Deploy Dimension Behind a Firebox
To provide an extra layer of security to your Dimension system, you can deploy your instance of Dimension behind a Firebox. When you configure the settings for this Firebox, make sure that the configuration meets these requirements:
- The configuration includes an HTTP or TCP-UDP proxy policy that monitors outbound HTTP traffic. The HTTP proxy action for this proxy policy must allow HTTP responses that do not include the Content-Type field in the response header.
- If the HTTP or TCP-UDP proxy policy uses an HTTPS proxy action with deep inspection enabled to monitor outbound HTTPS traffic, you must import the CA certificate used to sign the Proxy Authority CA certificate (the certificate the HTTPS proxy uses for deep inspection) to Dimension as a trusted CA certificate. With deep inspection enabled, the server certificate Dimension sees is the one re-signed by the Proxy Authority, so Dimension needs this CA to validate the server certificate when it makes outbound HTTPS connections. If validation fails, Dimension drops the connection.
- The configuration includes a WG-Logging policy to allow traffic from the external interface to a static NAT action that translates the public IP address of the Firebox to the private IP address of Dimension.
For external Fireboxes to send log messages to a Dimension instance behind a Firebox, the Firebox must have a policy to allow inbound TCP port 4115 connections, with a static NAT action to forward those connections to Dimension.
Dimension must regularly make these HTTPS connections through the Firebox:
- Sends a request to services.watchguard.com to get a unique APT token pair assigned to look up APT malware information. This automatically occurs once each day on new deployments, until the information is successfully retrieved. The only information sent to WatchGuard is the Dimension system UUID.
- Sends feedback about the instance of Dimension to WatchGuard at services.watchguard.com, if the Send feedback to WatchGuard option is selected. For more information, go to Modify Dimension System Information.
- Sends a support snapshot file to WatchGuard at services.watchguard.com, if the Send diagnostic feedback about Dimension to WatchGuard option is selected. For more information, go to Run Diagnostic Tasks on Your Dimension System.
- Retrieves details about APT malware from analysis.lastline.com.
Because Dimension is based on an Ubuntu Linux platform, it must periodically connect to the Ubuntu package repositories for OS updates that correct security and system stability issues, so you must make sure that Dimension can reach them. To get the necessary updates, Dimension must be able to resolve these addresses through DNS:
- archive.ubuntu.com
- security.ubuntu.com
Dimension must also be able to make HTTP requests to these addresses. If you use proxies in your Firebox configuration (for example, an HTTP-proxy policy), you must add exceptions so that Dimension can contact the Ubuntu addresses.
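To confirm that the outbound connections listed above actually work through the Firebox, you can run a preflight check from a Linux host on the same network segment as Dimension, so that it is subject to the same proxy policies. The script below is an added example, not WatchGuard tooling. It assumes Python 3 on that host; the DEEP_INSPECTION_CA path is a placeholder for the CA that signed the Firebox Proxy Authority certificate, and the resolver and fetcher parameters exist so the logic can be exercised with constructed stubs when no network is available.

```python
"""Egress preflight for a Dimension instance behind a Firebox.

Added example, not part of WatchGuard's Dimension or Firebox software. Run it
on a Linux host in the same network segment as Dimension (behind the same
Firebox policies) to confirm that the connections the page lists can be made:
DNS resolution and plain HTTP for the Ubuntu mirrors, and HTTPS with server
certificate validation for the WatchGuard and Lastline hosts.
"""
import http.client
import socket
import ssl

# Hosts named on the page. Dimension talks HTTPS to the first group and
# plain HTTP to the Ubuntu mirrors.
REQUIRED_HTTPS = ("services.watchguard.com", "analysis.lastline.com")
REQUIRED_HTTP = ("archive.ubuntu.com", "security.ubuntu.com")

# Assumed path: the CA that signed the Firebox Proxy Authority certificate.
# Leave as None when the HTTPS proxy does not use deep inspection.
DEEP_INSPECTION_CA = None  # e.g. "/etc/ssl/certs/firebox-proxy-ca.pem"


def resolve(host, resolver=socket.gethostbyname):
    """Resolve host through the system resolver. Returns (ok, detail)."""
    try:
        return True, resolver(host)
    except OSError as exc:
        return False, f"DNS failure: {exc}"


def http_status(host, scheme, cafile=None, timeout=10):
    """Send one HEAD request and return the HTTP status code.

    For https the default context requires a valid chain and a hostname
    match, the same validation the page says Dimension performs before it
    drops a connection.
    """
    if scheme == "https":
        ctx = ssl.create_default_context(cafile=cafile)
        if cafile:
            # Keep the system bundle too, so hosts the Firebox exempts from
            # deep inspection (served with their real certificate) still pass.
            ctx.load_default_certs()
        conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().status
    finally:
        conn.close()


def check_host(host, scheme, resolver=socket.gethostbyname,
               fetcher=http_status, cafile=None):
    """Check DNS first, then the HTTP(S) request, for one host."""
    result = {"host": host, "scheme": scheme, "dns": False, "reachable": False}
    ok, detail = resolve(host, resolver)
    result["dns"] = ok
    if not ok:
        result["detail"] = detail
        return result
    try:
        status = fetcher(host, scheme, cafile=cafile)
        result["reachable"] = True
        result["detail"] = f"{scheme.upper()} {status}"
    except ssl.SSLCertVerificationError as exc:
        # Deep-inspection failure mode: the Firebox re-signs the server
        # certificate with its Proxy Authority, and without that CA trusted
        # the chain does not validate. Dimension would drop this connection.
        result["detail"] = f"certificate validation failed ({exc}); import the Proxy Authority CA"
    except (OSError, http.client.HTTPException) as exc:
        result["detail"] = f"connection failed: {exc}"
    return result


def run_preflight(resolver=socket.gethostbyname, fetcher=http_status,
                  cafile=DEEP_INSPECTION_CA):
    """Run every required check; HTTPS hosts first, then the Ubuntu mirrors."""
    results = [check_host(h, "https", resolver, fetcher, cafile) for h in REQUIRED_HTTPS]
    results += [check_host(h, "http", resolver, fetcher) for h in REQUIRED_HTTP]
    return results


def all_ok(results):
    """True only when every host resolved and answered."""
    return all(r["dns"] and r["reachable"] for r in results)


if __name__ == "__main__":
    results = run_preflight()
    for r in results:
        mark = "OK  " if r["dns"] and r["reachable"] else "FAIL"
        print(f"{mark} {r['host']:<26} {r['detail']}")
    raise SystemExit(0 if all_ok(results) else 1)
```

A certificate validation failure on the two HTTPS hosts, with the Ubuntu mirrors passing, is the signature of deep inspection being enabled without the Proxy Authority CA trusted; a DNS failure on all four hosts usually means the Firebox or an internal resolver is not passing DNS for the segment Dimension sits on.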
When you deploy your instance of Dimension behind a firewall (a gateway Firebox or another NAT device), before you add a Firebox to Dimension for management, make sure the firewall is configured to port-forward correctly to Dimension, and then make sure your Dimension instance is configured to use the firewall's public IP address in the Public Accessibility settings. If you change the port used for connections to Dimension, you must also make sure that the firewall Dimension is behind includes a rule to forward traffic from the new port to port 443 on Dimension. For more information about how to configure Public Accessibility settings for Dimension, go to Configure General Server Settings.