Network Security Essentials – Local Management (for locally-managed Fireboxes)
Course outline: Local vs Cloud Management, Security Services, Certificates, Authentication, Virtual Private Networks
Resources: Video Course, Lab Book, Study Guide, Course information, Exam information
NETWORK SECURITY BASICS
MAC Addresses
Example MAC address: 00-90-7F-19-04-4A – the first three octets (00-90-7F) are the OUI (vendor identifier), the last three octets are the unique device identifier
Types of MAC Addresses
Multicast – MAC address used for applications or protocols sent from one host to many, e.g. 01-00-5E-00-00-05 (01-00-5E is the multicast prefix)
Broadcast – MAC address that is sent to all devices within a local network: FF-FF-FF-FF-FF-FF
Why MAC Addresses?
Locate the MAC Address
Key Takeaways – MAC Addresses
What is an IP address?
Overview of IP addresses
IPv4: 192.168.125.152
IPv6: 2001:0db8:0000:1234:0000:0567:0008:0001
IPv4 Address: 192.168.125.152 = 11000000 10101000 01111101 10011000 (32-bit)
Network / Host split: 192.168.125.152 /24 (mask 255.255.255.0) – network part 192.168.125, host part .152
Binary: each bit is either 1 (on) or 0 (off); bit weights 128 64 32 16 8 4 2 1
Binary / Decimal conversion exercise (diagram): bit pattern 0 0 1 0 0 1 0 1 and the decimal values 35, 0, 3, 255, 1, 2 against the bit weights 128 64 32 16 8 4 2 1
Decimal / Binary: 192.168.125.152 octet by octet (bit weights 128 64 32 16 8 4 2 1)
192 = 1 1 0 0 0 0 0 0
168 = 1 0 1 0 1 0 0 0
125 = 0 1 1 1 1 1 0 1
152 = 1 0 0 1 1 0 0 0
Result: 11000000 10101000 01111101 10011000
Locate an IP in Windows
Locate an IP in Linux / MacOS
Key Takeaways IP Addresses
Understanding IP Addressing
Wireshark / TCPDUMP – ARP resolution on 192.168.1.0/24
Source              Destination        Protocol  Info
00:0c:29:c8:52:62   ff:ff:ff:ff:ff:ff  ARP       Who has 192.168.1.4? Tell 192.168.1.2
00:0c:29:2d:f0:03   00:0c:29:c8:52:62  ARP       192.168.1.4 is at 00:0c:29:2d:f0:03
Diagram: 192.168.1.2/24 (00:0c:29:c8:52:62) broadcasts "Who has 192.168.1.4? Tell 192.168.1.2"; 192.168.1.1/24 and 192.168.1.3/24 ignore the request ("Not me!"), and 192.168.1.4 (00:0c:29:2d:f0:03) answers "That's me!" with its MAC address
Network / Host: 192.168.125.152 with mask 255.255.255.0
IP Address Classes
Class A: 1.0.0.0 – 126.255.255.255, subnet mask 255.0.0.0, 16,777,214 hosts per subnet
Class C: 192.0.0.0 – 223.255.255.255, subnet mask 255.255.255.0, 254 hosts per subnet
Reserved ranges:
0.0.0.0 – 0.255.255.255: standard / default route
127.0.0.0 – 127.255.255.255: localhost / loopback
169.254.0.0 – 169.254.255.255: link-local addresses
255.255.255.255: broadcast
IP Address Classes – Class C subnetting
203.0.113.0/24 – mask 255.255.255.0
192.168.64.7/27 – mask 255.255.255.224 (bit weights per octet: 128 64 32 16 8 4 2 1)
11000000 10101000 01000000 00000111 = 192.168.64.7
11111111 11111111 11111111 11100000 = 255.255.255.224 = /27
11000000 10101000 01000000 00000000 = 192.168.64.0 (network address: IP AND mask)
11000000 10101000 01000000 00011111 = 192.168.64.31 (broadcast address: all host bits set)
192.168.64.7/23 – mask 255.255.254.0
11000000 10101000 01000000 00000111 = 192.168.64.7
11111111 11111111 11111110 00000000 = /23 = 255.255.254.0
11000000 10101000 01000000 00000000 = 192.168.64.0 (network address)
11000000 10101000 01000001 11111111 = 192.168.65.255 (broadcast address)
How to find the network IP, broadcast IP, and the usable IP address range from an IP address and its subnet mask
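The octet-to-binary conversion and the network / broadcast calculation walked through above, as an added Python example that is not part of the course material: it performs the same AND / OR steps for any IPv4 address and prefix length (including the /31 and /32 edge cases, which have no separate network and broadcast address) and reproduces the 192.168.64.7/27 and /23 results.

```python
# Added example (not from the course slides): dotted-decimal to binary and the
# network / broadcast / usable-range calculation, done with the same bitwise
# AND (network) and OR (broadcast) that the slide performs by hand.

def to_binary(ip: str) -> str:
    """Render an IPv4 address as four 8-bit groups, e.g. '11000000 10101000 ...'."""
    return " ".join(f"{int(octet):08b}" for octet in ip.split("."))

def ip_to_int(ip: str) -> int:
    """Pack the four octets into one 32-bit integer, most significant octet first."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {ip}")
    value = 0
    for octet in octets:
        value = (value << 8) | octet
    return value

def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> int:
    """/27 -> 27 one-bits followed by 5 zero-bits (0xFFFFFFE0 = 255.255.255.224)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: /{prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def subnet_info(cidr: str) -> dict:
    """Network, broadcast and usable host range for an address written as IP/prefix."""
    ip_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    ip = ip_to_int(ip_str)
    mask = prefix_to_mask(prefix)
    network = ip & mask                          # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits set
    if prefix >= 31:
        # /31 point-to-point links and /32 host routes have no separate
        # network / broadcast address: every address in the block is usable.
        first, last, usable = network, broadcast, 2 ** (32 - prefix)
    else:
        first, last = network + 1, broadcast - 1
        usable = broadcast - network - 1
    return {
        "mask": int_to_ip(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_usable": int_to_ip(first),
        "last_usable": int_to_ip(last),
        "usable_hosts": usable,
    }

if __name__ == "__main__":
    print(to_binary("192.168.125.152"))
    for cidr in ("192.168.64.7/27", "192.168.64.7/23", "203.0.113.0/24"):
        print(cidr, subnet_info(cidr))
```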
Routing
What is routing?
Types of routing
Static Routing – sends packets through a manually created path to their destination
Default Routing – sends all packets to the same hop unless a more specific route entry exists for a destination
Diagram: two routers, each with eth0 and eth1 (host addresses .1, .2, .3), connecting 192.168.2.0/24, 192.168.1.0/24 and 192.168.3.0/24
Types of NAT
What is NAT and why is it needed?
Diagram: translate 192.168.1.0/24 to an external public IP address (pool). Internal hosts: 192.168.1.1, 192.168.1.2 (Mail), 192.168.1.3 (Web); public addresses shown: 203.0.113.131 and 64.74.121.131; remote client 198.51.100.6
Inbound flows from 198.51.100.6 and their translation:
src 198.51.100.6:58881 dst 64.74.121.131:25  -> NAT -> src 198.51.100.6:58881 dst 192.168.1.2:25 (Mail)
src 198.51.100.6:58882 dst 64.74.121.131:80  -> NAT -> src 198.51.100.6:58882 dst 192.168.1.3:80 (Web)
src 198.51.100.6:58883 dst 64.74.121.131:443 -> NAT -> src 198.51.100.6:58883 dst 192.168.1.3:443 (Web)
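The inbound static NAT from the diagram, as an added Python example that is not from the course: a rule table keyed on the public IP and destination port, plus a connection table so that replies from the internal hosts are translated back to the public address. All addresses and ports are taken from the diagram above; packets that match no rule, or replies for connections the NAT never saw, are rejected.

```python
# Added example (not from the course slides): table-driven inbound NAT with a
# connection table for the reverse (reply) direction. Flow tuples come from
# the diagram: 64.74.121.131 ports 25/80/443 -> Mail 192.168.1.2, Web 192.168.1.3.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class InboundNAT:
    def __init__(self, public_ip: str, rules: dict):
        # rules: public destination port -> (internal IP, internal port)
        self.public_ip = public_ip
        self.rules = rules
        # (client IP, client port, internal IP, internal port) -> public port
        self.connections = {}

    def inbound(self, pkt: Packet):
        """Translate a packet arriving on the external interface.
        Returns None when no rule matches, i.e. the packet is dropped."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.rules:
            return None
        int_ip, int_port = self.rules[pkt.dst_port]
        self.connections[(pkt.src_ip, pkt.src_port, int_ip, int_port)] = pkt.dst_port
        return replace(pkt, dst_ip=int_ip, dst_port=int_port)

    def outbound(self, pkt: Packet):
        """Translate a reply from an internal host back to the public address.
        Only replies belonging to a known inbound connection are allowed."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        public_port = self.connections.get(key)
        if public_port is None:
            return None
        return replace(pkt, src_ip=self.public_ip, src_port=public_port)

NAT = InboundNAT("64.74.121.131", {
    25: ("192.168.1.2", 25),     # Mail
    80: ("192.168.1.3", 80),     # Web
    443: ("192.168.1.3", 443),   # Web
})

def walk_diagram():
    """Replay the three flows from the diagram; returns (translated request, translated reply) pairs."""
    client = "198.51.100.6"
    results = []
    for sport, dport in ((58881, 25), (58882, 80), (58883, 443)):
        inside = NAT.inbound(Packet(client, sport, NAT.public_ip, dport))
        reply = NAT.outbound(Packet(inside.dst_ip, inside.dst_port, client, sport))
        results.append((inside, reply))
    return results

if __name__ == "__main__":
    for inside, reply in walk_diagram():
        print("in :", inside)
        print("out:", reply)
```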
VLAN
Default VLAN 1
Access ports (untagged) carry a single VLAN: VLAN 10, VLAN 20, VLAN 30, VLAN 40
Trunk ports (tagged) carry several VLANs between switches (VLAN 10 / VLAN 20 and VLAN 30 / VLAN 40 in the diagram)
Ethernet Frame: Dst. MAC | Src. MAC | IEEE 802.1Q tag (4 bytes) | Type | Data | FCS
Trunk ports carry multiple VLANs and tag them with VLAN IDs for differentiation
Not tied to a location (floor, building) when you use trunk ports
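To show where the 4-byte 802.1Q tag sits in the frame, here is an added Python example (not from the course) that parses tagged and untagged frames and classifies the destination MAC as unicast, multicast or broadcast using the rules from the MAC address section. The sample frames are constructed for this example and reuse the OUI 00-90-7F from the slide; the other MAC addresses are made up.

```python
# Added example (not from the course slides): parse the Ethernet frame layout
# Dst MAC | Src MAC | optional IEEE 802.1Q tag (4 bytes) | Type | Data and
# classify the destination MAC. Sample frames are constructed below.
import struct

TPID_8021Q = 0x8100          # EtherType value that announces a VLAN tag
BROADCAST = bytes.fromhex("ffffffffffff")

def mac_str(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)

def mac_kind(raw: bytes) -> str:
    """Broadcast is all ones; any other address with the I/G bit (bit 0 of the
    first octet) set is multicast, e.g. 01-00-5E-xx-xx-xx for IPv4 multicast."""
    if raw == BROADCAST:
        return "broadcast"
    if raw[0] & 0x01:
        return "multicast"
    return "unicast"

def parse_frame(frame: bytes) -> dict:
    """Return the header fields; vlan_id and priority are None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    vlan_id = priority = None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q tag announced but frame is truncated")
        # TCI = 3-bit PCP (priority), 1-bit DEI, 12-bit VLAN ID; the real
        # EtherType follows the tag
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority = tci >> 13
        vlan_id = tci & 0x0FFF
        offset = 18
    return {
        "dst": mac_str(dst), "dst_kind": mac_kind(dst),
        "src": mac_str(src), "oui": mac_str(src[:3]),
        "vlan_id": vlan_id, "priority": priority,
        "ethertype": ethertype, "payload": frame[offset:],
    }

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id=None, priority=0) -> bytes:
    """Inverse of parse_frame; used here only to construct the sample frames."""
    header = dst + src
    if vlan_id is not None:
        header += struct.pack("!HH", TPID_8021Q, (priority << 13) | (vlan_id & 0x0FFF))
    return header + struct.pack("!H", ethertype) + payload

# Constructed samples: an untagged broadcast ARP request as seen on an access
# port, and an IPv4 packet carried on a trunk in VLAN 20 with priority 5.
MAC_A = bytes.fromhex("00907F19044A")   # OUI 00-90-7F from the slide
MAC_B = bytes.fromhex("000C292DF003")   # made-up unicast address
UNTAGGED_ARP = build_frame(BROADCAST, MAC_A, 0x0806, b"\x00\x01\x08\x00")
TAGGED_IPV4 = build_frame(MAC_B, MAC_A, 0x0800, b"\x45\x00\x00\x14", vlan_id=20, priority=5)

if __name__ == "__main__":
    for frame in (UNTAGGED_ARP, TAGGED_IPV4):
        print(parse_frame(frame))
```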
TCP vs. UDP
Diagram: TCP opens with a 3-way handshake (SYN, SYN-ACK, ACK), sends data with sequencing, acknowledgements and a checksum, and closes with FIN / ACK / FIN / ACK; UDP sends datagrams with a header and no handshake

TCP                                                             | UDP
----------------------------------------------------------------|---------------------------------------------------------------
Heavyweight (slower)                                            | Lightweight (faster)
Connection-oriented / reliable                                  | Datagram-oriented / unreliable
Header size is 20-60 bytes                                      | Header size is 8 bytes
3-way handshake protocol                                        | No handshake protocol
Sequencing and acknowledgment with error checking and recovery  | No sequencing and no acknowledgment; basic error checking using checksums
Rearrangement of segments                                       | No rearrangement of segments
HTTP/HTTPS, SMTP, FTP                                           | Voice/video calls, gaming, TV streaming
Important Protocols
DNS – Port 53 – TCP/UDP
HTTP – Port 80 – TCP
HTTPS – Port 443 – TCP
SSH – Port 22 – TCP
Telnet – Port 23 – TCP
(SSH and Telnet: command line access to server and network equipment)
POP3 – Port 110 (not encrypted) / Port 995 (encrypted) – TCP
SMTP – Port 25 (optional encryption) / Port 465 (encrypted) – TCP
NTP – Port 123 – UDP
Remember the most important and most used well-known ports and their protocols
Encryption
Takes plain text data (such as an email or document) and uses a secret key to encrypt it into an unreadable format, called cipher text
Symmetric:
• Same key used for encryption and decryption – shared between two or more entities
• Popular algorithms used to decrypt data
Asymmetric:
• Pair of different keys used for encryption and decryption
  o Private key (kept safe and not shared)
Diagram (symmetric): A and B share Secret A; "Hello" is encrypted to cipher text such as 29Pa3, $#v@9 or 60/K* and decrypted back to "Hello" with the same key
Asymmetric Encryption (RSA)
Diagram: A and B each hold a key pair (Public A / Private A, Public B / Private B) and exchange only the public keys; "Hello" encrypted with the recipient's public key (cipher text such as 29Pa3, $#v@9, 60/K*) is decrypted with the recipient's private key
Diffie-Hellman Key Exchange
Diagram (paint-mixing analogy): both sides start from a common public base color, each mixes in its own secret color and sends the resulting transport color over the public channel; mixing the received color with one's own secret color gives both sides the same agreed secret
Various revisions
TLS 1.0 (replaced SSL v3) – should no longer be used due to vulnerabilities
TLS 1.2 – most widely used version and remains largely secure
TLS 1.3 – made public in 2018 and brought more security and efficiency
TLS 1.2 handshake
Client -> Server: ClientHello (supported cipher suites)
Server -> Client: ServerHello (chosen cipher suite), Certificate, Signature, Key Share
Client: certificate check; calculates the session key from the server's key share + own key share; -> Server: Key Share, Finished
Server: calculates the session key from the client's and own key share; -> Client: Finished
Client -> Server: HTTP Request; Server -> Client: HTTP Response
TLS 1.3
Client -> Server: ClientHello (supported cipher suites, assumed key agreement protocol, Key Share)
Server: calculates the session key from the client's key share and own key share; -> Client: ServerHello (chosen cipher suite, key agreement), Certificate (encrypted with the session key), Signature, Key Share, Finished
Client: certificate check; -> Server: Finished
Client -> Server: HTTP Request; Server -> Client: HTTP Response
Key Takeaways – Encryption
PKI certificates are based on trust, because the signing authorities are trusted
Certificate Signing Request (CSR)
Private key: Algorithm (RSA, DSA, ECC); Length of key (depends on algorithm)
Public key: Key Usage (Encryption and/or Signature)
CSR fields:
Common Name (CN): Fully Qualified Domain Name (FQDN) or wildcard certificate (*.domain.tld)
Organization (O): Company
Locality (L): City
Country (C): Two-letter country code
Algorithms:
RSA = Named by its inventors Ron Rivest, Adi Shamir and Leonard Adleman (1024/2048/4096/8192 bits)
DSA = Digital Signature Algorithm (1024/2048/4096/8192 bits)
ECC = Elliptic Curve Cryptography (80+ bits; 256-bit ECC = 3072-bit RSA)
Example through an HTTPS Connection
Diagram: asymmetric cryptography (server certificate, checked against the trusted root certification authorities) over SSL / TLS (Transport Layer Security) establishes a session key, after which symmetric cryptography protects the data
Chain of Trust
Root CA Certificate (self-signed CA certificate): Root CA name, Root CA public key, Root CA signature
  -> validation / signing ->
Intermediate CA Certificate: Issuer CA name, Issuer CA public key; chain: Root CA public key, Root CA signature
  -> validation / signing ->
End-entity Certificate: End-entity name, End-entity public key; chain: Issuer CA public key, Issuer CA signature
Key Takeaways - Certificates
Two main types of VPN – Site-to-Site (Branch Office) and Remote Access (Host-to-Network or Mobile VPN)
VPN service providers provide a way to safely connect from public areas and hide traffic on the Internet
Site-to-Site VPN (IPSec)
IKEv1 Main Mode: six-way handshake; contains encrypted security authentication and encryption algorithms, Diffie-Hellman public key exchange, Peer IDs and hash payloads
IKEv1 Aggressive Mode: three-way handshake; less secure, as the authentication hash (PSK) is sent unencrypted; commonly used when peers have dynamic (not static) IP addresses
IKEv2: four-way handshake; higher performance; no modes required – works with dynamic and static public IP peers by default
Site-to-Site VPN (IPSec) – Tunnel Switching
Diagram: HQ terminates two VPN tunnels and forwards data from one tunnel into the other
Remote Access (Mobile VPN)
Split Tunneling vs. Default-route VPN (force all client traffic through the tunnel)
Common types: L2TP, IKEv2, IPSec, SSL (TLS) – diagram: VPN tunnel from the client to HQ
Key Takeaways - VPN
Two main types of VPN – Site-to-Site (Branch Office or Virtual Interface VPN) and Remote Access (Mobile VPN)
IPSec uses IKEv1 with Main Mode or Aggressive Mode or newer IKEv2
Setup wizards
RapidDeploy
Deployment Options
Use the Web Setup Wizard for most local management setups
Not required for cloud deployment scenarios, with DHCP internet access
The Quick Setup Wizard can reimage Fireboxes that cannot boot normally
Web UI tools
Key Takeaways
Policy Manager and Firebox System Manager (FSM) are the main tools to use in WatchGuard System Manager (WSM)
License options
Firebox activation
• WGM47201-1-011105-89BExxxx
• You can activate it for any Firebox, as long as the model matches
• The feature key unlocks all licensed features when it is installed on the Firebox
Feature Key Acquisition
• You can obtain the feature key by:
  o Automatic feature key synchronization
  o WatchGuard.com
You learned the Firebox can operate with an expired Feature Key
The rest of the networking and policies work. They are listed as "never expire" in the Feature Key
Gather relevant information before you start the wizard – you have 15 minutes to complete the wizard before hitting the timeout
If the Firebox does not have Internet access when you run the wizard, you must manually import the feature key
How to upgrade your Firewall Firmware
WebUI demo
Configuration File Compared to a Backup Image
Configuration file includes: policies, networking, Firebox-DB users
Backup image includes: configuration file, certificates, all users, feature key, metadata
You can save a configuration file on a device that runs a higher Fireware version
For a device that runs a lower Fireware version, use the OS Compatibility or Save as Version options
The device OS must be the same as the version of the backup image
If you reset a device to factory-default settings, the backup images will be deleted
User Types
Adding users
Lockout Settings
Try lab #1
System and Global Settings
System Settings
NTP
Global Settings
Key takeaways
Global settings control the Web UI port, multiple admin logins, traffic management, and the logon disclaimer
Recent product updates may
not be included in this video
RapidDeploy Overview
Purpose of RapidDeploy
Key Takeaways
Log types:
  o Traffic
  o Alarm/alert
  o Performance/statistic
Firebox Log Retention:
• The Firebox has limited internal storage
• Log volume affects how much log history is available
  o The amount of logging enabled is a major factor
Limited Firebox storage – logs are not stored for very long
You learned there are different types of logs generated by policies and the Firebox
The Firebox can send logs for updates and increased log levels
Traffic Monitor logs are great when a new policy is added or when troubleshooting, but they do not need to be enabled
Fireware Web UI
Enabling logging
Additional settings
Advanced arguments
Key Takeaways
You can run diagnostic tasks from Fireware Web UI and Firebox System Manager
Available tasks are Ping, traceroute, DNS Lookup, and TCP Dump
What is Dimension?
Deployment topologies
Dimension
Users
Generate reports
Use the space bar and wildcards to build a Log Search query
ThreatSync
What is ThreatSync?
Incidents
Policies
• Cloud based tool
Key takeaways
Network modes: Mixed Routing, Drop-In, Bridge
Mixed Routing Mode
Most common, most flexible, and default network mode; network features (VPN, NAT, routing, VLAN) and security features
Diagram: router 203.0.113.1/24 – Firebox external interface 203.0.113.254/24 – internal network 172.16.0.0/24
Drop-In Mode
Hosts keep their IP addresses; network features (static routing) and security features
Diagram: 172.16.0.0/24
Bridge Mode
Fully transparent; security features
Diagram: router 10.10.10.1/24 – Firebox – 10.10.10.0/24 on both sides
Key Takeaways – Network Modes
Mixed Routing Mode: most flexible mode with all available network and security features; each interface is configured with an individual subnet
Drop-In Mode: distributes a single (usually public) subnet across all interfaces
Bridge Mode: placed between an existing network and its gateway to filter and manage traffic; transparent in the network, with most security features but limited network features
See the WatchGuard Help Center: About Network Modes and Interfaces
Firebox Interfaces: External, Trusted, Optional, Custom
Firebox Interface Types (physical interfaces; Multi-WAN)
External
Connects to a network outside your organization
Always have a default route
Member of the Any-External alias
Firebox Interface Types
Trusted
Connects to a private LAN (local area network)
Location for workstations, laptops and secure internal resources
Member of the Any-Trusted alias
Firebox Interface Types
Optional
Connects to a mixed-trust or DMZ network
Location for public web, FTP, and mail servers
Member of the Any-Optional alias
Firebox Interface Types
Custom
Connects to an internal network of your organization
Separate from the Trusted or Optional security zones
Location for a wireless access point
Firebox Interface Types
Bridge
Combines multiple interfaces to work as a single network
Operates as a Layer 2 switch to route traffic between the interfaces
Apply policies (intra-bridge) in Fireware v12.7 and higher
Security Zone: Trusted, Optional, Custom
Firebox Interface Types
VLAN
Able to separate devices into different networks without recabling
Not tied to locations (floor, building) using trunks
Apply firewall policies to intra-VLAN traffic
Security Zone: External, Trusted, Optional, Custom
Diagram: a tagged trunk carrying VLAN ID 10 and VLAN ID 20, plus an untagged port/interface
Firebox Interface Types
Link aggregation
Groups multiple physical interfaces to work as a single logical interface
Increases the cumulative throughput beyond a single physical interface
Provides redundancy for any physical link failure
Security Zone: External, Trusted, Optional, Custom, Bridge, VLAN
Firebox Interface Aliases: Any-External, Any-Trusted, Any-Optional, Firebox, Any
Key Takeaways – Firebox Interfaces
VLANs group devices into different networks using trunks and split switches in multiple segments
See the WatchGuard Help Center: About Network Modes and Interfaces
Firebox Interface Configuration
Using DHCP Server on the interface, you can also set a pool out of the secondary network
The Firebox itself requires DNS servers for different features to work
Mobile VPN with IKEv2, SSL, IPSec, and L2TP configurations include DNS settings
Use DNS forwarding to send DNS queries for domains to specific DNS servers
Hosts must use the Firebox interface IP address as a DNS server (DHCP clients automatically receive this configuration)
Static routes: destination types, metrics
Diagram: Firebox with internal interfaces 10.0.10.1/24 and 10.0.11.1/24 (networks 10.0.10.0/24 and 10.0.11.0/24) and external interface 203.0.113.10/24; an internal router 10.0.10.2/24 / 10.0.20.1/24 reaches 10.0.20.0/24 (host 10.0.20.200/24); host 10.0.11.254/24 on 10.0.11.0/24
Key Takeaways
Use metrics to effectively combine static routes with dynamic routing and virtual interface VPNs
Firebox NAT Overview
Verify DNAT settings if Internet access fails, especially if you use a non-RFC1918 subnet on the internal network
SNAT is the most versatile NAT for inbound connections – enables you to use a single public IP for multiple purposes
Use NAT Loopback when you need local clients to reach an internal server using its public IP address
Secondary IP addresses
Diagram: Firebox interfaces 10.0.10.1/24 and 10.0.11.1/24, networks 10.0.10.0/24 and 10.0.11.0/24, hosts 10.0.10.2/24 and 10.0.11.11/24
Key Takeaways
Use the primary public IP or any available secondary IP for multiple purposes
Use NAT loopback when you need local clients to connect to an internal server with its public IP address
Key Takeaways
Most commonly known NAT type – often used for outbound traffic to the Internet
1-to-1 NAT
Diagram: Firebox interfaces 10.0.10.1/24 and 10.0.11.1/24 (networks 10.0.10.0/24 and 10.0.11.0/24), external address 203.0.113.11/24, hosts 10.0.10.2/24 and 10.0.11.11/24
Key Takeaways
Use NAT loopback when you need local clients to connect to an internal server with its public IP address
Remember to add a separate 1-to-1 NAT entry for each additional interface
Link Monitor Overview
• Business-dependent services
• All VPNs
Link Monitor Protocols
Key Takeaways
Outbound traffic and VPNs are impacted when Link Monitor fails
Link Monitor Configuration
Diagram: Firebox with external interfaces 203.0.113.10/24 and 198.51.100.10/24 (ISP side 203.0.113.1/24 and 198.51.100.1/24) and internal interfaces 10.0.10.1/24 and 10.0.11.1/24 (networks 10.0.10.0/24 and 10.0.11.0/24)
Key Takeaways
Consider which protocol (Ping, TCP, DNS) will work best – we recommend DNS
Look at live statistics in Firebox System Manager or, for longer periods, Fireware Web UI
Multi-WAN Overview
What is Multi-WAN?
Multi-WAN types
Diagram: external interfaces 203.0.113.10/24 and 198.51.100.10/24, internal interfaces 10.0.10.1/24 and 10.0.11.1/24 (networks 10.0.10.0/24 and 10.0.11.0/24)
Key Takeaways
Verify the interface order and any load balancing settings for optimal Multi-WAN behavior
SD-WAN Overview
What is SD-WAN?
SD-WAN Tips
• Make sure that you do not set metrics too low – this will cause frequent failovers
• Verify that you set metrics correctly – Link Monitor targets are key
SD-WAN Configuration
External interfaces / Internal interfaces
Traffic Management / QoS
Diagram: core switch, distribution switch, access switch; inbound and outbound traffic between internal and external
Key Takeaways
Forward and Reverse actions are always from the perspective of the device that initiates the connection
  o SRC IP, DST IP, and DST port (SRC port is not required)
The Firebox does not decide the destination for the traffic
Aliases
Create an alias
Nested aliases
Key Takeaways
Add a policy
Pre-defined templates
Custom templates
Edit templates
Key Takeaways
Proxies see more of the traffic, enabling more filters and actions
Policy properties
Policy schedules
Key Takeaways
The three main hidden policies are Any From Firebox, Unhandled Internal, and Unhandled External
What is a proxy?
Proxy Actions
Outbound:
• (Proxy)-Client
• (Proxy)-Client.Standard
• Default-(Proxy)-Client
Inbound:
• (Proxy)-Server
• (Proxy)-Server.Standard
Key Takeaways
Proxies are powerful tools that examine the data inside each packet
Proxies are only available for specific protocols, and the Firebox enforces the standards of those protocols
Diagram: A channel – receiving packet from client; analyzing contents; B channel – sending new packet to server
TLS Decryption
Diagram: the proxy holds a private key; a separate key exchange takes place on the A channel (client side) and on the B channel (server side), each with its own public certificate
Proxy vs. Packet Filter: inbound / outbound
STARTTLS and SMTPS
General Settings
STARTTLS
Attachments
Remember to consider device load and types of traffic you want to scan
Default Threat Protection Overview
Default Packet Handling:
  o Flooding
  o IP scans
  o Port scans
  o DoS/DDoS
• Can be used to manually or automatically block traffic for IPs, subnets, and domains
Reminders and Tips:
• Easily forgotten, so check all logs, not only policy logs
• Sometimes you must add critical devices to the exceptions list
Check all logs, because Traffic logs do not show Default Threat Protection events, such as Blocked Sites
Blocked sites
Blocked ports
Key Takeaways
Trigger a dummy IPS attack and view the results in the Traffic Monitor
Add exceptions
How to enable and disable IPS on policies (Global IPS menu > Policies or edit the policy)
Stick to Full Scan unless you need a performance boost AND have other layers performing full IPS scans
Key Takeaways
Per-policy configuration
Address exceptions
Key Takeaways
Do not block most of the world, because much of the Internet will stop working
Geolocation Configuration
Common mistake:
DNSWatch Configuration
Key Takeaways
When you use a local DNS server, make sure to configure it as the first DNS server in the list
Scanning engine adds to CPU load – scan fewer content types if load is too high on the Firebox
Use the recommended scan size limits for each Firebox model
Demo of GAV in action, error messages for end user and logs
Optimization
Reducing the GAV tasks => taking shortcuts => increasing risk of infection
Apply any optimization only if you are confident your Endpoint solution can compensate without impacting performance on hosts
Default values proposed by the QSW ensure you are more protected from the get-go
Scanning engine noticeably adds to CPU load – scan fewer content types if load is too high on the Firebox
Use the recommended scan size limits for each Firebox model
IntelligentAV Configuration
IntelligentAV configuration
IntelligentAV demo
Set up alerts for bad files, because files that were originally unclassified might end up being threats
Adds very little load to the Firebox – small amount of latency during category lookups
WebBlocker Configuration
spamBlocker
Troubleshooting spamBlocker
Adds very little load to the Firebox – small amount of latency to submit samples for analysis
Add allow exceptions after you verify the sender or domain is safe
• EDR Core licenses are included in Total Security Suite
Technologies: Anti-Exploit Technology, Contextual Detections, Antivirus
CERTIFICATES
Key Takeaways
This certificate is used for all HTTPS web pages on the Firebox itself
Trusted CA certificates are filtered from the default view – you rarely have to make changes to them
If you are not using a local CA server that your clients already trust, you must deploy the Proxy Authority certificate manually on clients
Firebox Proxy Server Certificates Overview
Web Server certificates are used for the Proxy Server – you can purchase certificates from third-party certificate authorities
Authentication servers: Firebox-DB, AuthPoint, RADIUS, LDAP
Authentication is critical for security and is required for audits and legal issues
Verify policy configuration for local and remote users—lock things down
Authentication settings
Portal: users authenticate manually
SSO: Firebox authenticates users automatically
Diagram: users Jerry, Sarah and Bob; hosts 10.0.100.62, 10.0.100.79 and 10.0.100.213
Key Takeaways
Firebox-DB Authentication
Diagram (Active Directory authentication): the user says "I need to authenticate", the Firebox says "Let me check with AD", and AD answers "These credentials are good!"
Key Takeaways
In the configuration, define third-party users and groups that you want to use in firewall policies and mobile VPNs
RADIUS
Diagram (RADIUS authentication): the user says "I need to authenticate", the Firebox says "Let me check with RADIUS", and the RADIUS server answers "According to AD, these credentials are good!"
Key Takeaways
You can add as many RADIUS servers as you need to the Firebox
The RADIUS shared secret must match what is set on the server
Adjust the RADIUS dead time if you use a single RADIUS server
In the configuration, define third-party users and groups that you want to use in firewall policies and mobile VPNs
Mobile VPN Overview
Diagram: a mobile VPN client with virtual IP address 192.168.114.153/24 connects through the Mobile VPN to the local LAN 10.0.10.0/24 (hosts 10.0.10.156 and 10.0.10.3)
Mobile VPN Types
Connect:
• Allows remote clients to reach the external interface(s) of the Firebox
• Used for authentication
• Hidden for IKE-based VPNs
Access:
• Allows groups and users to access internal resources
• Default policy allows users to access all ports and protocols
• Recommended to disable the default policy and add groups to appropriate policies
• In most cases, it is best not to overlap the virtual IP pool with other networks – primarily other VPNs
Mobile VPN is typically the most secure way to access resources behind a Firebox – includes local and BOVPN routing capabilities
IKEv2 is the recommended VPN option, but choose what is best for your environment and client devices
Routing behavior
Authentication options
Key Takeaways
All authentication server options are available – set the most-used option as the default
BOVPN
Diagram: remote LAN 172.16.100.0/24 connected over the BOVPN to the local LAN 10.0.10.0/24 (hosts 10.0.10.156 and 10.0.10.3)
BOVPN Types: IKEv2, IKEv1
Decide on the appropriate topology early and map out the networks you will use
Diagram: hosts 10.0.20.2 and 10.0.11.3
Key Takeaways
Change the IKE version, PFS group, and IPSec proposal to increase security, if your devices support it
Traffic will be sent over the BOVPN, if the source and destination addresses match the tunnel routes
BOVPN options
Diagram: 10.0.20.0/24 and 10.0.11.0/24 connected via ISP and MPLS links
Key Takeaways
Change the IKE version, PFS group, and IPSec proposal to increase security, if your devices support it
Use static routes with metrics, dynamic routing, and SD-WAN actions to direct traffic to the VPN
To control the allowed BOVPN traffic, use the wizard to create policies