Setup Wizard Default Policies and Settings
You use the Web Setup Wizard or WSM Quick Setup Wizard to set up a Firebox with a basic configuration. The setup wizards help you to configure basic network and administrative settings and automatically configure security policies and licensed security services with recommended settings.
The default policies and services that the setup wizards configure depend on the version of Fireware installed on the Firebox, and on whether the Firebox feature key includes a license for subscription services.
Default Policies in Fireware v11.11.x and Lower
For a Firebox that runs Fireware v11.11.x or lower, the setup wizards add default policies, but do not enable licensed subscription services.
The setup wizards in Fireware v11.11.x and lower add five default policies:
- FTP
- WatchGuard Web UI
- Ping
- WatchGuard
- Outgoing
With these default policies, the Firebox:
- Does not allow connections from the external network to the trusted or optional networks, or the Firebox
- Allows management connections to the Firebox from the trusted and optional networks only
- Allows outgoing FTP, Ping, TCP, and UDP connections from the trusted and optional networks
If your new Firebox was manufactured with Fireware v11.11.x or lower, the setup wizards do not enable subscription services, even if they are licensed in the feature key. To enable the security services and proxy policies with recommended settings, upgrade the Firebox to Fireware v11.12 or higher, reset it to factory-default settings, and then run the setup wizard again.
In Fireware v11.11.2 and higher, the setup wizards also automatically enable NTP on the Firebox.
Default Policies and Services
For a Firebox that runs Fireware v11.12 or higher, the setup wizards automatically configure proxy policies and enable most licensed subscription services with recommended settings. This reduces the amount of manual configuration required to use all the licensed features.
The setup wizards add eight default policies:
- FTP-proxy, with the Default-FTP-Client proxy action
- HTTP-proxy, with the Default-HTTP-Client proxy action
- HTTPS-proxy, with the Default-HTTPS-Client proxy action
- WatchGuard Web UI
- Ping
- DNS
- WatchGuard
- Outgoing
With these default policies, the Firebox:
- Does not allow connections from the external network to the trusted or optional networks, or the Firebox
- Allows management connections to the Firebox from the trusted and optional networks only
- Inspects outgoing FTP, HTTP, and HTTPS traffic, with recommended proxy action settings
- Uses Application Control, WebBlocker, Gateway AntiVirus, Intrusion Prevention, Reputation Enabled Defense, Botnet Detection, Geolocation, and APT Blocker security services to protect the trusted and optional networks
- Allows outgoing FTP, Ping, DNS, TCP, and UDP connections from the trusted and optional networks
Default Proxy Actions
For a Firebox that runs Fireware v11.12 or higher, the setup wizards create three proxy actions that are used by the default proxy policies.
Default-FTP-Client
- Used by the FTP-proxy
- Based on FTP-Client.Standard
- Gateway AntiVirus is enabled
- Logging for reports is enabled
Default-HTTP-Client
- Used by the HTTP-proxy
- Based on the HTTP-Client.Standard proxy action
- WebBlocker, Gateway AntiVirus, Reputation Enabled Defense, and APT Blocker are enabled
- Logging for reports is enabled
Default-HTTPS-Client
- Used by the HTTPS-proxy
- Based on the HTTPS-Client.Standard proxy action
- WebBlocker is enabled
- Content Inspection uses the Default-HTTP-Client proxy action, but Content Inspection is not enabled
- Logging for reports is enabled
You can edit these proxy actions to suit the needs of your network, and you can use these proxy actions for other proxy policies you add.
Default Subscription Services Configuration
For a Firebox that runs Fireware v11.12 or higher, the setup wizards enable most licensed security services by default with recommended settings if the feature key includes those features. The Botnet Detection and Geolocation features are enabled if the Firebox has a feature key for Reputation Enabled Defense.
The setup wizards configure subscription services only if the Firebox has a feature key that includes those services. If there is no feature key, or if there are no licensed subscription services in the feature key, the wizard configures the policies without subscription services enabled.
Intrusion Prevention Service
Enabled for all policies except WatchGuard and WatchGuard Web UI
- Scan mode:
  - Fast Scan for Firebox T10, T15, T30, T35, T50, T55, and all XTM models
  - Full Scan for all other models
- Actions by threat level:
  - Critical — Drop, Alarm, Log
  - High — Drop, Alarm, Log
  - Medium — Drop, Log
  - Low — Drop, Log
  - Information — Allow
In Fireware v12.0 and lower, the action for Low level threats is set to Allow by default.
For more information about Intrusion Prevention Service settings, see Configure Intrusion Prevention.
Application Control
Enabled for all policies except WatchGuard and WatchGuard Web UI
Global Application Control actions:
- Drop — Application — Crypto Admin
- Drop — Application Category — Bypass Proxies and Tunnels
For more information about Application Control settings, see Configure Application Control Actions.
Reputation Enabled Defense
Enabled for the HTTP-proxy policy
Action — Immediately block URLs that have a bad reputation, Log
For more information about Reputation Enabled Defense settings, see Configure Reputation Enabled Defense.
Botnet Detection
Enabled to block traffic from suspected botnet sites
For more information about Botnet Detection settings, see Configure Botnet Detection.
Geolocation
Enabled to identify the geographic location of connections through the Firebox
For more information about Geolocation settings, see Configure Geolocation.
WebBlocker
Enabled for the HTTP-proxy and HTTPS-proxy policies
Settings for the Default-WebBlocker action:
- Categories — The Default WebBlocker action blocks content categories you select in the setup wizard
- Server Timeout — By default, the server timeout setting is configured to deny access if the Firebox cannot connect to the WebBlocker Server.
- License Bypass — By default, the license bypass setting is configured to deny access when the WebBlocker license expires.
In Fireware v12.0 and lower, the license bypass setting is configured to allow access when the WebBlocker license expires.
For more information about WebBlocker category settings, see Change WebBlocker Categories to Deny.
For more information about the Server Timeout and License Bypass settings, see Define Advanced WebBlocker Options.
Gateway AntiVirus
Enabled for the HTTP-proxy and FTP-proxy policies
- FTP — AV scan all content (Uploads and Downloads)
- HTTP — AV scan all content (Content Types and Body Content Types)
In Fireware v12.0.1 and higher, in the Default-HTTP-Client proxy action, the action for the Windows EXE/DLL Body Content Rule is also set to AV Scan. In Fireware v12.0 and lower, the action for this rule is set to Deny by default.
Action — Drop and Alarm when a virus is found or a scan error occurs
For more information about Gateway AntiVirus settings, see Configure Gateway AntiVirus Actions.
APT Blocker
Enabled for the FTP-proxy and HTTP-proxy policies
Actions by threat level:
- High — Drop, Alarm, Log
- Medium — Drop, Alarm, Log
- Low — Drop, Alarm, Log
- Clean — Allow
In Fireware v12.0 and lower, the action for the High threat level is Block by default.
For more information about APT Blocker settings, see Configure APT Blocker.
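Because the wizard baseline depends on both the Fireware version (packet filters only below v11.12; several service defaults changed in v12.0.1) and on which services the feature key licenses, it is useful to compute the expected baseline and diff a Firebox's current settings against it when you audit a unit that was set up long ago or by someone else. The following Python helper is an added example, not WatchGuard code: it encodes the defaults described in the sections above and compares them with an observed configuration. The feature key is modelled as a plain set of service names and the observed configuration as a dict with the same keys as the baseline; both representations are assumptions made for this example, not WatchGuard's real file formats, and the sample observed configuration is constructed.

```python
"""Predict the baseline that the Firebox setup wizards produce for a given
Fireware version and feature key, and diff an observed configuration against it.

Constructed audit helper, not WatchGuard code. The feature key is modelled as a
plain set of licensed service names and the observed configuration as a dict
with the same keys the baseline uses; both are assumptions for this example."""

LEGACY_POLICIES = ("FTP", "WatchGuard Web UI", "Ping", "WatchGuard", "Outgoing")
PROXY_POLICIES = ("FTP-proxy", "HTTP-proxy", "HTTPS-proxy", "WatchGuard Web UI",
                  "Ping", "DNS", "WatchGuard", "Outgoing")
# Services the wizards enable when the feature key licenses them (v11.12+).
WIZARD_SERVICES = frozenset({"Intrusion Prevention", "Application Control",
                             "Reputation Enabled Defense", "WebBlocker",
                             "Gateway AntiVirus", "APT Blocker"})


def parse_version(text: str) -> tuple:
    """'11.11.2' -> (11, 11, 2); missing components become 0, so '12.0' sorts
    below '12.0.1' and "v12.0 and lower" is simply v <= (12, 0, 0)."""
    parts = [int(p) for p in text.strip().lstrip("v").split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected Fireware version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def expected_baseline(fireware_version: str, licensed) -> dict:
    """Return what the setup wizard configures for this version and feature key."""
    v = parse_version(fireware_version)
    licensed = set(licensed)
    if v < (11, 12, 0):
        # Wizards on v11.11.x and lower add packet filters only and never enable
        # subscription services, even when the feature key licenses them.
        return {"policies": LEGACY_POLICIES, "services": set(),
                "ntp_enabled": v >= (11, 11, 2),
                "blocked_sites_exceptions": False}
    services = licensed & WIZARD_SERVICES
    if "Reputation Enabled Defense" in licensed:
        # Botnet Detection and Geolocation are enabled on the RED license.
        services |= {"Botnet Detection", "Geolocation"}
    v12_0_or_lower = v <= (12, 0, 0)
    return {
        "policies": PROXY_POLICIES,
        "services": services,
        "ntp_enabled": True,
        "blocked_sites_exceptions": v >= (11, 12, 2),
        # Defaults that changed in v12.0.1; the first value is the older one.
        "ips_low_action": "Allow" if v12_0_or_lower else "Drop",
        "webblocker_license_bypass": "Allow" if v12_0_or_lower else "Deny",
        "apt_high_action": "Block" if v12_0_or_lower else "Drop",
        "http_exe_dll_body_rule": "Deny" if v12_0_or_lower else "AV Scan",
    }


def audit_against_baseline(observed: dict, baseline: dict) -> list:
    """List every setting where the observed config departs from the wizard
    baseline. Services are compared as sets so each one is named."""
    findings = []
    for key, expected in baseline.items():
        if key not in observed:
            findings.append(f"{key}: not present in observed config")
            continue
        if key == "services":
            for svc in sorted(expected - set(observed[key])):
                findings.append(f"services: {svc} licensed but not enabled")
            for svc in sorted(set(observed[key]) - expected):
                findings.append(f"services: {svc} enabled but not in baseline")
        elif key == "policies":
            missing = [p for p in expected if p not in observed[key]]
            if missing:
                findings.append(f"policies: missing {', '.join(missing)}")
        elif observed[key] != expected:
            findings.append(f"{key}: observed {observed[key]!r}, baseline {expected!r}")
    return findings


# Constructed sample: a Firebox on v12.0.1 whose admin restored the old
# WebBlocker license-bypass behaviour and never turned on APT Blocker.
SAMPLE_FEATURE_KEY = {"Intrusion Prevention", "Application Control",
                      "Reputation Enabled Defense", "WebBlocker",
                      "Gateway AntiVirus", "APT Blocker"}
SAMPLE_OBSERVED = {
    "policies": PROXY_POLICIES,
    "services": {"Intrusion Prevention", "Application Control",
                 "Reputation Enabled Defense", "WebBlocker", "Gateway AntiVirus",
                 "Botnet Detection", "Geolocation"},
    "ntp_enabled": True,
    "blocked_sites_exceptions": True,
    "ips_low_action": "Drop",
    "webblocker_license_bypass": "Allow",
    "apt_high_action": "Drop",
    "http_exe_dll_body_rule": "AV Scan",
}

if __name__ == "__main__":
    baseline = expected_baseline("12.0.1", SAMPLE_FEATURE_KEY)
    for line in audit_against_baseline(SAMPLE_OBSERVED, baseline):
        print(line)
```

Run stand-alone, the sample reports two deviations: APT Blocker is licensed but not enabled, and the WebBlocker license bypass is set to Allow where the v12.0.1 baseline is Deny. Version comparison is done on integer tuples rather than strings so that "11.11.2" sorts between "11.11" and "11.12" and "12.0" sorts below "12.0.1", which is exactly the boundary the version-specific notes above describe.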
Logging for Reports
For a Firebox that runs Fireware v11.12 or higher, the setup wizards also enable logging for reports, as described in Where to Enable Logging for Reports.
For packet-filter policies, logging is enabled at the policy level. For default proxy policies, logging is enabled in the proxy action.
- Send a log message — Enabled in the Ping, DNS, and Outgoing policies
- Send a log message for reports — Enabled in the Ping, DNS, and Outgoing policies
- Enable logging for reports — Enabled in the Default-FTP-Client, Default-HTTP-Client, and Default-HTTPS-Client proxy actions
For each subscription service, the actions are configured to send log messages, as described in the previous section.
The setup wizard also enables logging of these performance statistics:
- External interface and VPN bandwidth statistics
- Security Services Statistics
For more information about these log messages, see Include Performance Statistics in Log Messages.
Default Blocked Sites Exceptions
In Fireware v11.12.2 and higher, the Blocked Sites Exceptions list configured by the setup wizards includes default exceptions for servers that WatchGuard products and subscription services must connect to. For more information about the default blocked sites exceptions, see About Blocked Sites.