 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 Network Security Education Center 
|
Frequently Asked Questions
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Firebox® X Edge e-Series Model | X10e & X10e-W | X20e & X20e-W | X55e & X55e-W |
|---|---|---|---|
| Firewall Throughput | 100 Mbps | ||
| VPN Throughput | 35 Mbps | ||
| Network Interfaces 10/100 (Int/Ext/DMZ) | 6 Total (2 internal / 3 external / 1 DMZ) | ||
| Users (Nodes) | 15 (upgradeable to 20) |
30 | Unlimited |
| Concurrent Sessions | 6,000 | 8,000 | 10,000 |
| Branch Office VPN Tunnels | 5 | 15 | 25 |
| Mobile VPN Tunnels - IPSec (incl/max) | 1/11 | 5/25 | 5/55 |
| Mobile VPN Tunnels - SSL (incl/max) | 1/11 | 1/25 | 55/55 |
| Compliant with EU RoHS and WEEE regulations | Yes | ||
Q: What is Edge Pro software and which models support it?
A: Edge Pro software adds the following features:
- MultiWAN support – have two active external WAN connections
- WAN Failover – switch to a secondary WAN connection should the first fail
- WAN Load Balancing – route traffic to two WAN connections to improve performance
- Policy based routing – route traffic based on user set rules
- VLAN tag support – VLAN tags are allowed on the External interface
- Increases SSL VPN tunnels to maximum supported for the specific appliance model
All Firebox X Edge e-Series models can run Edge Pro software. The X55e and X55e-W models include the Edge Pro as standard. All other models can upgrade to Edge Pro software either by purchasing the Edge Pro software upgrade OR by upgrading their current appliance model to an X55e or X55e-W model.
NOTE: The WAN Failover Option has been discontinued. It is replaced by the Edge Pro Upgrade.
Q: How do I determine which Firebox X Edge appliance is right for me?
A: Several factors should guide your decision regarding the choice of Firebox X Edge
e-Series model, such as the number of employees on the network, the need for wireless connectivity, and the company's plans for growth. You can compare up to three Firebox X Edge appliances at a time using the product comparison chart, or phone +1.800.734.9905 in the U.S. and Canada, and +1.206.613.0895 from other areas of the world for more information.
Appliance Software
Q: What is new in Firebox X Edge e-Series Software Release 10?
A: The Edge Release 10 provides networks supported by the Firebox X Edge e-Series with new and enhanced features for your small businesses, branch offices, and remote workers. The Firebox X Edge e-Series continues to provide the strongest security along with unmatched ease of use.
KEY NEW FEATURES WITH RELEASE 10
Mobile VPN with SSL – SSL VPN capability is now included on all Firebox X Edge e-Series models. Different numbers of tunnels are allowed based on your specific Edge model and tunnels may be increased via purchase of the Edge Pro upgrade or via purchase of a model upgrade. The appliance supports a mix of mobile VPN protocols – IPSec, SSL, and PPTP may be used concurrently by different mobile users making VPN connections.
Support for VoIP communications – Proxies for H.323, TFTP and SIP protocols have been added This provides improved compatibility with VoIP communications systems.
Configuration File Backup – You are now able to create backup files for your Edge configuration and restore them when needed.
VLAN Tagging Support – VLAN tags are now supported on the External interface.
Spyware Protection – The HTTP proxy has been enhanced to include protection from spyware.
RADIUS Authentication Support – Authentication via a RADIUS server has been added.
External Authentication Support – External authentication is now supported for IPSec Mobile VPN.
Wireless Client Support – Edge e-Series Wireless models running version 10 can now be configured as wireless clients of a second Edge Wireless appliance.
Spam Quarantine – A quarantine option has been added to the SMTP proxy for Spam using the Quarantine Server within Fireware.
Improved IPS Engine – New IPS signatures, faster scanning, and more accurate scanning (fewer false negatives/positives) are all provided by the improved IPS engine.
New Outgoing Proxy – This proxy recognizes HTTP, HTTPS, SIP and H.323 traffic on non-standard ports and passes it to the appropriate proxy for policy enforcement. It also supports IPS and IM/P2P application blocking on all outgoing TCP connections.
WebBlocker Enhancements – WebBlocker categories have been increased to 54; there is a new option to control access to uncategorized web sites; the ability to install your own WebBlocker server is now supported; and a new “thin” HTTPS proxy is provided that allows WebBlocker to be applied to secure web sites.
Single Sign-On – Support for single sign-on user authentication (with Windows Active Directory) has been added.
WSM Reporting Enhancements – Additional support for reporting on Edge log data is included.
Policies for VPN Tunnels - Policies may be set for VPN tunnels based on the type of traffic.
OPTIONAL Edge Pro Software – Edge Pro Software has been introduced that includes multi-WAN support, WAN failover, load balancing and several other features. (see earlier FAQ). Edge Pro Software is included standard with X55e and X55e-W models and is available as an option for all other models. All current users with the now-discontinued “WAN Failover” option will receive Edge Pro Software as part of their LiveSecurity Service subscription.
Appliance Hardware
Q: How many physical hardware interfaces are on Firebox Edge appliances?
A: Firebox X Edge hardware interfaces are as follows:
| Firebox® X Edge e-Series Model | X10e & X10e-W | X20e & X20e-W | X55e & X55e-W |
|---|---|---|---|
| Network Interfaces 10/100 | 6 Total (2 internal / 3 external / 1 DMZ) | ||
Q: What kind of warranty is included with a Firebox X Edge appliance?
A: All Firebox X Edge e-Series appliances include a one-year standard, limited hardware warranty that begins with product purchase. Additionally, the appliance is covered by a 90-day or 1 year Advance Hardware Replacement that begins when a customer activates the initial LiveSecurity Service subscription. Advance Hardware Replacement coverage is continued when a customer renews the LiveSecurity Service subscription within 90 days of initial subscription activation.
Q: Are the Firebox® X Edge X10e, X20e, and X55e models compliant with European Union RoHS and WEEE regulations?
A: Yes, these models are fully compliant with EU RoHS and WEEE regulations. Previously released Firebox® X Edge models (X5, X5w, X15, X15w, X50, X50w) are not.
Wireless Security
Q: What is the 802.11b/g standard and do Firebox X Edge wireless appliances support it?
A: All Firebox X Edge wireless security appliances support 802.11b/g.
802.11b and 802.11g are specifications for wireless local area network (WLAN) communications, and use the Ethernet protocol and carrier sense multiple access with collision avoidance (CSMA/CA) for path sharing. The modulation method selected for 802.11b/g allows higher data speeds and is less susceptible to multipath-propagation interference.
Q: Who needs a Firebox X Edge wireless appliance?
A: Firebox X Edge e-Series wireless models are ideal for telecommuters who want a wireless solution that also supports multiple wired devices, and for network administrators who want to deploy secure wireless connections. Users who have been waiting for a solution that allows them to enjoy the convenience of wireless networking with the highest level of security will find the features they want in Firebox X Edge e-Series wireless appliances.
Q: How are Firebox X Edge wireless models different from other access point solutions?
A: Most wireless access points do not offer the integrated firewall/VPN capabilities or UTM capabilities (of anti-spam, anti-virus and web filtering) of Firebox X Edge e-Series solutions. In addition, other wireless firewall appliances do not match the Firebox X Edge e-Series wireless appliances in ease of use and support for real-world situations. For example, while other products advertise their support for a single wired device, Firebox X Edge e-Series Wireless models support multiple wired devices connected directly to the appliance through the Ethernet ports provided on the back (up to 4 for the Edge e-Series)*. For an added level of security against WEP cracks, customers can also configure the Wireless Access Point so that it specifically identifies the wireless card customers have installed for wireless networking.
*An optional hub may be used to extend the network to more networked devices
Q: How is setting up a wireless firewall different from a wired firewall setup?
A: Firebox X Edge e-Series wireless devices offer plug-and-play setup through an intuitive Web browser, as do wired Firebox X Edge e-Series models, and they enable customers to protect wireless connections with IPSec encryption.
Q: What wireless security solutions does the Firebox X Edge currently offer?
A: Firebox X Edge e-Series wireless models provide the ability to secure and separate wireless networks for both telecommuters and corporate environments. In addition, customers with wired Firebox X Edge e-Series models can connect an external Wireless Access Point (WAP) to the Optional port and still enjoy the security of requiring IPSec VPN authentication and encryption for all wireless connections.
Q: What is the broadcast range of a Firebox X Edge wireless model?
A: Firebox X Edge e-Series wireless models have been tested to work properly at a range of 500 feet in an unobstructed area, with clear line of sight from the Edge wireless appliance to the test unit, and with no external radio interference. These tests were carried out using the standard wireless antennas that ship with the product. The 802.11b/g-transmitted signal is highly susceptible to interference from both metal objects and other signals in the same frequency band; therefore, the broadcast range can be affected by the user's operating environment and may be less than 50 feet in some offices. The usable range for computers accessing the network via the Edge Wireless can be extended by configuring one Edge to be a wireless client of a second Edge. (This requires e-Series Edge hardware, running version 10)
Q: What are Wireless Guest Services?
A: The Firebox X Edge e-Series wireless appliances includes a default local user account called “guest” as well as the ability to set up three distinct wireless security zones. These three zones could include trusted, guest and optional segments. A guest is a wireless user that is not usually connected to the wireless network. A guest could be a business associate visiting a customer’s organization who has been given temporary access to the Internet, or possibly to their trusted network. Customers can also use guest services if they use their Firebox X Edge e-Series to host wireless users other than the users behind the Firebox X Edge e-Series firewall.
Q: What is the wireless certification status for countries worldwide?
A: Wireless certification status is as follows:
| Country | Edge e-Series Status |
|---|---|
| United States | Complete |
| Canada | Complete |
| European Union Countries | Complete |
| Australia/New Zealand | Complete |
| Japan | Complete |
| Korea | Complete |
| Taiwan | Complete |
| Singapore | Complete |
| China | Complete |
Managing a Firebox® X Edge Appliance
Q: How do customers manage Firebox X Edge e-Series firewall/VPN appliances?
A: The Firebox X Edge e-Series is managed with an intuitive Web browser interface (called the Edge Web Manager) for quick setup, configuration, and remote management. Configuration wizards are included in the Web management console for quick access. Additionally, when customers deploy multiple Firebox X Edge e-Series appliances, frequently as endpoints to a Firebox X Core or Peak e-Series network, the Edge appliances can be centrally managed using WatchGuard System Manager. So whether they manage an Edge locally or centrally, customers will save time and administrative costs.
Q: What is WatchGuard® System Manager?
A: WatchGuard System Manager (WSM) is the software used to manage Firebox X Core and Peak e-Series appliances. When customers deploy one or more Firebox X Edge e-Series appliances as endpoints to a Firebox X Core or Peak e-Series network, the Edge appliances can be centrally managed using WSM. WSM streamlines administration, allowing administrators to:
- Create VPN tunnels in three easy drag-and-drop steps
- Set security policies across the entire network
- Push appliance software updates to all managed Edges
- Generate historical reports
WSM also provides comprehensive logging, flexible security policies, and real-time monitoring.
Q: Which versions of WSM can be used to manage a Firebox X Edge appliance?
A: WSM 8.3.1 (and later) supports central management for the all Edge e-Series (X10e, X10e-W, X20e, X20e-W, X55e, X55e-W), Edge (X5, X5w, X15, X15w, X50, X50w), and SOHO 6 products.
Q: Where can I get more information on WatchGuard System Manager?
A: Read the WatchGuard System Manager FAQ, available on the WatchGuard Web site at www.watchguard.com/products/wsm.asp.
Virtual Private Networking
Q: Which IPSec encryption standards are supported on Firebox X Edge?
A: All Firebox X Edge e-Series appliances support AES (128, 192 and 256 bit), DES (56-bit) and 3DES (168-bit) encryption.
Q: Which VPN standards are supported on Firebox X Edge?
A: Firebox X Edge e-Series supports IPSec, SSL and PPTP.
Q: How many Branch Office VPN tunnels are supported by each Firebox X Edge model?
A: The number of Branch Office VPN tunnels for each Edge model is as follows:
| Firebox X Edge Model | Branch Office VPN Tunnels |
|---|---|
| X10e and X10e-W | 5 |
| X20e and X20e-W | 15 |
| X55e and X55e-W | 25 |
Q: How many Mobile VPN with IPSec tunnels are supported by each Firebox X Edge model?
A: The number of Mobile VPN with IPSec tunnels (included and maximum) for each Edge model is as follows:
| Firebox X Edge Model | Included Mobile VPN with IPSec Tunnels | Maximum Mobile VPN with IPSec Tunnels |
|---|---|---|
| X10e and X10e-W | 1 | 11 |
| X20e and X20e-W | 5 | 25 |
| X55e and X55e-W | 5 | 55 |
Q: Are additional Mobile VPN with IPSec client licenses available?
A: Yes. Additional Mobile User VPN client licenses are available as an optional upgrade. They are available in sets of 5, 10, 20, and 50 seat licenses.
Q: How many Mobile VPN with SSL tunnels are supported by each Firebox X Edge e-Series model?
A: The number of Mobile VPN with SSL tunnels (included and maximum) for each Edge model is as follows:
| Firebox X Edge Model | Included Mobile VPN with SSL Tunnels | Maximum Mobile VPN with SSL Tunnels |
|---|---|---|
| X10e and X10e-W | 1 | 11 |
| X20e and X20e-W | 1 | 25 |
| X55e and X55e-W | 55 | 55 |
Q: Are additional Mobile VPN with SSL client licenses available?
A: Yes. Additional Mobile VPN with SSL client licenses are included with the Edge Pro software. This is an optional upgrade and will increase the number of SSL VPN client licenses to the maximum supported by the Firebox X Edge e-Series model. Note that Edge Pro software is included with the X55e and X55e-W so a model upgrade is an alternative means of adding Mobile VPN with SSL licenses.
Q: Can I use Firebox X Edge appliances in a VPN with other WatchGuard security appliances?
A: Yes. Firebox X Edge models can establish VPN connections to all WatchGuard security appliances, including Firebox X Peak and Core, Firebox Vclass, and SOHO security appliance.
Q: Do Firebox X Edge models support meshed VPN topologies?
A: Yes. Firebox X Edge e-Series appliances can create meshed VPN connections to multiple sites (up to 25 other Firebox X Edge e-Series appliances, depending upon model). Advanced mesh topologies require WatchGuard System Manager for configuration.
Q: Do Firebox X Edge models support clients using Macs, PCs, and Linux?
A: Yes. Firebox X Edge works with any client operating system. This is a fundamental advantage of appliance-based firewall and VPN security; customers do not have to worry about the operating systems on the protected networks.
Q: Can an IPSec tunnel pass through Firebox X Edge models?
A: Yes. Firebox X Edge supports the ability to use NAT with multiple clients behind Firebox X Edge models using IKE/IPSec with ESP.
Q: Can the Firebox X Edge e-Series appliance be used as a VPN endpoint solution for previously released Firebox X Core and Peak (pre-e-Series) models?
A: Yes. The Firebox X Edge e-Series can be used as a VPN endpoint solution for previously released Core and Peak appliances, as well as the current Firebox X Core and Peak e-Series models.
Security Service Subscriptions
Q: What security services are available for the Firebox X Edge e-Series?
A: Firebox X Edge e-Series support the following security subscriptions:
- WebBlocker for powerful URL filtering service
- spamBlocker with virus outbreak detection and quarantine, the best real-time spam detection in the industry
- Gateway AntiVirus/Intrusion Prevention Service (Gateway AV/IPS) to stop known spyware and viruses at the gateway
Q: What is WebBlocker?
A: WebBlocker is a security subscription that allows you to manage your users’ Web surfing. You can control access to sites that host objectionable material or pose network and security risks, including known spyware sites. This helps to increase employee productivity, prevent legal liabilities, and protect against malicious attacks from rogue Web sites. With version 10, WebBlocker can filter HTTPS traffic as well as HTTP traffic, eliminating potentially dangerous or productivity-sapping Web surfing activity.
Q: What is spamBlocker with Quarantine?
A: spamBlocker is a unique, fully integrated, anti-spam security subscription. It distinguishes legitimate communication from spam outbreaks in real time, blocking up to 97% of unwanted emails regardless of the language, content, or format of the message, including image-based spam. spamBlocker is easily deployed and continually updated for the latest up to date protection. With version 10, spamBlocker also includes virus outbreak detection, which protects users from viruses and other malware, via the same mechanism used to block spam.
Q: What is Gateway AntiVirus/Intrusion Prevention Service?
A: Gateway AV/IPS is a signature-based service that identifies and blocks known threats in real time, giving your network an additional layer of protection against spyware, viruses, and application exploits including trojans, buffer overflows, SQL injections, and policy violations. Signatures are updated without interruption, so your network always has up-to-the-minute protection.
Q: How can I purchase security service subscriptions?
A: There are three ways for Firebox X Edge e-Series appliances to add security service subscriptions:
- UTM Bundle - includes Firebox X Edge e-Series appliance plus all three 1 year security service subscriptions plus 1 year of LiveSecurity® Service.
- UTM Software Suite – provides all three 1 year security service subscriptions plus 1 year of LiveSecurity® Service. This package can be added to any existing Firebox X Edge e-Series appliance.
- Individual Security Service - allows the purchase of each 1 year Security Service subscription individually; e.g. Firebox X 20e 1-Year spamBlocker.
All security service subscriptions are fully integrated with the Firebox X Edge e-Series. You simply purchase a subscription to a service, and then use a downloadable license key to turn on the service on your Firebox. One subscription provides network-wide protection for all users configured behind your Firebox X Edge.
Q: Can I get a free trial of these security services?
A: Yes, users can initiate trials of Gateway AV/IPS, spamBlocker, and WebBlocker on Firebox X Edge e-Series appliances.
- When activating a new Firebox X Edge appliance, users will be guided through the free trial activation process
- Users with a Edge appliance that has already been activated can go into “Product Details” in the Managed Products section of the LiveSecurity Service site
- Users can contact their reseller and request a free trial of any of the security service subscriptions.
A 90-day initial subscription to LiveSecurity Service also comes with every Firebox X Edge purchase.
Where do I find out more about security service subscriptions for the Firebox X Edge e-Series?
A: You can find more information about WebBlocker, spamBlocker, and Gateway AV/IPS on the WatchGuard web site at www.watchguard.com/products/security_services.asp.
Upgrades
Q: Is the Firebox X Edge model upgradeable?
A: Yes. Like other Firebox X product lines, the Firebox X Edge e-Series can be model-upgraded to any higher model in the line. Customers can get more VPN capacity by purchasing a downloadable software license key. Purchasing an upgrade requires that the customer has an active LiveSecurity Service subscription.
Q: What is the upgrade path for the Firebox® X Edge line?
A: Firebox X Edge appliances can be upgraded as follows.
| Model | License Key Upgradeable to |
|---|---|
| Edge e-Series | |
| X10e | X20e, X55e |
| X10e-W | X20e-W, X55e-W |
| X20e | X55e |
| X20e-W | X55e-W |
| X55e | N/A |
| X55e-W | N/A |
Q: Can I upgrade to Edge Pro software?
A: Edge Pro software is provided as standard with the X55e and X55e-W. It is an optional upgrade for the X10e, X10e-W, X20e, and X20e-W. If planning to upgrade to the Edge Pro software, you should consider the alternative of upgrading to an X55e or X55e-W as the Edge Pro software is included in the model upgrade as are other additional features.
Q: How do I purchase upgrades and options for my Firebox X Edge?
A: Upgrades, options, and LiveSecurity Service renewals can be purchased from a reseller or online at www.watchguard.com/products/purchaseoptions.asp.
Support
Q: What support is provided with the purchase of a Firebox X Edge appliance?
A: A 90-day initial subscription to LiveSecurity® Service comes with every Firebox X Edge purchase.
Q: What does LiveSecurity Service provide for WatchGuard customers?
A: LiveSecurity Service is the most comprehensive support and maintenance offering in the industry, providing customers with:
- Access to on-going functional enhancements for their WatchGuard products
- Vulnerability warnings and security broadcasts
- Advance hardware replacement
- Technical support
- Self-help resources
Q: Where can I get more information on LiveSecurity Service?
A: You can get more information about LiveSecurity Service at the LiveSecurity Web site at www.watchguard.com/livesecurity.
Physical Environment
Q: Does the power supply support 100/240 volts?
A: Yes. Firebox X Edge contains an auto-sensing power supply that will run on either 100 or 240 volts.
Q: What is the power consumption on a Firebox® X Edge?
A: United States: 12 Watts; Rest of World: 172 Cal/min, 41 BTU/hr.
Legacy Firebox X Edge Appliances
Q: How do Firebox® X Edge e-Series models differ from previously released Firebox® X Edge models?
A: Firebox® X Edge e-Series models differ from previously released Firebox X Edge models in several key areas. Firebox X Edge e-Series models:
Include advanced networking features such as 1:1 NAT and Port Address Translation (PAT), support for multiple IP addresses, and configurable QoS
While both product lines support a stateful packet filter, the Firebox X Edge e-Series provides application-layer inspection through scalable transparent proxies. This blocks otherwise unknown threats through advanced protocol anomaly detection and pattern matching capabilities. This provides true zero day protection against any network based threats.
Support security service subscriptions including spamBlocker, WebBlocker, and Gateway AntiVirus/Intrusion Prevention Service for comprehensive unified threat management
Ship with Edge appliance software v8.x, rather than v7.5 appliance software that ships on previously released Firebox X Edge models
Meet European Union environmental requirements: RoHS, WEEE.
