Define Device Global Settings

From Fireware XTM Web UI, you can specify the settings that control the actions of many Firebox or XTM device features. You can configure the basic parameters for:

To configure the global settings:

  1. Select System > Global Settings.
    The Global Settings dialog box appears.
  2. On the General tab, configure settings for these global categories, as described in the subsequent sections:

Screen shot of the Global Setting page, General tab

  3. On the Networking tab, configure settings for these global categories, as described in the subsequent sections:

Screen shot of the Global Settings page, Networking tab

  4. Click Save.

Change the Web UI Port

By default, Fireware XTM Web UI uses port 8080.

To change the default port:

  1. In the Web UI Port text box, type or select a different port number.
  2. Connect to Fireware XTM Web UI on the new port to test the connection.

Automatic Reboot

You can schedule your XTM device to automatically reboot at the day and time you specify.

To schedule an automatic reboot for your device:

  1. Select the Schedule time for reboot check box.
  2. In the adjacent drop-down list, select Daily to reboot at the same time every day or select a day of the week for a weekly reboot.
  3. In the adjacent text boxes, type or select the hour and minute of the day (in 24-hour time format) that you want the reboot to start.

Device Feedback

When you create a new configuration file for your XTM device, or upgrade your Firebox or XTM device to Fireware XTM OS v11.7.3 or higher, by default, your XTM device is configured to send feedback to WatchGuard. This feedback helps WatchGuard to improve products and features. It includes information about how your device is used and issues you encounter with your XTM device, but does not include any information about your company or any company data that is sent through the XTM device. Because of this, your device data is anonymous. All device feedback that is sent to WatchGuard is encrypted.

This feature is only available for Firebox or XTM devices that run Fireware XTM OS v11.7.3 or higher.

WatchGuard uses the information from the device feedback data to understand the geographic distribution of Fireware XTM OS versions. The data WatchGuard collects includes summarized information about which features and services are used on XTM devices, about threats that are intercepted, and about device health and performance. This information helps WatchGuard to better determine which areas of the product to enhance to provide the most benefits to customers and users.

When device feedback is enabled, feedback is sent to WatchGuard once every six days and each time the device reboots.

Device feedback includes this information:

Use of the device feedback feature is entirely voluntary. You can disable it at any time.

To disable device feedback:

Clear the Send device feedback to WatchGuard check box.

Fault Reports

Your Firebox or XTM device collects and stores information about the faults that occur on your device and generates diagnostic reports of the fault. Faults are collected for these categories:

When you enable the Fault Reports feature, information about the faults is sent to WatchGuard once each day. WatchGuard uses this information to improve the device OS and hardware. You can also review the list of Fault Reports, manually send the reports to WatchGuard, and remove Fault Reports from your device.

For information about how to manage the list of Fault Reports, see Manage Fault Reports.

This feature is only available for Firebox or XTM devices that run Fireware XTM OS v11.9.3 or higher.

To enable Fault Reports on your device:

Select the Send Fault Reports to WatchGuard daily check box.

Define ICMP Error Handling Global Settings

Internet Control Message Protocol (ICMP) settings control errors in connections. You can use these settings to:

The XTM device sends an ICMP error message each time an event occurs that matches one of the parameters you selected. These messages are useful when you troubleshoot problems, but they can also decrease security because they expose information about your network. If you deny these ICMP messages, you increase security because you prevent network probes, but this can also cause timeout delays for incomplete connections, which can cause application problems.

Settings for global ICMP error handling are:

Fragmentation Req (PMTU)

Select this check box to allow ICMP Fragmentation Req messages. The XTM device uses these messages to find the path MTU (PMTU).

Time Exceeded

Select this check box to allow ICMP Time Exceeded messages. A router usually sends these messages when a route loop occurs.

Network Unreachable

Select this check box to allow ICMP Network Unreachable messages. A router usually sends these messages when a network link is broken.

Host Unreachable

Select this check box to allow ICMP Host Unreachable messages. Your network usually sends these messages when it cannot use a host or service.

Port Unreachable

Select this check box to allow ICMP Port Unreachable messages. A host or firewall usually sends these messages when a network service is not available or is not allowed.

Protocol Unreachable

Select this check box to allow ICMP Protocol Unreachable messages.

To override these global ICMP settings for a specific policy, from Fireware XTM Web UI:

  1. Select Firewall > Firewall Policies.
  2. Double-click the policy to edit it.
    The Policy Edit page appears.
  3. Select the Advanced tab.
  4. Select the Use policy-based ICMP error handling check box.
  5. Select only the check boxes for the settings you want to enable.
  6. Click Save.
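To audit a packet capture against these settings, it helps to know which ICMPv4 type and code sit behind each check box. The following is an added example, not WatchGuard code: it validates a raw ICMP message, names the setting that governs it, and models a policy-based set replacing the global set. The function names, the sample messages built by `build`, and the "allow"/"deny" strings are assumptions made for illustration.

```python
import struct

# ICMPv4 (type, code) behind each check box named on the page (RFC 792, RFC 1191).
# A code of None matches every code of that type.
SETTINGS = {
    (3, 4): "Fragmentation Req (PMTU)",
    (11, None): "Time Exceeded",
    (3, 0): "Network Unreachable",
    (3, 1): "Host Unreachable",
    (3, 3): "Port Unreachable",
    (3, 2): "Protocol Unreachable",
}

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; a valid ICMP message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build(icmp_type, code, rest=0, quoted=b"\x45" + b"\x00" * 27):
    """Construct a sample ICMP error: 8-byte header plus a quoted datagram stub."""
    body = struct.pack("!BBHI", icmp_type, code, 0, rest) + quoted
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def classify(msg: bytes):
    """Return (setting name or None, next-hop MTU or None); raise on bad input."""
    if len(msg) < 8 or checksum(msg) != 0:
        raise ValueError("truncated ICMP message or bad checksum")
    icmp_type, code, _, rest = struct.unpack("!BBHI", msg[:8])
    name = SETTINGS.get((icmp_type, code)) or SETTINGS.get((icmp_type, None))
    # RFC 1191: the low 16 bits of the second header word carry the next-hop MTU.
    mtu = rest & 0xFFFF if (icmp_type, code) == (3, 4) else None
    return name, mtu

def decide(msg, global_allowed, policy_allowed=None):
    """A policy-based set, when given, replaces the global set for that policy."""
    allowed = global_allowed if policy_allowed is None else policy_allowed
    try:
        name, _ = classify(msg)
    except ValueError:
        return "deny"
    if name is None:
        return "not governed by these settings"
    return "allow" if name in allowed else "deny"
```

With only Fragmentation Req (PMTU) allowed globally, a Port Unreachable message is denied unless the matching policy's own set includes it, and under that policy set the Fragmentation Req message is denied in turn.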

Configure TCP Settings

Enable TCP SYN checking

Select this option to enable TCP SYN checking, which makes sure that the TCP three-way handshake is completed before the Firebox or XTM device allows a data connection.

TCP connection idle timeout

The amount of time that the TCP connection can be idle before a connection timeout occurs. Specify a value in seconds, minutes, hours, or days. The default setting is 1 hour.

You can also configure a custom idle timeout for an individual policy. For more information, see Set a Custom Idle Timeout.

If you configure this global idle timeout setting and also enable a custom idle timeout for a policy, the custom idle timeout setting takes precedence over the global idle timeout setting for only that policy.
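The two settings above interact: SYN checking decides whether a segment belongs to a completed handshake, and the idle timeout decides how long that handshake stays on record. The following is an added example, a simplified model and not the device's implementation; the `SynChecker` class, the per-port `policy_timeouts` mapping, and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10
GLOBAL_IDLE_TIMEOUT = 3600  # seconds; the page's default of 1 hour

@dataclass
class Conn:
    client: tuple        # (ip, port) that sent the first SYN
    state: str           # SYN_SENT -> SYN_RCVD -> ESTABLISHED
    last_seen: float
    idle_timeout: int

class SynChecker:
    """Toy model: drop any segment that is not part of a completed handshake."""
    def __init__(self, policy_timeouts=None):
        self.conns = {}
        # Hypothetical per-policy override, keyed by destination port.
        self.policy_timeouts = policy_timeouts or {}

    def handle(self, ts, src, dst, flags):
        key = frozenset((src, dst))
        conn = self.conns.get(key)
        if conn and ts - conn.last_seen > conn.idle_timeout:
            del self.conns[key]          # idle timeout expired: forget the flow
            conn = None
        if conn is None:
            if (flags & (SYN | ACK | RST)) != SYN:
                return "drop"            # data or ACK with no handshake on record
            timeout = self.policy_timeouts.get(dst[1], GLOBAL_IDLE_TIMEOUT)
            self.conns[key] = Conn(src, "SYN_SENT", ts, timeout)
            return "allow"
        if flags & RST:
            del self.conns[key]
            return "allow"
        from_client = src == conn.client
        syn_ack = flags & (SYN | ACK)
        if conn.state == "SYN_SENT" and not from_client and syn_ack == (SYN | ACK):
            conn.state = "SYN_RCVD"
        elif conn.state == "SYN_RCVD" and from_client and syn_ack == ACK:
            conn.state = "ESTABLISHED"
        elif conn.state != "ESTABLISHED" and not (from_client and syn_ack == SYN):
            return "drop"                # wrong step; only client SYN retransmits pass
        conn.last_seen = ts
        return "allow"

def run(packets, policy_timeouts=None):
    """Replay constructed (ts, src, dst, flags) tuples; return the verdicts."""
    checker = SynChecker(policy_timeouts)
    return [checker.handle(*p) for p in packets]
```

A segment that arrives after the flow has been idle longer than its timeout is treated like any other segment with no handshake on record, which is why long-lived idle sessions appear to hang when the timeout is set too low.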

TCP maximum segment size control

The TCP segment can be set to a specified size for a connection that must have more TCP/IP layer 3 overhead (for example, PPPoE, ESP, or AH). If this size is not correctly configured, users cannot get access to some web sites.

The global TCP maximum segment size adjustment settings are:

Enable or Disable Traffic Management and QoS

For performance testing or network debugging purposes, you can disable the Traffic Management and QoS features.

To enable these features:

Select the Enable all traffic management and QoS features check box.

To disable these features:

Clear the Enable all traffic management and QoS features check box.

Manage Traffic Flow

By default, your Firebox or XTM device does not close active connections when you modify a static NAT action used by a policy. You can override this default setting and enable your Firebox or XTM device to close any active connections through a policy that uses an SNAT action that you modify.

To override the default Traffic Flow setting and enable this feature, in the Traffic Flow section:

Select the When an SNAT action changes, clear active connections that use that SNAT action check box.

See Also

About Traffic Management and QoS

Set a Custom Idle Timeout
