WatchGuard Training. Introduction to WatchGuard Dimension




Introduction to WatchGuard Dimension
- What is WatchGuard Dimension?
- Deploy WatchGuard Dimension
- Configure WatchGuard Dimension
- Use WatchGuard Dimension
- Support WatchGuard Dimension

What is WatchGuard Dimension?
- Secure and centralized logging, visibility, and reporting for XTM devices and WatchGuard servers
- New ways to visualize network data
- Dashboards with simple drill-down into detailed log and report information
- Customizable reports that can be emailed to different roles in the organization
- Complements Web UI visibility tools in XTM OS v11.8
- Reports available after first summary report period (5 minutes)
- All reports are on demand all the time
- Cloud-ready zero-installation deployment
- Delivered as a virtual appliance for ESXi (.ova)
- Running on 64-bit Linux
- Driven by Postgres 9.2
- Web interface supports most desktop and mobile browsers

What is Dimension? - Architecture
- Log Collector: Receives logs from devices, aggregates data
- Web Services: Serves web application to users and administrators
- Log Server: Provides API for log data, provisioning, and automated maintenance
- Database: Persistent storage for log and report data

Deploy WatchGuard Dimension

Deployment Requirements
- WatchGuard Dimension is distributed as an .ova file for installation on VMware ESXi 5.x.
- Your ESXi host must support 64-bit guest operating systems.
- WatchGuard Dimension has been primarily tested on VMware ESXi hypervisors.
- It can also be installed in VMware Workstation, Player, and Fusion environments, which is a great option for training and demonstration.
- WatchGuard Dimension is not currently available on any non-VMware hypervisors.
- WatchGuard Dimension is available on the Software Downloads pages with the downloads for XTM devices:
  1. Log in to WatchGuard.com
  2. Browse to Articles & Software
  3. Filter by Software Downloads (excluding Articles and Known Issues)

Deployment
- After downloading the WatchGuard Dimension virtual appliance (.ova), connect to your ESXi host with vSphere. From the File menu, select Deploy OVF Template.
- Browse to the downloaded WatchGuard Dimension OVA and select that as your source.
- Confirm the OVF Template Details and accept the EULA.
- Choose a name and disk format for this VM.
- Map the virtual network adapter to the appropriate destination network.
  Note: WatchGuard Dimension's network adapter defaults to DHCP. You will need a DHCP server on the network for Dimension to receive an IP address and access the setup wizard web interface.
- Confirm the deployment settings. Note that the disk allocation defaults to 43GB:
  - 3GB for OS drive (disk 1)
  - 40GB for Data drive (disk 2)
  Power on after deployment if you want to keep the default settings.
- Changing the provisioned size of Hard disk 2 before boot (or reboot) will result in more storage for logging and reports. Other defaults include:
  - 2GB of RAM
  - 2 CPUs (2 sockets, 1 core each)

Deployment Notes:
- The Dimension VM is deployed by default with a data disk size of 40GB.
- The data disk is fully reserved for the log database and the related overhead space required by Postgres.
- After the Dimension VM is deployed, the data disk size cannot be reduced.
- To limit the size to be less than 40GB and avoid data loss, you must remove and re-add Hard disk 2 before you power on the VM for the first time.

Deployment
- Once your VM is powered on, you see the IP address assigned to Dimension through DHCP.
- Use this IP address to make an HTTPS connection to Dimension and start the Dimension Setup Wizard.

Configure WatchGuard Dimension

Configuration Requirements
WatchGuard Dimension supports these web browsers:
- Firefox v22 and later
- Internet Explorer 9 and later
- Safari 5 and later
- Safari on iOS 6 and later
- Chrome v29 and later
You should be able to successfully use WatchGuard Dimension on most mobile phone and tablet devices.
Connect to Dimension in a web browser at https://<dimension-ip-address>

Configuration - Setup Wizard
- Accept the security warning to continue to connect to WatchGuard Dimension.
- Log in with these credentials:
    User Name: admin
    Password: readwrite
- Make sure you have this information before you start the Setup Wizard:
  - Host name
  - IPv4 address and settings for the eth0 interface
  - Administrator passphrase
  - Log Server Encryption Key
- Specify the host name for Dimension.
- Select the IP address method:
  - Static
  - DHCP
  For a static IP address, we recommend that you specify an IPv4 address.
- Set the Administrator Passphrase to use to connect to Dimension and manage the Dimension servers. The Administrator Passphrase must have a minimum of 8 characters.
- Set the Log Server Encryption Key.

Configuration - XTM Devices
- WatchGuard Dimension can accept log messages and generate reports for any device that runs Fireware XTM OS.
- WatchGuard Dimension can also accept log messages from a WatchGuard Management Server or Quarantine Server.
- On an XTM device, use the IP address and Encryption Key from WatchGuard Dimension when you configure the WatchGuard Log Server settings.
- On WatchGuard servers, use the same IP address and Encryption Key in the Logging settings.
- In some environments you may be NATing the HTTPS and WatchGuard Logging connections through your XTM device. This changes the IP address you use to connect to WatchGuard Dimension or where you send WatchGuard Logging connections.

Configuration - After the Wizard: Log In
- Multiple Super administrator users can be logged in at the same time
- Configuration pages have modes:
  - RO (Read-Only)
  - RW (Read-Write)

Configuration - After the Wizard: Manage Services
The Manage Services drop-down list includes the menu options to configure settings for Dimension:
- Schedule Reports
- Manage the Log Server
- Manage the Log Database
- Manage user accounts
- Configure System Settings

Configuration - System Settings
- Configure System and Network settings
- Manage certificates
- System Maintenance
  - Reboot
  - Upgrade
  - Restore Factory default!!!!
- Diagnostic Tools
- View Connected Users

Configuration - User Management
- Manage Users and Roles
  - Add, edit, or remove users
  - Apply roles:
    - RO: View-only
    - RW: Read-write
- Active Directory Settings
  - Enable Active Directory Authentication
  - Specify an Active Directory Server

Configuration - Users
Add/Edit User:
- Types:
  - Local
  - Active Directory
- Specify password
- Select Roles
- Select Devices

Configuration - Users
- Role policy same as WSM
  - User + List of roles + List of Devices
- User authentication similar to WSM: Local user, AD user, AD Group
  - AD requires DNS to resolve DCs by internal domain name
- Built-in roles only (no custom roles)
  - Super Administrator: Full access
  - Report Administrator: View logs, View reports, Manage scheduled reports and groups
  - View Logs
  - View Reports
- Applied to a list of devices

Configuration - Logging Server Management

On the Status page:
- View the status of the Log Server
- Stop and start the Log Server

On the Configuration > General page, you configure these settings for the Log Server:
- Change the Encryption Key
- Specify the log data deletion settings
- Back up and restore the Log Server database

On the Configuration > Notifications page, configure the settings for email:
- Failure Events
- Device Events
- Message Purge
- Must be configured to send scheduled reports

On the Configuration > Notifications page, configure the settings for reports:
- Report Customizations are templates to apply to report PDFs:
  - Header
  - Footer
  - Logo
- Configure settings for ConnectWise Integration

On the Diagnostics page, you can use these diagnostic tools:
- Purge diagnostic logs
- Backup/Restore Log Server database
- View Process List
- View Log Server log messages
- View Log Collector log messages

Configuration - Schedule Reports

Report Schedules
- RO: View only
- RW: Add/Edit/Remove scheduled reports
- Before scheduled reports can be sent, an SMTP server must be configured in the Notifications settings

Schedule General settings
- Name
- Description (optional)

Device Selection
- Devices:
  - All Devices
  - Specify Devices
- Servers:
  - All Servers
  - Specify Servers

Recipient Selection
- Must add at least one recipient

Report Selection
- Report Types
- Timezone
  - For report display purposes only. Web-based reports appear in the browser/OS time zone.
- Customization
- Aggregation
  - Single (per device)
  - Combined (grouped devices)
- Frequency

Configuration - New Summary Reports
- Schedule two new Reports:
  - Executive Summary
  - Web Traffic Summary
- Both new reports are available as scheduled reports that you can send to specific email addresses.
- Both reports can use any Report Customization (report template) that you create.

Configuration - Executive Summary Report
- Sent as a PDF file
- Specify a logo, header, and footer to customize the report

Configuration - Web Traffic Summary Report
- Sent as a PDF file
- Specify a logo, header, and footer to customize the report
- Report includes the Top Domains chart with the Web Categories (in a pie chart), and removes any byte counts or tabular information

Use WatchGuard Dimension

To get the most out of Dimension, make sure to:
- Select Enable logging for reports in proxy actions on your XTM devices and WatchGuard Servers.
- Enable logging of Allowed Packets in all policies.
- Configure your XTM devices and WatchGuard servers to send all log messages to your Dimension Log Server.

Use WatchGuard Dimension

Log Messages | Reports | Dashboards
Packet Filter Allowed Logs | Web, Packet Filter, Top Client, Application Control | Executive, Threat Map, FireWatch
Packet Filter Denied Logs | Web, Packet Filter, Denied Packet, Top Client, Application Control | Security, Threat Map
Intrusion Prevention Logs | IPS, Denied Packet | Security, Threat Map

Log Messages: Log when configuration has changed; All Proxies: Enable logging for reports; HTTP Proxies: Enable logging for reports; FTP Proxies: Enable logging for reports; SMTP Proxies: Enable logging for reports; POP3 Proxies: Enable logging for reports; Any alarms
Reports: Authentication, Audit GAV, IPS, SPAM, Application Control Web, Firebox Statistics, RED Firebox Statistics SMTP, Firebox Statistics POP3, Firebox Statistics GAV, Alarms
Dashboards: Executive, Security, Threat Map, FireWatch; Executive, Security, Threat Map, FireWatch; Executive, Security, Threat Map, FireWatch; Executive, Security, Threat Map, FireWatch; Executive, Security, Threat Map, FireWatch

Executive Dashboard
- Top 10:
  - Clients
  - Domains
  - URL Categories
  - Destinations
  - Applications
  - Application Categories
  - Protocols
- Click a summary to expand it and see more detail.

Security Dashboard
- Top 10 Blocked:
  - Clients
  - Destinations
  - URL Categories
  - Applications
  - Application Categories
  - Protocols
  - IPS Signatures
  - Gateway Anti-Virus
- Click a summary to expand it and see more detail.

Threat Map
- Denied Packets (Blocked)
- Intrusion Prevention Service
- Web Traffic
- Application Control
- All Traffic

FireWatch
- Sort by:
  - Source
  - Destination
  - Domains
  - Application
  - WebBlocker
  - Protocol
- Pivot on:
  - Bytes (Not available for packet filter traffic prior to XTM OS v11.8)
  - Connections
- Hover for more detail:
  - Filter further
  - Show connections

Log Manager
- Log messages stored in UTC time
- Appears in your web browser's local time

Log Search
- Run simple or complex search queries to refine the log messages that appear for the selected XTM device.
- Filter the search results by log message type:
  - Traffic
  - Alarm
  - Event
  - Diagnostic
  - Statistic
  - All

Other Available Reports
- The same reports are available that were previously available on your WatchGuard Report Server
- Select options to pivot on from the pivot drop-down list
- Export the report to a PDF file

Support WatchGuard Dimension

Dimension Support - Console Access
- vSphere console shows command line access
- Log in with wgsupport/readwrite (must change the password on initial login)
- Account restricted to only change the IP address
- To set a static IP address, use the command wg_ip_addr.sh, located in /opt/watchguard/dimension/bin. For example, to set a static IP address of 192.168.24.101 on network 192.168.24.0/24 with gateway 192.168.24.1, type:
    /opt/watchguard/dimension/bin/wg_ip_addr.sh -i 192.168.24.101 -m 24 -g 192.168.24.1
- When given without any options, or with the option --help, the command displays help text.
- Support Access for Diagnostics is available with a connection restricted by a client-side certificate.
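
An added example, not part of the original slides and not WatchGuard code: a POSIX shell helper that checks the address, prefix length and gateway for consistency before the wg_ip_addr.sh command above is typed on the console. The function names are hypothetical; the script path and the -i, -m and -g options come from the slide, and treating -m as a prefix length follows the slide's /24 example.

```shell
#!/bin/sh
# Added example, not WatchGuard code. Run it on an admin workstation to check
# the values, then type the printed command on the Dimension console.

WG_IP_ADDR=/opt/watchguard/dimension/bin/wg_ip_addr.sh   # path from the slide

# Print a dotted-quad IPv4 address as an integer; fail if it is malformed.
ip_to_int() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots (input is digits and dots only)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Report a problem on stderr; callers return the failure status themselves.
fail() { echo "error: $*" >&2; }

# build_static_ip_cmd ADDRESS PREFIX GATEWAY  (hypothetical helper)
# Prints the wg_ip_addr.sh command line, or returns 1 after explaining why not.
build_static_ip_cmd() {
    addr=$1; prefix=$2; gw=$3
    case "$prefix" in
        ""|0*|*[!0-9]*|???*) fail "bad prefix length: $prefix"; return 1 ;;
    esac
    [ "$prefix" -le 30 ] || { fail "prefix length must be 1-30"; return 1; }
    a=$(ip_to_int "$addr") || { fail "bad address: $addr"; return 1; }
    g=$(ip_to_int "$gw") || { fail "bad gateway: $gw"; return 1; }
    mask=$(( (4294967295 << (32 - $prefix)) & 4294967295 ))
    net=$(( $a & $mask ))
    bcast=$(( $net | (4294967295 ^ $mask) ))
    [ $(( $g & $mask )) -eq "$net" ] ||
        { fail "gateway $gw is not on the same network as $addr/$prefix"; return 1; }
    for host in "$a" "$g"; do
        [ "$host" -ne "$net" ] && [ "$host" -ne "$bcast" ] ||
            { fail "network or broadcast address used as a host"; return 1; }
    done
    [ "$a" -ne "$g" ] || { fail "address and gateway are identical"; return 1; }
    echo "$WG_IP_ADDR -i $addr -m $prefix -g $gw"
}

# The slide's own values.
build_static_ip_cmd 192.168.24.101 24 192.168.24.1
```

A gateway outside the address's network is rejected before anything is typed on the console, where the restricted wgsupport account is the only way to correct the address.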

Dimension Support - Known Limitations
- No external database
- Local Backup/Restore
- No host name resolution
- Cannot import log files to Dimension
- Certificates must use CSR
- No external private key

Thank You!