatch


Enable DNSWatch

• Simple to enable – a single check box

• Operates on a global level, no need to configure policies

• Enforcement is optional and configurable on Firebox interfaces

• You can make exceptions for specific domains – conditional forwarding

• Almost no Firebox load

Important Notes

• The Firebox will use the DNSWatch resolvers for its own traffic

• Client DNS requests sent to the Firebox interface IPs will be forwarded to the DNSWatch servers – with or without Enforcement enabled

• When you use a local DNS server, make sure to configure it as the first DNS server on the Firebox
Key Takeaways

 Easy to enable, select a checkbox – Enforcement is optional

 Almost no CPU load on the Firebox

 Make sure to input your local DNS server on the Firebox



DNSWatch Configuration

 How to enable DNSWatch

 Review the options for DNSWatch enforcement

 Verify that DNSWatch is operational



Key Takeaways

 When you use a local DNS server, make sure to configure it as the first
DNS server in the list

 Review the interfaces to enable enforcement for selected or all interfaces

 Use conditional forwarding for specific domains and DNS servers

 Review the Firebox DNS server list and precedence


Gateway Antivirus Overview

 How does Gateway Antivirus work?

 Which policies can you apply Gateway Antivirus to?

 Useful tips for Gateway Antivirus


Enable GAV

• You can enable Gateway Antivirus only on protocol-specific policies

• Works on inbound and outbound connections

• Scans full files up to the scan size limit

• Exceptions for MD5 file hashes can be made globally

• Scan engine adds some CPU load

Important Tips

• If scanning causes slowness, try to limit the file types that you scan – do not scan full URL paths

• Use the recommended scan size limit – this is the default setting on new configurations

• Use exceptions sparingly – only after you confirm details about the file
Key Takeaways

 Works only on protocol-specific policies – requires decryption for encrypted content

 Scanning engine adds to CPU load – scan fewer content types if load is
too high on the Firebox

 Use the recommended scan size limits for each Firebox model

Gateway Anti-Virus Configuration

 Overview of the GAV configuration as suggested by the Quick Setup Wizard

 Demo of GAV in action, error messages for end user and logs

 Optimization

Optimization

 GAV optimization is possible by either:

 Scanning fewer components (URL, Content Types, Body Content Type)

 Reducing the scan size

 Reducing the GAV tasks => taking shortcuts => increasing risk of infection

 Apply any optimization only if you are confident your Endpoint solution can compensate without impacting performance on hosts

Key Takeaways : Gateway Anti-Virus

 GAV is an essential component for network security

 Default values proposed by the QSW ensure you are more protected from the get-go

 Optimize GAV values if you can compensate with an Endpoint AV


IntelligentAV Overview

 How does IntelligentAV work?

 Which policies can you apply IntelligentAV to?

 Recommendations when using IntelligentAV


Enable IntelligentAV

• You can enable IntelligentAV only on protocol-specific policies with Gateway AntiVirus enabled

• Scans full files up to the scan size limit

• Does not use signatures – uses artificial intelligence

• Exceptions for MD5 file hashes can be made globally

• Scan engine adds noticeable CPU load

• Only available on Fireboxes with 4GB or more memory

Deployment Tips

• If scanning causes slowness, try to limit the file types that you scan – do not scan full URL paths

• Use the recommended scan size limit – this is the default setting on new configurations

• Use exceptions sparingly – only after you confirm details about the file
Key Takeaways

 Works only on protocol-specific policies with Gateway AntiVirus – requires decryption for encrypted content

 Scanning engine noticeably adds to CPU load – scan fewer content types
if load is too high on the Firebox

 Use the recommended scan size limits for each Firebox model

IntelligentAV Configuration

 IntelligentAV configuration

 IntelligentAV demo

 Error messages and logs



Key Takeaways – IntelligentAV

 Powerful network security service

 Can detect zero-day malware without sandboxing or delay

 Disabled by default (not enabled by the setup wizards)

 Only available for Firebox models with 4 GB or more of memory


APT Blocker Overview

 How does APT Blocker work?

 Which policies can you apply APT Blocker to?

 Recommendations when using APT Blocker


Enable APT Blocker

• You can enable APT Blocker only on protocol-specific policies with Gateway AntiVirus enabled

• Checks files after Gateway AntiVirus and IntelligentAV

• Checks full files up to the scan size limit, or up to 10MB, whichever is lower

• Does not use signatures – uses cloud sandbox testing

• PDF files are not scanned by default

Deployment Tips

• Exceptions for MD5 file hashes can be made globally for trusted files

• Use the recommended scan size limit for your Firebox – shared with the antivirus engines

• Set up alerts for bad files – especially important for unknown files that you get a result for later

• For SMTP, decide if you want a delay on email with unknown attachments
Key Takeaways

 Works only on protocol-specific policies with Gateway AntiVirus – requires decryption for encrypted content

 No scan engine on the Firebox, so no load increase

 Set up alerts for bad files, because files that were originally unclassified
might end up being threats

APT Blocker Configuration

 APT Blocker configuration

 APT Blocker demo

 Notifications and logs



Key Takeaways – APT Blocker

 Essential network security service

 Detects and prevents zero-day malware

 Enabled by default in the setup wizards

 Provides better protection against emerging threats


WebBlocker Overview

 How does WebBlocker work?

 Which policies can you apply WebBlocker to?

 Useful tips for WebBlocker


Enable WebBlocker

• You can enable WebBlocker on protocol-specific policies only

• Works on outbound connections only

• Scans domains on encrypted connections, or URLs on decrypted connections

• Low performance impact on the Firebox

Important Tips

• A large number of exception lists can cause slowness – use the global exception list for common exceptions

• You can also use policies to deny websites without using WebBlocker to categorize them

• Use exceptions sparingly – only after you confirm details about the website
Key Takeaways

 Works only on protocol-specific policies – requires decryption for URL path categorization

 Adds very little load to the Firebox – small amount of latency during
category lookups

 Add allow exceptions after you verify the website is safe



WebBlocker Configuration

 Review suggested WebBlocker configuration

 Create strict WebBlocker profile

 Demo: WebBlocker in action, including error messages and logs

 Enable TLS content inspection

 Add WebBlocker exceptions

 Methodology and troubleshooting tips



Key Takeaways: WebBlocker

 WebBlocker is a good companion to Gateway AntiVirus:

 typos, malicious websites, phishing

 default categories address most important security risks

 Cannot present Deny and Warning messages on HTTPS pages without TLS content inspection

 Gather data first, then discuss with stakeholders

 Pair with Application Control to enhance results

 Increase cache or install on-premises WebBlocker to boost performance



spamBlocker

 Overview of the spamBlocker configuration

 Handling exceptions and troubleshooting



Troubleshooting spamBlocker

Key Takeaways – spamBlocker

 spamBlocker helps to protect you from unwanted emails and malware

 Depends on DNS servers for performance

 How to handle exceptions, if necessary

 How to report false positives and negatives

 notspam-feedback@watchguard.com for false positives

 spam-feedback@watchguard.com for false negatives


spamBlocker Configuration

 How does spamBlocker work?

 Which policies can you apply spamBlocker to?

 Useful tips for spamBlocker


Enable spamBlocker

• You can enable spamBlocker on protocol-specific policies only

• Works on inbound connections only

• Low performance impact on the Firebox

• Checks exceptions before filtering spam

Important Tips

• Use exceptions sparingly – only after you confirm details about the sender or domain

• Be mindful of the option to block email when the spamBlocker server is down

• Do not use the option to send log messages for email that is not spam – this will flood the logs
Key Takeaways

 Works only on protocol-specific policies – requires email policies

 Adds very little load to the Firebox – small amount of latency to submit
samples for analysis

 Add allow exceptions after you verify the sender or domain is safe
EDR Core Licensing

• EDR Core licenses are included in Total Security Suite

o Number of licenses depends on the Firebox model

o Licenses follow Firebox allocation in WatchGuard Cloud

o Cannot purchase more beyond what TSS provides

• Accounts can only have EDR Core or EPP/EDR/EPDR

o EDR Core is disabled when other Endpoint Security licenses are active

• Endpoint Security modules are not supported

EDR Core Layered Protection

• Threat Hunting Services

• Anti-Exploit Technology

• Contextual Detections

• Antivirus Technologies
CERTIFICATES

Firebox Certificates Overview

 Certificate types to import on the Firebox

 Certificate formats that the Firebox accepts

 Important tips for certificate management


Certificate Categories

Web Server

• Used for most Firebox functions

 Management access

 Web portals (Fireware Web UI, Authentication Portal, Access Portal, etc.)

 VPNs (BOVPN, mobile VPN)

 Proxy Server inbound traffic with TLS decryption (Content Inspection)

Certificate Authority

• Proxy Authority outbound traffic with TLS decryption (Content Inspection)

 Certificate re-signing using this CA

• Trusted Certificate Authorities for the Firebox

Certificate Formats

• Base64 encoded PEM file

 Unencrypted

 Typically requires you to import multiple files

• PFX (PKCS #12) archive file

 Encrypted with a passphrase

 Typically contains a full certificate chain

Important Tips

• Plan for certificate expiration

• Do not lose or distribute your private key

• Make sure to import the correct type of certificate to the relevant Firebox certificate category

Key Takeaways

 Most certificates you import will be web server certificates

 PFX files are the simplest import option

 Plan your certificate deployment, and prepare for certificate expirations


Firebox Web Server Certificate Overview

 Function of the Firebox web server certificate

 Why do certificate warnings appear by default?

 How to resolve the certificate warnings


Key Takeaways

 The default Firebox web server certificate is missing valid domain information and is not signed by a trusted CA – causes browser warnings

 This certificate is used for all HTTPS web pages on the Firebox itself

 Replace this certificate with either a publicly-signed or a privately-signed certificate
Firebox Trusted CA Certificates Overview

 Where can I find the trusted CA certificates?

 What are the trusted CA certificates used for?

 Update the trusted CA certificates


Key Takeaways

 Trusted CA certificates are filtered from the default view – you rarely have
to make changes to them

 The Firebox uses trusted CA certificates for proxy functionality

 Use the automatic update option – manually update as necessary


Firebox Proxy Authority Certificate Overview

 What is the Proxy Authority certificate used for?

 What type of certificate can be used for the Proxy Authority?

 Distribution of the Proxy Authority certificate


Key Takeaways

 The Proxy Authority certificate is used for outbound content inspection – we recommend you create your own certificate for this purpose

 Only CA certificates can be used for the Proxy Authority – third-party certificate authorities will not sell you an intermediate CA certificate

 If you are not using a local CA server that your clients already trust, you must deploy the Proxy Authority certificate manually on clients
Firebox Proxy Server Certificates Overview

 What are the Proxy Server certificates used for?

 What type of certificate can be used for the Proxy Server?

 Using multiple Proxy Server certificates


Key Takeaways

 Proxy Server certificates are used for inbound content inspection – multiple certificates are required for multiple domains

 Web Server certificates are used for the Proxy Server – you can purchase certificates from third-party certificate authorities

 If you create your own privately-signed Web Server certificate, external clients will receive certificate warnings
AUTHENTICATION
Authentication Overview

 Why use authentication?

 Built-in Firebox authentication options

 Third-party authentication servers

 Recommendations and important notes


Authentication Basics
• Provides additional security—only authorized users can send traffic on the network
• Gives you granular control over resource access
• Allows you to track user behavior and productivity with logs and reports
• Allows you to track management user changes
• Allows you to perform security audits

Built-in Firebox Options

Firebox-DB
• Simplest option—no external requirements
• Works with all authentication features on the Firebox
• Requires users to type in their passphrases in the management interface—no self-service options
• Does not integrate with third-party authentication servers

AuthPoint
• Provides multi-factor authentication support
• Works with all authentication features on the Firebox, with limited WSM support
• Does not require external AuthPoint Gateway software
Third-party Authentication Options

RADIUS
• Includes SecurID and other similar authentication standards
• Microsoft NPS integrates with Active Directory
• Works with all authentication features on the Firebox; required for Mobile VPN with IKEv2 or L2TP
• Excellent option for Single Sign-On (SSO)

LDAP
• Includes Active Directory (AD) or any server that supports LDAP
• Works with most authentication features on the Firebox; not available for Mobile VPN with IKEv2 or L2TP
• AD available for SSO, but requires additional software
Authentication Notes
• Users or groups must be manually added on the Firebox, and those objects are case-sensitive
• For third-party options, user names, passphrases, and timeouts are set up on the server
• For increased security, restrict policies to users and groups only, and watch out for policies with built-in aliases
• External users can be configured on a separate server
Key Takeaways

 Authentication is critical for security and is required for audits and legal issues

 Verify policy configuration for local and remote users—lock things down

 Use a variety of authentication options; multiple servers and domains are supported
Authentication Portal

 What is the Authentication Portal?

 Authentication settings

 Using the Authentication Portal


Authenticating Users (diagram)

Portal: users authenticate manually
SSO: the Firebox authenticates users automatically

Hosts shown: Jerry, Sarah, Bob; addresses 10.0.100.62, 10.0.100.79, 10.0.100.213
Key Takeaways

 Authentication Portal enables manual authentication to the Firebox

 SSO is best for environments that authenticate users automatically, but the Authentication Portal can be a useful backup

 WG-Auth policy must be enabled for users to access the portal

 Branding can be customized in the Authentication Portal settings

 Unauthenticated users can be redirected to the portal automatically when their traffic is denied as unhandled

Firebox-DB Authentication

 Create users and groups

 Use Firebox-DB users in policies

 Manage authenticated users


Firebox-DB Authentication (diagram)

Firebox-DB contains Management Accounts and User Accounts and Groups

Key Takeaways

 Firebox-DB is a built-in authentication system for firewall policies, mobile VPNs, and other features

 You create users in the Firebox-DB and add them to groups

 The Authentication Portal enables users to authenticate to the Firebox and use firewall policies

 To improve searches and reporting, authenticated users are added to traffic logs

Active Directory and LDAP

 Add LDAP servers

 Add LDAP users and groups

 Manage LDAP authentication

 Test LDAP connection


Authenticating Users (diagram)

Client: "I need to authenticate"
Firebox: "Let me check with AD"
Domain Controller (10.0.100.79): "These credentials are good!"

Clients shown: Sarah (10.0.100.213), Bob

Key Takeaways

 Use the wizard to add Active Directory servers to the Firebox

 Enable LDAPS to improve the security of the connection

 Remember to configure internal DNS on the Firebox for domain names

 In the configuration, define third-party users and groups that you want to use in firewall policies and mobile VPNs

 The Fireware Web UI connection tester is a great way to troubleshoot problems with Active Directory and LDAP

RADIUS

 Add RADIUS servers

 Add RADIUS users and groups

 Manage RADIUS authentication


Authenticating Users (diagram)

Client: "I need to authenticate"
Firebox: "Let me check with RADIUS"
RADIUS Server (10.0.100.79): "According to AD, these credentials are good!"

Clients shown: Sarah (10.0.100.213), Bob

Key Takeaways

 You can add as many RADIUS servers as you need to the Firebox

 The RADIUS shared secret must match what is set on the server

 Adjust the RADIUS dead time if you use a single RADIUS server

 In the configuration, define third-party users and groups that you want to use in firewall policies and mobile VPNs
Mobile VPN Overview

 Why do we need mobile VPN?

 What types of mobile VPN are available?

 Recommendations for mobile VPN


Virtual Private Networks (VPNs) (diagram)

Mobile VPN client with virtual IP address 192.168.114.153/24 connects through the Firebox to the Local LAN 10.0.10.0/24 (hosts 10.0.10.156 and 10.0.10.3)
Mobile VPN Types

IKEv2
• Best throughput and security
• Easy to deploy on all platforms using scripts or configuration files
• Allows pre-logon VPN connections
• Can be mass-deployed to clients
• Client-controlled routing

SSL (TLS)
• Communication ports can be customized
• Very easy to do split-tunneling
• Works with all authentication servers directly
• Firebox-controlled routing
Mobile VPN Types

L2TP (IKEv1 Main Mode)
• Requires no client software at all
• Works on any operating system, including legacy ones and Linux
• Allows pre-logon VPN connections
• Can be mass-deployed to clients
• Client-controlled routing

IPSec (IKEv1 Aggressive Mode)
• Allows independent virtual pool subnets for different users or groups
• Works with all authentication servers directly
• Firebox-controlled routing
Mobile VPN Policies

Connect
• Allows remote clients to reach the external interface(s) of the Firebox
• Used for authentication
• Hidden for IKE-based VPNs

Access
• Allows groups and users to access internal resources
• Default policy allows users to access all ports and protocols
• Recommended to disable the default policy and add groups to appropriate policies
Important Tips
• In most cases, it is best not to overlap the virtual IP pool with other networks – primarily other VPNs
• Default encryption settings are chosen for compatibility purposes – thoroughly test any changes you make
• Ensure you have DNS configured correctly, if you want to access local resources by name
Key Takeaways

 Mobile VPN is typically the most secure way to access resources behind a
Firebox – includes local and BOVPN routing capabilities

 IKEv2 is the recommended VPN option, but choose what is best for your
environment and client devices

 Verify your encryption and DNS settings



Mobile VPN with IKEv2

 Routing behavior

 Authentication options

 Security, performance, and DNS settings


IKEv2 VPN Routing
• Tunnel routes are configured on the client
• The Firebox provides files to configure client devices
• Mass deployment is supported – no software is required (except on Android)

Key Takeaways

 If you need to change the tunnel routes, certificate, or encryption settings, then the client configuration must be updated

 Active Directory authentication is supported only through AD Network Policy Server (NPS) using RADIUS

 Highest performance and security – test cipher compatibility and performance before mass deployment

Mobile VPN with SSL

 Routing behavior

 Authentication options

 Security, performance, and DNS settings


Mobile VPN with SSL Routing
• Tunnel routes are configured on the Firebox
• The WatchGuard Mobile VPN with SSL client downloads the configuration file when it connects
• If you have to restrict local network access for a client, use the sslvpn resource default-route-client CLI command to create a zero-route tunnel

Key Takeaways

 If you have to change the tunnel route configuration, the WatchGuard Mobile VPN with SSL client will download the changes when it next connects

 All authentication server options are available – set the most-used option as the default

 If TCP port 443 is restricted at remote locations, or you have to increase performance, use the UDP protocol on common ports such as 53
Branch Office VPN Overview

 Branch office VPN (BOVPN) topology

 What types of branch office VPNs are available?

 Recommendations for branch office VPNs


Virtual Private Networks (VPNs) (diagram)

Remote LAN 172.16.100.0/24 connects over a BOVPN to the Local LAN 10.0.10.0/24 (hosts 10.0.10.156 and 10.0.10.3)
BOVPN Types

Route-based
• Virtual interface (VIF) that supports GRE and VTI protocols
• Required for cloud VPN connections (AWS and Azure)
• Allows advanced static and dynamic routing
• No tunnel routes

Policy-based
• Classic option with gateways and tunnels
• For connections to older Fireboxes or third-party devices
• Each tunnel route counts as a separate VPN tunnel

TLS
• Useful when IPSec is not allowed at a site
• Limited deployment options (hub and spoke only)
• Low performance
IPSec IKE Options

IKEv2
• Highest performance
• Highest security
• Fault detection built-in
• No modes to select – works with both static and dynamic IPs by default

IKEv1
• Great performance – longer to establish or re-key
• Fault detection is optional and sometimes proprietary
• Use Main mode for static IPs
• Use Aggressive mode for dynamic IPs (this mode is known to be weak)
• Use only for legacy devices
Important Notes
• Recommended to use a 20+ character pre-shared key (PSK) or custom certificate for security
• Optimize encryption settings for performance – AES-GCM ciphers and elliptic curve Diffie-Hellman groups
• If a remote network overlaps with a local one, it is best to change one of the subnets – use 1:1 NAT as a last resort, or for networks that you do not manage
• BOVPN failover is only supported between Fireboxes


Key Takeaways

 Decide on the appropriate topology early and map out the networks you will use

 It is recommended to use virtual interfaces whenever possible, due to flexibility and ease of configuration

 Use IKEv2 whenever possible, along with optimized encryption (IPSec Transform) settings

Branch Office VPN

 Classic BOVPN routing behavior

 Configure gateways and tunnels

 BOVPN tunnel NAT


Classic BOVPN (Policy-based)
• Tunnel routes are used to direct traffic to the BOVPN
• Configuration must be completed in multiple menus
• Legacy third-party compatibility

Network Diagram: Satellite (10.0.20.0/24, host 10.0.20.2) – BOVPN – Headquarters (10.0.10.0/24 with eth1 IP 10.0.10.1; 10.0.11.0/24, host 10.0.11.3)

Key Takeaways

 Classic BOVPNs are used to connect to legacy equipment

 Change the IKE version, PFS group, and IPSec proposal to increase security, if your devices support it

 Traffic will be sent over the BOVPN, if the source and destination addresses match the tunnel routes

 NAT is supported in the tunnel routes, instead of the policies or global NAT settings

BOVPN Virtual Interfaces

 BOVPN options

 Configure virtual interfaces

 Troubleshoot virtual interfaces


Virtual Interfaces (Route-based)
• Routing table is used to direct traffic to the BOVPN
• Easier to configure
• Better third-party compatibility

Network Diagram: Satellite (10.0.20.0/24) – BOVPN over ISP and MPLS links – Headquarters (10.0.11.0/24)

Key Takeaways

 Virtual interfaces are the preferred BOVPN method

 Change the IKE version, PFS group, and IPSec proposal to increase
security, if your devices support it

 Use static routes with metrics, dynamic routing, and SD-WAN actions to
direct traffic to the VPN

 To control the allowed BOVPN traffic, use the wizard to create policies
