WatchGuard Firewall SSL VPN Configuration

WatchGuard firewall SSL VPN configuration procedure
The steps to configure SSL VPN on a WatchGuard firewall are as follows:
1. Connect to the firewall with the WatchGuard System Manager software and open Policy Manager.
2. On the toolbar, open the "VPN" menu, then "Mobile VPN", and choose the "SSL VPN" option.

3. This opens the SSL VPN configuration screen; when the settings are complete, click OK.
 
4. Once SSL VPN is activated, the firewall automatically generates default policies for the VPN. They need no modification and must not be deleted arbitrarily. Next, click "Authentication Server" at the top of the window.
 

5. In that screen, configure the login username and password. When finished, the configuration must be saved and uploaded to the firewall, otherwise it does not take effect.
 
6. After configuration, you can log in from a web browser at https://<external-interface-IP>:4100. Passing authentication on that page does not, however, mean that an SSL VPN tunnel has been established: in testing, internal hosts still could not be pinged after authentication succeeded.
 
 
7. To establish the SSL VPN you must install the client: ftp://172.16.2.68:2120/Software/service-software/WG-MVPN-SSL.exe. After installation, enter the firewall's external interface IP as the server address, then enter the username and password and connect.
 
 
The client then shows some connection details: the host has obtained the virtual address 192.168.113.2, along with other information.
 
Test pinging the internal addresses 10.0.0.1 and 10.0.0.2: ping succeeds!
 
Looking at the client's log, the messages for the connection being established can be seen:
2010-05-30T09:25:01.427 OVPN:>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
2010-05-30T09:25:01.427 OVPN:>PASSWORD:Need 'Auth' username/password
2010-05-30T09:25:01.505 OVPN:SUCCESS: verb=3
2010-05-30T09:25:01.505 OVPN:SUCCESS: mute=20
2010-05-30T09:25:01.505 OVPN:SUCCESS: real-time state notification set to ON
2010-05-30T09:25:01.505 OVPN:1275182700,CONNECTING,,,
2010-05-30T09:25:01.505 OVPN:END
2010-05-30T09:25:01.505 OVPN:SUCCESS: real-time log notification set to ON
2010-05-30T09:25:01.505 OVPN:1275182700,I,OpenVPN 2.1_rc9 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Sep 30 2008
2010-05-30T09:25:01.505 OVPN:1275182700,,MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
2010-05-30T09:25:01.505 OVPN:1275182700,,Need password(s) from management interface, waiting...
2010-05-30T09:25:01.505 OVPN:1275182701,,MANAGEMENT: Client connected from 127.0.0.1:1337
2010-05-30T09:25:01.505 OVPN:END
2010-05-30T09:25:01.505 OVPN:SUCCESS: 'Auth' username entered, but not yet verified
2010-05-30T09:25:01.505 OVPN:SUCCESS: 'Auth' password entered, but not yet verified
2010-05-30T09:25:01.505 OVPN:>LOG:1275182701,W,WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
2010-05-30T09:25:01.505 OVPN:>LOG:1275182701,,Control Channel MTU parms [ L:1539 D:140 EF:40 EB:0 ET:0 EL:0 ]
2010-05-30T09:25:01.505 OVPN:>LOG:1275182701,,Data Channel MTU parms [ L:1539 D:1450 EF:39 EB:4 ET:0 EL:0 ]
2010-05-30T09:25:01.505 OVPN:>LOG:1275182701,,Local Options hash (VER=V4): '7d20c2bc'
2010-05-30T09:25:01.505 OVPN:>LOG:1275182701,,Expected Remote Options hash (VER=V4): 'de2aef47'
2010-05-30T09:25:01.505 OVPN:>LOG:1275182701,I,Attempting to establish TCP connection with 1.1.1.2:443
2010-05-30T09:25:01.505 OVPN:>LOG:1275182701,,MANAGEMENT: >STATE:1275182701,TCP_CONNECT,,,
2010-05-30T09:25:01.521 OVPN:>STATE:1275182701,TCP_CONNECT,,,
2010-05-30T09:25:01.521 OVPN:>LOG:1275182701,I,TCP connection established with 1.1.1.2:443
2010-05-30T09:25:01.521 OVPN:>LOG:1275182701,,Socket Buffers: R=[0->0] S=[0->0]
2010-05-30T09:25:01.521 OVPN:>LOG:1275182701,I,TCPv4_CLIENT link local: [undef]
2010-05-30T09:25:01.521 OVPN:>LOG:1275182701,I,TCPv4_CLIENT link remote: 1.1.1.2:443
2010-05-30T09:25:01.521 OVPN:>LOG:1275182701,,MANAGEMENT: >STATE:1275182701,WAIT,,,
2010-05-30T09:25:01.521 OVPN:>STATE:1275182701,WAIT,,,
2010-05-30T09:25:01.521 OVPN:>LOG:1275182701,,MANAGEMENT: >STATE:1275182701,AUTH,,,
2010-05-30T09:25:01.521 OVPN:>STATE:1275182701,AUTH,,,
2010-05-30T09:25:01.521 OVPN:>LOG:1275182701,,TLS: Initial packet from 1.1.1.2:443, sid=5f370bd7 080c315a
2010-05-30T09:25:01.521 OVPN:>LOG:1275182701,W,WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2010-05-30T09:25:01.521 OVPN:>LOG:1275182701,,VERIFY OK: depth=1, /O=WatchGuard_Technologies/OU=Fireware/CN=Fireware_SSLVPN_CA
2010-05-30T09:25:01.521 OVPN:>LOG:1275182701,,Validating certificate extended key usage
2010-05-30T09:25:01.521 OVPN:>LOG:1275182701,,++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2010-05-30T09:25:01.521 OVPN:>LOG:1275182701,,VERIFY EKU OK
2010-05-30T09:25:01.521 OVPN:>LOG:1275182701,,VERIFY X509NAME OK: /O=WatchGuard_Technologies/OU=Fireware/CN=Fireware_SSLVPN_Server
2010-05-30T09:25:01.536 OVPN:>LOG:1275182701,,VERIFY OK: depth=0, /O=WatchGuard_Technologies/OU=Fireware/CN=Fireware_SSLVPN_Server
2010-05-30T09:25:02.786 OVPN:>LOG:1275182702,,Data Channel Encrypt: Cipher 'DES-CBC' initialized with 64 bit key
2010-05-30T09:25:02.786 OVPN:>LOG:1275182702,,Data Channel Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
2010-05-30T09:25:02.786 OVPN:>LOG:1275182702,,Data Channel Decrypt: Cipher 'DES-CBC' initialized with 64 bit key
2010-05-30T09:25:02.786 OVPN:>LOG:1275182702,,Data Channel Decrypt: Using 128 bit message hash 'MD5' for HMAC authentication
2010-05-30T09:25:02.786 OVPN:>LOG:1275182702,,Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
2010-05-30T09:25:02.786 OVPN:>LOG:1275182702,I,[Fireware_SSLVPN_Server] Peer Connection Initiated with 1.1.1.2:443
2010-05-30T09:25:03.958 OVPN:>LOG:1275182703,,MANAGEMENT: >STATE:1275182703,GET_CONFIG,,,
2010-05-30T09:25:03.958 OVPN:>STATE:1275182703,GET_CONFIG,,,
2010-05-30T09:25:03.958 OVPN:>LOG:1275182703,,SENT CONTROL [Fireware_SSLVPN_Server]: 'PUSH_REQUEST' (status=1)
2010-05-30T09:25:04.193 OVPN:>LOG:1275182704,,PUSH: Received control message: 'PUSH_REPLY,topology subnet,route 10.0.0.0 255.255.255.0,route-gateway 192.168.113.1,topology subnet,ping 10,ping-restart 60,ifconfig 192.168.113.2 255.255.255.0'
2010-05-30T09:25:04.193 OVPN:>LOG:1275182704,,OPTIONS IMPORT: timers and/or timeouts modified
2010-05-30T09:25:04.193 OVPN:>LOG:1275182704,,OPTIONS IMPORT: --ifconfig/up options modified
2010-05-30T09:25:04.193 OVPN:>LOG:1275182704,,OPTIONS IMPORT: route options modified
2010-05-30T09:25:04.193 OVPN:>LOG:1275182704,,OPTIONS IMPORT: route-related options modified
2010-05-30T09:25:04.193 OVPN:>LOG:1275182704,,MANAGEMENT: >STATE:1275182704,ASSIGN_IP,,192.168.113.2,
2010-05-30T09:25:04.193 OVPN:>STATE:1275182704,ASSIGN_IP,,192.168.113.2,
2010-05-30T09:25:04.193 OVPN:>LOG:1275182704,I,TAP-WIN32 device [
2010-05-30T09:25:04.208 OVPN:>LOG:1275182704,,TAP-Win32 Driver Version 9.4
2010-05-30T09:25:04.208 OVPN:>LOG:1275182704,,TAP-Win32 MTU=1500
2010-05-30T09:25:04.208 OVPN:>LOG:1275182704,I,Set TAP-Win32 TUN subnet mode network/local/netmask = 192.168.113.0/192.168.113.2/255.255.255.0 [SUCCEEDED]
2010-05-30T09:25:04.208 OVPN:>LOG:1275182704,I,Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.113.2/255.255.255.0 on interface {CD064A3E-E19E-4AB7-95D1-72EF1B66C87D} [DHCP-serv: 192.168.113.254, lease-time: 31536000]
2010-05-30T09:25:04.208 OVPN:>LOG:1275182704,I,Successful ARP Flush on interface [589826] {CD064A3E-E19E-4AB7-95D1-72EF1B66C87D}
2010-05-30T09:25:09.364 OVPN:>LOG:1275182709,,TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
2010-05-30T09:25:09.364 OVPN:>LOG:1275182709,,MANAGEMENT: >STATE:1275182709,ADD_ROUTES,,,
2010-05-30T09:25:09.364 OVPN:>STATE:1275182709,ADD_ROUTES,,,
2010-05-30T09:25:09.364 OVPN:>LOG:1275182709,,C:\WINDOWS\system32\route.exe ADD 10.0.0.0 MASK 255.255.255.0 192.168.113.1
2010-05-30T09:25:09.364 OVPN:>LOG:1275182709,,Route addition via IPAPI succeeded [adaptive]
2010-05-30T09:25:10.521 Succeed to restart DNS Client
2010-05-30T09:25:10.521 OVPN:>LOG:1275182709,I,Initialization Sequence Completed
2010-05-30T09:25:10.521 OVPN:>LOG:1275182709,,MANAGEMENT: >STATE:1275182709,CONNECTED,SUCCESS,192.168.113.2,1.1.1.2
2010-05-30T09:25:10.521 OVPN:>STATE:1275182709,CONNECTED,SUCCESS,192.168.113.2,1.1.1.2
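The client log above is the one place that records what the tunnel actually negotiated (here a DES-CBC data channel with MD5 HMAC, TLSv1 and a 1024-bit RSA server key) and whether it reached CONNECTED rather than stopping at web authentication. The following added example, not part of the original post or of WatchGuard's software, parses that OpenVPN-style log format and flags those settings; the sample log is constructed from lines shown above, and the weak-algorithm lists and 2048-bit RSA floor are this example's own thresholds.

```python
import re
# Constructed sample, trimmed from the client log shown above ("OVPN:" prefixes the OpenVPN client output)
SAMPLE_LOG = """\
2010-05-30T09:25:02.786 OVPN:>LOG:1275182702,,Data Channel Encrypt: Cipher 'DES-CBC' initialized with 64 bit key
2010-05-30T09:25:02.786 OVPN:>LOG:1275182702,,Data Channel Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
2010-05-30T09:25:02.786 OVPN:>LOG:1275182702,,Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
2010-05-30T09:25:04.193 OVPN:>LOG:1275182704,,PUSH: Received control message: 'PUSH_REPLY,topology subnet,route 10.0.0.0 255.255.255.0,route-gateway 192.168.113.1,ping 10,ifconfig 192.168.113.2 255.255.255.0'
2010-05-30T09:25:10.521 OVPN:>STATE:1275182709,CONNECTED,SUCCESS,192.168.113.2,1.1.1.2
"""

PATTERNS = {  # first capture group of each pattern is the value kept
    "cipher": r"Data Channel Encrypt: Cipher '([^']+)' initialized with \d+ bit key",
    "key_bits": r"Data Channel Encrypt: Cipher '[^']+' initialized with (\d+) bit key",
    "hmac": r"Data Channel Encrypt: Using \d+ bit message hash '([^']+)'",
    "tls": r"Control Channel: ([^,]+), cipher",
    "rsa_bits": r"Control Channel: .*, (\d+) bit RSA",
    "state": r">STATE:\d+,([A-Z_]+),",
    "ip": r">STATE:\d+,CONNECTED,SUCCESS,([\d.]+),",
}
WEAK_CIPHERS = {"DES-CBC", "DES-EDE3-CBC", "BF-CBC", "RC2-CBC"}  # 64-bit block ciphers (example's own list)
WEAK_DIGESTS = {"MD5", "SHA1"}
LEGACY_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}
MIN_RSA_BITS = 2048  # example's own floor for the server certificate key

def parse_ovpn_log(text):
    """Return the negotiated parameters, pushed routes and final state machine state."""
    info = {key: None for key in PATTERNS}
    info["routes"] = []
    for line in text.splitlines():
        for key, pat in PATTERNS.items():
            m = re.search(pat, line)
            if m:
                info[key] = m.group(1)  # later lines overwrite earlier ones
        m = re.search(r"PUSH_REPLY,(.*)'", line)
        if m:  # keep only "route <net> <mask>" options, not route-gateway
            info["routes"] += [o[6:] for o in m.group(1).split(",") if o.startswith("route ")]
    return info

def audit(info):
    """Findings a defender would raise about this tunnel (empty list means nothing flagged)."""
    checks = [
        (info["cipher"] in WEAK_CIPHERS or int(info["key_bits"] or 0) < 128,
         f"weak data-channel cipher {info['cipher']} ({info['key_bits']}-bit key)"),
        (info["hmac"] in WEAK_DIGESTS, f"weak HMAC digest {info['hmac']}"),
        (info["tls"] in LEGACY_TLS, f"legacy control-channel protocol {info['tls']}"),
        (int(info["rsa_bits"] or 0) < MIN_RSA_BITS, f"{info['rsa_bits']}-bit RSA certificate key"),
        (info["state"] != "CONNECTED", f"tunnel never reached CONNECTED (last state {info['state']})"),
    ]
    return [msg for bad, msg in checks if bad]
```

Running `audit(parse_ovpn_log(SAMPLE_LOG))` on the constructed sample yields four findings (cipher, HMAC, TLS version, RSA size) and none about connectivity, which matches the outcome described in the post.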
 