• Watchguard - tech notes

    XTM IPSEC iOS mobile VPN:
    http://www.watchguard.com/help/docs/wsm/xtm_11/en-us/content/en-us/mvpn/ipsec/mvpn_ipsec_ios_vpn_c.html

    Activate new device:

    http://www.watchguard.com/activate
    Log in with your WatchGuard account user name and password.
    On the Support Home tab, click Activate a Product.

    Change Device name:

     

    Enable Bridge for ETH1 and Wireless(if device is -W):

    Change the Bridge interface to static IP
    Add Static DNS servers

    Activate Subscriptions:

    1. Activate SpamBlocker Wizard:

    Put incoming SMTP server
    POP3 (not recommended)
    Prevent mail relay for the example.com domain (SMTP Proxy Action -> Address -> Mail From)

    2. Enable Intrusion Priventions

    3. Enable Botnet Detection

    4. Enable Data Loss Prevemtion

    5. Enable APT Blocker (Gateway Antivirus should be activated first)

    Enable Wireless Connections:

    Open Fireware XTM Policy Manager -> Networking -> Wireless

    Configure Firewall Policies:

    Watchguard and Watchguard Web UI and FTP policies:

    Create MGMT aliaces and add them to the policies FROM field

    HTTP-proxy:

    - Enable Application Control
    - Enable IPS
    - Create HTTP-Client-Proxy

    - Create new WebBlocker.Policy
    - Change Deny Message
    - Enable APT Blocker

    HTTPS-proxy:

    - Enable Application Control
    - Enable IPS
    - Create HTTPS-Client-Proxy

    - Create new WebBlocker.Policy

    Add Firewall Policies:

    Add HTTPS-Proxy-In (Port forwarding)
    Add HTTP-Proxy-In (Port forwarding)
    Add RDP-In Packet Filter (Port forwarding)
    Add VPN-In Packet Filter (Port forwarding)
    Add Outdoing Proxy (TCP-UDP)

    - Enable Application Control
    - Enable IPS
    - Create TCP-UDP-Proxy-Out

    Add SMTP-Out-Deny Policy (enable logging)

    Add SMTP-Out-Allow Policy

    - From - Mail server
    - Create new SMTP-Outgoing-Proxy

    - Disable APT blocker

    Delete/Disable Firewall Policies:

    Outgoing Packet Filter (TCP-UDP)

    Logging Setup (Setup -> Logging):

    Send log messages to these WatchGuard Servers:
    Select the Send log messages when the configuration for this Firebox is changed check box

  • WatchGuard IPSec Mobile VPN for iPhone

    On Watchguard:

    Create new Mobile VPN with IPSec (VPN -> Mobile VPN -> IPSec):

    Put Group Name,
    Put Passphrare, Phase1 (SHA1-3DES-DH2), Nat Traversal, Dead Peer Detection,
    Phase2 (ESP-SHA1-AES)
    Virtual IP address pool (IP addresses for mobile users)

    Create User to have access to the VPN.

    On iPhone:

     

  • Cisco to WatchGuard IPSec VPN

    On Watchguard:

    1. Create VPN -> Branch Office Gateway:

    Put PSK, Main Mode, Nat traversal, Dead Per Detection
    Create Transform Settings (SHA1-3DES-DH2)

    2. Create VPN -> Branch Office IPSec Tunnel:

    Put local and remote addresses,
    Tick Add this tunnel to the BOVPN-Alliw policies
    Add phase2 (ESP-SHA1-3DES)

    3. Create wiriwall policy for local traffic.

    On Cisco:

    crypto isakmp policy 1
      encr 3des
      authentication pre-share
      group 2

    crypto isakmp key [PSK] address [WG External IP]

    crypto ipsec transform-set POL_trans esp-3des esp-sha-hmac
      mode transport

     crypto map [POLICY] 1 ipsec-isakmp 
      set peer [WG External IP]
      set transform-set POL_trans
      match address 132

     interface Dialer0
      crypto map [POLICY]

     access-list 132 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255

     

  • Project - QNAP as WatchGuard, Router and NAS

    Task: consolidate all network devices in one secure box.

    All device mean Apple TimeCapsule, Router, NAS and HPServer with couple VMs.

    All this staff we going to move into one single box QNAP 451.

    QNAP 451 cost AUD495 and comes just with 1Gb of memory. I bought 8Gb stick for AUD48 and now able to have virtualisation inside the box. (in the future can install additional 8Gb).

    I do not think you have questions how to setup timemachine and NAS (file sharing) on QNAP. Lets concentrate on VMs and router.

    Router will be based on watchguard XTMv. https://www.watchguard.com/wgrd-products/utm/xtmv/overview
    Y    ou can download OVF file from Fireware 11.11.1 OVF Template for new installations

    The issue is that the file is not supported by QNAP VM import. You have to install VirtualBox 4, open OVF and save it again. Now you can import the OVF inside of the QNAP and configure your network adapters.

    One virtual NIC will be dedicated for internet connection, another - LAN.

    We can use same process to move VMs from HPServer to QNAP.

    Also WatchGuard Dimension server was successfuly installed for logging and analysing.

    Finally all boxes inside QNAP. Power consumtion is 28W and everithing could be backed up easely to external USB3 HDD twice a year just in case.
AustIT Remote Support

Popular tag

Who's Online

We have 182 guests and no members online

Google AdSence

AUST IT - Computer help out of hours, when you need it most.

Find out why we do it for less.

About

AUST IT will help you resolve any technical support issues you are facing onsite or remotely via remote desktop 24/7. More...

Contacts

Reservoir, Melbourne,
3073, VIC, Australia

Phone: 0422 348 882

This email address is being protected from spambots. You need JavaScript enabled to view it.

Sydney: 0481 837 077

Connect

Join us in social networks to be in touch.

Newsletter

Complete the form below, and we'll send you our emails with all the latest AUST IT news.