Watchguard Fireware Tips & Tricks

Keep track of your ip / email

2007-11-15T11:40:00.000+01:00

There are some things you might not want to block but just keep track of.All the examples are HTTP proxy URL Path rules set to allow and log:Your external ip:*your_external_ip*Your email domain:*@your_domain.com*China / Hong Kong / Russia:*.cn**.hk**.ru*Another idea would be to track you internal ip's with a regexe rule. To see if bot's are trying to report back to there C&C masters.

Spamhaus DROP (Don't Route Or Peer)

2007-09-04T19:53:00.000+02:00

I came across this interesting Spamhaus DROP (Don't Route Or Peer) list.Quote:When implemented at a network or ISP's 'core routers', DROP will protect all the network's users from spamming, scanning, harvesting and dDoS attacks originating on rogue netblocks.I added this to my 'Blocked Sites...'. You can do this to:1. Download the list.2. Remove everything except the netblocks and save the file

Capra is moving to Sourceforge

2007-06-13T18:50:00.000+02:00

To provide better support Capra is moving to Sourceforge.The new URL is:Capra @ SourceforgePlease update your bookmarks.

Capra v0.4

2007-05-17T17:50:00.000+02:00

What is Capra:Capra is a Open Source tool to quickly get some nice and useful reports out off your Watchguard Fireware log files.Capra uses PHP and MySQL to accomplish this.Features:v0.4:1. Web interface to import Fireware log files in to the MySQL database. (Only imports FWDeny, ProxyHTTPReq, ProxyMatch and FWStatus messages.)2. CLI (25% faster then web interface) to import Fireware log files in

On hold...

2006-10-22T15:34:00.000+02:00

As I am traveling trough China-Tibet-Nepal-India for a year this blog will be on hold. Want to see the pictures of my trip:https://degroep.org/beijingdelhi/photoalbum/photoalbum.php

Webblocker & Surfcontrol 2

2006-08-24T15:27:00.000+02:00

On 17-12-2005 I wrote about the link between Webblocker & Surfcontrol.I seams that Watchguard now has it's own page at Surfcontrol.http://mtas.surfcontrol.com/mtas/WatchGuardTest-a-Site.aspThe categories you can select when you are submitting a site are exactly the same as on the Watchguard. How nice!

Fireboxsupport.com

2006-07-23T23:53:00.000+02:00

If you need help with the configuration of your Watchguard Fireware box you might want to take a look at:http://www.fireboxsupport.com/fireware_pro.htmThey have some very detailed guides, that will help you if you are setting up a box for the first time. They also have some Tips and Tricks. Very usefull.

URL Paths 2

2006-06-15T13:34:00.000+02:00

From the comments of my original post about URL Paths:You can put *.com in the URL Paths. You need to enter it as '/*.com'I use the /*.x convention on all my extension blocking. This helps prevent them from wildcarding some other part of a complex url.You are totally right, this is a better way to implement extension blocking with URL Paths. Thanks

CLI

2006-06-11T23:59:00.000+02:00

Did you know that fireware also has a command line interface.You can SSH to your box on port 4118.You can login with:Username = adminpassword = Your read-write password.You can do all sorts of things from the command line.I use it as a replacement for the 'Restart IPSec' function that was in WFS but not in fireware.To clear individual BOVPN, MUVPN, or PPTP tunnels:WG#no vpn-tunnel ipsec

URL Paths

2006-06-03T13:47:00.000+02:00

I mainly use the URL Paths function of the HTTP Proxy for blocking file extensions. Here is a list of extension that I deny:*.acf*.ade*.adp*.ani*.arj*.bas*.bat*.cab*.chm*.class*.cmd*.clp*.cpl*.cur*.dat*.dcr*.dif*.fav*.hhk*.hhp*.hlp*.ht*.hta*.htt*.htx*.hqx*.idc*.inf*.ins*.isp*.jar*.jav*.java*.job*.lnk*.m3u*.mad*.maf*.mam*.maq*.mar*.mat*.mcw*.mda*.mdb*.mde*.mdn*.mdt*.mdv*.mdw*.mht*.mnd*.mp3*.mpc*.

Capra v0.1 Beta

2006-05-06T10:51:00.000+02:00

What is Capra:Capra is a Open Source tool to quickly get some nice and useful reports out off your Watchguard Fireware log files.Capra uses PHP and MySQL to accomplish this.Features:v0.1:1. Interface to import Fireware log files in to the MySQL database. (Only imports FWDeny messages.)2. Reports:Top 50 denied src IP's.Top 50 denied dst IP's.Top 50 denied src ports.Top 50 denied dst ports.Beta?:

Authentication Solution's

2006-04-20T13:40:00.000+02:00

Wayne Campbell has writen a good article about ways to:1. Have users directed to login screen automatically when not logged in.2. Have a personalized login screen.3. Have users logged out automatically after x amount of time.You can read it here.

Advanced Diagnostics

2006-03-23T22:23:00.000+01:00

You are having a problem with a new VPN connection you are trying to make. You just know you can do this yourself, you just need a little more information from your firebox logs. But they are not showing you the information you need.Do I really need to open a new incident for this?No.Open your "Fireware Policy Manager" and goto --> Setup --> Logging... --> Click on the "Advanced Diagnostics"

GAV & ClamAV

2006-03-06T23:41:00.000+01:00

Do you have a virus that is not blocked by GAV.On the ClamAV website (http://www.clamav.net/) you can submit your sample (http://cgi.clamav.net/sendvirus.cgi) so one of the 'virus database maintainers' of the ClamAV project can make a anti-virus for it.The great benefit of submitting your sample to ClamAV is that you help out your fellow GAV/ClamAV users by doing so.

MS06-005 prevention

2006-02-16T17:33:00.000+01:00

Yesterday the security bulletin: MS06-005Today the exploit: WMP BMP Handling Buffer Overflow ExploitOff course the first solution is the patch. But if you did not yet have the time to test/deploy the patch you can use the following rules to protect your network.1. Go to the 'Body Content Types' of your HTTP-Proxy and add '%0x424D%*' as a pattern match with the 'Rule action' set to Deny, Alarm and

You better keep blocking WMF file's

2006-02-08T11:17:00.000+01:00

Microsoft has released a new security advisory describing a new vulnerability in older versions of Internet Explorer. Again a 'a specially crafted Windows Metafile (WMF) image' could allow remote code execution.Still using?:Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium.Then you better keep the

Body Content Type rules

2006-02-03T11:20:00.000+01:00

I have a nice virus collection on my test computer, looking at the headers of all those little critters I found out that the default "Windows EXE/DLL" "Body Content Type" rule is far from sufficient for blocking executable content. I think it was build to block ActiveX (in combination with the "Windows CAB archive" rule) and it does a reasonable good job at that.If you want to go further and also

Who needs .info/.biz, anyway?

2006-01-10T23:29:00.000+01:00

To quote the people from Sans.org:Who needs .info/.biz, anyway?I have blocked access to the *.info and *.biz TLD's at my watchguard firewall 4 months ago. I had to add 5 *.info domains to a whitelist but I got so much in return.In my blog about the 0-day wmf exploit I recommend the blocking of beehappyy.biz. Guess what showed up in my log's as being block by the 'block all *.biz websites' rule?

MS06-002 prevention (updated)

2006-01-10T22:21:00.000+01:00

As part of there regular patch cycle, Microsoft has release 2 security patches. MS06-002 describes a vulnerability in Embedded Web Fonts. These files can be blocked by your watchguard firewall.What can you do to protect your network:1. Go to the 'URL Path' function of your HTTP-Proxy and add '*.eot' as a pattern match with the 'Rule action' set to Deny, Alarm and Log.UPDATE:My 'Body Content Types

WMF - The story continues

2006-01-01T21:23:00.000+01:00

Another WMF exploit has been release:http://isc.sans.org/diary.php?storyid=992http://www.frsirt.com/exploits/20051231.ie_xp_pfv_metafile.pm.phpUS-CERT (http://www.kb.cert.org/vuls/id/181038) is recommending to block the following byte sequences:0100090002000900D7CDC69AGo to the 'Body Content Types' function of your HTTP-Proxy and add '%0x01000900%*', '%0x02000900%*' and '%0xD7CDC69A%*' as a

Windows WMF 0-day exploit (updated)

2005-12-28T11:25:00.000+01:00

A 0-day exploit against the Windows Graphics Rendering Engine has been posted on Bugtraq. For more information see:http://isc.sans.org/diary.php?storyid=972http://www.securityfocus.com/bid/16074/infohttp://vil.mcafeesecurity.com/vil/content/v_137760.htmhttp://www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.phpWhat can you do to protect your network:1. Go to the 'Body Content Types' of your

Webblocker & Surfcontrol

2005-12-17T15:19:00.000+01:00

Do you have a website that is not blocked by the webblocker, but you think it should be based on your category settings?On the Surfcontrol website (http://mtas.surfcontrol.com/mtas/MTAS.asp) you can see the category of the website, and if it's not categorized, you can add the site to the database. If you update your webblocker database daily u will see it getting blocked in 2 to 4 days.The great

Sober

2005-12-13T14:01:00.000+01:00

Quote from http://isc.sans.org/diary.php?storyid=925 :You may have read from news that there will be a Sober worm attack on 5 Jan 06. This is due to the pre-programmed date of current Sober variant to activate on 5 Jan 06. The interesting part is that the Sober variant has the intelligence to create pseudorandom URLs which will change based on date. It also can synchronize the systems via atom

Trouble with JS/Wounk-A

2005-12-10T16:56:00.000+01:00

Add "*s_ta_ts.js" as a pattern match to the "URL Paths" function of your HTTP proxy, and set it to deny.I see it getting block almost 2 times a week. This saved me allot of phone calls.Off course most off the times this would not work but for some unknown reason JS/Wounk-A always goes by the name s_ta_ts.js.More information on JS/Wounk-A can be found here http://www.sophos.com/virusinfo/analyses/

Use your Watchguard firewall to the max

2005-12-10T16:45:00.000+01:00

This blog is to help users of the Watchguard firewall to use all of its function to there max.I hope it is to some use.