Setup Wizard Default Policies and Settings

You use the Web Setup Wizard or WSM Quick Setup Wizard to set up a Firebox with a basic configuration. The setup wizards help you to configure basic network and administrative settings and automatically configure security policies and licensed security services with recommended settings.

Default Enabled Interfaces

The setup wizards enable these interfaces with settings you specify:

  • External — Interfaces 0
  • Trusted —  Interface 1 
  • Optional — Interface 2 (configurable in the WSM Quick Setup Wizard only)

All other interfaces are disabled by default.

Wireless

In Fireware v12.5.3 and higher, the setup wizards enable and configure the built-in wireless access point on wireless Fireboxes. In the setup wizard, you configure the SSID and password to enable Wi-Fi connections to the trusted network. The Web Setup Wizard configures a trusted network bridge:

  • Network and DHCP settings match the trusted network settings configured in the setup wizard
  • Bridge Members — Trusted (interface1) and the wireless access point (ath1)

If you disable the default trusted bridge, you lose your connection to the Firebox. Before you disable the trusted bridge, configure another trusted network interface that you can connect to.

Default Policies and Services

The default policies and services that the setup wizards configure depend on the version of Fireware installed on the Firebox, and on whether the Firebox feature key includes a license for subscription services.

When you use the setup wizards to create a new configuration, they automatically configure proxy policies and enable most licensed subscription services with recommended settings.

The setup wizards add these default policies:

  • FTP-proxy, with the Default-FTP-Client proxy action
  • HTTP-proxy, with the Default-HTTP-Client proxy action
  • HTTPS-proxy, with the Default-HTTPS-Client proxy action
  • WatchGuard Certificate Portal (Fireware v12.3 and higher)
  • WatchGuard Web UI
  • Ping
  • DNS
  • WatchGuard
  • Outgoing

With these default policies, the Firebox: 

  • Does not allow connections from the external network to the trusted or optional networks, or the Firebox
  • Allows management connections to the Firebox from the trusted and optional networks only
  • Inspects outgoing FTP, HTTP, and HTTPS traffic, with recommended proxy action settings
  • Uses Application Control, WebBlocker, Gateway AntiVirus, Intrusion Prevention, Application Control, Reputation Enabled Defense, Botnet Detection, Geolocation, and APT Blocker security services to protect the trusted and optional networks

The web reputation authority service provided by Reputation Enabled Defense (RED) is not supported in Fireware v12.10 and higher. For more information, go to this Partner Blog post.

  • Allows outgoing FTP, Ping, DNS, TCP, and UDP connections from the trusted and optional networks

For a Firebox that runs Fireware v11.12 or higher, the setup wizards create three proxy actions that are used by the default proxy policies.

Default-FTP-Client

  • Used by the FTP-proxy
  • Based on FTP-Client.Standard
  • Gateway AntiVirus is enabled
  • Logging for reports is enabled

Default-HTTP-Client

  • Used by the HTTP-proxy
  • Based on the HTTP-Client.Standard proxy action
  • WebBlocker, Gateway AntiVirus, Reputation Enabled Defense, and APT Blocker are enabled

The web reputation authority service provided by Reputation Enabled Defense (RED) is not supported in Fireware v12.10 and higher. For more information, go to this Partner Blog post.

  • Logging for reports is enabled

Default-HTTPS-Client

  • Used by the HTTPS-proxy
  • Based on the HTTPS-Client.Standard proxy action
  • WebBlocker is enabled
  • Content Inspection uses the Default-HTTP-Client proxy action, but Content Inspection is not enabled
  • Logging for reports is enabled

You can edit these proxy actions to suit the needs of your network, and you can use these proxy actions for other proxy policies you add.

Default Subscription Services Configuration

The setup wizards enable most licensed security services by default with recommended settings if the feature key includes those features. The Botnet Detection, Tor Exit Node Blocking, and Geolocation features are enabled if the Firebox has a feature key for Reputation Enabled Defense.

The setup wizards configure subscription services only if the Firebox has a feature key that includes those services. If there is no feature key, or if there are no licensed subscription services in the feature key, the wizard configures the policies without subscription services enabled.

Enabled for all policies except WatchGuard, WatchGuard Certificate Portal, and WatchGuard Web UI

  • Scan mode:
  • Fast Scan for Firebox T10, T15, T30, T50, and all XTM models
  • Full Scan for all other models
  • Actions by threat level:
  • Critical — Drop, Alarm, Log
  • High — Drop, Alarm, Log
  • Medium — Drop, Log
  • Low — Drop, Log
  • Information — Allow

In Fireware v12.0 and lower, the action for the Low threat level is set to Allow by default.

For more information about Intrusion Prevention Service settings, go to Configure Intrusion Prevention.

Enabled for all policies except WatchGuard, WatchGuard Certificate Portal, and WatchGuard Web UI

Global Application Control actions:

  • Drop — Application — Crypto Admin
  • Drop — Application Category — Bypass Proxies and Tunnels

For more information about Application Control settings, go to Configure Application Control Actions.

The web reputation authority service provided by Reputation Enabled Defense (RED) is not supported in Fireware v12.10 and higher. For more information, go to this Partner Blog post.

Enabled for the HTTP-proxy policy

Action — Immediately block URLS that have a bad reputation, Log this action

For more information about Reputation Enabled Defense settings, go to Configure Reputation Enabled Defense.

Enabled to block traffic from suspected botnet sites

For more information about Botnet Detection settings, go to Configure Botnet Detection.

Enabled to block traffic from Tor exit nodes

For more information about Tor Exit Node Blocking settings, go to Configure Tor Exit Node Blocking.

Enabled to identify the geographic location of connections through the Firebox

For more information about Geolocation settings, go to Configure Geolocation.

Enabled for the HTTP-proxy and HTTPS-proxy policies

Settings for the Default-WebBlocker action:

  • Categories — The Default WebBlocker action blocks content categories you select in the setup wizard.
  • Server Timeout — By default, the server timeout setting is configured to deny access if the Firebox cannot connect to the WebBlocker Server.
  • License Bypass — By default, the license bypass setting is configured to deny access when the WebBlocker license expires.

In Fireware v12.0 and lower, the license bypass setting is configured to allow access when the WebBlocker license expires.

For more information about WebBlocker category settings, go to Configure WebBlocker Categories.

For more information about the Server Timeout and License Bypass settings, go to Define Advanced WebBlocker Options.

Enabled for the HTTP-proxy and FTP-proxy policies

  • FTP — AV Scan all content (uploads and downloads)
  • HTTP — AV Scan all content (content types and body content types)

In Fireware v12.0.1 and higher, in the Default-HTTP-Client proxy action, the action for the Windows EXE/DLL Body Content Rule is also set to AV Scan. In Fireware v12.0 and lower, the action for this rule is set to Deny by default.

Action — Drop and Alarm when a virus is found or a scan error occurs

For more information about Gateway AntiVirus settings, go to Configure Gateway AntiVirus Actions.

Enabled for the FTP-proxy and HTTP-proxy policies

Actions by threat level:

  • High — Drop, Alarm, Log
  • Medium — Drop, Alarm, Log
  • Low — Drop, Alarm, Log
  • Clean — Allow

In Fireware v12.0 and lower, the action for the High threat level is Block by default.

For more information about APT Blocker settings, go to Configure APT Blocker.

Logging for Reports

The setup wizards enable logging for reports, as described in Where to Enable Logging for Reports.

For packet-filter policies, logging is enabled at the policy level. For default proxy policies, logging is enabled in the proxy action.

  • Send a log message — Enabled in the Ping, DNS, and Outgoing policies
  • Send a log message for reports — Enabled in the Ping, DNS, and Outgoing policies
  • Enable logging for reports — Enabled in the Default-FTP-Client, Default-HTTP-Client, and Default-HTTPS-Client proxy actions

For each subscription service, the actions are configured to send log messages, as described in the previous section.

The setup wizard also enables logging of these performance statistics:

  • External interface and VPN bandwidth statistics
  • Security Services Statistics

For more information about these log messages, go to Include Performance Statistics in Log Messages (WSM).

Default Blocked Sites Exceptions

The Blocked Sites Exceptions list configured by the setup wizards includes default exceptions for servers that WatchGuard products and subscription services must connect to. For more information about the default blocked sites exceptions, go to About Blocked Sites.

Related Topics

About Firebox Setup Wizards