WatchGuard XCS Basics

WatchGuard XCS v9.1

XCS Basics: Contents

 WatchGuard XCS Overview

 Email Basics
 Installation
 Network and Mail Settings
 Anti-Virus
• Anti-Virus scanning
• Spyware scanning
• Outbreak Control
• Malformed Mail
 ReputationAuthority
 Threat Prevention
 Anti-Spam
 User Spam Quarantine
 Trusted/Blocked Senders Lists
XCS Basics: Contents

 Content Control
• Attachment Control
• Objectionable Content Filter
• Content Scanning
• Dictionaries & Lists
• Pattern Filters
 Directory Services (LDAP)
 Policies
 Monitoring
• Dashboard
• Reports
• Message History
• Logs
XCS Basics: Contents

 Administration
• Backup & Restore
• Software Updates
• Security Connection
• Tiered admin accounts
 Available Resources
• Additional resources for WatchGuard XCS support and documentation
WatchGuard XCS Overview
XCS: Extensible Content Security

 Defense in Depth: Complete Email and Web Security

Consolidation of Threats and Risks

 There are many threats to your network security, but two primary
delivery methods: Email and Web
 The XCS platform stops threats before they reach your network and
controls outbound content for complete email and web security
 XCS Feature Matrix
Model Company Email Security Web Security Other
size Subscription Subscriptions
XCS 170 500 users X LiveSecurity® Standard
XCS 370 1000 users X LiveSecurity® Standard
XCS 570 1000 users X LiveSecurity® Plus
(24/7 support)
XCS 770 4000 users X X LiveSecurity® Plus
Mid-enterprise (24/7 support)
XCS 970 7000 users X X LiveSecurity® Plus
Large (24/7 support)
Enterprise
XCS 1170 10,000+ X X LiveSecurity® Plus
Fortune 500, (24/7 support)
ISPs
Includes: Adds: Additional Options:
• Email Security includes: • Web Scanning • McAfee Anti-Virus
• Intercept Anti-Spam • OCF for Web • Email Encryption
• Kaspersky® Anti-Virus • URL Filtering • Brightmail Anti-Spam
• Reputation Authority™ • Web Reputation
• Outbreak Control • Uncategorized Web
• Attachment Control Filtering
• Objectionable Content Filter (OCF) • Web Caching
• Content Scanning • Application Web Usage
• Content Rules • Web Application Control
• Document Fingerprinting • Streaming Media Control
• Queue Replication • Web Traffic Management
• Clustering and Clustering
• Centralized Management
WatchGuard XCS Features

 Firewall-level Network and System Security

• Built on a hardened, secure operating system
 Message Delivery Security
• Email messages
• Web requests
 Content Scanning and Filtering
• Attachment Control
• Attachment Scanning with weighted dictionaries
• Objectionable Content Filter
• Document Fingerprinting
• Content Rules
WatchGuard XCS Features

 Virus Scanning
• KasperskyTM Anti-Virus
• McAfeeTM
 Outbreak Control
• Catch zero-day viruses
 Malformed Message Protection
• Protect downstream servers
WatchGuard XCS Features
 Intercept Anti-Spam
• Spam Words
• Mail Anomalies
• DNS Block List
• URL Block List
• ReputationAuthorityTM
• Token Analysis
• Sender Policy Framework (SPF)
• DomainKeysTMAuthentication
• Backscatter Detection
 Symantec Brightmail Anti-Spam option
WatchGuard XCS Features

 Threat Prevention
• Real-time threat detection and response
 Trusted and Blocked Senders List
• Allows end-user whitelisting/blacklisting
 User Spam Quarantine
• Allows end-user spam management
• Quarantine Management Server (QMS) provides quarantine services on a
separate appliance
 Secure WebMail Proxy
• Secures 3rd party webmail servers such as Outlook Web Access TM and Lotus
iNotesTM
WatchGuard XCS Features

 Secure Authentication
• RADIUS
• LDAP
• RSA SecurIDTM
• SafeWordTM and CRYPTOCardTM tokens
 Integrated and External Message Encryption
• On-box encryption with Cisco Registered Envelope Service (PostX)
• Integrate with existing third-party encryption infrastructure
 Mail Delivery Encryption (TLS)
 Policy Control
• Granular control to enforce company rules
• Apply policies to different users, IP addresses, groups, and domains.
WatchGuard XCS Features

 Directory Service (LDAP) Support

• Reject on Unknown Recipient
• Group/User imports
• Authentication
• SMTP Relay Authentication
• Mail Routing
 Clustering & Queue Replication
• Scalability
• Auto-configuring
• High Availability
• Message delivery failover
 Reporting
• Anti-Spam and mail traffic statistics
• Compliance statistics
• Domain-level granularity
WatchGuard XCS Features

 Reporting
• Anti-Spam statistics
• Content Control and compliance statistics
• Mail traffic statistics
• Domain-level granularity
• Hosted domain reports
 Dashboard
• Summary of current messaging activity
• Recent mail and web activity
• Message traffic flow status
• Message security and content control statistics
WatchGuard XCS Features

 Web Proxy
• Web Proxy proxies web traffic and controls access to external web sites
• Scans web traffic and file transfers using the system’s security and content
scanners
• URL filtering and blocking technology
• Web reputation services with ReputationAuthority
• Web access policies can be applied to different users, IP addresses groups,
and domains
• Traffic Accelerator to preserve bandwidth and efficiently use web resources
Email Basics
Objectives – Email Basics

Upon completion of this section, you will be able to:

• Describe how email is delivered
• Understand the anatomy of a mail transport system
• Understand the anatomy of an email
• Understand basics of the SMTP protocol
Anatomy of a Mail Transport System (MTS)

 An MTS consists of the following components

• Mail User Agents (MUA) or Email Clients
 Compose
 Read
 Store locally

• Mail Transfer Agents (MTA) or Mail Servers

 Relay mail to other mail servers
 Store mail in local mailboxes
Anatomy of a Mail Transport System

 Additional network components are also involved in the mail delivery

process
• Domain Name Servers (DNS)
 Resolve hostnames
 Resolve MX records to the addresses of mail servers

• Routers
 Route network packets between networks

• Firewalls
 Protect the internal network
 Prevent unauthorized access to internal network
 Prevent unauthorized access to the external network
 Anatomy of a Mail Transport System
port 25
Forward port 25 traffic to
Sending SMTP Server To: [email protected] internal mail server
Lookup MX record for example.com

Internal email server

Router/gateway Firewall

Internet
Internal DNS server

External DNS server

50.50.50.25

example.com MX record = 50.50.50.25

Email Protocols

 Sending
• The basic protocol used to send email is SMTP
• SMTP uses a TCP-based connection on port 25

 Retrieving
• Two protocols are typically used by mail clients to retrieve email
• POP uses a TCP-based connection on port 110
 Used to retrieve messages from a shared message store for offline
processing
• IMAP uses a TCP-based connection port 143
 Used to access messages on a shared message store
SMTP Basics

 SMTP is the basic protocol used to send email

 It is a simple protocol consisting of a small number of commands such
as:
• HELO or EHLO
• MAIL
• RCPT
• DATA
SMTP Reply Codes

 SMTP returns a three digit reply code to indicate success, failure or

warnings

 First digit denotes whether the response is good, bad, or incomplete:

• 2 - Success (250 OK)
• 3 - OK so far (354 Start mail input)
• 4 - Temporary failure (452 mailbox full)
• 5 - Permanent failure (550 user unknown)

 Second digit categorizes the result described by the first digit:

• 0 - Syntax
• 1 - Connection
• 5 - Mail system
Common SMTP Reply Codes

 220 Service Ready

 221 Service closing transmission channel
 250 Requested mail action okay, completed
 354 Start mail input; end with <CRLF>.<CRLF>
 452 Requested action not taken: insufficient system storage
 500 Syntax error, command unrecognized
 550 Unknown User
 552 Content Rejected
 554 Transaction failed
 Sample SMTP Conversation
mail.abc.com mail.anothercompany.com

Connect to SMTP service on port 25

SMTP server reply

Sending Receiving
SMTP server SMTP server
Connect to mail.anothercompany.com Connection received from mail.abc.com
>>> EHLO abc.com
>>> 220 mail.anothercompany.com ESMTP
Send 250 OK
EHLO abc.com >>> MAIL FROM:<[email protected]>
>>> 250 mail.anothercompany.com EHLO mail.abc.com Send 250 OK
MAIL FROM:<[email protected]> >>> RCPT TO:<[email protected]>
Send 250 OK
>>> 250 Sender OK
>>> DATA
RCPT TO:<[email protected]> Send 354 OK
>>> 250 Recipient OK >>> Subject: Hello John
DATA
>>> To: Bob
>>> 354 OK
>>> From: Bill Gates
Subject: Hello Bob
>>> Hi Bob,
To: Bob
>>> How was your vacation?
From: Bill Gates >>>.
Hi Bob, Send 250 Ok
How was your vacation? >>> Quit
. Send 221 Bye
>>> 250 Data received OK Close connection
Quit
>>> 221 Bye
Anatomy of an Email Message

 Envelope
• Never seen by the user
• Used internally by the MTA to route the message
• Contains the sender and recipient address

 Headers
• KEY:VALUE pairs that conform to RFC 822
• Each header is transmitted as a single line of text
• Some are mandatory
 Date, From, To
• Optional headers include
 Subject, Cc, Reply-To, Received, Message-ID
 Header beginning with “X-” are for custom usage
Anatomy of an Email Message

 Message body
• Actual content of the email message
• Separated from the headers by a single blank line
• All data transmitted as string of plain text characters
• Any binary message content is encoded as ASCII text.
 To transmit binary data (such as most message attachments)over
SMTP, it must be encoded as a series of ASCII-printable characters.
 There are several encoding methods, such as MIME, Base64, and
BinxHex, to encode binary data as ASCII characters.
 Anatomy of an Email Message
HELO mail.watchguard.com
MAIL FROM: [email protected]
RCPT TO: [email protected]
envelope
DATA

RECEIVED: from mail.watchguard.com (mail.watchguard.com [10.10.1.88])

by server.watchguard.com (8.11.1/8.11.1) with ESMTP id h4DKCF517028
for <[email protected]>; Tue, 13 May 2003 16:12:15 -0400 (EDT)
(envelope-from [email protected])
RECEIVED: by mail.watchguard.com (watchguard WatchGuard XCS) id 4D627D2DF1; Tue, 13 May 2003 16:12:15 -0400 (EDT)
DELIVERED-TO: [email protected]
RECEIVED: from fake (server.watchguard.com [10.10.0.2])
by mail.watchguard.com (watchguard WatchGuard XCS) with SMTP id 9056D2DE0
for <[email protected]>; Tue, 13 May 2003 16:11:06 -0400 (EDT) headers
SUBJECT: Read me please
TO: [email protected]
FROM: [email protected]
MESSAGE-ID: [email protected]
DATE: Tue, 13 May 2003 16:11:06 -0400 (EDT)
<blank line>

Hello, how are you? body

 Interact with SMTP
mail.abc.com mail.anothercompany.com

Connect to SMTP service on port 25

SMTP server reply

Sending Receiving
SMTP server SMTP server

 Use the telnet command to establish a connection to the SMTP service on

your mail system

telnet mailserver.abc.com 25

 With the SMTP commands you just learned, you can send yourself a test
message
Installation
Objectives – Installation and Configuration

Upon completion of this section, you will be able to:

• Get a Feature Key
• Understand deployment topologies for the WatchGuard XCS
• Install the WatchGuard XCS with the Web UI setup wizard
• Apply a feature key to the XCS
Feature Key

 To activate a serial number and obtain a feature key:

• Open a web browser and go to https://www.watchguard.com/activate.
• Enter your LiveSecurity user name and password. (Create a new account if you do not
have one)
• Enter the serial number for the product as it appears on your hardware device, including
the hyphens.

• Click Continue.
• From the drop-down list, select the WatchGuard XCS device.
• Click Activate.
• Copy the full feature key to a text file and save it on your computer.
Pre-Installation Considerations

 Deployment topology
• DMZ
• Parallel to firewall
• Behind firewall
 DNS changes
• MX, A, and PTR records
 Firewall changes
• For the WatchGuard XCS to process messages effectively when located
behind a network firewall, various networking ports and/or NAT rules must
be configured on the network firewall to ensure connectivity
 Outbound mail routing
• While DNS entries are required to route inbound messages through the
WatchGuard XCS, changes are required to the existing internal mail
servers to route outbound messages through the WatchGuard XCS
DMZ Deployment

 WatchGuard XCS on DMZ

• Install the XCS on the DMZ of a network firewall. Requires only one interface.
• This type of deployment prevents any direct connections from the Internet to the
internal mail servers, and makes sure the WatchGuard XCS is located on a secure
network behind the firewall.
• This is the most common deployment strategy for the WatchGuard XCS.
Parallel Deployment

 WatchGuard XCS Parallel to Network Firewall

• To deploy the WatchGuard XCS in parallel with an existing network firewall is
another secure method of deployment configuration.
• The system’s inherent firewall security architecture eliminates the risk associated
with deploying an appliance on the perimeter of a network.
• This parallel deployment eliminates any messaging traffic on the network firewall
and decreases its overall load. A second network interface must be configured to
connect to the Internet-facing network.
Internal Deployment

 WatchGuard XCS on the Internal Network

• The WatchGuard XCS can also be deployed on the internal network with a single
interface.
• Although this configuration allows a direct connection from the Internet into the
internal network, it is a perfectly legitimate configuration when required by existing
network resources.
DNS Changes

 DNS changes
• An MX (mail exchanger) record should be added to your DNS
configuration to forward incoming messages to the WatchGuard
XCS:
example.com. IN MX 0 hostname.example.com

• An "A" record should be added to resolve the domain name to an

IP address:
hostname.example.com. IN A 10.0.0.1

• A PTR record should be added to allow reverse look-ups to

succeed and prevent messages sent from the WatchGuard XCS
being marked as suspected spam:
1.0.0.10.in-addr.arpa. IN PTR hostname.example.com
Installation Steps

 Setup Wizard
• Regional settings
• Administrator password
• Customer info
• Feature Key
• Mail and scanning settings
• Start mail processing
 Mail routing
 Establish trusts for internal mail servers
 Configure internal mail servers to route outbound mail through
the XCS
Connect the WatchGuard XCS Web UI

 Connect the WatchGuard XCS.

 Use the NIC 1 interface (onboard interface on the left)

 Turn on the XCS.

 Wait at least 5 minutes for the system to initialize.
 Default XCS address is 10.0.0.1.
• Set your configuration computer to use 10.0.0.2.
Log in to the WatchGuard XCS Web UI

 Enter the hostname or IP address of your WatchGuard XCS.

 On the initial login you may receive a warning about an

untrusted certificate. Ignore the warning and continue to the site.
Installation – Web Interface
 The default user name/password is admin/admin
WatchGuard XCS Installation Wizard
 Introduction
Installation – Regional Settings

 Select your time zone location

Installation – Network Settings

 Configure the first network interface NIC 1

 You must immediately reboot if you change network or time
zone settings
Installation – Customer Information

 Enter an organization name and a server admin email address

to receive system notifications
Installation – Change Password

 Change the admin password

Installation – Feature Key

 Click Update to manually add a feature key. Paste your feature key
into the text box and click Apply.
 Click Get Feature Key to automatically download and apply your
feature key from the WatchGuard LiveSecurity service. This option
requires an Internet connection and an existing LiveSecurity account.
 Click Enter Feature Key Later to manually add the feature key after
installation.
WARNING: If you do not enter a valid feature key in this step, the
Mail Configuration and Start Processing steps of the wizard
are not displayed.
Installation – Feature Key

 Click Update to manually add a feature key. Paste your feature key
into the text box and click Apply.
 Click Get Feature Key to automatically download and apply your
feature key from the WatchGuard LiveSecurity service. This option
requires an Internet connection and an existing LiveSecurity account.
 Click Enter Feature Key Later to manually add the feature key after
installation.
WARNING: If you do not enter a valid feature key in this step, the
Mail Configuration and Start Processing steps of the wizard
are not displayed.
 Installation – Mail Configuration

 Mail Configuration :
• The email domain you are processing mail for
• Your internal mail server (for example, an Exchange server)
• Initial settings for Intercept Anti-Spam, Anti-Virus, and Attachment Control

WatchGuard Training 50
 Installation – Start Mail Processing

 Enable mail processing in the web wizard to immediately start processing

messages after the installation

51 WatchGuard Training
 Web Setup Wizard

 Click Done. Allow a minute for the XCS to initialize.

 The XCS is ready to start processing both incoming and outgoing mail
with Anti-Spam and Anti-Virus settings enabled!

52 WatchGuard Training
Mail and Network Settings
Network Configuration

 Select Configuration > Network > Interfaces

 Name Server: Use your ISP’s DNS server for faster queries.
 Set a NTP time server to ensure time is always synchronized.
Network Configuration

 Configure any other additional interfaces.

 Ping option is enabled on Interface 1 (NIC 1) by default
 Changing the network configuration requires a reboot
Mail Routing
 Define a mail route for each domain that the WatchGuard XCS will accept mail for
 Your first mail server is setup automatically during the installation wizard
Add a Mail Route
Add a Mail Route
 By default, the WatchGuard XCS accepts mail destined for its own
hostname and any other domains you define
Establish Trusts

 Internal Mail Server should be trusted

 Trusted systems are not processed by Intercept
 Create a specific access pattern (SAP) to establish trust
• Your first mail server is setup automatically during the installation wizard
Establish Trusts

 Click Add Pattern to create the specific access pattern

 Enter the IP address of your internal mail server
 Select Trust
Configure internal mail servers

 You must configure your internal mail servers (such as Exchange) to

route outbound mail through the XCS.
 Example: Exchange 2007
• Open the Exchange Management Console.
• Expand the Organization Configuration option.
• Select Hub Transport.
• Select the Send Connectors tab.
• Right-click on the existing Send Connector.
• Select Properties.
• Go to the Network tab.
• Select Route mail through the following smart hosts:.
• Click Add.
• Enter the IP address of the WatchGuard XCS system to forward outbound mail to, such
as: 10.0.1.25
• Repeat this procedure to add the addresses of all of your WatchGuard XCS systems.
• Click OK.
Configure internal mail servers
Start/Stop Messaging Services

 Select Activity > Status > Status & Utility to stop and
start mail processing.
 You can also stop/start only inbound or outbound mail.
Threat Prevention
Threat Prevention: How it Works

 Performs the tasks of determining threat levels based on IP address and

Historical statistics
 Contacted at several stages of mail delivery for a specific client IP
address:
• Connection
• Early Mail Scanning
• Full Mail Scanning
• Push to F5 or Cisco perimeter device
 Threat Prevention can detect and mitigate both Network & Application
Layer DoS Attacks
Threat Prevention: How it Works

 An overview of the default rules:

• Blacklisted: checks to see if the IP address is on the blacklist
• Directory harvesters
• Big Virus Senders
• DNS Block List clients (on more than one list)
• DNS Block List clients
• Junk Senders
• Internal DoS
• External DoS
• Excessive Senders
Threat Prevention: How it Works

 Junk Senders
• stats1h.bad_mail > 20 && stats1h.perc_ham_to_spam < 25 &&
stats5m.messages > 10 && (!is_internal && !is_mynetworks)
 Internal DoS
• open_connections > 50 && is_internal
 External DoS
• open_connections > 20 && !is_internal
 Excessive Senders
• !is_peers && !is_internal && stats1h.messages > 50000
Threat Prevention: Configuration

 Select Security > Anti-Spam > Threat Prevention > Configure

Threat Prevention: Configuration

 When you enable Threat Prevention, the default rules are enabled
Anti-Virus
Anti-Virus: Configuration

 Select Security > Anti-Virus > Anti-Virus

 
Anti-Virus: Configuration
 On the Anti-Virus page, enable the AV engine (Blue)
 Select an action and whom you want to notify for both inbound and outbound (Red)
 Use Discard mail on inbound mail to discard the message without a notification to the
sender (because usually the sender is forged). Reject mail rejects the message and
sends a notification to the sender
 Use Quarantine Mail for outbound mail, and enable notification to the administrator to
track virus outbreaks.

 
Spyware Scanning: Configuration

 Select Security > Anti-Virus > Spyware

 
 Spyware Scanning : Configuration
 
 On the Anti-spyware page, enable the spyware engine (Blue)
 Select an action and whom you want to notify for both inbound and outbound (Red)
 Use Discard mail on inbound mail to discard the message without a notification to the sender (because
usually the sender is forged). Reject mail rejects the message and sends a notification to the sender
 Use Quarantine Mail for outbound mail, and enable notification to the administrator to track spyware
outbreaks.
Outbreak Control

 A new virus may not have an anti-virus signature yet

 Action triggers if mails contain executable or office documents AND:
• Message is bulk
• Originates from an IP address that has recently sent viruses
• Originates from an IP address with a poor reputation assigned by
ReputationAuthority
• Contains unknown viral code or resembles known viral code
Outbreak Control

 Message can be quarantined for a configurable “hold” time

 Message is then periodically scanned for virus after new pattern files are
downloaded
 After hold time has elapsed, a notification can be sent to user, OR the
message can be released
 Default “hold” time is 8 hours
Outbreak Control

 Select Security > Anti-Virus > Outbreak Control

Outbreak Control

 Notifications can be customized

Malformed Mail

 Many viruses and denial of service attacks (DoS) try to elude virus
scanners by concealing themselves in malformed messages.
 The scan engines cannot detect the attachment and therefore pass the
complete message through to an internal server.
• Some mail clients try to rebuild malformed messages and may rebuild or
activate a virus-infected attachment.
• Other types of malformed messages are designed to attack mail servers
directly. Most often these types of messages are used in denial-of-service
(DoS) attacks.
 The system analyzes each message with extensive integrity checks.
Malformed messages are quarantined if they cannot be processed.
Malformed Mail

 Select Security > Anti-Virus > Malformed Mail.

Malformed Mail

 Select the Enable Malformed Scanning check box.

 Select an Action to be performed when a malformed message is
detected. The default is Quarantine Mail.
ReputationAuthority
WatchGuard Reputation Authority

 In-the-cloud model aggregates real time threat detection from thousands

of global systems
 Rejects 98.3% of unwanted email and web traffic at the perimeter
BEFORE it hits your network
 99.99% accuracy rate with defense in depth
 Included with all WatchGuard XCS appliances
ReputationAuthority and the Reputation Servers

 ReputationAuthority collects information from over 1 billion sources

• WatchGuard XCS sends information back to the ReputationAuthority servers
securely on port 443
• 3rd party synchronizations, such as Spamhaus and SORBS
• Spam traps and honey pot domains
 Correlates all information together using content as the key driver to determine an
overall reputation score
ReputationAuthority and the WatchGuard XCS

 Connection made to XCS

 XCS waits until it receives the MAIL FROM<>
 XCS queries ReputationAuthority with [email protected],
207.236.65.232, which is analyzed against the ReputationAuthority
 The ReputationAuthority returns score and a decision to reject is made
ReputationAuthority: Configuration

 Select Security > Anti-Spam > ReputationAuthority

ReputationAuthority: Configuration

 Make sure Share Statistics, Use Domain and Sender Behavior, and
Reject on Reputation are enabled and you have selected an
appropriate Rejection Threshold (Blue)
 ReputationAuthority also allows you to reject on infected IP addresses,
as well as dial-up connections. These are safe to enable (Red)
Intercept Anti-Spam
Intercept Anti-Spam Features

 Spam Words
• Filters messages based on a dictionary of typical spam words and phrases
that are matched against the message.
 Mail Anomalies
• Checks the incoming message for issues such as unauthorized SMTP
pipelining, missing headers, and mismatched identification fields.
 DNS Block List (DNSBL)
• Checks the message source against domain-based lists of hosts that have a
poor reputation. Messages can also be rejected immediately, before other
Anti-Spam processing, if the client is on a DNSBL.
 URL Block List
• Examines any URLs in the body of a message to see if they appear on a URL
block list. URL Block Lists contain a list of domains and IP addresses of URLs
that have appeared previously in spam messages.
 ReputationAuthority
• Reports a collection of metrics about the sender of a mail message, including
their overall reputation, whether the sender is a dial-up, and whether the
sender appears to be virus-infected.
Intercept Anti-Spam Features

 Token Analysis
• Detects spam based on advanced content analysis of the message against
databases of words and phrases from known spam and valid mail.
 Backscatter Detection
• Detects spam based on signature verification of the Envelope Sender and
prevents spam bounce emails to forged sender addresses.
 Sender Policy Framework (SPF)
• Checks the sending host’s SPF DNS records to identify and validate the
source of a message to determine whether a message was spoofed.
 DomainKeys Authentication
• Checks the sending host’s DomainKeys DNS records to identify and validate
the source of a message to determine whether a message was spoofed.
 Brightmail
• You can utilize the Symantec Brightmail Anti-Spam™ engine as a cost-option.
• Brightmail integrates into the overall Intercept spam score, or you can run
Brightmail independently.
Trusted and Untrusted Networks

 The WatchGuard XCS processes mail differently based on a trust

relationship

 Trusted mail
• Allows XCS to be used as a mail relay
• Bypasses Anti-Spam controls
• Used to update Token Analysis tables with trained legitimate mail

 Untrusted mail
• Cannot relay mail through XCS
• Mail is processed by Anti-Spam controls
Trusted and Untrusted Mail Sources

 XCS only processes mail through spam filters when a message

originates from an “untrusted” source
 For security and to minimize false positives, you should only trust the
internal mail server

B
IP : 203.54.97.133 untrusted
Public interface
Mask: 255.255.255.0
IP : 203.54.95.134
Mask: 255.255.255.0

IP : 10.10.0.1
Private interface
Mask: 255.255.255.0

IP : 10.10.0.2 A
Mask: 255.255.255.0 trusted
Anti-Spam: How it Works

 Three levels of spam score thresholds:

• Certainly Spam
• Probably Spam
• Maybe Spam
 Mail messages analyzed by each Intercept Anti-Spam component
 A final action is performed based on each filter’s input into the Anti-Spam
decision
 By combining the detection abilities of each Anti-Spam filter, a better
informed decision can be made
Anti-Spam: Configuration

 Select Security > Anti-Spam > Anti-Spam

 On the Anti-Spam page, configure the Spam Thresholds and
Actions
(See Blue on next slide)
 Enable Anti-Spam components as required(Red)

 
Anti-Spam: Configuration
Anti-Spam: How it Works – Decision Strategies

 Components are divided into objective and subjective categories

• Objective Components
• Subjective Components
 Message is initially classified using the subjective scores to form the
baseline
• If the subjective score is greater than the Probably Spam threshold, the
classification is lowered to either Probably Spam or Maybe Spam
• The classification is then adjusted by combining the objective scores; each
objective filter that triggers raises the classification by one level
Anti-Spam: How it Works – Components

 Objective Components
• DNS Block List
• URL Block List
• Mail Anomalies
• ReputationAuthority Dial-up
• Backscatter Detection
• SPF
• DomainKeys
 Subjective Components
• Spam Words
• Token Analysis
• ReputationAuthority
 Anti-Spam: Configuration – Decision Strategy

 Select Security > Anti-Spam > Anti-Spam.

 Select Heuristic 1 as the decision strategy (Blue). This is the recommended

strategy
 You can switch to Heuristic 2 after a suitable amount of training is accumulated
Anti-Spam: Configuration – Decision Strategy

 Heuristic 1 (default strategy)

• Heuristic 1 uses the combined scores from the subjective components to
initially classify the message. It then combines the scores from the objective
components to adjust the initial classification. A baseline is established with a
subjective filter. For example, if the combined subjective components score a
message at 60, a baseline of Maybe Spam is established. If one additional
objective filter is triggered, the message is categorized as Probably Spam. If
three objective filters are triggered, the message is categorized as Certainly
Spam.
 Heuristic 2
• Heuristic 2 is identical to Heuristic 1 except that it emphasizes the subjective
components, such as Token Analysis. In environments where there is no
Token Analysis training on outbound legitimate mail (such as some evaluation
scenarios), or for a new installation, Heuristic 2 may result in an increase in
false positives.
Intercept Actions

 Just log  Discard mail

 Modify Subject header  Reject Mail
 Add header  BCC
 Redirect to …  Quarantine mail
(For Spam Quarantine)
Intercept Actions

 Action Data used for

• Modify Subject header
• Add header
• Redirect to …
• BCC
Anti-Spam Header

 Add an X-header to scanned messages

 Indicates results of anti-spam processing
 The header output is similar to the following:
 User Spam Quarantine and
Trusted/Blocked Senders List
User Spam Quarantine

 The WatchGuard XCS Intercept Anti-Spam feature performs

actions on spam messages based on their classification.
• Messages classified as Certainly Spam are usually rejected or discarded, while
messages classified as Probably Spam and Maybe Spam are usually
quarantined.
• The administrative quarantine is an area on the system where all quarantined
messages are stored, and is only accessible to the administrator.
• When spam is filtered and processed, occasionally, a false positive (a legitimate
email classified as spam) result can occur.
• It would be an impossible task for the administrator to examine every message
in the quarantine area for messages that are false positives.
 The User Spam Quarantine feature redirects spam mail into a
local quarantine area for each individual user. This allows end
users to log in to the WatchGuard XCS to view and manage their
own quarantined spam. Users can then identify and release any
false positives from the quarantine, and delete messages that are
actually spam.
User Spam Quarantine

 Used to redirect spam into a local storage area for each individual user
 Allows users to manage their own quarantined spam
• Release messages to their inbox
• View messages
• Delete messages
 To get access to spam quarantine, local accounts must exist for each
user
• Can be created manually or via LDAP Mirrored Users import
Configure User Spam Quarantine

 Select Configuration > WebMail > User Spam Quarantine

 Remember -- spam is 200KB each (max)

Spam Quarantine Notification

 Summary email can be sent at configurable intervals when spam is in

quarantine
 Allows user to manage quarantine without logging in
User Spam Quarantine

 Users log in from their browsers

 Use local user account or domain account
 Click on Spam Quarantine
Spam Quarantine Summary Email

 Releases spam is sent to internal mail server

 Trusted Sender adds sender to a personal whitelist
Spam Quarantine Message

 Summary Notification is customizable

Trusted Senders

 User-defined list of permitted mail senders

 Prevents whitelisted emails from being blocked by system spam filters
 Users can create via WebMail or Summary Email
 Overrides the following actions:
• Modify Subject Header
• Add Header
• Redirect
Trusted Senders Rules

 A Reject action will reject regardless of whitelisting

 If an action is set to Just Log or BCC, the whitelisted message will
pass, but still be logged or BCC’d
 Pattern-based message filtering (PBMF) spam actions set to Medium
or High priority cannot be whitelisted, which supports a strong security
policy
Blocked Senders

 User-defined list of unwanted mail senders

 Prevents emails from getting past system spam filters
 Users must create lists via WebMail
Enabling Trusted/Blocked Senders
 Select Configuration > WebMail > Trusted/Blocked Senders

 Define an action for email from Blocked Senders

Adding Trusted/Blocked Senders with WebMail

 Log in to XCS with your personal credentials

 Select Trusted Senders or Blocked Senders
 Type in email address and click Add
Importing Trusted/Blocked Senders

 You can import Trusted/Blocked Sender lists

 Import manually or automatically
 Both require a .CSV file in the format:
• [recipient],[sender],[block or trust]
WatchGuard Quarantine Management Server (QMS)

 The WatchGuard QMS (Quarantine Management Server) is

a separate appliance that allows you to redirect spam
messages from a WatchGuard XCS to a local quarantine
area that provides spam storage for each individual user in
an organization.
• End users can log in to the WatchGuard QMS to view and manage
their own quarantined spam.
• The WatchGuard QMS is intended for large enterprises, and provides
performance improvements to the integrated quarantine services on
the WatchGuard XCS because quarantined spam is stored on a
separate system which decreases the processing load and amount of
disk space used on the WatchGuard XCS.
• The WatchGuard QMS also provides the ability to support multiple
domains, while the WatchGuard XCS User Spam Quarantine feature
only supports a single domain.
WatchGuard Quarantine Management Server (QMS)
Directory Services (LDAP)
Objectives

Upon completion of this module, you will be able to:

• Understand the basics of LDAP
• Understand how LDAP is integrated with the XCS
• Configure LDAP servers into the XCS
• Configure LDAP users and groups
• Configure WatchGuard XCS to Reject on Unknown Users
• Configure WatchGuard XCS to use LDAP for authentication
LDAP Overview

 LDAP is a protocol for accessing information directories such as user

names, groups, addresses, etc.
 LDAP is designed to provide efficient access to directory services using
simple queries
 LDAP offers:
• Ease of administration
 Central management of users (email addresses, phone numbers,
etc.)
 Central management of computers (IP addresses, locations, spec etc)
• Universal access
 Software can use the directory service
 Single login authentication
• Improved data management
 Directory Structure

A container groups common entries

Parent object

A Directory is
composed of Child object
Entries (objects).

uid=jsmith
givenName= Joe
lastName=smith

Entries are composed of a set of Attributes

Naming Entries

 Common Name (CN)

• All child objects have a CN attribute
 cn=jsmith

 Relative Distinguished Name (RDN)

• Unique within a container
 givenName=Joe

 Distinguished Name (DN)

• Unique within entire Directory
 cn=jsmith,cn=users,dc=example,dc=com
cn=jsmith
uid=jsmith
givenName= Joe
lastName=Smith
Supported Directory Services

 WatchGuard XCS fully supports Microsoft’s implementation of LDAP

called Active Directory (Windows 2000+)

 WatchGuard XCS has also been tested with:

• iPlanet
• Open LDAP
WatchGuard XCS and Active Directory

 WatchGuard XCS uses LDAP for the following:

• Reject on Unknown Recipient
• LDAP Authentication
• User Based Spam Quarantine
• Trusted Senders
• Group Policy Management
Adding a Directory Server

 Select Configuration > LDAP > Directory Servers

 Click Add
• Server URI – Enter the LDAP server Uniform Resource Identifier address
• Bind – Select to bind to this LDAP server
• Bind DN – Enter the distinguished name for the user to bind to the server
• Search Base – Default location from which to start searches
• Page Size – How many results returned per page
Testing LDAP Server Settings

 Click Test

 Successful query indicates connectivity to LDAP server

Searching the LDAP Tree

 Using the same test:

 If the results you expected are displayed, the query was successful
Directory Users

 Imports all Users and Groups

 Used for:
• Reject on Unknown Recipients
• LDAP Authentication
• User Spam Quarantine
• Trusted Senders
• Group Policy Administration
Directory Users

 WatchGuard XCS uses four main attributes for mail processing:

• mail
• proxyAddresses
• memberOf
• sAMAccountName

Note: Both mail and sAMAccountName are required for a successful import
Configuring Directory Users

 Go to Configuration > LDAP > Directory Users

 Click Add

• Directory Server – Should be the one previously defined

• Search Base – Specifies from where to search
• Query Filter – Default searches for all groups and users
• Result Attributes – Can be customized if not using Active Directory
Testing LDAP Settings for User Import

 Click Test
• For LDAP Query the default can be used:
 (|(objectCategory=group)(objectCategory=person))
• If the results you expected are displayed, the query was successful
Importing Users & Groups

 Select Configuration > LDAP > Directory Users

 Click Import Now

 Check Activity > Logs > System to make sure the import was
successful.
Automating Imports
 Select Configuration > LDAP > Directory Users
 Click Import Settings

 Select Import User Data

• Frequency – How often to import users
• Start Time – If daily, weekly, or monthly, choose a time to start
Mirroring Imported Users

 Creates locally-mirrod accounts from imported users

 Necessary for:
• User Spam Quarantine
• Trusted/Blocked Senders
• LDAP Authentication with WebMail Client
Configuring Mirrored LDAP Accounts
 Select Configuration > LDAP > Directory Users
 Click Import Settings

 Select Mirror Accounts

 Select Expiry Period (How long to wait before expiring inactive users)
 Click Import Now
Showing Mirrored Users

 Select Administration > Accounts > Mirror Accounts

 You can search through the list for specific users

LDAP Authentication

 Allows a user to actually log in to WatchGuard XCS using a non-local

account
 Used for:
• Authenticating with WebMail client
• Authenticating to Secure WebMail Proxy (OWA, iNotes)
LDAP Authentication

 Go to User Accounts > Remote Auth

 In the LDAP section, click New

 Query Filter – Default searches for all users

LDAP Authentication with WebMail Client

 WebMail Client access requires local or mirrored account

 Mirror Accounts authenticate through LDAP

 Users must be imported and mirrored

 LDAP authentication must be configured
Configure LDAP Authentication with WebMail Client

 Define LDAP server via Configuration > LDAP > Directory Servers
 Configure LDAP Authentication via Administration > Accounts >
Remote Authentication
 Enable WebMail via Configuration > Network > Interfaces
Configure LDAP Authentication with WebMail Client
 Users need Local mail option selected in Configuration > WebMail > WebMail

 Verify that LDAP users have been mirrored

 To test, logout as admin and log in as a mirrored user
Mail to Unknown Users

 Scenario – WatchGuard XCS accepts for domain.com

• Mail to [email protected] is accepted
• WatchGuard XCS relays to internal mail server
• Internal mail accepts and then sends a Non-Deliverable Report (NDR) to
XCS
• WatchGuard XCS then relays NDR to external server
Reject on Unknown Recipients

 WatchGuard XCS receives mail to [email protected]

 WatchGuard XCS looks at imported table of known users
 [email protected] is rejected at SMTP session
• 550 [email protected]: User unknown
Configuring Reject on Unknown Recipient

 Configure Directory Server

 Configure Directory Users
 Import Users (mirroring not required).
 Enable Reject on Unknown Recipient (Security > Anti-Spam >
Intercept Settings)
LDAP Recipients

 ‘On the fly’ lookup

 Queries the Directory Server every time
 Changes to Directory Server are accessible immediately
 Reject on Unknown Recipient must be enabled
Configuring LDAP Recipients

 Configure a Source Server (Configuration > LDAP > LDAP

Recipients and click Add)

 Use a query that will return your users, and the attribute for email
• (&(objectCategory=*)(|(proxyAddresses=SMTP:%s)(mail=%s)))
 Directory Users vs LDAP Recipients

 Directory Users  LDAP Recipients

• Users are imported • Users are not imported
• Accounts can be mirrored • Accounts are not mirrored
• Log in to Webmail/Spam • Lookups ‘on-the-fly’
Quarantine • Used for Reject on Unknown
• Remote authentication Recipients
• Can be used for Reject On
Unknown Recipients
• Scheduled import

*Note: if both are enabled with Reject on Unknown Recipient then the local and
mirrored Directory Users first and then query the LDAP server.
LDAP Groups

 Group Policy Management

• For example:
 Members of Management Group
– No outbound attachment control
 Members of Sales Group
– Strict attachment control
Adding Groups to Group Policy Management

 Select Security > Policies > Group Policy:

 Assign the Policy to the desired Group

 Summary

Feature LDAP Configuration

Reject on Unknown Recipients Directory Users, LDAP Recipients

LDAP Authentication for WebMail Directory Users (Mirror)

Client Access
LDAP Authentication for Webmail Directory Users
Access (ie. OWA)
User Based Spam Quarantine Directory Users (Mirror) and LDAP
Authentication
Trusted Senders Directory Users (Mirror) and LDAP
Authentication
Group Policy Management Users & Groups
Content Control
Content Control features

 Attachment Control
 Objectionable Content Filter
 Content Scanning
 Dictionaries and Lists
 Pattern Filters
 Content Rules
Attachment Control
Secure Content: Attachment Controls : How it Works

 Define files that should or should NOT enter or leave the organization
 Sending host transmits End of Body (Email) or Request Header (Web)
 Validates Extension/Fingerprint/MIME/Content Type
 Provides the following capabilities:
• Detects attachments in outbound and inbound traffic
• Extracts contents of archive files (such as zip, tar, rar) from up to 24 levels of
compression
• Detects web content types
• Determines the size of the attachments
 Attachment Control decides if attachment should be blocked or passed
Secure Content: Attachment Control: Configure

 Select Security > Content Control > Attachment Control

 Configure inbound and outbound attachment control functionality together with

notifications
 Configure inbound & outbound attachment size together with notifications
Secure Content: Attachment Control: Configure
Objectionable Content Filter
Objectionable Content: How it Works

 The Objectionable Content Filter (OCF) defines a dictionary of key words

that will cause a message to be blocked if any of those words appear in
the message.
 Provides enhanced content filtering functionality and flexibility, allowing
users to restrict content of any form including objectionable words or
phrases and offensive content.
 Prevents unwanted content from entering an organization, and prohibits
the release of sensitive content outside an organization.
Secure Content: Objectionable Content: Configure

 Select Security > Content Control > Objectionable Content

 Configure inbound and outbound objectionable content functionality including

notifications
Secure Content: Objectionable Content: Configure
 Select the Enable OCF check box.
 Set the Action for both inbound and outbound messages.
 Select the OCF Dictionaries to use with inbound and outbound OCF.
 Enable and customize notifications for inbound and outbound
messages.
Content Scanning
Content Scanning: How it Works

 Can examine over 400 types of files and extract text within them
 Often referred to as Deep Content Scanning because it extracts text
beyond the basic email parts (such as subject and body) and plain Web
text
 Provides the capability for extracted text to be analyzed using tools such
as:
• Dictionaries
 Strict Word Match
 Combination Word Match

• Pattern Filters
Secure Content: Content Scanning - Configure

 Select Security > Content Control > Content Scanning

Secure Content: Content Scanning - Configure
Dictionaries and Lists
Secure Content: Dictionaries & Lists - How it
Works
 Matches multiple words and phrases extracted from email and web
body/attachments
• Dictionaries are also used to specify lists of IP addresses and URLs for
Blocked and Trusted Sites
 XCS comes with predefined Financial and Medical term dictionaries
 Supports exact word matching and combination word matching using
positive and negative weights
 Combination Dictionaries (Weighted)
• Words and phrases are assigned a weight by the administrator
• Policy is violated when the aggregate weight of terms exceeds a threshold
Secure Content: Dictionaries and Lists - Configure

 Use a text editor to create a weighted dictionary and save the file. (Use
negative weights to make certain words more neutral, such as health-50)
 For example, the file is named patient.txt:

match, weight
patient, 25
diagnosis, 25
patient number, 35
social security, 35
SSN, 50
SIN, 50
 Secure Content: Dictionaries and Lists - Configure

 Upload the dictionary

• Select Security > Content Control > More > Dictionaries & Lists
• Click the Add button
• Select the Browse button and select the Dictionary file
 patient.txt from the example

• Click the Continue button

• On the File Format page, select acs as the Type and Yes for Weighted
Secure Content: Dictionaries and Lists - Configure

 Click Continue until the Dictionary is uploaded and the

details are displayed in the Edit Dictionary/List page.
 Click Save to return to the Dictionaries and Lists page. Notice the patient
dictionary appears.
Pattern Filters
Secure Content: Pattern Filters - How it Works

 Use Pattern Filters to control email processing. Pattern Filters can match
text in any part of the message
• Supports exact, partial, and pattern matching
 Patterns can be specified with the POSIX.2 Regular Expression syntax

 Rules can be written to match any part of the email message (such as
envelope, header, recipients, body and attachments)
 In addition to Content Control, Pattern Filters are used for:
• Trusting (Whitelist) and Blocking (Blacklist) Senders using the HELO,
Envelope-TO, Envelope-From and Client IP message parts
• Routing email messages
Secure Content: Pattern Filters - How it Works

 Pattern Filters can scan any part of the email message:

• Mail Envelope: HELO, Client IP, Client Host, Envelope: Addr, To, From
• Mail Header
• Recipient: Cc, From, Message-ID, Received, Reply-To, Sender, Subject, To
• Raw Mail Body
• Mail Content
• Token Analysis
• Attachment Content (i.e., Content Scanning)
Secure Content: Pattern Filters - How it Works

 Pattern matching is flexible:

• Contains, Ends with, Matches, Starts with, Reg Exp
 Can be prioritized High, Medium and Low to handle special cases
 Flexible Actions to handle any exception:
• Bypass, Trust, Reject+Train, Reject, Relay+Train, Relay, Accept+Train,
Accept, Certainly Spam, Just Log, PostX Encrypt, BCC, Do Not Train,
Encrypt, Decrypt, Archive High, Archive Medium, Archive Low, plus six (6)
custom actions
 Includes default patterns for credit card numbers
• (such as Diners Club, American Express, Discover, MasterCard & Visa)
 Secure Content: Pattern Filters - Configure

 To create a Pattern Filter:

• Select Security > Content
Control > Pattern Filters
• Click the Add button
• Name the filter
• Optionally add a comment
• Specify options for:
 Apply to
 Message Part
 Pattern and enter some data
 Priority
 Action
Secure Content: Pattern Filters - Configure
 Secure Content: Pattern Filters - Processing Order
 SMTP Connection Checks  Attachment Controls
• Reject on Threat Prevention  Outbreak Control
• Reject on unauth SMTP pipelining  Objectionable Content Filtering
• Reject on expired license  Pattern Filter (High priority)
• Reject on Specific Access Pattern (SAP) and  Pattern Filter (Medium priority)
Pattern Filter HELO
 Trusted Senders List
• Reject on SAP and Pattern Filter Envelope-To  Blocked Senders List
• Reject on SAP and Pattern Filter Envelope-From  Pattern Filter (Low priority)
• Reject on SAP and Pattern Filter Client IP  Content Scanning
• Connection Rules  Document Fingerprinting
• Reject on DNS Block List (DNSBL)  Content Rules
• Reject on ReputationAuthority  Specific Access Patterns
• Reject on Backscatter  Message Encryption (Trusted Only)
• Reject on unknown sender domain  Trusted Network
• Reject on missing reverse DNS  Brightmail (Only if the Brightmail mode is set to
• Reject on missing sender MX “Perform Brightmail Actions”.
• Reject on non-FQDN sender  Intercept Anti-Spam Processing:
• Reject on unknown recipient • SPF (Sender Policy Framework)
• Reject on missing addresses • DomainKeys
• Reject if num recipients exceeds max • DNS Block Lists
• Reject if message size exceeds max • Mail Anomalies
 Message Checks • Spam Words
• Very Malformed • ReputationAuthority Reputation
• Anti-Virus • ReputationAuthority Dial-up
• Spyware detection • Token Analysis
• Pattern Filter Bypass • Backscatter
• Attachment Size Limits • Brightmail (if configured to integrate with
• Malformed messages Intercept)
• URL Block Lists
Content Rules
Secure Content: Content Rules - How it Works

 Content rules allow the administrator to create customized rule

conditions to examine email message content and take customized
actions based on the search criteria
• A specified action is taken on the message if each condition in the content
rule is satisfied
• A rule can contain one or several conditions, and the specified action is taken
on the message if the conditions in the rule are satisfied
• Rules can be ordered in priority as required. Content Rules can be enabled
globally, and can also be configured via Policies (in the Content Control
section)
• The Pattern Filters feature must be enabled for Content Rules to work
correctly
 Content Rules are processed after Pattern Filters.
 It is recommended that you use either one method or the other when creating rule
filters, and do not use both concurrently. This prevenst issues with rule order
processing.
Secure Content: Content Rules: Configuration

 To enable Pattern Filters, select Security > Content Control > Pattern
Filters
 Select Security > Content Control > Content Rules

 Select the Enable Content Rules check box

• This also enables Connection Rules that are configured via Security > Anti-
Spam > Connection Control
 Select the Inbound or Outbound Content Rules link as required to create
and manage your content rules.
Secure Content: Content Rules - Configuration

 Select the Create New Rule link to create a new Content Rule, or select
an existing rule to modify its settings
Secure Content: Content Rules: Configuration

 To add multiple conditions, click the "+" icon. To delete conditions,

use the "x" icon.
Secure Content: Content Rules: Ordering

 The rules are processed in order as displayed

 To re-order rules, select a specific rule and drag it to its desired location
 Click the Save Rule Order button to save the updated order of your rules
when you are finished
Policies
Secure Content: Policies

 Policies
• Policy controls allow specific messaging security features to be customized
and applied to different domains, user groups, IP addresses/networks, or
individual users

 Ability to Analyze
• Who, what, where, how…
• The features that can be used with policy controls:
 Threat Management
 Secure Content
 Anti-Spam options
 Email features
 Web scanning
Secure Content: Policies - How it Works

 Hierarchical Order:
1. User policy ([email protected])
2. IP address policy
3. Group policy (sales, support, accounting)
 Precedence for Group Policies is determined by the order in
which the groups appear in the list
4. Domain policy (example.com)
5. Default policy (for users with no user, group, or domain policies
defined)
6. Global Settings
Secure Content: Policies - How it Works

 Time policies:
 If time policies are configured, a policy with a specific effective time
frame takes precedence over a policy with an effective time period of
“Always”.
 For example,
If a domain has these two domain policies applied to it:
 Policy 1 has an effective time frame of Always
 Policy 2 has an effective time frame of Monday to Friday 9am to
5pm
The final result is that Policy 2 takes effect if the current time is
within the effective time period.
Secure Content: Policies - How it Works

 Using Policies
• Feature must be enabled globally
• Default Policy is used for global exceptions and to enable web notifications
• Create new policies to control behavior
• Assign policies to users, IP addresses, groups, and domains
 Typical Uses
• Exceptions to general processing, such as.exe’s
• Different needs for different people, such as forensics
• In a hosting environment, you can offer some features (such as Anti-Virus) to
some domains and not the others
• Time and IP restrictions for web usage
Secure Content: Policies - Configure

 To create a Policy
• Select Security > Policies > Policies
• Click the Create New Policy link
• Name the Policy (such as Encryption Policy)
• Select Enable This Policy
• Optionally, enter a Description
• Click Finished
• The Policy is now created and appears on the Policies page
Secure Content: Policies - Configure

 To configure the policy:

• Click the Configure link on the Policies page
• Select the area to be configured
• Make your changes and click Apply to continue making changes or Finished
to return to the Policies page
Secure Content: Policies - Configure

 In a policy, you can configure settings, such as Threat Management,

Secure Content, Email & Web functionality
Secure Content: Policies - Configure

 Enable each policy component as required and customize actions for

Inbound/Outbound, Email/Web, notifications, etc.
Secure Content: Policies – User and Domain

 To assign a policy to a user or domain:

• Select Security > Policies > User Policy or Domain Policy
• Enter the Email address of the user or the Domain name
• Select the Policy Name from the Policy list
• Specify effective time frame
Secure Content: Policies - Group

 To assign a policy to a group:

• Select Security > Policies > Group Policy
• Select the group.
• Select the Policy Name from the Policy list
• Specify effective time frame
 Secure Content: Policies - IP

 IP policies apply to web traffic only

• They are not used for email messages
 To assign a policy to IP address or network:
• Select Security > Policies > IP Policy
• Enter the IP address or network using slash notation
• Select the Policy Name from the Policy list
• Specify effective time frame

195 WatchGuard Training

 Secure Content: Policies - IP

When you enter network addresses, you

must add CIDR/slash notation

The XCS
automatically
adds a
hidden /32 for
single host
addresses

196 WatchGuard Training

Monitoring
Dashboard

 The WatchGuard XCS system Dashboard:

• Provides administrators with a brief statistical and graphical summary of
current inbound and outbound email and web activity
• Allows rapid assessment of the current status of the system.
Dashboard

 The Dashboard contains links to the following components:

• Mail Summary
 Displays information on mail resources, such as current incoming and outgoing
connections and the number of messages in the Mail, Deferred, and Quarantined
queues
 Provides a traffic summary of inbound and outbound mail traffic separated by
category (such as Virus, Spam, and Clean mail)
• Web Summary
 Displays a web traffic summary separated by category (such as URL
Categorization and Spyware)
 Provides information on the number of current active web connections, the web
cache efficiency,
 The Web Statistics page displays the top browsed categories, top five blocked web
sites and users, and top five browsing users and browsed web sites. A Web User’s
page displays web statistics for individual users.
• Recent Mail Activity
 Displays the most recent mail messages that have been processed by the system,
including the Message ID, Sender and Recipient information, the message Status,
and the final Action taken on the message
• Recent Web Activity
 Displays the most recent blocked web messages that have been processed by the
system, including the Request ID, Request To and From information, the message
Status, and the final Action taken on the request
Dashboard

 Dashboard Time Period

• The Dashboard can be set to display its information based on time periods
selected by the administrator, including "Last 60 Minutes", "Last 24
Hours", "Last 7 Days", and "Last 31 Days"
 Information on the Dashboard is updated every 60 seconds when the
default "Last 60 Minutes" is selected
 The screen is updated hourly if set to "Last 24 Hours", and updated
every 24 hours if set to "Last 7 Days" and "Last 31 Days"
• Messages processed by the system are not reflected in the statistics until
the required time frame is summarized, such as 60 seconds for "Last 60
Minutes", or one hour for "Last 24 Hours"
 The "Last Generated" time shows when the statistics were last
refreshed
Reporting: How it Works

 Comprehensive range of informative reports:

• Full Email Report • Connection Control Report
• Email Executive Summary • User/Host Report, Session
Summary
• Virus Report, Spyware Report
• Traffic Report • Reputation Domain Report
• Spam Analysis Report • Rules Report
• Attachment Control Report • System and Resource Summary
• Per-User Attachment Report • Web Summary Report
• Pattern Filter Report • Web Analysis Report
• Outbound Content Control Report • Web User Summary Report
Reporting: How it Works

 Report Generation
• Derived from various system logs, then stored in the database
• One-time report or can be scheduled
 Report Viewing
• PDF, HTML, or CSV format
• Via the admin web interface
• Emailed to specific users
 Reports based on:
• Data aggregated for all domains
• Include per domain tables
• Separated reports one for each host domain
Reporting: Configuration

 Select Activity > Reports > Schedule

 Select Create New Report

Reporting: Configuration
Hosted Domains

 Automatically create reports by hosted domain

 Email to domains admin
 List is uploaded as a dictionary in format
example.com,[email protected]
example2.com,[email protected]
example3.com,[email protected]
 Dictionary type is domain&email
Message History

 Each message that passes through WatchGuard XCS generates a

database entry that contains:
• Message processing information
• Filtering information
• Quarantine information
 The ability to see how a message is handled by WatchGuard XCS is
key to verifying rules and configuration
 To see the email database
• Select Activity > History > Message History
Message History: Configuration

 Select Activity > History > Message History

 Select the message type email or web (Red)

 Select the Search Criteria (Blue)
 Select the Time Period for Search (Yellow)
Message History: Configuration

 If a simple search does not satisfy the search criteria, you can use
advanced search to narrow your down search
Message History

 Provides user interface for log file searches

Display Message Details

 Click on a Queue ID to see the details of a message

Log Files

 Mail Logs provide a detailed description of each message passing

through XCS
 Select Activity > Logs > Mail
Mail Logs

 SMTP sessions start with “entry_time=“ log field

 Each log entry identifies the Queue ID, such as “C3FE07112400E69A”
 Includes a Summary of ALL processing
Searching Mail Logs

 Enter a name, Queue ID, or Subject

 Advanced Search allow you to specify dates and times to narrow the
database search to that timeframe
Search History

 Searches are performed in the background

 Search history keeps track of previous searches
 Select Activity > Logs > Previous Searches
System Logs

 Select Activity > Logs > System

 Records system activities such as LDAP imports, backup and restores,
etc.
Other Logs

 Select Activity > Reports > Other Logs

• Kernel Generated Messages: A log message from the system kernel
• Messages From POP/IMAP Logins: Messages from POP, IMAP, and
WebMail logins, including admin and console logins
• HTTP Access Log: A log of HTTPS access to the web server
• Error Messages From the Web Server : Error messages from the internal
web server
• Accesses to the Web Server Made Via SSL: A log of accessed web pages
and the connecting IP address
• HTTP Proxy Log:
Messages generated
by the Web Proxy
System Administration
Backup and Restore

 Three supported backup methods:

• Backup to FTP server
• Backup to SCP server
• Backup to a local disk (using browser download)

 Backups can be triggered on demand or scheduled daily with FTP or

SCP
 Backup options: Administration > Backup & Restore > Backup &
Restore
Local Disk Backup

 Backup is saved to the local hard drive of system running the Web UI
Local Disk Backup

 Local Backups cannot be scheduled

Restore

 Select Local Disk restore

 Select local backup data file to restore.

Restore

 Choose the specific contents you want to restore from the backup
file
Restore

 The WatchGuard XCS now reboots and restores

 Time depends on size of backup
 Press spacebar on console to see progress
System Updates

 To make sure your system software is up to date with the latest patches
and upgrades, you must install any updates released for your version of
software.

 Staying current with the latest patches and upgrades is essential to:
• Maintain security
• Respond quickly to new attacks

 Updates can be delivered or retrieved by

• WatchGuard support servers
• Security Connection
• Email
Applying Updates

 Select Administration > Software Updates > Updates

 You must reboot after you install an update

Security Connection
 Integrated service that polls WatchGuard support servers for
• Software updates
• Security alerts
• Token database updates
 When new information and updates are received an email can be sent
to the administrator
 WatchGuard recommends enabling this service
Security Connection

 Select Administration > Software Updates > Security Connection

 Set Frequency
 Enable Auto Download
• Updates will not be automatically installed. This can be done via the Software
Updates screen.
 Verify notification email address
 Click Connect Now to run Security Connection manually
Tiered Administration

 Allows an administrator to delegate additional administrative access on

a per-user basis
• Select Administration > Accounts > Local Accounts
• Click Add
• Example:
 Administer Aliases
 Administer Quarantine files, etc.
 Full admin
Tiered Administration
 Configure Admin and WebMail access on a network interface
• Select Configuration > Network > Interfaces
• Select Admin & Web User Login, and WebMail check boxes.
Tiered Administration
 Login via WebMail to access administrative functions
Clustering
Clustering: How it Works

 Enables two or more systems to act as a single logical unit to process

email or web traffic over a private/secure network
 No theoretical limit to the size of the cluster
 A cluster can be managed from any single system in the cluster without
the need for a separate management console
 All systems in the cluster can process email and web traffic
 Configuration changes are automatically propagated to all systems in the
cluster
 Systems can be added to the cluster without interruption to processing
Clustering: How it Works
Clustering: How it Works

 The WatchGuard XCS offers different run modes:

• Primary – All configuration changes made here
• Secondary – Keeps a copy of the primary’s database
• Client – Used only for mail processing
• Standalone – Ignores all other computers on cluster bus
 All cluster members should have:
• Same level of hardware
• Identical version of software, patches, etc.
• Identical additional features and licenses (such as Kaspersky Anti-Virus)
 Cluster Network Configuration
• Connect an unused network interface from both systems to a dedicated
network switch. This serves as the cluster network
• Configuration is done automatically
Clustering: How it Works

 Each Member connected to the cluster network:

• Automatically configures its IP address
• Links its hostname with configured IP address
• Advertises itself to other members
 Each member starts in Standalone Mode
 Standalones sees all members on cluster network
 Choose which mode each member will run in
 Changes to Primary system announced via multicast
 Multicast makes sure all members in cluster network are notified
 Members then “pull” configuration change from Primary
 To minimize traffic, members pull only the changes
Clustering: How it Works

 If Primary fails, Secondary is promoted to Primary

 If Secondary fails, client is promoted to a Secondary
 If Client fails, re-install and add as a client
• Configuration is automatically pulled from the existing Primary
 Although treated as a single logical unit, each system processes traffic
independently
Clustering: Configuration

 Select Configuration > Network > Interfaces

 Set up a NTP Server in order to enable clustering

 Enable Clustering on an unused interface, click the Apply button, and

reboot the appliance
Clustering: Configuration

 Each member starts in Standalone Mode

 In Standalone Mode, each member sees all members on cluster network
 Choose which mode each member will run in on the Cluster Activity page
 Clustering: Configuration
 Each Member connected to the cluster bus:
• Automatically configures its IP
• Links its hostname with configured IP
• Advertises itself to other members

 This network interface is automatically configured and can no longer

be modified
Queue Replication
Queue Replication: How it Works

 If a system fails after it receives an email but before it delivers it, the
message may be lost forever

 Queue Replication provides protection against email loss resulting from:

• Hardware problems
• Service denials on the downstream mail server
• Blockage on the downstream mail server
• Network outages
 Queue Replication: How it Works
Queue Replication: How it Works

Internal mail server

System - A System - B

failover connection

mirror queue mail queue

for B For B
queue replication
mail queue mirror queue
For A for A

Note: Processing mail in the mirror queue for the failed XCS must be manually initiated by the administrator
 Queue Replication: Configuration

 Select Administration > Multi-System Management > Queue

Replication

 Enable Queue Replication

Queue Replication: Configuration

 Select Configuration > Network > Interfaces

 Define the source and mirror host

 Use hostname for cluster member and IP address for non-cluster systems
Available Resources
Available Resources

 Product Documentation
• You can view and download the most current documentation for the
WatchGuard XCS on the WatchGuard Product Documentation page:
 http://www.watchguard.com/help/documentation

 Training Resources
• Training presentations and additional training resources are available
on the WatchGuard Product training page:
 http://www.watchguard.com/training/courses.asp

 WatchGuard User Forum

• The WatchGuard forum is an interactive online user forum
moderated by senior support engineers. Visit the WatchGuard XCS
forum at:
 http://www.watchguard.com/forum
Available Resources

 Knowledge Base
• You can view and search the knowledge base for information on
specific WatchGuard product issues at:
 http://watchguard.custhelp.com

 WatchGuard Products and Services

• For more information on WatchGuard products and services, visit the
WatchGuard product information page:
 http://www.watchguard.com/products
Thank You!