Setup Wizard Default Policies and Settings

You use the Web Setup Wizard or WSM Quick Setup Wizard to set up a Firebox with a basic configuration. The setup wizards help you to configure basic network and administrative settings and automatically configure security policies and licensed security services with recommended settings.

The default policies and services that the setup wizards configure depend on the version of Fireware installed on the Firebox, and on whether the Firebox feature key includes a license for subscription services.

Default Policies in Fireware v11.11.x and Lower

For a Firebox that runs Fireware v11.11.x or lower, the setup wizards add default policies, but do not enable licensed subscription services.

The setup wizards add five default policies:

  • FTP
  • WatchGuard Web UI
  • Ping
  • WatchGuard
  • Outgoing

With these default policies, the Firebox: 

  • Does not allow connections from the external network to the trusted or optional networks, or the Firebox
  • Allows management connections to the Firebox from the trusted and optional networks only
  • Allows outgoing FTP, Ping, TCP, and UDP connections from the trusted and optional networks

If your new Firebox was manufactured with Fireware v11.11.x or lower, the setup wizards do not enable subscription services, even if they are licensed in the feature key. To enable the security services and proxy policies with recommended settings, upgrade the Firebox to Fireware v11.12 or higher, reset it to factory-default settings, and then run the setup wizard again.

In Fireware v11.11.2 and higher, the setup wizards also automatically enable NTP on the Firebox.

Default Policies and Services in Fireware v11.12 and Higher

For a Firebox that runs Fireware v11.12 or higher, the setup wizards automatically configure proxy policies and most licensed subscription services with recommended settings. This reduces the amount of manual configuration required to use all the licensed features.

The setup wizards add eight default policies:

  • FTP-proxy, with the Default-FTP-Client proxy action
  • HTTP-proxy, with the Default-HTTP-Client proxy action
  • HTTPS-proxy, with the Default-HTTPS-Client proxy action
  • WatchGuard Web UI
  • Ping
  • DNS
  • WatchGuard
  • Outgoing

With these default policies, the Firebox:

  • Does not allow connections from the external network to the trusted or optional networks, or the Firebox
  • Allows management connections to the Firebox from the trusted and optional networks only
  • Inspects outgoing FTP, HTTP, and HTTPS traffic, with recommended proxy action settings
  • Uses Application Control, WebBlocker, Gateway AntiVirus, Intrusion Prevention, Reputation Enabled Defense, Botnet Detection, Geolocation, and APT Blocker security services to protect the trusted and optional networks
  • Allows outgoing FTP, Ping, DNS, TCP, and UDP connections from the trusted and optional networks

Default Proxy Actions

For a Firebox that runs Fireware v11.12 or higher, the setup wizards create three proxy actions that are used by the default proxy policies.

Default-FTP-Client

  • Used by the FTP-proxy
  • Based on FTP-Client.Standard
  • Gateway AntiVirus is enabled
  • Logging for reports is enabled

Default-HTTP-Client

  • Used by the HTTP-proxy
  • Based on the HTTP-Client.Standard proxy action
  • WebBlocker, Gateway AntiVirus, Reputation Enabled Defense, and APT Blocker are enabled
  • Logging for reports is enabled

Default-HTTPS-Client

  • Used by the HTTPS-proxy
  • Based on the HTTPS-Client.Standard proxy action
  • WebBlocker is enabled
  • Content Inspection uses the Default-HTTP-Client proxy action, but Content Inspection is not enabled
  • Logging for reports is enabled

You can edit these proxy actions to suit the needs of your network, and you can use these proxy actions for other proxy policies you add.

Default Subscription Services Configuration

For a Firebox that runs Fireware v11.12 or higher, the setup wizards enable most licensed security services by default with recommended settings if the feature key includes those features. The Botnet Detection and Geolocation features are enabled if the Firebox has a feature key for Reputation Enabled Defense.

The setup wizards configure subscription services only if the Firebox has a feature key that includes those services. If there is no feature key, or if there are no licensed subscription services in the feature key, the wizard configures the policies without subscription services enabled.

Logging for Reports

For a Firebox that runs Fireware v11.12 or higher, the setup wizards also enable logging for reports, as described in Where to Enable Logging for Reports.

For packet-filter policies, logging is enabled at the policy level. For default proxy policies, logging is enabled in the proxy action.

  • Send a log message — Enabled in the Ping, DNS, and Outgoing policies
  • Send a log message for reports — Enabled in the Ping, DNS, and Outgoing policies
  • Enable logging for reports — Enabled in the Default-FTP-Client, Default-HTTP-Client, and Default-HTTPS-Client proxy actions

For each subscription service, the actions are configured to send log messages, as described in the previous section.

The setup wizard also enables logging of these performance statistics:

  • External interface and VPN bandwidth statistics
  • Security Services Statistics

For more information about these log messages, see Include Performance Statistics in Log Messages.

Default Blocked Sites Exceptions

In Fireware v11.12.2 and higher, the Blocked Sites Exceptions list configured by the setup wizards includes default exceptions for servers that WatchGuard products and subscription services must connect to. For more information about the default blocked sites exceptions, see About Blocked Sites.
