Fireware XTM Traffic Management



WatchGuard Certified Training
Fireware XTM Traffic Management
Fireware XTM and WatchGuard System Manager v11.4

Disclaimer

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Copyright and Patent Information

Copyright 2011 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, Firebox, Fireware, LiveSecurity, and spamBlocker are either registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and other countries. This product is covered by one or more pending patent applications. All other trademarks and tradenames are the property of their respective owners. Printed in the United States.

TRAINING
www.watchguard.com/training
training@watchguard.com

SUPPORT
www.watchguard.com/support
support@watchguard.com
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456

Table of Contents

Course Introduction
  Training Options
  Necessary Equipment and Software
  Training Scenario
  Prerequisites
  Certification
  Fireware XTM Web UI and Command Line Interface
  Additional Resources

Traffic Management
  What You Will Learn
    Configure Multi-WAN
    Use Policy-Based Routing and Server Load Balancing
    Control Bandwidth Use with Traffic Management Actions
      About Outgoing Interface Bandwidth
      About Traffic Management Actions
      About Traffic Priority
  Exercise 1: Configure Multi-WAN Failover
  Exercise 2: Use a Traffic Management Action without Setting Priority
    Put a Default Configuration on the XTM device
    Define Outgoing Interface Bandwidth
    Create a Traffic Management Action
    Add Policies to the Configuration
    Set Up a Server to Host FTP and HTTP Downloads
    Set Up Service Watch
    See the Results of the Configuration
  Exercise 3: Use Traffic Management Actions with Traffic Priority
    When to Reserve Bandwidth and Prioritize Traffic in a Policy
    Before You Begin
    Add Policies to the Configuration
    See the Results of the Configuration
  Exercise 4: Use Guaranteed Bandwidth with Individual Traffic Management Actions
    Before You Begin
    Create Two Traffic Management Actions
    Change the HTTP and FTP Traffic Management Actions
    See the Results of the Configuration
  Test Your Knowledge


Course Introduction

Traffic Management

Devices: WatchGuard XTM 2 Series / XTM 5 Series / XTM 8 Series / XTM 1050
Device OS versions: Fireware XTM v11.4 and Fireware XTM v11.4 with a Pro upgrade
Management software versions: WatchGuard System Manager v11.4

Training Options

If you use Fireware XTM and WatchGuard System Manager (WSM) for your WatchGuard XTM device, there are several training options available to you:

Classroom training with a WatchGuard Certified Training Partner (WCTP)
WatchGuard maintains a worldwide network of certified training partners who offer regular training courses. A list of training partners can be found on our web site at: http://www.watchguard.com/training/partners_locate.asp

Quick review presentation
You can download and review the Firewall Basics presentation. This PowerPoint presentation gives an overview of WatchGuard System Manager and Fireware XTM Policy Manager. Students learn how to install an XTM device with the Quick Setup Wizard, create basic security policies, and get more information about additional subscription services.

Fireware XTM Training modules
Each training module available for WatchGuard System Manager and Fireware XTM focuses on a specific feature or function of configuration and security management. For more information, including configuration steps for advanced procedures, see the Fireware XTM WatchGuard System Manager Help.

Necessary Equipment and Software

For the majority of the Fireware XTM Training modules, you only need a default WatchGuard Fireware XTM configuration file that you view and modify locally. You do not need to connect to a device to complete most of the exercises. The few modules that require additional hardware include instructions on what is needed and how to set it up.

In some training modules, you will connect to one or more XTM devices or a Management Server. If you take this course with a WatchGuard Certified Training Partner, your instructor will provide the IP address and passphrases for devices used in the exercises. For self-instruction, you can safely connect to an XTM device or Management Server on a production network. You will not change the configuration file of any device.

To complete the majority of the Fireware XTM Training modules, you must have this hardware and software:

Management computer
Your management computer must be a personal computer with the Microsoft Windows XP, Microsoft Windows Vista, or Microsoft Windows 7 operating system installed. For more information about management computer system requirements for WSM and Fireware XTM v11.4, see the Fireware XTM Training.

WSM software and Fireware XTM OS
If you have a LiveSecurity Service account, you can download the v11.4 WatchGuard System Manager software and Fireware XTM OS from the WatchGuard web site through the Software Downloads page. The software is also available from your instructor during classes delivered by WatchGuard Certified Training Partners.

Firewall configuration file
During the training exercises, you will open, modify, and save XTM device configuration files. You can use Policy Manager to create new configuration files. You can also open the configuration file of your production XTM device and save it to your local hard drive. We recommend that you do not save any configuration files you make during the training exercises to an XTM device in use on your network.

XTM 2 Series, 5 Series, 8 Series, or XTM 1050 devices (optional)
For some exercises, particularly the exercises which introduce logging, monitoring, and reports, it is useful to connect to a real XTM device on a production network. You do not need to change the configuration properties of this device. You can complete the exercises without access to an XTM device installed on a production network, but it is much easier to grasp some concepts when you can see log messages and information from a real network.

Training Scenario

Throughout the Fireware XTM Training modules, we use a fictional company called Successful Company. While the modules build on a story of configuring a firewall and network for Successful Company, you can complete many of the exercises using examples from your own network or a set of addresses and situations provided by your WatchGuard Certified Training instructor. Any resemblance between the situations described for Successful Company and a real company is purely coincidental.

Prerequisites

This course is intended for moderately experienced network administrators. A basic understanding of TCP/IP networking is required. No previous experience with network security, WatchGuard System Manager, or WatchGuard hardware devices is required.

Certification

The WatchGuard Certified System Professional (WCSP) exam is available for all WatchGuard partners. The exam is based on the contents of this course, and we recommend that you study this training to prepare for the exam. If you are a WCSP, you can log in to your LiveSecurity Service account and browse to the exam at: https://www.watchguard.com/training/certcentral.asp

For more information about how to become a WCSP, see the WatchGuard Training Technical Certification web page at: http://watchguard.com/training/technical_cert.asp

Fireware XTM Web UI and Command Line Interface

You can use the Fireware XTM Web UI (Web UI) and Command Line Interface (CLI) to complete many of the same tasks that you perform in WatchGuard System Manager and Policy Manager. Some advanced configuration options and features are not available in the Web UI or the CLI. Because not all configuration options are available in the Web UI and CLI, and because the Web UI and CLI are online configuration tools (you need a network connection to an XTM device to use them), the exercises in the Fireware XTM Training modules do not use the Web UI or the CLI.

Additional Resources

For more information about how to install and configure WatchGuard System Manager, see these resources:

Fireware XTM WatchGuard System Manager Help
You can launch the Help system from your management computer after you install WSM. To view more information about the features in a dialog box or application window, click Help or press the F1 key. A topic that describes the features you see and provides links to additional information appears in your default web browser. For the most up-to-date information, browse to http://www.watchguard.com/help/documentation/ and launch the Fireware XTM WatchGuard System Manager Help. You can also download the Help system for offline use.

Fireware XTM WatchGuard System Manager User Guide
Browse to http://www.watchguard.com/help/documentation/ and download the Fireware XTM WatchGuard System Manager User Guide.

WatchGuard Online Knowledge Base
Browse to http://watchguard.custhelp.com.


Traffic Management
Redundancy, Traffic Shaping, Prioritization, and Routing

What You Will Learn

Most organizations have mission-critical, real-time network applications that must take priority over other traffic. You can use bandwidth restrictions and reservations along with prioritization to make sure critical applications have the bandwidth they need.

In this module, you learn how to:
- Use multi-WAN to create a backup external network connection
- Create Traffic Management actions to guarantee and restrict bandwidth
- Route traffic based on policy type
- Use Service Watch to see your changes at work

Before you begin these exercises, make sure you read the Course Introduction module.

All exercises in this course module were designed for a controlled environment on a LAN. Real-world tests introduce the volatility and latency of the Internet, and tests run in such an environment can produce unexpected results.

Configure Multi-WAN

The multi-WAN feature allows you to send network traffic through up to four external interfaces. This is useful when you want a backup Internet connection, or when you want to divide your outgoing network traffic between multiple physical interfaces. Multi-WAN settings do not apply to incoming network traffic, and you can only use this feature in Mixed Routing mode.

When you enable multi-WAN, you can choose one of five routing methods:

Round-robin
The XTM device measures the amount of incoming and outgoing traffic on each interface and sends new connections to the interface with the lowest average amount of traffic. If you have Fireware XTM with a Pro upgrade, you can set weights to prioritize some interfaces over others.

Failover
You specify one interface as the primary external interface. When the currently active external interface is unavailable, the XTM device sends all network traffic through the next available external interface.

Interface overflow
You configure an ordered list of interfaces and a threshold for how much traffic can be sent through each interface. When the threshold is exceeded, the XTM device uses the next interface on the list for new connections.

Routing table
This is the default multi-WAN routing method. Your XTM device uses the routes in its routing table, as well as dynamic routing processes, to choose the best interface for each packet. You can modify how this method works by adding static routes.

Serial modem (XTM 2 Series only)
Connect an external modem with a dial-up connection to the USB port on your XTM 2 Series device. When all other external interfaces are inactive, the device sends traffic through the modem.

For more information on multi-WAN configuration properties, see Exercise 1: Configure Multi-WAN Failover.

Use Policy-Based Routing and Server Load Balancing

After you have configured multi-WAN, you can use policy-based routing to send traffic from the policies you specify to a different external interface by default. This can help reduce network traffic on a single network interface. You can also use failover with policy-based routing to select the interface to use when one interface is not available. Policy-based routing does not operate on incoming network traffic, and it is not enabled by default.

Server load balancing is another feature you can use to manage network traffic, but in the opposite direction. For example, if you have several HTTP servers, you can use server load balancing to ensure that incoming network connections to those IP addresses are distributed evenly between all of the HTTP servers.

For more information on how to set up policy-based routing or server load balancing, see the Fireware XTM WatchGuard System Manager Help or User Guide.

Control Bandwidth Use with Traffic Management Actions

The XTM device has no control over the rate at which packets arrive at an interface; it can only shape the traffic it sends. Within that limit, you can use traffic management settings to:

Guarantee bandwidth
A traffic management action with reserved bandwidth and low priority can give bandwidth to real-time applications with higher priority when it is necessary to prevent connection timeouts. Other traffic management actions can take advantage of unused reserved bandwidth when it becomes available.

Limit bandwidth
Some network traffic, such as large file transfers, is not negatively affected by restricted bandwidth or short delays. A traffic management action that restricts bandwidth for these connections guarantees sufficient bandwidth for other applications. Maximum bandwidth limits can also help regulate the total volume of data transferred over time, to help your organization keep WAN usage within monthly quotas.

Assign different levels of priority to policies
Traffic prioritization at the firewall allows you to manage multiple priority levels of network traffic and reserve the highest priority for real-time or streaming data. A policy with high priority can take bandwidth away from existing low priority connections. If you use priorities correctly, you can make sure specific connections always succeed even when other applications also use the network.

Traffic prioritization in Fireware XTM uses three configuration settings: Outgoing Interface Bandwidth, Traffic Management actions, and QoS (optional). To use these features, you must understand how each setting works and how they can be used together.

About Outgoing Interface Bandwidth

Before you use traffic management features, you must give each interface a bandwidth limit, known as Outgoing Interface Bandwidth. This limit applies to the traffic that is sent out of an interface to its network segment, so you set it on the interface where the traffic leaves the device. For example, set the Outgoing Interface Bandwidth on the external interface to manage uploads to a remote FTP server on the Internet. To manage downloads initiated from the trusted network, set Outgoing Interface Bandwidth on the trusted interface, because that is where the downloaded data leaves the device.

If you give an interface a bandwidth limit, Fireware XTM refuses packets that exceed the limit. Policy Manager also warns you if the bandwidth you reserve in Traffic Management actions exceeds these limits when you create or adjust an action.

When you set Outgoing Interface Bandwidth, use the speed of the slowest link the traffic actually crosses, not the speed of the Ethernet port. On the external interface that is usually the rate of your ISP connection; on a LAN interface, base the value on the minimum link speed supported by your LAN infrastructure. If the limit is set higher than the real link, the device never sees congestion and the guarantees and priorities below have nothing to act on.

About Traffic Management Actions

Traffic Management actions enforce an absolute maximum connection rate and bandwidth limit. They can also guarantee a minimum bandwidth on each interface. All policies that use the same Traffic Management action share that action's connection rate and bandwidth settings; each policy does not get its own copy of the guarantee. Unused guaranteed bandwidth reserved by one Traffic Management action can be used by other actions.

To plan your traffic management configuration, follow these steps:

1. For the Outgoing Interface Bandwidth setting and for Traffic Management actions, set your speeds in kilobits or megabits per second (Kbps or Mbps), not kilobytes or megabytes per second (KBps or MBps). A figure taken from a download meter that reports bytes per second is eight times too small.
2. Identify three categories of applications based on priority and sensitivity to bandwidth restriction. You can add more at any time as necessary.
3. Divide the Outgoing Interface Bandwidth for each interface based on the anticipated need of each category. Make sure each division is large enough to accommodate all policies included in that category, and that the divisions together do not exceed the interface limit.
4. For each category, create one Traffic Management action with the bandwidth reservations you determined for each interface.
5. Open each policy in your XTM device configuration and add the Traffic Management action associated with that category.

About Traffic Priority

The networking industry has many different algorithms to prioritize network traffic. Fireware XTM uses a high performance, class-based queueing method known as Hierarchical Token Bucket (HTB). Prioritization in Fireware XTM is equivalent to CoS levels 0 to 7, where 0 is routine priority (the default) and 7 is the highest priority. You can set traffic priority for each policy on the QoS tab of the policy's Advanced tab.

Use this table as a guideline when you assign priorities:

It is possible for high priority network traffic to interfere with system administration connections. Reserve the highest traffic priority levels only for network administration policies to make sure they are always available.

For more information on QoS, see the Fireware XTM WatchGuard System Manager Help or User Guide.

Exercise 1: Configure Multi-WAN Failover

At Successful Company, the network administrator has decided to purchase a backup connection to the Internet through a different ISP. The network administrator will use Policy Manager to configure the multi-WAN feature with the Failover routing method so that Successful Company employees can continue to work when the primary Internet connection is unavailable.

1. Select Network > Configuration. The Network Configuration dialog box appears. If you already have a second external network interface configured, proceed to Step 6.
2. In the Interfaces list, select Optional-6 (Interface 7). Click Configure. The Interface Settings dialog box appears.
3. In the Interface Name text box, type BackupInternet.
4. From the Interface Type drop-down list, select External.
5. Select the Use DHCP Client radio button. For this exercise, we will not complete any additional fields in this dialog box.
6. Click OK. The Network Configuration dialog box appears.
7. Select the Multi-WAN tab.
8. From the Multi-WAN Configuration drop-down list, select Failover.
9. Select the Link Monitor tab.
10. In the External Interfaces list, select External.
11. Select the Ping check box.
12. From the Ping drop-down list, select Domain Name.
13. In the Ping text box, type example.com. This tells the device to ping the example.com domain at regular intervals to see if the connection is available. Because the target is a domain name, the probe also depends on DNS resolution: if the name cannot be resolved, the interface is treated as down even when the link itself is up. In production, choose a target that reliably answers ping and whose unreachability you are willing to treat as a failure of the whole link.
14. In the External Interfaces list, select BackupInternet.
15. Repeat Steps 11 to 13.
16. Click OK.

Exercise 2: Use a Traffic Management Action without Setting Priority

You might have circumstances where you must control the minimum and maximum bandwidth for a group of policies, without concern for priority on an individual policy basis. These policies may represent less important or infrequently used ports that need bandwidth restrictions.

Some applications rely on predictable, real-time data delivery to give a satisfactory user experience. Without prioritization, high-bandwidth applications can cause unacceptable delay if they are already transmitting when a higher priority application is launched. Likewise, real-time connection reliability can be disrupted if other applications begin transmitting data. For example, a large FTP download could degrade or disrupt an HTTP session during bandwidth saturation, which results in, say, choppy video in a YouTube stream.

The following exercise shows how to guarantee minimum bandwidth that is shared between more than one policy, without setting priority in the policies. When configured this way, all policies compete equally for the same bandwidth.

Requirements for this exercise:
- One test computer connected to the XTM device trusted interface.
- One Windows 2003 Server computer connected to the external interface with a switch or hub (along with the Internet router). Windows 2003 Server includes IIS, which must be installed to run the FTP and HTTP server. You need both the FTP and HTTP server configured for this exercise.
- One computer running WSM version 11.x.
- An XTM device running Fireware XTM version 11.x.
- One hub or switch to connect the computers to the XTM device trusted interface.

Put a Default Configuration on the XTM device

1. Run the Quick Setup Wizard to initialize your device. Your instructor can help you with this process.
2. Open Policy Manager for your device.
3. Select the Outgoing policy. Click Delete. With the catch-all Outgoing policy removed, traffic from the trusted network is only allowed by the explicit FTP, HTTP, and DNS policies, so every download in this exercise is matched by a policy that carries the Traffic Management action and appears in Service Watch.

Define Outgoing Interface Bandwidth

1. Select Setup > Global Settings. The Global Settings dialog box appears.
2. Select the Enable all traffic management and QoS features check box. Click OK. You must perform this step before you can configure any Traffic Management settings.
3. Select Network > Configuration. The Network Configuration dialog box appears.
4. In the Interfaces list, select Trusted (Interface 1). Click Configure. The Interface Settings dialog box appears. Because the computers on the trusted network download files from a server on the external network, the downloaded data leaves the device through the trusted interface, so you define Outgoing Interface Bandwidth on the trusted interface. You do not need to define Outgoing Interface Bandwidth on the external interface for this exercise.
5. On the Advanced tab, set the Outgoing Interface Bandwidth to 1500 Kbps. Click OK.
6. Click OK to close the Network Configuration dialog box and return to Policy Manager.

Create a Traffic Management Action

1. Select Setup > Actions > Traffic Management. The Traffic Management Actions dialog box appears.
2. To create a custom Traffic Management action, click Add.
3. In the Name text box, type Min1000Kbps. We will use this action to guarantee bandwidth for a group of policies.
4. Click Add. An interface appears in the Bandwidth configuration for outgoing traffic list.
5. From the Interface drop-down list, select Trusted.
6. In the Minimum Guaranteed Bandwidth column, double-click the cell adjacent to Trusted and type 1000.
7. Click OK.
8. Click Close to return to Policy Manager.

Add Policies to the Configuration

1. Click the Add Policy icon, or select Edit > Add Policy. The Add Policies dialog box appears.
2. Expand the Packet Filters folder and select HTTP. Click Add. The New Policy Properties dialog box appears.
3. Select the Advanced tab.
4. From the Traffic Management drop-down list, select Min1000Kbps.
5. Click OK to close the New Policy Properties dialog box. The Add Policies dialog box appears.
6. In the Packet Filters list, select DNS. Click Add. Make sure you do not select DNS-proxy in the Proxies list. The New Policy Properties dialog box appears.
7. Click OK to return to the Add Policies dialog box. Click Close.
8. Double-click the FTP policy. The Edit Policy Properties dialog box appears.
9. Select the Advanced tab.
10. From the Traffic Management drop-down list, select Min1000Kbps.
11. Click OK. The HTTP and FTP policies now use the same Traffic Management action.

Set Up a Server to Host FTP and HTTP Downloads

1. Connect the server's network card to the same hub or switch that connects the device external interface to the Internet router. Normally, you would connect your device directly to the LAN interface of your Internet router. For this exercise, you must use a hub or switch to connect the Windows 2003 Server to the external network of the device.
2. Set up the FTP server. For information on how to do this, see this Microsoft article: http://support.microsoft.com/kb/323384
3. Create a 350 MB text file named 350mbfile.txt and save it in the ftproot folder. The default location for this folder is c:\inetpub\ftproot. To create the file in Windows, use the fsutil command at the Command Prompt:

   fsutil file createnew c:\inetpub\ftproot\350mbfile.txt 358400000

   fsutil takes the size in bytes; 358400000 bytes is approximately 350 MB.
4. Set up the web server on your Windows 2003 Server. For information on how to do this, see this Microsoft article: http://support.microsoft.com/kb/324742
5. Copy the 350mbfile.txt file from C:\inetpub\ftproot to the C:\inetpub\wwwroot directory.

Set Up Service Watch

1. Open WatchGuard System Manager and connect to your device.
2. Start Firebox System Manager, and select the Service Watch tab.
3. Right-click anywhere in the window and select Settings. The Settings dialog box appears.
4. From the Chart Type drop-down list, select Bandwidth.
5. From the Graph Scale drop-down list, keep the default setting (auto-scale).
6. In the Show list, select all policies not used in this exercise and click Remove. Keep only the FTP and HTTP policies. The policies you removed now appear in the Hide list.
7. Click OK.

See the Results of the Configuration

Both the FTP and the HTTP policy use the same Traffic Management action, Min1000Kbps. When demand exceeds the available bandwidth, both policies are subject to the same minimum and maximum bandwidth settings, because the action's limits are shared between them rather than applied to each policy separately.

1. On the computer you will use for the download, close all other programs. Results can vary if other applications on the computer have access to the network.
2. On a computer that is connected to the trusted interface, start an FTP session.
3. Make an FTP connection to your Windows 2003 Server on the external network and download the 350 MB file you created earlier. You can use the command line, Internet Explorer, or an FTP client of your choice to make the connection.
4. Select the Service Watch tab. The graph should show that the FTP transfer takes all of the available bandwidth. This should be approximately equal to the value you set for Outgoing Interface Bandwidth on the trusted interface (1500 Kbps).
5. On the same computer you used for the FTP transfer, start the download of the 350 MB file you copied to the C:\inetpub\wwwroot folder. If your instructor put the 350 MB file in the root of the C:\inetpub\wwwroot folder, use this URL: http://<web server IP address>/350mbfile.txt Make sure the FTP transfer is still active before you start the HTTP transfer.

6. In Service Watch, look at the amount of bandwidth that is used by both policies. After you start the HTTP transfer, the amount of bandwidth used by the FTP transfer is reduced. The HTTP and FTP connections now compete for bandwidth, and they should receive approximately equal amounts.

Exercise 3: Use Traffic Management Actions with Traffic Priority

All policies that share a Traffic Management action compete for the same amount of bandwidth. You can, however, set a higher priority on the types of traffic that are more important to your business functions. Be aware that when traffic flows through all of the policies at once, the policies with the lowest priority might not be given any of the bandwidth reserved for that queue, and their connections can time out.

The requirements for this exercise are the same as for Exercise 2.

When to Reserve Bandwidth and Prioritize Traffic in a Policy

Some applications rely on predictable, real-time data delivery to give a satisfactory user experience. Without prioritization, high-bandwidth applications can cause unacceptable delay if they are already transmitting when a more important application is launched. Likewise, the reliability of a real-time connection can be disrupted if other applications begin to transmit data. For example, a VoIP call could have reduced audio quality when someone begins to download a file with HTTP.

Before You Begin

Before you begin this exercise, you must:
- Set up an HTTP and FTP server
- Create a 350MB file to download
- Reset the XTM device to factory-default settings
- Define the Outgoing Interface Bandwidth for the trusted interface
- Create a Traffic Management action named Min1000Kbps
- Configure an HTTP and FTP policy to both use the Traffic Management action
- Create a DNS policy to allow traffic to the HTTP/FTP server
- Configure Service Watch to monitor only the HTTP and FTP packet filter policies

If you have not already completed these steps, see the previous procedures in Exercise 2.

Add Policies to the Configuration

1. Double-click the HTTP policy you created in Exercise 2. The Edit Policy Properties dialog box appears.
2. Select the Advanced tab.
3. From the Traffic Management drop-down list, make sure Min1000Kbps is selected.
4. Select the QoS tab.
5. Select the Override per-interface settings check box.

6. From the second Value drop-down list, select 5. Click OK. Now the HTTP policy uses the custom Traffic Management action, and its traffic has a priority of 5.
7. Double-click the FTP policy you modified in Exercise 2. The Edit Policy Properties dialog box appears.
8. Repeat Steps 2-6, but make sure that the second Value drop-down list is set to the default value of 0. FTP now uses the custom Traffic Management action, and its traffic has a priority of 0.

See the Results of the Configuration

The HTTP policy has the higher priority. The FTP policy has only routine priority (0); the bandwidth guarantee belongs to the shared Min1000Kbps action, and inside that queue the priority-0 FTP traffic has no reserved share of its own. HTTP data is handled at a predictable rate, and some FTP traffic is queued while HTTP connections are active. When no HTTP connections are active, the FTP policy can use all available bandwidth.

1. On the computer you will use for the download, close all other programs. Results vary if other applications on the computer have access to the network.
2. On a computer that is connected to the trusted interface, make an FTP connection to your Windows 2003 Server on the external network and download the 350MB file you created earlier. You can use the command line, Internet Explorer, or an FTP client of your choice to make the connection.
3. On the same computer you used for the FTP transfer, start the download of the 350MB file you copied to the C:\inetpub\wwwroot folder. If your instructor put the 350MB file in the root of the C:\inetpub\wwwroot folder, use this URL: http://<web server IP address>/350mbfile.txt Make sure the FTP transfer is still active before you start the HTTP transfer.
4. Select the Service Watch tab and look at the graph. The HTTP policy uses more bandwidth because its priority is higher than that of the FTP policy.

5. Start additional HTTP sessions to the web server and download the same 350MB file to different locations on the test computer. When the combined connections exceed the maximum allowed bandwidth, the HTTP connections use all of the available bandwidth and none is left for the FTP transfer. In this example, HTTP uses the full 1500 Kbps (1.5 Mbps) of our maximum allowed bandwidth.

Exercise 4: Use Guaranteed Bandwidth with Individual Traffic Management Actions

Bandwidth reservation prevents connection timeouts. A Traffic Management action with reserved bandwidth and low priority can give more bandwidth to real-time applications with higher priority when necessary, and other Traffic Management actions can take advantage of reserved bandwidth while it is unused. With Traffic Management actions and priorities, you can guarantee bandwidth on a per-policy basis.

The previous exercise demonstrated policies that share the same Traffic Management action; such a configuration does not let you specify a minimum bandwidth for each policy. For example, suppose your company has an FTP server on the external network and you want to guarantee that FTP traffic always has at least 200 Kbps of bandwidth through the external interface. You might also set a minimum bandwidth on the trusted interface to make sure that the connection has end-to-end guaranteed bandwidth. To do this, you create a Traffic Management action that defines a minimum of 200 Kbps on both the trusted and external interfaces. You then create an FTP policy and apply the Traffic Management action. This guarantees that FTP traffic can use a minimum of 200 Kbps of bandwidth at all times.

The requirements for this exercise are the same as for Exercise 2.

Before You Begin

Before you begin the following exercise, you must:
- Set up an HTTP and FTP server
- Create a 350MB file to download
- Reset the XTM device to factory-default settings
- Define the Outgoing Interface Bandwidth for the trusted interface
- Create a Traffic Management action named Min1000Kbps
- Configure an HTTP and FTP policy to both use the Traffic Management action
- Create a DNS policy to allow traffic to the HTTP/FTP server
- Configure Service Watch to monitor only the HTTP and FTP packet filter policies

If you have not already completed these steps, see the previous procedures in Exercise 2.
Create Two Traffic Management Actions

1. Select Setup > Actions > Traffic Management. The Traffic Management Actions dialog box appears.
2. Click Add to create a custom Traffic Management action. The New Traffic Management Action Configuration dialog box appears.
3. In the Name text box, type Min400Kbps.
4. Click Add. An interface appears in the Bandwidth configuration for outgoing traffic list.
5. From the Interface drop-down list, select Trusted.
6. In the Minimum Guaranteed Bandwidth column, double-click the cell adjacent to Trusted and type 400.
7. Click OK.
8. Click Add to create a second custom Traffic Management action. The New Traffic Management Action Configuration dialog box appears.
9. In the Name text box, type Min900Kbps.
10. Repeat Steps 4 and 5 to add the Trusted interface.
11. In the Minimum Guaranteed Bandwidth column, double-click the cell adjacent to Trusted and type 900.
12. Click OK.
13. Click Close to return to Policy Manager.

The two minimums total 1300 Kbps, which is less than the 1500 Kbps Outgoing Interface Bandwidth of the trusted interface. Guaranteed minimums that add up to more than the interface bandwidth cannot all be honoured at the same time, so check this sum whenever you add an action.

Change the HTTP and FTP Traffic Management Actions

1. Double-click the HTTP policy you created in Exercise 2. The Edit Policy Properties dialog box appears.
2. Select the Advanced tab.
3. From the Traffic Management drop-down list, select Min900Kbps. The HTTP policy now uses the Traffic Management action Min900Kbps.
4. Click OK to return to Policy Manager.
5. Double-click the FTP policy. The Edit Policy Properties dialog box appears.
6. Select the Advanced tab.
7. From the Traffic Management drop-down list, select Min400Kbps.
8. Click OK. The FTP policy now uses the Traffic Management action Min400Kbps.

See the Results of the Configuration

Both the HTTP and the FTP policy now have a guaranteed minimum bandwidth of their own (900 Kbps and 400 Kbps). They do not compete for that reserved bandwidth, because they no longer use the same Traffic Management action; only the 200 Kbps that remains of the 1500 Kbps trusted interface bandwidth after both minimums are met is available to either policy. This configuration is the right choice when each policy must have a guaranteed minimum bandwidth, a maximum bandwidth, or both, which is not possible when the policies share one Traffic Management action.

1. On the computer you will use for the download, close all other programs. Results vary if other applications on the computer have access to the network.
2. On a computer that is connected to the trusted interface, make an FTP connection to your Windows 2003 Server on the external network and download the 350MB file you created earlier. You can use the command line, Internet Explorer, or an FTP client of your choice to make the connection.

3. Select the Service Watch tab and look at the graph. With only the FTP transfer active, the FTP policy should use all of the available bandwidth, because a Traffic Management action can use bandwidth that another action has reserved but is not using.
4. On the same computer you used for the FTP transfer, start the download of the 350MB file you copied to the C:\inetpub\wwwroot folder. If your instructor put the 350MB file in the root of the C:\inetpub\wwwroot folder, use this URL: http://<web server IP address>/350mbfile.txt Make sure the FTP transfer is still active before you start the HTTP transfer.
5. Select the Service Watch tab and look at the graph. Although both connections are active, the HTTP policy has more guaranteed bandwidth (900 Kbps) than the FTP policy (400 Kbps), so the graph should show HTTP ahead of FTP.
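To make the Service Watch results that Exercises 2, 3 and 4 describe concrete before you run the transfers, here is a small Python model. It is an added example for this page, not WatchGuard training material or product code, and it does not reproduce the real Fireware XTM scheduler or the TCP dynamics of live transfers. It assumes three simplified rules, stated in the docstring, that match the behaviour the exercises describe: an action first receives its guaranteed minimum, idle reserved bandwidth is shared among actions that still want it, and inside one action higher priority wins. The 1500 Kbps figure is the trusted interface bandwidth from the exercises; the per-policy demand figures (how much each transfer would use if unconstrained) are assumed inputs.

```python
"""Teaching model of bandwidth sharing on the trusted interface (1500 Kbps).

Assumed rules (an illustration, not WatchGuard's scheduler):
  1. Each active Traffic Management action first receives its Minimum
     Guaranteed Bandwidth, capped at what its policies actually demand.
  2. Bandwidth no action is using is split evenly among the actions that
     still have unmet demand (so one action can use another's idle reserve).
  3. Inside one action, higher-priority policies are served first; policies
     with equal priority share evenly.
All figures are Kbps.
"""
from dataclasses import dataclass

LINK_KBPS = 1500.0  # Outgoing Interface Bandwidth set on the trusted interface
EPS = 1e-9


@dataclass
class Policy:
    name: str
    action: str        # Traffic Management action chosen on the Advanced tab
    priority: int = 0  # QoS tab value: 0 = Routine ... 5 = Critical ... 7
    demand: float = 0  # Kbps the policy would use if unconstrained (assumed input)


def _water_fill(unmet, budget):
    """Split budget evenly among the keys of unmet, never exceeding a key's demand."""
    given = {k: 0.0 for k in unmet}
    unmet = dict(unmet)
    while unmet and budget > EPS:
        share = budget / len(unmet)
        for k in list(unmet):
            g = min(share, unmet[k])
            given[k] += g
            unmet[k] -= g
            budget -= g
            if unmet[k] <= EPS:
                del unmet[k]
    return given, budget


def _share_within_action(policies, budget):
    """Rule 3: strict priority between levels, fair share inside one level."""
    alloc = {p.name: 0.0 for p in policies}
    for prio in sorted({p.priority for p in policies}, reverse=True):
        level = {p.name: p.demand for p in policies if p.priority == prio and p.demand > 0}
        given, budget = _water_fill(level, budget)
        for name, kbps in given.items():
            alloc[name] += kbps
    return alloc


def allocate(actions, policies, link_kbps=LINK_KBPS):
    """actions: {action name: Minimum Guaranteed Bandwidth}. Returns {policy: Kbps}."""
    if sum(actions.values()) > link_kbps:
        raise ValueError("guaranteed minimums exceed the Outgoing Interface Bandwidth")
    demand = {a: sum(p.demand for p in policies if p.action == a) for a in actions}
    budget = {a: min(actions[a], demand[a]) for a in actions}          # rule 1
    leftover = link_kbps - sum(budget.values())
    extra, _ = _water_fill({a: demand[a] - budget[a] for a in actions
                            if demand[a] - budget[a] > EPS}, leftover)  # rule 2
    for a, kbps in extra.items():
        budget[a] += kbps
    result = {}
    for a in actions:
        result.update(_share_within_action([p for p in policies if p.action == a], budget[a]))
    return result


def exercise_2(http_demand=1500.0, ftp_demand=1500.0):
    """HTTP and FTP share Min1000Kbps at equal priority."""
    return allocate({"Min1000Kbps": 1000},
                    [Policy("HTTP", "Min1000Kbps", 0, http_demand),
                     Policy("FTP", "Min1000Kbps", 0, ftp_demand)])


def exercise_3(http_demand=1500.0, ftp_demand=1500.0):
    """Same shared action, but HTTP is priority 5 and FTP priority 0."""
    return allocate({"Min1000Kbps": 1000},
                    [Policy("HTTP", "Min1000Kbps", 5, http_demand),
                     Policy("FTP", "Min1000Kbps", 0, ftp_demand)])


def exercise_4(http_demand=1500.0, ftp_demand=1500.0):
    """Separate actions: HTTP -> Min900Kbps, FTP -> Min400Kbps."""
    return allocate({"Min900Kbps": 900, "Min400Kbps": 400},
                    [Policy("HTTP", "Min900Kbps", 0, http_demand),
                     Policy("FTP", "Min400Kbps", 0, ftp_demand)])


if __name__ == "__main__":
    print("Ex2 FTP alone      ", exercise_2(http_demand=0))   # FTP takes all 1500
    print("Ex2 both           ", exercise_2())                # 750 / 750
    print("Ex3 one HTTP flow  ", exercise_3(http_demand=1000))  # HTTP 1000, FTP 500
    print("Ex3 many HTTP flows", exercise_3())                # HTTP 1500, FTP 0
    print("Ex4 FTP alone      ", exercise_4(http_demand=0))   # FTP takes all 1500
    print("Ex4 both           ", exercise_4())                # HTTP 1000, FTP 500
```

The Exercise 3 single-flow case uses an assumed HTTP demand of 1000 Kbps to show FTP keeping some bandwidth, as the exercise observes with one HTTP session; with enough HTTP sessions the demand exceeds the link and the priority-0 FTP policy receives nothing, which is the starvation the exercise warns about. The ValueError in allocate is the check worth repeating in any real configuration: minimums that sum to more than the interface bandwidth cannot all be honoured.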

Test Your Knowledge

1. True or false? You cannot assign a Traffic Management action and set traffic priority in the same policy.
2. True or false? Bandwidth Meter is an FSM utility used to graph the HTTP and FTP connections in the exercises in this module.
3. Which priority level is generally recommended for latency-sensitive connections such as VoIP? (Select one.)
   A) 4 Flash Override
   B) 0 Routine
   C) 5 Critical
   D) 2 Immediate
   E) 1 Priority
4. True or false? You set the Outgoing Interface Bandwidth in the Advanced tab of each XTM device network interface configuration.
5. For which interface must you set the Outgoing Interface Bandwidth to guarantee bandwidth for downloads from an FTP server on the external network to a computer on the trusted interface? (Select one.)
   A) Trusted Interface
   B) Optional Interface
   C) External Interface
   D) None of the above
   E) All of the above
6. True or false? Before you use traffic management features, you must enable the feature in the Global Settings dialog box.

ANSWERS

1. False. In Exercise 3 the same HTTP policy uses the Min1000Kbps action and a priority of 5.
2. False. Service Watch is configured to graph bandwidth in this exercise.
3. C
4. True
5. A. The downloaded data leaves the device through the trusted interface, so that is the interface whose Outgoing Interface Bandwidth applies.
6. True

TRAINING
www.watchguard.com/training
training@watchguard.com

COPYRIGHT 2011 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, Firebox, LiveSecurity, and spamblocker are registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries.