To configure the global settings:
By default, Fireware XTM Web UI uses port 8080.
To change the default port:
You can schedule your XTM device to automatically reboot at the day and time you specify.
To schedule an automatic reboot for your device:
When you create a new configuration file for your XTM device, or upgrade your Firebox or XTM device to Fireware XTM OS v11.7.3 or higher, by default, your XTM device is configured to send feedback to WatchGuard. This feedback helps WatchGuard to improve products and features. It includes information about how your device is used and issues you encounter with your XTM device, but does not include any information about your company or any company data that is sent through the XTM device. Because of this, your device data is anonymous. All device feedback that is sent to WatchGuard is encrypted.
This feature is only available for Firebox or XTM devices that run Fireware XTM OS v11.7.3 or higher.
WatchGuard uses the information from the device feedback data to understand the geographic distribution of Fireware XTM OS versions. The data WatchGuard collects includes summarized information about which features and services are used on XTM devices, about threats that are intercepted, and about device health and performance. This information helps WatchGuard to better determine which areas of the product to enhance to provide the most benefits to customers and users.
When device feedback is enabled, feedback is sent to WatchGuard once every six days and each time the device reboots.
Device feedback includes this information:
Use of the device feedback feature is entirely voluntary. You can disable it at any time.
To disable device feedback:
Clear the Send device feedback to WatchGuard check box.
Your Firebox or XTM device collects and stores information about the faults that occur on your device and generates diagnostic reports of the fault. Faults are collected for these categories:
When you enable the Fault Reports feature, information about the faults is sent to WatchGuard once each day. WatchGuard uses this information to improve the device OS and hardware. You can also review the list of Fault Reports, manually send the reports to WatchGuard, and remove Fault Reports from your device.
For information about how to manage the list of Fault Reports, see Manage Fault Reports.
This feature is only available for Firebox or XTM devices that run Fireware XTM OS v11.9.3 or higher.
To enable Fault Reports on your device:
Select the Send Fault Reports to WatchGuard daily check box.
Internet Control Message Protocol (ICMP) settings control how the device handles connection errors. You can use these settings to:
The XTM device sends an ICMP error message each time an event occurs that matches one of the parameters you selected. These messages are useful when you troubleshoot problems, but they can also reduce security because they expose information about your network. If you deny these ICMP messages, you can increase security because you prevent network probes, but denying them can also cause timeout delays for incomplete connections, which can cause application problems.
Settings for global ICMP error handling are:
Fragmentation Req (PMTU)
Select this check box to allow ICMP Fragmentation Required messages. The XTM device uses these messages to discover the path MTU.
Time Exceeded
Select this check box to allow ICMP Time Exceeded messages. A router usually sends these messages when a route loop occurs.
Network Unreachable
Select this check box to allow ICMP Network Unreachable messages. A router usually sends these messages when a network link is broken.
Host Unreachable
Select this check box to allow ICMP Host Unreachable messages. Your network usually sends these messages when it cannot reach a host or service.
Port Unreachable
Select this check box to allow ICMP Port Unreachable messages. A host or firewall usually sends these messages when a network service is not available or is not allowed.
Protocol Unreachable
Select this check box to allow ICMP Protocol Unreachable messages.
To override these global ICMP settings for a specific policy, from
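As an added example (not WatchGuard's code), this shows how the six global ICMP error-handling settings map onto ICMP type/code values from the wire, and how a per-policy override takes precedence over the global setting. The setting dictionaries and the sample ICMP headers are constructed.

```python
import struct

# ICMP type/code pairs (RFC 792) that correspond to the six Fireware XTM settings.
ICMP_SETTING_FOR = {
    (3, 4): "Fragmentation Req (PMTU)",
    (11, 0): "Time Exceeded",
    (11, 1): "Time Exceeded",
    (3, 0): "Network Unreachable",
    (3, 1): "Host Unreachable",
    (3, 3): "Port Unreachable",
    (3, 2): "Protocol Unreachable",
}

# Constructed global settings: deny everything except PMTU messages, so that
# path MTU discovery keeps working (denying it can black-hole large packets).
GLOBAL_ICMP = {
    "Fragmentation Req (PMTU)": True,
    "Time Exceeded": False,
    "Network Unreachable": False,
    "Host Unreachable": False,
    "Port Unreachable": False,
    "Protocol Unreachable": False,
}


def parse_icmp_header(packet):
    """Return (type, code) from the first two bytes of an 8-byte ICMP header."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes; packet is truncated")
    return struct.unpack("!BB", packet[:2])


def icmp_error_allowed(packet, global_settings, policy_override=None):
    """Decide whether an ICMP error message is allowed.

    policy_override is a dict of setting name -> bool for one policy; an entry
    there wins over the global value, as the per-policy override does in Fireware.
    Returns None when the message is not one of the six controlled error types.
    """
    setting = ICMP_SETTING_FOR.get(parse_icmp_header(packet))
    if setting is None:
        return None
    if policy_override and setting in policy_override:
        return policy_override[setting]
    return global_settings[setting]


# Constructed samples: Fragmentation Needed (type 3, code 4, next-hop MTU 1400)
# and Port Unreachable (type 3, code 3). Checksums are left at zero.
FRAG_NEEDED = struct.pack("!BBHHH", 3, 4, 0, 0, 1400)
PORT_UNREACH = struct.pack("!BBHHH", 3, 3, 0, 0, 0)
```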
Enable TCP SYN checking
Select this option to enable TCP SYN checking, which makes sure that the TCP three-way handshake is completed before the Firebox or XTM device allows a data connection.
TCP connection idle timeout
The amount of time that the TCP connection can be idle before a connection timeout occurs. Specify a value in seconds, minutes, hours, or days. The default setting is
You can also configure a custom idle timeout for an individual policy. For more information, see Set a Custom Idle Timeout.
If you configure this global idle timeout setting and also enable a custom idle timeout for a policy, the custom idle timeout setting takes precedence over the global idle timeout setting for only that policy.
TCP maximum segment size control
You can set the TCP maximum segment size for connections that carry extra TCP/IP layer 3 overhead (for example, PPPoE, ESP, or AH). If this size is not configured correctly, users cannot access some web sites.
The global TCP maximum segment size adjustment settings are:
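As an added example (not WatchGuard's code), this computes the MSS that fits under a given MTU once encapsulation overhead is subtracted, and rewrites the MSS option in a TCP SYN header the way a firewall's MSS adjustment does. The PPPoE overhead of 8 bytes is from RFC 2516; the ESP and AH overhead values and the sample SYN are constructed.

```python
import struct

IP_HEADER = 20   # IPv4 header without options, in bytes
TCP_HEADER = 20  # TCP header without options, in bytes
# Extra layer-3 overhead per encapsulation. PPPoE adds a fixed 8 bytes (RFC 2516);
# ESP and AH vary with the algorithms in use, so those two are constructed example values.
ENCAP_OVERHEAD = {"pppoe": 8, "esp": 56, "ah": 24}


def max_segment_size(mtu, encap=None):
    """Largest TCP payload that fits in one packet after the encapsulation overhead."""
    return mtu - ENCAP_OVERHEAD.get(encap, 0) - IP_HEADER - TCP_HEADER


def _options(tcp_header):
    """Yield (offset, kind, length) for each multi-byte option in the TCP header."""
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < TCP_HEADER or data_offset > len(tcp_header):
        raise ValueError("bad TCP data offset")
    i = TCP_HEADER
    while i < data_offset:
        kind = tcp_header[i]
        if kind == 0:            # End of Option List
            return
        if kind == 1:            # No-Operation (single byte)
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("malformed TCP option")
        length = tcp_header[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("malformed TCP option")
        yield i, kind, length
        i += length


def read_mss(tcp_header):
    """Return the advertised MSS (option kind 2) or None if the SYN carries none."""
    for off, kind, length in _options(tcp_header):
        if kind == 2 and length == 4:
            return struct.unpack("!H", tcp_header[off + 2:off + 4])[0]
    return None


def clamp_mss(tcp_header, limit):
    """Return a copy of the header with the MSS option lowered to limit if it is larger."""
    out = bytearray(tcp_header)
    for off, kind, length in _options(tcp_header):
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", tcp_header[off + 2:off + 4])[0]
            if mss > limit:
                out[off + 2:off + 4] = struct.pack("!H", limit)
    return bytes(out)  # a real firewall would also recompute the TCP checksum


# Constructed sample SYN: 20-byte header (data offset 6 = 24 bytes) plus MSS option 1460.
SAMPLE_SYN = (struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x60, 0x02, 65535, 0, 0)
              + struct.pack("!BBH", 2, 4, 1460))
```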
For performance testing or network debugging purposes, you can disable the Traffic Management and QoS features.
To enable these features:
Select the Enable all traffic management and QoS features check box.
To disable these features:
Clear the Enable all traffic management and QoS features check box.
By default, your Firebox or XTM device does not close active connections when you modify a static NAT action used by a policy. You can override this default setting and enable your Firebox or XTM device to close any active connections through a policy that uses an SNAT action that you modify.
To override the default Traffic Flow setting and enable this feature, in the Traffic Flow section:
Select the When an SNAT action changes, clear active connections that use that SNAT action check box.
About Traffic Management and QoS
Set a Custom Idle Timeout