Best Practices to Secure Your Firebox

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

When you first set up a new Firebox, it is configured with default settings that protect your network from common threats. However, you can take additional actions to make sure that you follow recommended best practices to secure your Firebox.

This document lists the recommended high-level steps you can take to configure your Firebox securely:

Physical Security

Security starts at the physical location where your Firebox resides.

Recommendation: It is important that you install the Firebox in a secure location and limit the number of people who have physical access to the device. This makes sure that unauthorized people cannot tamper with your Firebox and other physical network infrastructure.

Follow best practices to secure your physical location, such as the installation of a keycard entry system. In addition, train your staff so that they are aware of tactics used by malicious actors to get access to your physical environment, such as tailgating.

High Availability

Your Firebox cannot protect your network and users if it is offline because of an outage or other issue. For full redundancy, you can configure a FireCluster, which is the high availability (HA) solution for WatchGuard Fireboxes. A FireCluster includes two Fireboxes configured as cluster members. If a cluster member fails, the other cluster member takes over, handles all network traffic, and makes sure that your network remains secure.

For more information about FireCluster, go to About FireCluster.

Accounts and Credentials

Follow these guidelines to make sure that the accounts that manage the Firebox are secure:

Use Firebox Role-Based Administration

With role-based administration on your Firebox, you can share the configuration and monitoring responsibilities for your Firebox between multiple individuals in your organization.

Each locally-managed Firebox includes these roles that you can assign to the unique user accounts you add to manage and monitor the Firebox:

  • Device Administrator: User accounts that are assigned the Device Administrator role can connect to the device with read/write permissions to make changes to the device configuration file and monitor the device.
  • Device Monitor: User accounts that are assigned the Device Monitor role can connect to the device with read-only permissions to monitor the device.
  • Guest Administrator: User accounts that are assigned the Guest Administrator role can only connect to the device to manage the list of guest user accounts for connections to the hotspot enabled on the device.

In WatchGuard Cloud, operators with these roles can manage the configuration of a cloud-managed Firebox:

  • Service Provider accounts — Owner and Helpdesk
  • Subscriber accounts — Administrator and Analyst

Recommendations: Limit administration access to the Firebox to only those users who need it. If a user does not require the ability to manage the Firebox, do not assign them a role that can manage the Firebox configuration.

In addition, we recommend that you regularly review all accounts that have administration access to the Firebox and delete any accounts that you no longer need. We recommend that you do this once a quarter.

For more information about users and roles, go to:

Change the Default User Account Passphrases

Each Firebox includes these default, built-in user accounts that you cannot delete:

  • admin: The default Device Administrator user account with read/write permissions. Default passphrase: readwrite
  • status: The default Device Monitor user account with read-only permissions. Default passphrase: readonly

Recommendation: To keep your device secure, make sure to change the default passphrases for the admin and status accounts each time you:

  • Set up a new Firebox.
  • Restore factory-default settings on a Firebox.

We also recommend you specify unique passphrases for each Firebox you manage and change them frequently.

To change the passphrases of the default user accounts, go to:

Change the Default Password Used to Encrypt Support Snapshot Files

If you connect a USB drive to a USB interface on the Firebox, the device automatically generates a new support snapshot and saves it as an encrypted file to the \wgdiag directory on the USB drive. This also occurs automatically when the device powers on and a USB drive is connected to the device.

Recommendation: To make sure that unauthorized users cannot decrypt the support snapshot file, which includes important information about your Firebox configuration, we recommend that you change the default password used to encrypt the files. To do this, connect to the Firebox Command Line Interface and enter the command:

usb diagnostic encrypt password

Where password is the password you want to use to encrypt the files.

To learn more about the Command Line Interface, go to the Command Line Interface Reference documentation.

Configure Multi-Factor Authentication for the Firebox

Multi-factor authentication (MFA) is a process that requires users to provide more information than simply their password to authenticate. Because users must use multiple factors to confirm their identity, MFA is more secure than password authentication.

Recommendation: To protect the Firebox from hackers who use brute force attacks or stolen user credentials to get unauthorized access to the device, enable multi-factor authentication (MFA) for users who connect to the Firebox.

AuthPoint is WatchGuard's multi-factor authentication (MFA) service. With AuthPoint, you can require users to authenticate with the AuthPoint mobile app or a hardware token when they log in to a protected resource, such as a computer, VPN, or a cloud service or application. For more information, go to Configure MFA for a Firebox.

To protect cloud-managed Fireboxes, and other services that you manage with WatchGuard Cloud, you can also enable MFA for WatchGuard Cloud operators. To learn more, go to Enable MFA for WatchGuard Cloud Operators.

Use an External Identity Provider as an Authentication Server

When you require users to authenticate through the Firebox, you can create policies to manage traffic from specific users and groups. You can also see user names in log messages and reports, which give you information about user traffic on your network.

Recommendations: For networks with many users, we recommend that you use an external identity provider, such as AuthPoint or a third-party authentication server, rather than Firebox authentication (local Firebox-DB users). With Firebox authentication, an administrator must log in to the Firebox to specify and reset user passwords. Users cannot specify or change their own passwords.

With a third-party authentication server, such as Active Directory, users log in with their existing credentials and can change them when they need to. Administrators can also manage their users centrally and have more configuration options than with Firebox authentication.

For more information about authentication options, go to:

Configure Account Lockout Settings

Hackers use brute force attacks to try to crack the credentials of a legitimate user account. Brute force attacks try all possible user name and password combinations to gain access to the account.

Recommendation: To prevent brute force attempts to guess your user account passwords, you can enable Account Lockout settings for locally-managed Fireboxes. Account Lockout settings apply to all user accounts that are configured for Firebox (Firebox-DB) authentication.

When Account Lockout is enabled, the Firebox temporarily locks a user account after a specified number of consecutive, unsuccessful login attempts, and permanently locks a user account after a specified number of temporary account lockouts.

For more information about how to configure Account Lockout for Firebox-DB authentication on a locally-managed Firebox, go to Configure Firebox Account Lockout Settings.

You can also separately configure Account Lockout settings for Device Management user accounts. For more information, go to Set Global Firewall Authentication Values.

If you use a different identity provider for authentication, we recommend that you configure account lockout settings to protect those accounts.

Configure Block Failed Login Attempts

To help prevent brute force attacks against the Firebox login pages, you can configure the Firebox to temporarily block an IP address after a specified number of consecutive failed authentication attempts within the specified time period. For example, you can block an IP address that has 5 failed login attempts within 10 minutes.

Recommendation: Enable the Blocked Failed Login Attempts feature to protect the login pages for Fireware Web UI, the Firebox Authentication Portal, and the Mobile VPN with SSL client.
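As an added illustration of the rule described above (example code written for this page, not WatchGuard software), the following Python script applies the same counting logic, a threshold of consecutive failures inside a time window, to a handful of constructed log lines. The line layout (auth result=... user=... src=...) and the addresses are assumptions made for the example; they are not the Firebox log format. A successful login from a source clears its counter, which is what "consecutive" implies, and a source that reaches the threshold is reported with the time at which it would be blocked.

```python
"""Sliding-window detector for repeated failed logins from one source IP.

Added example (not WatchGuard code). It mirrors the Block Failed Login
Attempts rule: 5 consecutive failures within 10 minutes by default. The
line format below is an assumption for this example, not the Firebox format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real Firebox output). Addresses come from the
# TEST-NET-2 and TEST-NET-3 documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:05 auth result=failed user=admin src=203.0.113.7
2024-05-01T10:00:09 auth result=failed user=admin src=203.0.113.7
2024-05-01T10:00:14 auth result=failed user=status src=203.0.113.7
2024-05-01T10:00:20 auth result=failed user=admin src=198.51.100.9
2024-05-01T10:00:31 auth result=failed user=root src=203.0.113.7
2024-05-01T10:00:45 auth result=success user=jdoe src=198.51.100.9
2024-05-01T10:01:02 auth result=failed user=admin src=203.0.113.7
2024-05-01T10:02:10 auth result=failed user=admin src=198.51.100.9
2024-05-01T10:15:00 auth result=failed user=admin src=198.51.100.9
2024-05-01T10:20:00 auth result=failed user=admin src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>failed|success) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, src), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def find_blockable_sources(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {src_ip: time_of_block} for sources that reach `threshold`
    consecutive failures inside `window`. A successful login from a source
    resets its counter, matching the "consecutive" wording of the feature."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    blocked = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, _user, src = parsed
        if src in blocked:
            continue                 # already blocked; ignore later lines
        if result == "success":
            failures[src].clear()
            continue
        q = failures[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            blocked[src] = ts
    return blocked


if __name__ == "__main__":
    for src, when in find_blockable_sources(SAMPLE_LOG).items():
        print(f"block {src} at {when.isoformat()}")
```

With the sample data, 203.0.113.7 reaches five failures at 10:01:02 and would be blocked; 198.51.100.9 never does, because one success resets it and its later failures are spread wider than the window. Lowering the threshold to 2 shows the window pruning at work: the same second source is only blocked once two of its failures fall within ten minutes of each other.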

For more information, go to:

Firebox Updates

WatchGuard regularly updates Firebox firmware and other software. Follow our recommendations for these types of updates:

Fireware Updates

Fireware releases include new features, enhancements, and fixes to resolve bugs and security issues, as well as updates to other software.

Recommendation: We recommend that you install Firebox updates as soon as they become available. Firmware updates often include important bug fixes and resolve security issues.

Before you install updated firmware on your Firebox, it is important that you understand the features and any changes that might affect your environment. To learn more about a specific release before you upgrade, review the Fireware Release Notes. If you want to try out a new release before you deploy it to production, consider the use of a test environment.

To learn more about some of the security issues that are resolved in different Fireware releases, you can visit the Security Advisories page on the WatchGuard website, which includes detailed information about whether some known vulnerabilities affect WatchGuard products and services.

To learn how to upgrade to the latest Fireware version:

Security Service Updates

To protect against emerging threats, it is also important to keep security services up to date. The Gateway AntiVirus, IntelligentAV, Intrusion Prevention Service, Application Control, Data Loss Prevention, Botnet Detection, and Geolocation security services use frequently updated signatures, security definitions, databases, or engines to identify the latest viruses, threats, and applications.

Recommendation: For locally-managed Fireboxes, we recommend that you configure these services to update automatically. For more information, go to Subscription Services Status and Manual Signatures Updates.

Cloud-managed Fireboxes automatically update security services for you when updates are available.

Local and Remote Secure Management

It is very common to want to manage your Firebox remotely, and you can do this securely. However, overexposing your Firebox management interfaces presents a security risk and we strongly recommend that you configure the policies that control firewall management so that unrestricted access from the Internet is not allowed.

Recommendation: To make sure that you do not expose the Firebox management interfaces, use one of these options, listed from most to least secure:

  • Use a mobile VPN to connect to the management interfaces.
  • Restrict access to the management interfaces to only authenticated users.
  • Allow only specific IP addresses to connect to the management interfaces.

For a detailed explanation of these options, review the Firebox Remote Management Best Practices KB article.

For instructions on how to securely manage the Firebox from a remote location, go to:

To find out more about the threats caused by overexposure of management portals, read this Secplicity blog post: For the Love of InfoSec, Don’t Over-Expose Administrative Management Portals

Mobile VPN Security

In Fireware v12.11 and higher, the Mobile VPN with SSL client download page is removed from the Firebox. To download the Mobile VPN with SSL client, go to the Software Downloads page and select your Firebox model.

We strongly recommend that users who must connect to your network from a remote location use a mobile VPN.

Recommendations: To make sure that your mobile VPN configuration is secure, follow these guidelines:

  • Before you select which mobile VPN to use, make sure that you understand the security characteristics of each mobile VPN type:
  • When you configure the mobile VPN, select strong encryption settings that meet any specific security requirements for your environment or region. For the strongest encryption, we recommend the AES-GCM (256-bit) algorithm.
  • Make sure that users install the latest version of the Mobile VPN client software that is compatible with your Fireware version.
  • For locally-managed Fireboxes, by default, users can download the Mobile VPN with SSL client from a download page on the Firebox that is exposed to the Internet. If you do not want to expose this page, use the no sslvpn web-download enable command in CLI policy configuration mode (at the WG(config/policy)# prompt) to disable it, and have your users download the Mobile VPN with SSL client software from the Software Downloads Center, or distribute the client yourself. For more information:

    In Fireware v12.11 and higher, the sslvpn web-download command is removed from the Firebox.

  • When you configure a mobile VPN on the Firebox, an automatically generated firewall policy allows connections from users and groups you specify in the VPN configuration to the destination Any. For example, when you configure mobile VPN with SSL, the Firebox automatically generates a VPN access policy named Allow SSLVPN-Users, which includes the alias Any in the To list.

These automatically generated policies allow mobile VPN groups and users to get access to all resources on your network. To restrict the resources that mobile VPN users can connect to, we recommend that you remove the Any alias from these policies and add the specific resources that you want to allow VPN users to connect to. Alternatively, you can disable the default policies and add more specific firewall policies for traffic from mobile VPN users and groups.

For more information, go to About Aliases.

  • When you integrate additional WatchGuard products and services with your Firebox, your network is more secure. These features work with your mobile VPN to provide an extra layer of security:
    • Network access enforcement — Enables network administrators to specify that endpoint devices must meet specific security requirements before they can connect to the network through a mobile VPN. For more information, go to Network Access Enforcement Overview.
    • Multi-factor authentication (MFA) — Requires mobile VPN users to supply information in addition to a password to authenticate. You can configure MFA with AuthPoint or a third-party provider. For more information, go to Use Multi-Factor Authentication (MFA) with Mobile VPNs.

Secure Your Firewall Policies

Your firewall policies control the network traffic that the Firebox allows and denies. We recommend that you follow these best practices when you configure and manage firewall policies:

Egress Filtering

Egress filtering is the restriction of outbound traffic from your internal network to the Internet. We recommend that you follow egress filtering practices to make sure that only authorized traffic leaves your network.

Egress filtering requires some effort to make sure that you do not inadvertently block traffic that you want to allow. For this reason, many administrators avoid egress filtering because it is easier to simply allow all outbound traffic. However, this is not a secure approach, and it is better to fully understand which outbound traffic you can safely allow and restrict other outbound traffic.

The default Firebox configuration includes the Outgoing packet filter policy. The Outgoing policy allows all TCP and UDP connections from any trusted or optional source on your network to any external network. Because it is a packet filter policy, not a proxy policy, the Outgoing policy does not filter content when it examines the traffic through your Firebox. The Outgoing policy exists to make sure that the Firebox allows outbound TCP and UDP connections that do not match any other policy.

Recommendation: To make sure that the Firebox allows only connections you want to allow, we recommend you disable the Outgoing policy. This is best practice but takes careful planning and subsequent monitoring.

Before you disable the Outgoing policy, you must add policies for all outbound connections that you want the Firebox to allow. We recommend that you enable logging and closely monitor the type of traffic that leaves your network so that you can determine which policies you must create. You can either add a separate policy for each type of outbound traffic you want to allow, or you can create a custom packet filter for the specific ports necessary for outbound connections you want to allow from your network.

WARNING: Even with careful planning, after you disable the Outgoing policy, it is likely that the Firebox will deny some outbound connections that you want to allow. Be prepared to troubleshoot these issues and add policies as necessary to allow required outbound connections through the Firebox. This process takes time, but also gives you visibility into and control over the types of traffic on your network.
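The planning step above, enabling logging and working out which outbound traffic actually matches the Outgoing policy before you disable it, is easiest with a small script. The one below is an added example written for this page, not WatchGuard code: it reads constructed traffic-log lines in a key=value layout assumed for the example (the real Firebox log format differs), keeps only the allowed connections that matched a named catch-all policy, groups them by protocol and destination port, and proposes one replacement policy per group. Groups used by only a few internal hosts get a policy scoped to those hosts; wider use gets a network-wide policy. The source-count threshold is a planning heuristic chosen for the example.

```python
"""Summarize outbound connections that matched a catch-all policy, so that each
group can become its own narrowly scoped policy before the catch-all is disabled.

Added example, not WatchGuard code. The log line layout is an assumption for
this example and is not the Firebox log format.
"""
import re
from collections import defaultdict

# Constructed sample (not real Firebox output). Internal hosts use 10.0.1.0/24,
# external destinations use documentation address ranges.
SAMPLE_TRAFFIC = """\
2024-05-01T09:00:01 allow src=10.0.1.15 dst=203.0.113.20 proto=tcp dport=443 policy=Outgoing
2024-05-01T09:00:02 allow src=10.0.1.22 dst=203.0.113.21 proto=tcp dport=443 policy=Outgoing
2024-05-01T09:00:03 allow src=10.0.1.15 dst=198.51.100.5 proto=tcp dport=80 policy=Outgoing
2024-05-01T09:00:04 allow src=10.0.1.40 dst=198.51.100.53 proto=udp dport=53 policy=DNS
2024-05-01T09:00:05 allow src=10.0.1.8 dst=203.0.113.25 proto=tcp dport=25 policy=Outgoing
2024-05-01T09:00:06 allow src=10.0.1.8 dst=203.0.113.26 proto=tcp dport=25 policy=Outgoing
2024-05-01T09:00:07 deny src=10.0.1.31 dst=203.0.113.30 proto=tcp dport=23 policy=Unhandled
2024-05-01T09:00:08 allow src=10.0.1.31 dst=203.0.113.40 proto=tcp dport=443 policy=Outgoing
2024-05-01T09:00:09 allow src=10.0.1.31 dst=203.0.113.41 proto=tcp dport=8443 policy=Outgoing
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>allow|deny) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+) policy=(?P<policy>\S+)$"
)


def summarize_policy_traffic(log_text, policy="Outgoing"):
    """Group allowed connections that matched `policy` by (proto, dport).

    Returns {(proto, dport): {"connections": int, "sources": set, "destinations": set}}.
    """
    groups = defaultdict(lambda: {"connections": 0, "sources": set(), "destinations": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "allow" or m["policy"] != policy:
            continue
        g = groups[(m["proto"], int(m["dport"]))]
        g["connections"] += 1
        g["sources"].add(m["src"])
        g["destinations"].add(m["dst"])
    return dict(groups)


def propose_policies(summary, broad_source_threshold=3):
    """Turn each (proto, dport) group into a proposed replacement policy.

    Groups used by fewer than `broad_source_threshold` internal hosts are
    scoped to those hosts; wider usage gets a network-wide (Any-Trusted) policy.
    The threshold is a planning heuristic chosen for this example.
    """
    proposals = []
    ranked = sorted(summary.items(), key=lambda kv: -kv[1]["connections"])
    for (proto, dport), g in ranked:
        if len(g["sources"]) < broad_source_threshold:
            source = ",".join(sorted(g["sources"]))
        else:
            source = "Any-Trusted"
        proposals.append({"proto": proto, "dport": dport, "from": source,
                          "connections": g["connections"]})
    return proposals


if __name__ == "__main__":
    summary = summarize_policy_traffic(SAMPLE_TRAFFIC)
    for p in propose_policies(summary):
        print(f"{p['proto']}/{p['dport']:<5} from {p['from']:<20} ({p['connections']} connections)")
```

On the sample data the script proposes a network-wide HTTPS policy (three hosts use port 443), an SMTP policy scoped to the one host that sends mail, and host-scoped policies for the two single-host ports; the DNS line is ignored because it already matched a dedicated policy, and the denied Telnet attempt is ignored because it was not allowed traffic.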

For more information about the Outgoing Policy:

Narrow the Firewall Policy Scope

By default, firewall policies use the built-in aliases Any-External, Any-Trusted, Any-Optional, and Any. Policies configured with these aliases might allow connections from more sources and destinations than is necessary.

For more control over network connections, we recommend that you follow the principle of least privilege. Evaluate the source and destination in each policy to make sure that the policy does not allow connections from more sources or to more destinations than necessary.

Recommendations: Follow these recommendations to fine-tune the scope of your policies:

  • For each policy, configure the source and destination as narrowly as possible.
  • Do not use the Any alias in policies (except in the default Ping and BOVPN-Allow.in and BOVPN-Allow.out policies).
  • Review all policies that include the aliases Any, Any-External, Any-Optional, or Any-Trusted.
    • Make sure the aliases in each policy are actually required for the connections you want to allow.
    • If possible, replace these aliases with a more specific source or destination to narrow the policy scope.
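The alias review above is mechanical enough to script. The following Python audit is an added example written for this page, not WatchGuard code or a WatchGuard configuration format: policies are represented as plain dictionaries constructed for the example (a real export would have to be mapped into this shape first). It flags the Any alias everywhere except in the default Ping, BOVPN-Allow.in and BOVPN-Allow.out policies, marks Any-External, Any-Trusted and Any-Optional for review, and treats an enabled inbound policy open to Any-External as the highest-priority case, which also catches the mobile VPN policy with Any in its To list that the Mobile VPN Security section describes.

```python
"""Audit firewall policy scope for overly broad aliases.

Added example, not WatchGuard code. The policy dictionaries are a constructed
representation chosen for this example, not a Firebox export format.
"""

# Default policies in which the Any alias is expected, per the recommendations.
ANY_ALLOWED_IN = {"Ping", "BOVPN-Allow.in", "BOVPN-Allow.out"}
BROAD_ALIASES = {"Any-External", "Any-Trusted", "Any-Optional"}

# Constructed sample policies (not a real Firebox configuration).
SAMPLE_POLICIES = [
    {"name": "Ping", "from": ["Any-Trusted", "Any-Optional"], "to": ["Any"], "enabled": True},
    {"name": "BOVPN-Allow.out", "from": ["Any"], "to": ["Any"], "enabled": True},
    {"name": "Allow SSLVPN-Users", "from": ["SSLVPN-Users"], "to": ["Any"], "enabled": True},
    {"name": "RDP-In", "from": ["Any-External"], "to": ["10.0.2.10"], "enabled": True},
    {"name": "Mail-Out-Exchange01", "from": ["10.0.1.8"], "to": ["Any-External"], "enabled": True},
    {"name": "HTTPS-Out-Finance", "from": ["10.0.1.0/24"], "to": ["203.0.113.0/24"], "enabled": True},
    {"name": "Legacy-FTP-In", "from": ["Any-External"], "to": ["Any-Trusted"], "enabled": False},
]


def audit_policy(policy):
    """Return a list of (severity, message) findings for one policy."""
    findings = []
    for side in ("from", "to"):
        for alias in policy[side]:
            if alias == "Any" and policy["name"] not in ANY_ALLOWED_IN:
                findings.append(("high", f"'Any' used in {side}; replace with specific hosts or networks"))
            elif alias in BROAD_ALIASES:
                findings.append(("review", f"'{alias}' used in {side}; confirm the full range is required"))
    # An enabled policy that admits the whole Internet is the case to fix first.
    if "Any-External" in policy["from"] and policy["enabled"]:
        findings.append(("high", "inbound from Any-External; restrict sources or require a VPN"))
    return findings


def audit_policies(policies):
    """Return {policy_name: findings} for policies with at least one finding."""
    report = {}
    for p in policies:
        f = audit_policy(p)
        if f:
            report[p["name"]] = f
    return report


if __name__ == "__main__":
    for name, findings in audit_policies(SAMPLE_POLICIES).items():
        for severity, msg in findings:
            print(f"[{severity:6}] {name}: {msg}")
```

The disabled Legacy-FTP-In policy still gets review findings for its aliases but no high finding, which matches the advice to disable rather than delete a policy while you confirm it is not needed; the narrowly scoped HTTPS-Out-Finance policy produces nothing.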

Customize Policy Names

The default Firebox configuration uses standard names for policies. The default policy names indicate the type of traffic the policy handles, but might not be meaningful in your network environment, especially if you add multiple policies of the same type.

To make your policies easier to understand and maintain, give each policy a meaningful name that indicates the purpose of the policy, which users or network it applies to, or any other unique characteristics, such as when the policy is active.

Review Policies Regularly

Over time, the infrastructure, hardware, software, services, and personnel that make up your organization change. The policies that you configured on your Firebox at some point in the past might no longer make sense, and in some cases, might represent a security issue.

Recommendation: It is important to review your firewall configuration regularly to identify any policies that you might want to update or remove. We recommend that you do this at least once a year, but preferably once a quarter.

Pay special attention to these types of policies:

  • Policies that allow external access to your network, especially those that cover common protocols and ports, such as HTTP, HTTPS, FTP, SSH, and RDP.
  • Policies that allow outbound access from your network.

To help you determine whether you still need a policy, enable logging to capture information about the traffic through the Firebox and which ports and policies are used. To make it easier to monitor traffic, add your Firebox to WatchGuard Cloud. You can also use the Policy Map report to determine which policies handle network traffic.

If you identify policies that are no longer in use, we recommend that you initially disable the policies rather than delete them from your configuration. This enables you to continue to monitor traffic until you are sure that the policies are not required.

Certificates

Certificates match the identity of a person or organization with a method for others to verify that identity and secure communications. Your Firebox can use certificates for several purposes.

By default, your Firebox creates self-signed certificates to secure management session data and authentication attempts for Fireware Web UI and for proxy content inspection. To make sure the certificate used for content inspection is unique, its name includes the serial number of your device and the time at which the certificate was created. Because these certificates are not signed by a trusted certificate authority (CA), and they do not contain valid domain or IP information, users on your network see security warnings in their web browsers.

You have three options to remove these warnings:

  • You can import certificates that are signed by a CA your organization trusts (such as a PKI you have already set up for your organization) for use with these features.
  • You can create a custom, self-signed certificate that matches the name and location of your organization.
  • You can use the default, self-signed certificate.

Recommendation: Replace the default self-signed certificates with signed certificates that are trusted by your network clients. Use a local public key infrastructure (PKI) to generate any internal certificates used by the Firebox, such as Web Server and Proxy Authority certificates.

This provides several advantages:

  • It is easier to deploy certificates with an internal PKI than to create them on the Firebox.
  • It is easier to deploy certificates with third-party software (such as Active Directory) than to manually install them on each network client.
  • If the network clients trust your local PKI certificate authority, they automatically trust certificates you issue to the Firebox.
  • If you replace your Firebox, you do not have to redeploy certificates to your network clients.

If you decide to use your own PKI, it is important to understand that you must manage it securely to protect your CA keys.

For more information about how the Firebox uses certificates, go to About Certificates.

Configure Logging

Log messages include important information that you might need to troubleshoot issues or to perform a forensic analysis of a security incident. It is important to configure logging on the Firebox and to retain your log message data for future analysis.

Follow these guidelines for logging:

Enable Logging

If you have a cloud-managed Firebox, logging is enabled automatically and you do not have to do anything to capture log data.

If you have a locally-managed Firebox, you can enable logging in different areas of the Firebox configuration.

Recommendation: We recommend that you enable logging on all your Firebox policies. By default, the Firebox sends a traffic log message when a policy denies a connection. You can also configure policies to send log messages for allowed connections; however, this can generate a very large number of log messages and could impact performance.

For more information, go to Set Logging and Notification Preferences and Configure Logging and Notification for a Policy.

Configure NTP Servers

Network Time Protocol (NTP) synchronizes computer clock times across a network. Your Firebox can use NTP to automatically get the correct time from NTP servers on the Internet to set the system clock. Because the Firebox uses the time from its system clock for each log message it generates, it is important that the time on your device is correct.

Recommendation: To make sure that log messages include accurate timestamps, enable NTP and configure NTP servers. For more information, go to:

Retain Log Messages

While log messages are helpful to troubleshoot network issues in real time, it is very important that you collect and store log messages securely so that you have a record of network activity that you can review any time you need to. For example, in the event of an attack on your network, log message data helps you to perform a forensic analysis of the incident.

Recommendation: We recommend that you configure the Firebox to send log messages to WatchGuard Cloud, Dimension, or an external syslog server. For more information, go to:

We recommend that you always add your Firebox to WatchGuard Cloud for logging and reporting. This makes sure that your log messages are stored even if you do not have your own log server. For more information, go to Get Started — Add a Device to WatchGuard Cloud.

Set Up Alarms and Actively Monitor Events

An alarm is an event that triggers a notification to tell a network administrator about an event that is a possible security threat. For example, the Firebox can generate an alarm when traffic matches, or does not match, a specific policy. A security service such as APT Blocker can generate an alarm when it detects a threat.

If your Firebox sends log messages to WatchGuard Cloud, Dimension, or a WSM Log Server, the administrator can also receive the notification as an email message.

Recommendation: Consider the configuration of alarms and notifications for traffic that might be critical to monitor. For more information, go to:

Backups

It is good practice to make backups of important data and settings used by your network infrastructure. Backups enable you to quickly restore your system in the event of a problem, such as physical damage, corruption, or accidental misconfiguration.

For a locally-managed Firebox, you can use backup images to restore your Firebox settings and configuration to a previous state. Backup images include the configuration file, certificates, passphrases, feature key, and other information unique to your Firebox. You can also save a copy of the configuration file to make a backup of the Firebox configuration settings.

For a cloud-managed Firebox, WatchGuard Cloud saves each deployed configuration automatically and you can revert to a previous configuration as required.

Recommendation: For locally-managed Fireboxes, regularly save a copy of the Firebox backup image and the Firebox configuration file. Because backup images and configuration files include sensitive information, make sure that you store them securely.

For more information, go to Save a Firebox Backup Image and Save the Configuration File.

Additional Recommendations

Follow these additional security best practices:

Do Not Disable Default Packet Handling

When your Firebox receives a packet, it examines the source and destination for the packet and looks at the IP address and the port number. The device also monitors the packets to look for patterns that can show your network is at risk. This process is called default packet handling.

Recommendation: Do not disable Default Packet Handling rules to resolve unrelated issues. The default packet handling settings on the Firebox include important defaults that protect you from threats such as flood attacks, spoofing attacks, and port or address space probes. If you see an issue on your network, we recommend that you investigate and identify the true cause of the issue, rather than disable default packet handling settings because it seems to resolve the problem.

Enable Security Services

Firebox Basic Security Suite and Total Security Suite subscriptions include a number of security services that protect your network from different types of malicious activity:

  • Access Portal (1)
  • Application Control
  • APT Blocker
  • Botnet Detection
  • Data Loss Prevention (2)
  • DNSWatch
  • EDR Core
  • Gateway AntiVirus
  • Geolocation
  • IntelligentAV (1)
  • Intrusion Prevention Service
  • spamBlocker
  • Tor Exit Node Blocking
  • WebBlocker

(1) Available on Firebox T40, T45, T80, and T85, Firebox M Series devices, Firebox Cloud, and FireboxV.

(2) Not available on Firebox T20, T25, T40, T45, T80, T85, M290, M390, M590, M690, M4800, and M5800 devices.

Recommendation: We recommend that you enable and configure the security services that are included with your Firebox license. If you do not enable all security services, your network might be vulnerable to attack.

Check for Open Ports and Other Vulnerabilities

An open port is a TCP or UDP port that accepts packets. Hackers often scan for open ports as a way to potentially infiltrate a network. It can be helpful to know if host devices in your network have open ports or other vulnerabilities that hackers might try to exploit.

Recommendation: Consider the use of tools like Nmap to scan your network for open ports and make sure that these match your firewall policies.

Vulnerability analysis tools can also scan your network for other types of vulnerabilities. If you decide to run a vulnerability scan on your network, review this KB article.
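The useful half of a port scan is the comparison with what your policies are meant to expose. The script below is an added example written for this page, not WatchGuard code: it parses Nmap's XML report (the format produced by nmap -oX), using a constructed document in that layout rather than a real scan result, and compares the open ports per host with a constructed map of host to allowed (protocol, port) pairs that stands in for what you would derive from your inbound policies. Ports open without a policy behind them point at a host or rule to investigate; ports a policy allows that are not open are candidates for the policy review described earlier.

```python
"""Compare open ports found by a scan with the ports your policies expose.

Added example, not WatchGuard code. SAMPLE_NMAP_XML is a constructed document
in Nmap's XML report layout; EXPECTED_OPEN is a constructed stand-in for the
per-host ports your inbound policies allow.
"""
import xml.etree.ElementTree as ET

# Constructed sample in Nmap XML layout (not a real scan result).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.94">
  <host>
    <status state="up"/>
    <address addr="10.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed: what the inbound policies are supposed to allow per DMZ host.
EXPECTED_OPEN = {
    "10.0.2.10": {("tcp", 443)},
    "10.0.2.11": {("tcp", 25), ("tcp", 587)},
}


def parse_open_ports(xml_text):
    """Return {ipv4: {(proto, port), ...}} for ports the report marks as open."""
    result = {}
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        open_ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.add((port.get("protocol"), int(port.get("portid"))))
        result[addr_el.get("addr")] = open_ports
    return result


def compare_with_policies(observed, expected):
    """Return (unexpected, missing): ports open with no policy behind them, and
    ports a policy allows that were not observed open (candidate stale rules)."""
    unexpected = {}
    missing = {}
    for host in set(observed) | set(expected):
        seen = observed.get(host, set())
        allowed = expected.get(host, set())
        if seen - allowed:
            unexpected[host] = seen - allowed
        if allowed - seen:
            missing[host] = allowed - seen
    return unexpected, missing


if __name__ == "__main__":
    unexpected, missing = compare_with_policies(parse_open_ports(SAMPLE_NMAP_XML), EXPECTED_OPEN)
    for host, ports in sorted(unexpected.items()):
        print(f"{host}: open but not covered by a policy: {sorted(ports)}")
    for host, ports in sorted(missing.items()):
        print(f"{host}: allowed by policy but not open: {sorted(ports)}")
```

In the sample, RDP on the web server and SNMP on the mail relay show up as open without a policy, while the submission port the mail policy allows is not open at all. The filtered SSH port is deliberately not counted as open; only ports the scan confirms as open are compared.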

Use a DMZ and Network Segmentation

Network segmentation is the practice of dividing your network into smaller segments that you can then manage and configure for specific purposes. Fireboxes often have many interfaces that you can use to segment your network. Segmentation can help to improve network performance and also enables you to enforce different security policies for different segments.

As part of network segmentation, you can configure a demilitarized zone (DMZ) to separate systems that are exposed to the Internet from other internal infrastructure.

Recommendation: We recommend that you follow general networking best practices and use segmentation to isolate critical servers from the rest of your network and the Internet, and put Internet-facing servers in a DMZ.

Related Topics

Firebox Configuration Best Practices