Contents

Related Topics

Define Firebox Global Settings

In the global settings for your Firebox, you can specify the settings that control the actions of many of the features available on your Firebox. You can also enable more than one Device Administrator to log in to your Firebox at the same time.

You can configure the basic parameters for:

  • ICMP error handling
  • TCP SYN packet and connection state verification
  • TCP connection idle timeout
  • TCP maximum size adjustment
  • Traffic management and QoS
  • Web UI port
  • External console connections through the serial port
  • Automatic reboot
  • Firebox fault reports

Change the Web UI Port

By default, Fireware Web UI uses port 8080.

To change the default port:

  1. In the Web UI Port text box, type or select a different port number.
  2. Use the new port to connect to Fireware Web UI and test the connection with the new port.

Automatic Reboot

You can schedule your Firebox to automatically reboot at the day and time you specify.

To schedule an automatic reboot for your Firebox:

  1. Select the Schedule time for reboot check box.
  2. In the adjacent drop-down list, select Daily to reboot at the same time every day or select a day of the week for a weekly reboot.
  3. In the adjacent text boxes, type or select the hour and minute of the day (in 24-hour time format) that you want the reboot to start.

Device Feedback

When you create a new configuration file for your Firebox, or upgrade your Firebox to Fireware OS v11.7.3 or higher, by default, your Firebox is configured to send feedback to WatchGuard.

This feature is only available for Fireboxes that run Fireware OS v11.7.3 or higher.

Device feedback helps WatchGuard to improve products and features. It includes information about how your Firebox is used and issues you encounter with your Firebox, but does not include any information about your company or any company data that is sent through the Firebox. Because of this, your Firebox data is anonymous. All device feedback that is sent to WatchGuard is encrypted.

WatchGuard uses the information from the device feedback data to understand the geographic distribution of Fireware OS versions. The data WatchGuard collects includes summarized information about which features and services are used on Fireboxes, about threats that are intercepted, and about device health and performance. This information helps WatchGuard to better determine which areas of the product to enhance to provide the most benefits to customers and users.

Use of the device feedback feature is entirely voluntary. You can disable it at any time.

When device feedback is enabled, feedback is sent to WatchGuard once every six days and each time the Firebox reboots. Device feedback is sent to WatchGuard in a compressed file. To conserve space on the Firebox, the feedback data is removed from the Firebox after it is sent to WatchGuard.

Device feedback includes this information from your Firebox:

  • Device details
    • Firebox serial number
    • Fireware OS version and build number
    • Firebox model
    • Firebox uptime since the last restart
    • Start and end time stamps for the feedback data sent to WatchGuard
  • Device sizing details
    • Count of policies
    • Number of enabled interfaces
    • Number of BOVPN tunnels
    • Number of Mobile VPN tunnels
    • Number of VLANs
    • Configuration file size
  • Performance details
    • Maximum number of concurrent sessions
    • Maximum number of proxy connections
    • Maximum amount of packet filter throughput
    • Maximum VPN throughput
    • Maximum CPU usage
    • Maximum memory usage
    • Peak proxy connection limit usage
  • Feature usage details
    • Which WatchGuard user interface sent feedback to WatchGuard: Fireware Web UI, WatchGuard System Manager, or the Command Line Interface
    • Whether the Firebox is under Centralized Management and the management mode for the Firebox
    • Number of Access Points (AP) configured on the Firebox
    • Authentication options configured on the Firebox
    • Whether the Firebox is a member of a FireCluster and in Active/Active or Active/Passive mode
    • Whether VoIP security feature is enabled
    • Whether Intrusion Prevention Service (IPS) is enabled
    • Logging options configured on the Firebox
    • Number of proxy actions with Subscription Services enabled in the configuration
  • Subscription Services details
    For each service, the details include whether the service is enabled, counts of the number of events for each service enabled on the Firebox, and a list of the events triggered on the Firebox for each service (includes the source IP address, protocol, and threat level of the event).
    • Intrusion Prevention Service (IPS)
    • Gateway AntiVirus (GAV)
    • WebBlocker
    • spamBlocker
    • Data Loss Prevention (DLP)
    • APT Blocker
    • Default Threat Protection
  • Access Point details
    • Whether the Gateway Wireless Controller is enabled
    • Number of AP devices configured on the Firebox
    • Number of SSIDs configured on the Firebox
    • Whether the Wireless Hotspot is enabled
  • Fully Qualified Domain Name (FQDN) details
    • Whether FQDN is in use
    • How many FQDNs are configured
    • How many FQDNs use specific domain names
    • How many FQDNs use wildcards
    • How many FQDNs are configured in packet filter policies
    • How many FQDNs are included in the Blocked Sites exception list
    • How many FQDNs are included in quota exceptions
    • How many packet filter policies include FQDN in a policy filter
    • How many sanctioned DNS servers are in use
  • Quota details
    • Whether quotas are configured on the Firebox
    • How many quota rules are configured
    • How many quota actions are configured
    • How many quota exceptions are configured
  • Mobile Security details
    • Whether Mobile Security is configured
    • How many mobile devices are connected
    • How many Android devices are connected
    • How many iOS devices are connected
    • How many mobile devices are connected through a VPN
  • Network Visibility details
    • How many interfaces have Active Scan enabled
    • The schedule interval configured for Active Scan
    • How many devices were found on your network
    • How many devices were found by Mobile Security
    • How many devices were found by Active Scan
    • How many devices were found by Exchange Monitor
    • How many devices were found by HTTP detection
    • How many devices were found by the iked process
    • How many devices were found by the SSL VPN process
  • RADIUS SSO details
    • Whether quota statistics are configured for RADIUS SSO
  • Mobile Security details
    • Whether Mobile Security is enabled
    • How many policies include a Mobile Security device group
    • How many connections were denied by a policy with Mobile Security enabled
  • Botnet Detection details
    • Whether Botnet Detection is enabled
    • How many traffic source addresses have been tested
    • How many traffic source addresses were from botnets and were dropped
    • How many traffic destination addresses were tested
    • How many traffic destination addresses that were sent to botnets were dropped

Fault Reports

Your Firebox collects and stores information about the faults that occur on your Firebox and generates diagnostic reports of the fault. Faults are collected for these categories:

  • Failed assertions
  • Program crashes
  • Kernel exceptions
  • Hardware problems

When you enable the Fault Reports feature, information about the faults is sent to WatchGuard once each day. WatchGuard uses this information to improve the Fireware OS and hardware. You can also review the list of Fault Reports, manually send the reports to WatchGuard, and remove Fault Reports from your Firebox.

For information about how to manage the list of Fault Reports, see Manage Fault Reports.

This feature is only available for Fireboxes that run Fireware OS v11.9.3 or higher.

To enable Fault Reports on your Firebox:

Select the Send Fault Reports to WatchGuard daily check box.

Device Administrator Connections

You can allow more than one user with Device Administrator credentials to log in to your Firebox at the same time to monitor and manage your Firebox. When you enable this option, users who log in to your Firebox with Device Administrator credentials must unlock the device configuration file before they can change the settings.

To enable more than one Device Administrator to log in to your Firebox at the same time:

Select the Enable more than one Device Administrator to log in at the same time check box.

Lock and Unlock a Configuration File

(Fireware Web UI Only)

When you enable more than one Device Administrator to connect to your Firebox at the same time, in Fireware Web UI, before a Device Administrator can change the configuration settings in the Firebox device configuration file, that user must unlock the configuration file. When the configuration file is unlocked by a Device Administrator to make changes, the configuration file is locked for all other users with Device Administrator credentials, until the Device Administrator who unlocked the configuration file either locks the configuration file again or logs out.

For information about how to enable more than one Device Administrator to log in to your Firebox at the same time, see Define Firebox Global Settings.

To unlock a configuration file, from Fireware Web UI:

At the top of the page, click the Lock icon.

To lock a configuration file, from Fireware Web UI:

At the top of the page, click the Unlocked icon.

Define ICMP Error Handling Global Settings

Internet Control Message Protocol (ICMP) settings control errors in connections. You can use it to:

  • Tell client hosts about error conditions
  • Probe a network to find general characteristics about the network

The Firebox sends an ICMP error message each time an event occurs that matches one of the parameters you selected. These messages are good tools to use when you troubleshoot problems, but can also decrease security because they expose information about your network. If you deny these ICMP messages, you can increase security if you prevent network probes, but this can also cause timeout delays for incomplete connections, which can cause application problems.

Settings for global ICMP error handling are:

Fragmentation Req (PMTU)

Select this check box to allow ICMP Fragmentation Req messages. The Firebox uses these messages to find the MTU path.

Time Exceeded

Select this check box to allow ICMP Time Exceeded messages. A router usually sends these messages when a route loop occurs.

Network Unreachable

Select this check box to allow ICMP Network Unreachable messages. A router usually sends these messages when a network link is broken.

Host Unreachable

Select this check box to allow ICMP Host Unreachable messages. Your network usually sends these messages when it cannot use a host or service.

Port Unreachable

Select this check box to allow ICMP Port Unreachable messages. A host or firewall usually sends these messages when a network service is not available or is not allowed.

Protocol Unreachable

Select this check box to allow ICMP Protocol Unreachable messages.

Configure TCP Settings

Enable TCP SYN packet and connection state verification

Select this option to enable your Firebox to verify that the first packet sent through a connection is a SYN packet, without RST, ACK, or FIN flags.

If you disable this option, the connection is allowed even if the first packet sent through the connection includes RST, ACK, or FIN flags.

If you experience stability issues with some connections (for example, connections over a VPN tunnel), you can disable this option.

TCP connection idle timeout

The amount of time that the TCP connection can be idle before a connection timeout occurs. Specify a value in seconds, minutes, hours, or days. The default setting in the Web UI is 1 hour and the default setting in Policy Manager is 3600 seconds.

You can also configure a custom idle timeout for an individual policy. For more information, see Set a Custom Idle Timeout.

If you configure this global idle timeout setting and also enable a custom idle timeout for a policy, the custom idle timeout setting takes precedence over the global idle timeout setting for only that policy.

TCP maximum segment size control

The TCP segment can be set to a specified size for a connection that must have more TCP/IP layer 3 overhead (for example, PPPoE, ESP, or AH). If this size is not correctly configured, users cannot get access to some websites.

The global TCP maximum segment size adjustment options are:

  • Auto Adjustment— This option enables the Firebox to examine all maximum segment size (MSS) negotiations and changes the MSS value to the applicable one.
  • No Adjustment— The Firebox does not change the MSS value.
  • Limit to— Type or select a size adjustment limit.

TCP MTU Probing

To make sure PMTU discovery is successful, you can enable TCP MTU probing on your Firebox. When this option is enabled, clients on your network can get access to the Internet through a zero-route BOVPN tunnel configured on this Firebox, even when your Firebox has received an ICMP unreachable packet for the traffic sent through the BOVPN tunnel (an ICMP black hole was detected).

The TCP MTU Probing options are:

  • Disabled — Default setting.
  • Enabled only when ICMP network issues are detected — This option automatically enables TCP MTU Probing when an ICMP error message is dropped and the PMTU discovery process cannot complete (an ICMP black hole is detected). When the problem is resolved, TCP MTU Probing remains enabled.
  • Always enabled

TCP MTU Probing is supported in Fireware v11.9.5 and higher.

Enable or Disable Traffic Management and QoS

For performance testing or network debugging purposes, you can disable the Traffic Management and QoS features.

To enable these features:

Select the Enable all traffic management and QoS features check box.

To disable these features:

Clear the Enable all traffic management and QoS features check box.

Manage Traffic Flow

By default, your Firebox does not close active connections when you modify a static NAT action used by a policy. You can override this default setting and enable your Firebox to close any active connections through a policy that uses an SNAT action that you modify.

To override the default Traffic Flow setting and enable this feature, in the Traffic Flow section:

Select the When an SNAT action changes, clear active connections that use that SNAT action check box.

Configure the Logon Disclaimer

To force your users to agree to the terms and conditions you specify before they can log in to manage a Firebox, you can enable the Logon Disclaimer feature.

This section includes instructions to enable the Logon Disclaimer feature from Policy Manager. For instructions to enable this feature from Fireware Web UI, see Configure the Logon Disclaimer.

When you configure the logon disclaimer settings, you can specify the title of the Logon Disclaimer page and the disclaimer message text. You can also select a custom logo for the Logon Disclaimer. The image file you select must be a JPG, GIF, or PNG file, no larger than 200 x 65 pixels.

This feature is only available for Fireboxes that run Fireware OS v11.9.3 or higher.

To enable and configure the Logon Disclaimer feature, from Policy Manager:

  1. In the Global Settings dialog box, select the Logon Disclaimer tab.
    The Logon Disclaimer settings appear.
  2. Select the Enable Logon Disclaimer check box.
  3. In the Page Title text box, type the text for the title of the Logon Disclaimer page.
  4. In the Specify a Disclaimer Message text box, type or paste the text for the disclaimer message.
  5. To add a custom logo to the disclaimer message:
    1. Select the Use a custom logo check box.
    2. Click Upload and select the image file.
  6. Click OK.

With the Logon Disclaimer feature enabled, when your users connect to your Firebox and log in, the Logon Disclaimer page appears. Each user must agree to the Logon Disclaimer before they can connect to your Firebox. If they do not agree to the disclaimer, they cannot connect to the Firebox and are redirected to the Login page.

You can also configure a logon disclaimer for connections to your Management Server. For more information, see Define Configuration History and Change Comment Settings.

See Also

About Traffic Management and QoS

Set a Custom Idle Timeout

Give Us Feedback     Get Support     All Product Documentation     Technical Search