Define Firebox Global Settings

In the global settings for your Firebox, you can specify the settings that control the actions of many of the features available on your Firebox. You can also enable more than one Device Administrator to log in to your Firebox at the same time.

You can configure the basic parameters for:

  • Web UI port
  • Automatic reboot
  • Device feedback
  • Fault reports
  • Device administrator connections
  • Traffic generated by the Firebox
  • ICMP error handling
  • TCP SYN packet and connection state verification
  • TCP connection idle timeout
  • TCP maximum segment size (MSS) adjustment
  • Traffic management and QoS

Change the Web UI Port

By default, Fireware Web UI uses port 8080.

To change the default port:

  1. In the Web UI Port text box, type or select a different port number.
  2. Use the new port to connect to Fireware Web UI and test the connection with the new port.

Automatic Reboot

You can schedule your Firebox to automatically reboot at the day and time you specify.

To schedule a reboot for a Firebox managed by a WatchGuard Management Server, go to Schedule Reboot.

To schedule an automatic reboot for your Firebox:

  1. Select the Schedule time for reboot check box.
  2. In the adjacent drop-down list, select Daily to reboot at the same time every day or select a day of the week for a weekly reboot.
  3. In the adjacent text boxes, type or select the hour and minute of the day (in 24-hour time format) that you want the reboot to start.

Device Feedback

Device feedback helps WatchGuard to troubleshoot and secure our services, assess the threat landscape, and comply with our legal obligations (such as export control rules). It is also used to improve our products and features. It can include information about how your Firebox is used and issues you encounter with your Firebox, but does not include any information about your company or any company data that is sent through the Firebox. Because of this, device feedback is technical in nature and mainly consists of non-identifiable information. All device feedback that the Firebox sends to WatchGuard is encrypted.

The Firebox sends three types of device feedback data to WatchGuard:

Basic Device Feedback

Your Firebox sends this basic device feedback data to WatchGuard each time the device reboots:

  • Firebox serial number
  • Firebox device model
  • IP address
  • Country
  • Fireware version
  • Fireware build number
  • Firebox uptime since the last restart
  • Hash of the device MAC address
  • Whether advanced device feedback is enabled (Fireware v12.4 or higher)

You cannot disable basic device feedback. If you clear the Send Advanced Device Feedback to WatchGuard check box, the Firebox continues to send basic device feedback data to WatchGuard.

Firebox Cloud devices do not send basic device feedback data to WatchGuard unless advanced device feedback is enabled.

Advanced Device Feedback (Optional)

When you create a new configuration file for your Firebox your Firebox is configured to send advanced device feedback to WatchGuard.

If you do not want to send advanced device feedback to WatchGuard, you can disable it at any time. To disable advanced device feedback on your Firebox, clear the Send Advanced Device Feedback to WatchGuard check box.

When the Send Advanced Device Feedback to WatchGuard check box is enabled, the Firebox sends advanced feedback data to WatchGuard in a compressed file once every six days and each time the device reboots. To conserve space on the Firebox, the advanced feedback data is removed from the Firebox after it is sent to WatchGuard.

Advanced device feedback data includes the following information:

Threat Telemetry (Optional)

When you create a new configuration file for your Firebox or upgrade your Firebox to Fireware v12.11 or higher, by default, your Firebox is configured to send threat telemetry data to WatchGuard. The WatchGuard security team uses that threat telemetry data to research and investigate the threats the Firebox detects and analyze the current threat landscape. WatchGuard then uses the anonymous aggregated data to showcase threat detection trends in the WatchGuard quarterly Internet Security Report and on the WatchGuard Cybersecurity Hub page.

This feature is only available for Fireboxes that run Fireware v12.11 or higher.

If you do not want to send threat telemetry data to WatchGuard, you can disable this feature. To disable threat telemetry feedback on your Firebox, clear the Send Threat Telemetry to WatchGuard check box.

When the Send Threat Telemetry to WatchGuard check box is enabled, the Firebox sends threat telemetry data to WatchGuard in a compressed file daily and each time the device reboots. To conserve space on the Firebox, threat telemetry data is removed from the Firebox after it is sent to WatchGuard.

Threat telemetry data can include the following information for threats detected by the security services enabled on the Firebox:

  • Incident time
  • Security service that detected the incident
  • Proxy policy that handled the traffic
  • Source IP address
  • Destination IP address
  • Type of virus detected
  • Threat level
  • Signature ID
  • MD5 value

The threat telemetry data sent to WatchGuard depends on the security service that detected the threat.

Fault Reports

Your Firebox collects and stores information about the faults that occur on your Firebox and generates diagnostic reports of the fault. Faults are collected for these categories:

  • Failed assertions
  • Program crashes
  • Kernel exceptions
  • Hardware problems

When you enable the Fault Reports feature, information about the faults is sent to WatchGuard once each day. WatchGuard uses this information to improve the Fireware OS and hardware. You can also review the list of Fault Reports, manually send the reports to WatchGuard, and remove Fault Reports from your Firebox.

For information about how to manage the list of Fault Reports, go to Manage Fault Reports.

To enable Fault Reports on your Firebox, select the Send Fault Reports to WatchGuard daily check box.

Device Administrator Connections

You can allow more than one user with Device Administrator credentials to log in to your Firebox at the same time to monitor and manage your Firebox. When you enable this option, users who log in to your Firebox with Device Administrator credentials must unlock the device configuration file before they can change the settings.

To enable more than one Device Administrator to log in to your Firebox at the same time, select the Enable more than one Device Administrator to log in at the same time check box.

Lock and Unlock a Configuration File

(Fireware Web UI Only)

When you enable more than one Device Administrator to connect to your Firebox at the same time, in Fireware Web UI, before a Device Administrator can change the configuration settings in the Firebox device configuration file, that user must unlock the configuration file. When the configuration file is unlocked by a Device Administrator to make changes, the configuration file is locked for all other users with Device Administrator credentials, until the Device Administrator who unlocked the configuration file either locks the configuration file again or logs out.

For information about how to enable more than one Device Administrator to log in to your Firebox at the same time, see Define Firebox Global Settings.

To unlock a configuration file, from Fireware Web UI:

At the top of the page, click the Lock icon.

To lock a configuration file, from Fireware Web UI:

At the top of the page, click the Unlocked icon.

Traffic Generated by the Firebox

In Fireware v12.2 or higher, you can configure policies to control traffic generated by the Firebox. This kind of traffic is also known as self-generated traffic or self-originated traffic.

Before you can create policies to control Firebox-generated traffic, you must select the Enable configuration of policies for traffic generated by the Firebox check box. It is important to understand the changes that occur when you enable this option. When this option is enabled:

  • You can add new policies that apply to Firebox-generated traffic.
  • The previously hidden Any-From-Firebox policy appears in the list of policies.
    This policy cannot be modified or removed.
  • The Firebox no longer sets the source IP address for Firebox-generated traffic to match a BOVPN tunnel route. This means that if your configuration includes a BOVPN tunnel, Firebox-generated traffic uses a WAN interface instead of the BOVPN tunnel.

If auto-order mode is enabled for the Policies list, these changes occur:

  • Policy order number changes for existing policies.
    This occurs because the previously hidden Any-From-Firebox policy now appears.
  • Policies that control Firebox-generated traffic appear before all other policies.
    If no other policies exist that control Firebox-generated traffic, the Any-From-Firebox is first in the list and is numbered 1.
  • Policies that you add for Firebox-generated traffic appear before the Any-From-Firebox policy because they are more granular.

For more information about this setting and policies that control Firebox-generated traffic, go to About Policies for Firebox-Generated Traffic.

To configure policies for Firebox-generated traffic, go to Configure Policies for Firebox-Generated Traffic.

For configuration examples, go to Configuration Examples for Control of Firebox-Generated Traffic.

Define ICMP Error Handling Global Settings

Internet Control Message Protocol (ICMP) settings control errors in connections. You can use it to:

  • Inform client hosts about error conditions
  • Probe a network to find general characteristics about the network

The Firebox sends an ICMP error message each time an event occurs that matches one of the parameters you selected. These messages are good tools to use when you troubleshoot problems, but can also decrease security because they expose information about your network. If you deny these ICMP messages, you can increase security if you prevent network probes, but this can also cause timeout delays for incomplete connections that can cause application problems.

Settings for global ICMP error handling are:

Fragmentation Req (PMTU)

Select this check box to allow ICMP Fragmentation Req messages. The Firebox uses these messages to find the MTU path.

Time Exceeded

Select this check box to allow ICMP Time Exceeded messages. A router usually sends these messages when a route loop occurs.

Network Unreachable

Select this check box to allow ICMP Network Unreachable messages. A router usually sends these messages when a network link is broken.

Host Unreachable

Select this check box to allow ICMP Host Unreachable messages. Your network usually sends these messages when it cannot use a host or service.

Port Unreachable

Select this check box to allow ICMP Port Unreachable messages. A host or firewall usually sends these messages when a network service is not available or is not allowed.

Protocol Unreachable

Select this check box to allow ICMP Protocol Unreachable messages.

Configure TCP Settings

Enable TCP SYN packet and connection state verification

Select this option to enable your Firebox to verify that the first packet sent through a connection is a SYN packet, without RST, ACK, or FIN flags.

If you disable this option, the connection is allowed even if the first packet sent through the connection includes RST, ACK, or FIN flags.

If you experience stability issues with some connections (for example, connections over a VPN tunnel), you can disable this option.

TCP connection idle timeout

The amount of time that the TCP connection can be idle before a connection timeout occurs. Specify a value in seconds, minutes, hours, or days. The default setting in the Web UI is 1 hour. The default setting in Policy Manager is 3600 seconds (1 hour).

You can also configure a custom idle timeout for an individual policy. For more information, go to Set a Custom Idle Timeout.

If you configure the global idle timeout setting and also enable a custom idle timeout for a policy, the custom idle timeout setting is applied to the policy instead of the global timeout setting.

TCP maximum segment size control

The TCP segment can be set to a specified size for a connection that must have more TCP/IP layer 3 overhead (for example, PPPoE, ESP, or AH). If this size is not correctly configured, users cannot get access to some websites.

The global TCP maximum segment size adjustment options are:

  • Auto Adjustment — This option enables the Firebox to examine all maximum segment size (MSS) negotiations and changes the MSS value to the applicable one.
  • No Adjustment — The Firebox does not change the MSS value.
  • Limit to — Type or select a size adjustment limit.

TCP MTU Probing

When you enable this global option, the Firebox can automatically change the size of its data packets to make sure that PMTU discovery succeeds and to avoid reduced performance caused by fragmentation.

For example, you might enable TCP MTU Probing in these cases:

  • You have a slow PPPoE connection and require smaller packets to optimize performance.
  • You want to make sure that clients on your network can access the Internet through a zero-route BOVPN tunnel on this Firebox even if the Path Maximum Transmission Unit (PMTU) discovery process cannot complete. For example, if a remote router drops a packet but does not send an ICMP Destination Unreachable or ICMP Fragmentation Needed response to the Firebox, an ICMP black hole occurs and the PMTU process cannot complete. If you enable TCP MTU probing, an ICMP black hole does not affect traffic through the zero-route BOVPN.

The TCP MTU Probing options are:

  • Disabled — Default setting.
  • Enabled Only When ICMP Network Issues Are Detected — Automatically enable TCP MTU Probing only when an ICMP error message is dropped and the PMTU discovery process cannot complete. TCP MTU Probing remains enabled for the current connection. For new connections, TCP MTU Probing is disabled by default unless a network issue is detected for the new connection.
  • Always Enabled

TCP window scale option

You can specify the TCP window scale option, as described in RFC 1323. To configure this global setting, you must use Fireware CLI.

The CLI command is global-setting tcp-window-scale.

Enable or Disable Traffic Management and QoS

For performance testing or network debugging purposes, you can disable the Traffic Management and QoS features.

To enable these features, select the Enable all traffic management and QoS features check box.

To disable these features, clear the Enable all traffic management and QoS features check box.

Manage Traffic Flow

By default, your Firebox does not close active connections when you modify a static NAT action used by a policy. You can override this default setting and enable your Firebox to close any active connections through a policy that uses an SNAT action that you modify.

To override the default Traffic Flow setting and enable this feature, in the Traffic Flow section, select the When an SNAT action changes, clear active connections that use that SNAT action check box.

Configure the Logon Disclaimer

To force your users to agree to the terms and conditions you specify before they can log in to manage a Firebox, you can enable the Logon Disclaimer feature.

This section includes instructions to enable the Logon Disclaimer feature from Policy Manager. For instructions to enable this feature from Fireware Web UI, go to Configure the Logon Disclaimer.

When you configure the logon disclaimer settings, you can specify the title of the Logon Disclaimer page and the disclaimer message text. You can also select a custom logo for the Logon Disclaimer. The image file you select must be a JPG, GIF, or PNG file, no larger than 200 x 65 pixels.

To enable and configure the Logon Disclaimer feature, from Policy Manager:

  1. In the Global Settings dialog box, select the Logon Disclaimer tab.
    The Logon Disclaimer settings appear.
  2. Select the Enable Logon Disclaimer check box.
  3. In the Page Title text box, type the text for the title of the Logon Disclaimer page.
  4. In the Specify a Disclaimer Message text box, type or paste the text for the disclaimer message.
  5. To add a custom logo to the disclaimer message:
    1. Select the Use a custom logo check box.
    2. Click Upload and select the image file.
  6. Click OK.

With the Logon Disclaimer feature enabled, the Logon Disclaimer appears when a user logs in to the Firebox through Fireware Web UI or CLI. The user must agree to the Logon Disclaimer before they can log in to the Firebox.

Users must acknowledge the Logon Disclaimer to log in to the CLI in Fireware v12.6.2 and higher.

You can also configure a logon disclaimer for connections to your Management Server. For more information, go to Define Configuration History and Change Comment Settings.

Related Topics

About Traffic Management and QoS

Set a Custom Idle Timeout