Ok, I got a brand new XTM 5 Series WatchGuard firewall and only a couple of days to satisfy my curiosity. First of all, it supports three administrative interfaces:
1. Command Line Interface (CLI), which is pretty obvious.
2. Web Interface. Just point your browser at the management IP address of the firewall over HTTPS on port 8080.
3. WatchGuard System Manager (WSM), which is centralised management software.
Console settings:
Baud Rate — 115200
Data Bits — 8
Stop Bits — 1
Parity — No
Flow Control — None
There are two users available from the start: admin and status. The default passwords are readwrite and readonly, respectively.
Let’s check what their privileges are in detail:
XTM_5_Series login: status
Password:
--
-- WatchGuard Firebox Operating System Software.
-- Fireware XTM Version 11.6.5
-- Support: https://www.watchguard.com/support/supportLogin.asp
-- Copyright (c) 1996-2011 by WatchGuard Technologies, Inc.
--
WG>?
Exec commands:
diagnose Display internal diagnostic information
exit Exit from the EXEC
export Export information to external platform
help Description of the interactive help system
history Display the command history list with line numbers
no Negate a command or set its defaults
ping Send echo messages
show Show running system information
sysinfo Display system information
traceroute Trace route to destination
who Show who is logged on
WG>
WatchGuard-XTM login: admin
Password: readwrite
--
-- WatchGuard Firebox Operating System Software.
-- Fireware XTM Version 11.6.5
-- Support: https://www.watchguard.com/support/supportLogin.asp
-- Copyright (c) 1996-2011 by WatchGuard Technologies, Inc.
--
WG#?
Privilege commands:
arp Manipulate the system ARP cache
backup Backup previous software release or configuration
cert-request Certificate request
checksum The checksum of all the packages installed on appliance
clock Manage the system clock
configure Enter configuration mode
debug-cli Configure debugging options
diagnose Display internal diagnostic information
dnslookup Look up domain name
exit Exit from the EXEC
export Export information to external platform
fips FIPS mode setting
help Description of the interactive help system
history Display the command history list with line numbers
import Import information from external platform
mgmt-user-unlock Unlock a locked management account
no Negate a command or set its defaults
password Change the current administrator's password
ping Send echo messages
policy-check Policy check
reboot Reboot system
restore Appliance software image
show Show running system information
shutdown Shutdown this WatchGuard appliance
sync Sync info from live security server
sysinfo Display system information
tcpdump Dump traffic on a network
traceroute Trace route to destination
upgrade Upgrade software release with dl file
usb USB drive
vpn-tunnel Encrypted virtual connection
who Show who is logged on
Before doing any configuration manipulations, check sysinfo for the OS version. If the OS version is old, some features might be missing, such as the link-aggregation command mode, which is available only in Fireware XTM v11.7 and higher.
WG#show sysinfo
--
-- System Information
--
system name : WatchGuard-XTM
system model : XTM515
contact : system contact
location : system location
system time : 08:04:34GMT 08/29/2013
up time : 0 days 0 hours 16 minutes 59 seconds
serial number : 80BE05699xxxx
version : 11.6.5.B364214
cpu utilization : 0%(1 min) 0%(5 min) 0%(15 min)
memory usage : 2029600 kB(total) 1574988 kB(free) 454612 kB(used)
time zone : GMT+0:00 Greenwich Mean Time
Some features are subscription dependent and are activated by importing feature keys, either manually or automatically from the official web resource. To list the current features, issue the show features command.
WG#sh features
--
-- Total 22 Feature(s)
--
Feature Capacity Status Expiration
MODEL XTM515 Disabled Never
AUTHENTICATED_USER 500 Enabled Never
BGP 0 Enabled Never
BOVPN_TUNNEL 65 Enabled Never
FIRECLUSTER 0 Enabled Never
FW_RULE 0 Enabled Never
FW_SPEED 2000 Enabled Never
FW_USERS 0 Enabled Never
LOAD_BALANCE 0 Enabled Never
MUVPN_USER 75 Enabled Never
OSPF 0 Enabled Never
POLICY_ROUTING 0 Enabled Never
QOS 100 Enabled Never
SERVER_LOAD_BALANCING 0 Enabled Never
SESSION 80000 Enabled Never
SSLVPN_USER 65 Enabled Never
L2TP_USER 65 Enabled Never
VLAN 100 Enabled Never
VPN_SPEED 250 Enabled Never
WAN_FAILOVER 0 Enabled Never
LINK_AGGREGATION 0 Enabled Never
XTM_PRO 0 Enabled Never
You can check some global settings with the show global-setting command.
WG#show global-setting
--
-- TCP Settings
--
TCP SYN checking : Enable
MSS adjustment : automatic
--
-- ICMP Error Messages Setting
--
allow specified ICMP error messages:
(1): fragmentation-required
(2): time-exceeded
(3): network-unreachable
(4): host-unreachable
(5): port-unreachable
(6): protocol-unreachable
denied specified ICMP error messages:
--
-- Traffic management and QoS
--
Enable all traffic management and QoS features: Disabled
--
-- WEB UI Properties
--
WebUI port : 8080
--
--Auto reboot setting
--
Auto reboot : Disabled
reboot the firebox at
Hour : 0
Minute : 0
--
--TCP settings
--
TCP connection idle timeout : 0day(s) 1hour(s) 0minute(s) 0second(s)
TCP close timeout : 0day(s) 0hour(s) 0minute(s) 10second(s)
TCP time-wait timeout : 0day(s) 0hour(s) 2minute(s) 0second(s)
--
--UDP settings
--
UDP idle timeout : 0day(s) 0hour(s) 0minute(s) 30second(s)
UDP stream timeout : 0day(s) 0hour(s) 3minute(s) 0second(s)
WG#
Interface configuration output:
WG#sh interface
--
-- Interface Properties
-- Type: TR = trusted, EX = external, OP = optional, VL = vlan, BR = bridge, CL = cluster, NA = not apply
--
physical interface count : 7
licensed interface count : 7
--
-- Interface Address & Status
--
Enabled If-# Name Address Type/MTU Status IP-Assignment IP-Node-Type
yes 0 External 0.0.0.0/0 EX/1500 down DHCP IPv4 Only
yes 1 Trusted 10.0.1.1/24 TR/1500 down static IPv4 Only
yes 2 Optional-1 10.0.2.1/24 OP/1500 down static IPv4 Only
yes 3 Optional-2 10.0.3.1/24 OP/1500 down static IPv4 Only
yes 4 Optional-3 10.0.4.1/24 OP/1500 down static IPv4 Only
yes 5 Optional-4 10.0.5.1/24 OP/1500 down static IPv4 Only
yes 6 Optional-5 10.0.6.1/24 OP/1500 down static IPv4 Only
WG#show interface 0
--
-- Interface Properties <Interface 0>
-- re-auth: re-authentication
--
enabled : yes
IP node type : IPv4 Only
link status : down
interface number : 0
interface name : External
interface type : external
mac address : 00:90:7f:9d:dc:fa
IP-Assignment : DHCP
DHCP host ip : 0.0.0.0
DHCP host id :
DHCP host name :
DHCP lease time : [not specified]
--
-- Advanced Settings
--
MTU : 1500
link speed : auto-negotiation
address group : [disable]
blocked ip notification : disable
anti spoof : match interface type
anti ip/port scan : enable
DoS prevention : enable
DF bit : copy
Qos max-link-bandwidth : 0
Qos marking type : Precedence
Qos marking method : Preserve
Qos marking priority : No_Priority
VPN minimum Path MTU : 576
VPN learned Path MTU life time: 600
WG#show interface 1
--
-- Interface Properties <Interface 1>
-- re-auth: re-authentication
--
enabled : yes
IP node type : IPv4 Only
link status : down
interface number : 1
interface name : Trusted
interface type : trusted
mac address : 00:90:7f:9d:dc:fb
ip address : 10.0.1.1/24
--
-- Advanced Settings
--
MTU : 1500
link speed : auto-negotiation
address group : [disable]
blocked ip notification : disable
anti spoof : match interface
anti ip/port scan : disable
DoS prevention : enable
DHCP service : DHCP server
DHCP server leasing time : 8 (hours)
DHCP server IP range(s) : 10.0.1.2 - 10.0.1.254
DHCP domain name :
DF bit : copy
Qos max-link-bandwidth : 0
Qos marking type : Precedence
Qos marking method : Preserve
Qos marking priority : No_Priority
WG#show interface 2
--
-- Interface Properties <Interface 2>
-- re-auth: re-authentication
--
enabled : yes
IP node type : IPv4 Only
link status : down
interface number : 2
interface name : Optional-1
interface type : optional
mac address : 00:90:7f:9d:dc:fc
ip address : 10.0.2.1/24
--
-- Advanced Settings
--
MTU : 1500
link speed : auto-negotiation
address group : [disable]
blocked ip notification : disable
anti spoof : match interface
anti ip/port scan : disable
DoS prevention : enable
DHCP service : disable
DF bit : copy
Qos max-link-bandwidth : 0
Qos marking type : Precedence
Qos marking method : Preserve
Qos marking priority : No_Priority
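The show sysinfo and show interface output above share a key : value layout. As an added example (not from the post or from WatchGuard), the Python below parses that layout, checks the Fireware version against the 11.7 requirement for link-aggregation mentioned earlier, and flags any interface whose anti ip/port scan or DoS prevention setting is not enabled, which is how the Trusted interface ships above. Function names and the sample input are my own, constructed from the quoted output.

```python
import re

# Constructed sample input (not copied from the post) that mirrors the
# "key : value" layout of Fireware XTM "show sysinfo" / "show interface N".
SYSINFO = """\
version : 11.6.5.B364214
"""
INTERFACE_0 = """\
-- Interface Properties <Interface 0>
interface name : External
mac address : 00:90:7f:9d:dc:fa
anti ip/port scan : enable
DoS prevention : enable
"""
INTERFACE_1 = """\
interface name : Trusted
anti ip/port scan : disable
DoS prevention : enable
"""

def parse_kv(text):
    """Parse 'key : value' lines into a dict, skipping '--' banner lines."""
    out = {}
    for line in text.splitlines():
        if line.startswith("--") or ":" not in line:
            continue
        # Split on the first ':' only so MAC addresses and times stay intact.
        key, _, value = line.partition(":")
        out[key.strip()] = value.strip()
    return out

def fireware_version(sysinfo):
    """Numeric Fireware version as a tuple, e.g. '11.6.5.B364214' -> (11, 6, 5)."""
    ver = parse_kv(sysinfo)["version"]
    return tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", ver).groups())

def has_link_aggregation_cli(sysinfo):
    """Link-aggregation command mode needs Fireware XTM 11.7 or higher."""
    return fireware_version(sysinfo) >= (11, 7, 0)

def audit_interface(text):
    """List findings for interfaces whose scan/DoS protections are not enabled."""
    iface = parse_kv(text)
    name = iface.get("interface name", "?")
    findings = []
    for key in ("anti ip/port scan", "DoS prevention"):
        if iface.get(key, "").lower() != "enable":
            findings.append(f"{name}: {key} is not enabled")
    return findings
```

Feed it the text captured from the console for each interface number and review any findings before putting the box into production.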
And the one you might be interested in for a start is how to change a user’s password on the WatchGuard:
WG#password
User(admin/status): admin
New Password:
Retype New Password:
WG#
That’s it for now. There are more overview articles in Category:WatchGuard.
By privilege15