Watchguard WSM Upgrade User guide

WatchGuard® System Manager
Upgrade Guide
WatchGuard System Manager v8.2
WatchGuard Fireware v8.2
WatchGuard Firebox System v7.4
ADDRESS:
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
SUPPORT:
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456
SALES:
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.521.8340
ABOUT WATCHGUARD
WatchGuard is a leading provider of network security solutions for small- to mid-sized
enterprises worldwide, delivering integrated products and services that are
robust as well as easy to buy, deploy and manage. The company’s Firebox X family of
expandable integrated security appliances is designed to be fully upgradeable as an
organization grows and to deliver the industry’s best combination of security,
performance, intuitive interface and value. WatchGuard Intelligent Layered Security
architecture protects against emerging threats effectively and efficiently and provides
the flexibility to integrate additional security functionality and services offered
through WatchGuard. Every WatchGuard product comes with an initial LiveSecurity
Service subscription to help customers stay on top of the security landscape with
vulnerability alerts, software updates, expert security instruction and superior
customer care. For more information, please call (206) 521-8340 or visit
www.watchguard.com.
Notice to Users
Information in this guide is subject to change without notice. Companies, names, and data used in examples
herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any
form or by any means, electronic or mechanical, for any purpose, without the express written permission of
WatchGuard Technologies, Inc.
Copyright, Trademark, and Patent Information
Copyright© 1998 - 2005 WatchGuard Technologies, Inc. All rights reserved.
All trademarks or trade names mentioned herein, if any, are the property of their respective owners.
Guide Version: 8.2-352-2571-001
Complete copyright, trademark, patent, and licensing information can be found in the
WatchGuard System Manager User Guide. A copy of this book is automatically installed into
a subfolder of the installation directory called Documentation. You can also find it online at:
http://www.watchguard.com/help/documentation/
Contents
CHAPTER 1 Introduction
  Introducing WatchGuard System Manager 8.0, 8.1, and 8.2
  Appliance Software
  Using Fireware appliance software tools
  What’s New with WatchGuard System Manager?
  Enhancements to WFS appliance software
  WatchGuard Servers
  Comparing WFS and Fireware Pro
  Appliance software feature matrix
  Planning Your Migration
  Upgrading Subscription Services
CHAPTER 2 Installing the WatchGuard System Manager Software
  Documenting Your Security Policy
  Installing the Software
  Installation requirements
  Installing the software
  Uninstalling the software
  Setting Up the Management Server
  Management Server licenses
  Using the Management Server
  Migrating your DVCP Server from a Firebox to a Management Server
  Viewing the Network with WatchGuard System Manager
  Using WFS7.4
  Upgrading from WSM 8.0 or WSM 8.1 to WSM 8.2
  Downgrading Fireware 8.2 to a Previous Version
CHAPTER 3 Putting Fireware on the Firebox
  Using the Quick Setup Wizard
  Connecting to the Firebox
  Using fbxinstall.exe
  Upgrading to Fireware Pro
  Restoring a backup image
CHAPTER 4 Fireware Network Configuration
  Working with Interfaces
  DHCP Server
  Virtual Private Networking
  Policy-based NAT
  Aliases
CHAPTER 5 Fireware Policy Manager
  Services
  Proxy Migration
  WebBlocker
  Intrusion Prevention/Default Packet Handling
  Blocked Sites
  Firewall Authentication
CHAPTER 1 Introduction
Introducing WatchGuard System Manager 8.0, 8.1, and 8.2
WatchGuard® System Manager (WSM) 8.0 was an important software release for WatchGuard customers.
This release introduced Fireware™ Pro appliance software and added enhancements to the previous
WSM management software. With WSM 8.0, you can manage Firebox® X Edge, Firebox III, Firebox X Core,
and Firebox X Peak devices at the same time from the same management station. With Fireware Pro
appliance software on a Firebox X Core or Firebox X Peak, you can use advanced network features that
include dynamic routing and a feature-rich IPS (intrusion prevention service).
WatchGuard® System Manager (WSM) 8.1 added the capability to support drop-in mode. Drop-in mode
gives the ability to put a Firebox appliance into a well-established network infrastructure with minimal
disruption.
WatchGuard® System Manager (WSM) 8.2 adds several new capabilities:
• Management for multiple Firebox X Edge devices. WSM 8.2 can apply firmware upgrades, create and
update global policies, and collect log data for large Edge deployments from a centralized
management station.
• Optional spamBlocker service. WatchGuard has partnered with Commtouch to deliver a highly accurate,
user-friendly spamBlocker application for Fireboxes running Fireware Pro.
• More granular control of web access with WebBlocker. Fireware Pro 8.2 introduces 40 SurfControl
categories for the WebBlocker service.
This Upgrade Guide is for users who must upgrade from WFS 7.x to WSM 8.x.
Appliance Software
Fireware™ Pro is the next generation of security appliance software available from WatchGuard®. Appliance
software is a software application stored in the memory of your firewall appliance. The Firebox
uses the appliance software with the configuration file to operate. When you install an upgrade on your
Firebox® X Core or Firebox X Peak device, you write a new version of the appliance software to its memory.
The WatchGuard® System Manager now supports two versions of appliance software:
• WFS - This is the default appliance software on Firebox III and Firebox X Core appliances. This is an
enhanced version of the appliance software successfully used by WatchGuard customers since
1998. WatchGuard System Manager v8.x includes WFS v7.4.
• Fireware Pro - This is the default appliance software on Firebox X Peak appliances. This next
generation appliance software enables WatchGuard to expand the number of features available
to Firebox X customers. Advanced network features like multi-WAN support, dynamic routing,
and QoS enable customers with complex networks to more effectively protect their networks,
while simultaneously benefiting from WatchGuard’s proactive Deep Application Inspection
capabilities.
Using Fireware appliance software tools
When you install WatchGuard System Manager, it automatically installs the software tools you must
have to configure and manage a Firebox X Core or Firebox X Peak with Fireware Pro appliance software.
These include:
• Fireware Firebox System Manager
• Fireware Policy Manager
• Fireware HostWatch
When you add a device to the WatchGuard System Manager Devices tab, the system identifies which
appliance software the Firebox uses. If you select a Firebox, then click a management tool icon, it
automatically starts the correct management tool for the version of appliance software installed on that
Firebox.
For example, add a Firebox X5000 to the Devices tab using the instructions found in the WatchGuard
System Manager User Guide. Select the Firebox X5000. Click the Policy Manager icon on the WSM toolbar.
Fireware Policy Manager starts and opens the configuration file.
What’s New with WatchGuard System Manager?
With this release, there are many changes to WatchGuard® System Manager — some large and some
small. In this section we tell you the most important enhancements.
New WatchGuard System Manager features
What was previously the VPN Manager view/workspace is now the default view for all the Firebox®
devices, Log Servers, and Management Servers in your network. It is now known as WatchGuard System
Manager. From WatchGuard System Manager, you can start monitoring and configuration tools such as
Policy Manager, HostWatch, and Firebox System Manager.
WatchGuard System Manager also includes:
• Simple management of a network with more than one WatchGuard hardware platform:
  - Firebox III
  - Firebox X Core
  - Firebox X Edge and Firebox X Edge Wireless
  - Firebox X Peak
  - Firebox SOHO6 and Firebox SOHO6 Wireless
  - Firebox S6 and Firebox S6 Wireless
• A Management Server that operates on a Windows server instead of on a gateway Firebox. This
solution is more scalable and flexible and lets you easily set up a large network with many offices
and VPN tunnels.
• A feature that allows you to use SNMP to monitor important device statistics. You can also send
SNMP traps to SNMP servers.
• Log messages written in XML.
New features introduced with Fireware Pro
The Fireware Pro appliance software improves WatchGuard’s ability to supply new features on the same
hardware platform. Fireware Pro is available as an upgrade to WatchGuard System Manager. Contact
your reseller or browse to the WatchGuard web site for more information. Features new to this release
include:
• Enhancements to the Gateway AntiVirus service such as features to examine outgoing messages,
lock attachments with suspicious content, and make better reports
• Interface independence
• Signature-based intrusion prevention with stateful signature matching
• Multi-WAN for more flexibility and network connection time
• Dynamic routing of these protocols: BGP, OSPF, RIPv1 and v2
• Quality of Service (QoS) that uses “virtual pipes” to route the traffic to match your business
requirements
• Active Directory and LDAP integration
• Application Server Load Sharing and enhanced policy management interface for advanced
controls and more granular control of your security policy
• New optional spamBlocker service to examine inbound e-mail messages and find spam e-mail
• 40 SurfControl categories for the WebBlocker service
Enhancements to WFS appliance software
The WatchGuard System Manager v8.x includes WFS v7.4 appliance software. This version has two
important features.
• WSM 8.x uses a Management Server that operates on a Windows server rather than a gateway
Firebox. This allows for much more scalability and flexibility when you set up a large, distributed
network.
• Log messages that are written in XML.
WatchGuard Servers
There are three servers in this release that do Firebox management tasks:
• Management Server
• Log Server
• WebBlocker Server
You can configure the servers from a Windows toolbar that you install with the servers. The toolbar
appears in the Windows taskbar at the bottom of your computer monitor. The toolbar is used to start,
stop, and configure each server.
Management Server
WatchGuard enabled simple VPN configuration with the Dynamic VPN Configuration Protocol (DVCP). A
DVCP server controls the VPN tunnels of a distributed enterprise from one easy-to-use management
interface. A limit to earlier versions of WSM was that the DVCP server had to operate on a Firebox.
With WSM 8.x, the DVCP Server is replaced with a WatchGuard Management Server. You install the
Management Server on a computer with the Windows operating system. This increases scalability and
flexibility for the network administrator. The Management Server has the same functions as the DVCP server
from previous releases of WSM. These functions are:
• Centralized management of VPN tunnel configurations
• Certificate authority for distributing certificates for IPSec tunnels
Log Server
The Log Server collects log messages, event messages, alarms, and diagnostic messages from one or
more Firebox devices. The log messages are now kept in an *.xml format. This allows you to use third-party
XML tools to create your own custom reports. The Log Server was formerly known as the WatchGuard
Security Event Processor (WSEP).
WebBlocker Server
The WebBlocker Server operates with an HTTP Proxy policy so users cannot browse to specified web
sites. You set the categories of permitted web sites during Firebox configuration. The HTTP Proxy on the
Firebox then uses information on the WebBlocker Server to find out if a web site is in a restricted category.
Comparing WFS and Fireware Pro
Many of the tools and features you use in WFS are also in Fireware™ Pro. Some are enhanced with more
settings or improvements in the methods used to configure and enable them. Fireware Pro includes
such features as dynamic routing, multi-WAN support, and a signature-based intrusion prevention system.
At the same time, we did not move all WFS appliance software features into Fireware Pro.
This table is a summary of the features in each type of appliance software.
Appliance software feature matrix
There are significant differences between the WFS appliance software and the new Fireware Pro appliance
software. A summary of these differences is shown in the table below. When both appliance software
packages include a feature, but Fireware implementation is different from WFS, we include more
information in the last column.
| Functional Area | Feature | WFS | Fireware | Notes on Fireware Implementation |
|---|---|---|---|---|
| Upgradeable | Model Upgradeable | Yes | Yes | |
| Networking Features | Port Independence | No | Yes | |
| | Secondary IP Address | Yes | Yes | |
| | Traffic Management/QoS | No | Yes | |
| | MultiWAN | No | Yes | |
| | WAN Failover | No | Yes | |
| | WAN Load Sharing | No | Yes | |
| | Dynamic Routing | No | Yes | The interface is similar to the Firebox VController management software |
| | Secondary Networks | Yes | Yes | You cannot configure secondary networks and external aliases when you use a dynamic IP address for the external interface |
| | DHCP Client | Yes | Yes | |
| | DHCP Server | Yes | Yes | |
| | Drop-In Mode | Yes | Yes | Added to Fireware 8.2 |
| High Availability | Active/Standby | Option | Included | |
| Application Layer Filtering | HTTP Inbound | No | Yes | Fireware includes substantial feature enhancements |
| | HTTP Outbound | Yes | Yes | |
| | WebBlocker | Yes | Yes | Fireware includes 40 categories of web content |
| | SMTP Inbound | Yes | Yes | Fireware includes substantial feature enhancements |
| | SMTP Outbound | Yes | Yes | |
| | FTP Inbound | Yes | Yes | Fireware includes substantial feature enhancements. It does not, however, proxy the data channel. |
| | FTP Outbound | Yes | Yes | |
| | DNS | Yes | Yes | There are more configuration options. |
| | Outgoing (TCP) | Yes | Yes | |
| | Firewall Based IPS (protocol anomaly detection) | Yes | Yes | Fireware protocol anomaly detection includes substantial feature enhancements. |
| | Signature-based IPS | No | Yes | |
| Authentication | RADIUS | Yes | Yes | You cannot use Policy Manager to download the list of users and groups. |
| | LDAP/Active Directory | No | Yes | You cannot use Policy Manager to download the list of users and groups. |
| | Windows 2000/2003 | Yes | No | |
| | Firebox | Yes | Yes | |
| | Authentication Web page for other authentication | Yes | Yes | |
| VPN | PPTP | Yes | Yes | You can have only one PPTP client type behind any NAT device. |
| | PPTP with RADIUS authentication | Yes | Yes | |
| | MUVPN | Yes | Yes | External authentication is the only supported authentication mechanism for MUVPN. Fireware uses the same MUVPN client software as WFS. |
| | BOVPN | Yes | Yes | There is no auto-start for VPN tunnels. There is also no DNS resolution in IKE. |
| | AES Encryption | No | Yes | Fireware enables the hardware-based AES encryption chip. |
| | IPSec Pass Through | Yes | Yes | This feature is disabled in the default configuration. To configure IPSec pass through, you must enable the global setting, then create an IPSec policy to allow the traffic. |
| | NAT-Traversal (UDP encapsulation of IPSec) | Yes | Yes | This feature is enabled in the default configuration. |
| Management | Unified management interface | No | Yes | You can start all management tools from WatchGuard System Manager. |
| | Manage more than one device | Yes | Yes | Use the WatchGuard System Manager to manage one or more devices. |
| | Certificate Authority | Yes | Yes | Certificate Authority moves from the Firebox to a Windows computer. |
| | Drag and drop VPN setup for WatchGuard appliances | Yes | Yes | Available for these models: Firebox SOHO6, Firebox III, Firebox X Edge, Firebox X Core, and Firebox X Peak |
| | Management Server | No | Yes | Added to 8.0. |
| | SSL/CSKT Gateway (Firebox SOHO6 and Firebox X Edge management) | Yes | Yes | |
| | Basic DVCP | Yes | No | If you currently use Basic DVCP, you must use the Management Server Setup Wizard to migrate your tunnels to the Management Server. |
| Monitoring Tools | Firebox System Manager | Yes | Yes | Enhanced when monitoring Fireware devices. |
| | HostWatch | Yes | Yes | HostWatch no longer supports playback. |
| | Performance Console | No | Yes | Ability to graphically monitor large number of system, policy, and VPN parameters. |
| Policy Management | Policy Manager | Yes | Yes | Fireware Policy Manager includes substantial feature enhancements. |
| | Policies | Yes | Yes | Services are now known as policies. |
| | Firewall Policies | Yes | Yes | Because of port independence, we replaced “incoming/outgoing” with “from/to.” |
| | Policy Management | Yes | Yes | The Any service no longer has the highest priority. Firewall policies no longer affect IPSec policies. |
| | BOVPN Setup | Yes | Yes | There is a new interface design which enables you to clearly identify policies used for VPN traffic. |
| | MUVPN Configuration Wizard | Yes | Yes | |
| | Tunnel Setup | Yes | Yes | |
| | PPTP Setup | Yes | Yes | |
| | Customer ordered policies | No | Yes | |
| | Auto-policy ordering | Yes | Yes | |
| | 1:1 NAT | Yes | Yes | |
| | Dynamic NAT | Yes | Yes | |
| | Static NAT | Yes | Yes | When you apply static NAT on an external interface, the Firebox uses NAT from all external addresses instead of just the primary one. If you make a secondary network on the external network and an alias on external and make a static NAT in a service to NAT “external” to a server on trusted (external-<internal server>), the Firebox applies NAT to all external addresses, including the alias and the secondary network IP. |
| Logging | Log Server | Yes | Yes | Log Server now keeps files in an XML format. |
| | XML Log Format | No | Yes | Fireware natively generates log messages in an XML format. |
| | LogViewer | Yes | Yes | |
| | Message Text | Yes | Yes | All log messages are new with Fireware. For more information, see the Reference Guide. |
| Reporting | Historical Reports | Yes | Yes | 8.x includes five new reports and support for XML log files. |
| Options | SpamScreen | Yes | No | Fireware supports optional spamBlocker service. |
| | spamBlocker | No | Yes | |
| | WebBlocker | Yes | Yes | Fireware supports 40 WebBlocker categories. |
| | Gateway AntiVirus | Yes | Yes | |
| | Signature-Based IPS | No | Yes | |
| | Common Criteria CLI | No | Yes | This new feature is available only in Common Criteria mode. |
Planning Your Migration
As with any major software migration, a well-designed plan for your upgrade from WFS to Fireware™ Pro
can decrease the effect on your users, improve your experience, and make sure you have a secure installation
of the new product features. If possible, we recommend that you do this migration in a network
lab as an alternative to your production network. You can also do this migration during non-operational
hours when a short time with no connection to the Internet does not harm your business.
The length of the migration depends upon the complexity of your network and of your current Firebox®
configuration. The software installation and Fireware Pro installation should take no more than 30 minutes.
However, the time necessary to migrate your DVCP server to the Management Server and to create
your new Fireware Pro configuration varies based on the number of tunnels and policies you have. We
recommend that you set aside up to eight hours.
This Upgrade Guide supplies detailed instructions to successfully migrate from WFS to Fireware Pro.
These include steps to:
• Document your current WFS configuration
• Back up your current WFS configuration
• Install WatchGuard System Manager on the management station
• Configure the Management Server and migrate your DVCP server(s)
• Configure the Log Server
• Configure the WebBlocker Server and download the database
• Install Fireware Pro on the device
• Open WSM and connect to the Firebox
• Open Fireware Policy Manager
  - Make the changes in Fireware Policy Manager that reflect the WFS configuration
  - Network configuration
  - NAT settings
  - Service configurations
  - Create and test VPN tunnels as necessary
• Deploy the Firebox and test the Fireware configuration
Upgrading Subscription Services
When you upgrade to Fireware™ Pro, your current Gateway AntiVirus for E-mail and SpamScreen subscriptions
stop. You can move the remaining months of your subscriptions to the Fireware Pro versions
of these services (Gateway AntiVirus/Intrusion Prevention Service (GAV/IPS) and spamBlocker service).
To move the remainder of your subscriptions to the new services, open a technical support incident
with WatchGuard Customer Care at:
www.watchguard.com/support/incidents/newincident.asp
The incident report must include this information:
• Incident description with request to transfer the remaining months of Gateway AntiVirus for E-mail
and/or SpamScreen.
• Firebox serial number
All LiveSecurity and WebBlocker subscriptions continue with no change when you upgrade.
CHAPTER 2 Installing the WatchGuard System Manager Software
Before you can operate a Firebox with WatchGuard® Fireware™ Pro or WFS 7.4, you must install the
WatchGuard System Manager v8.2 upgrade on your management station. If the Firebox® was a DVCP
server, you must move the DVCP server configuration properties to the Management Server. If you
completed these steps and are upgrading to Fireware Pro, you can go to the “Putting Fireware on the
Firebox” chapter.
In this chapter, we tell how to:
• Document your security policy
• Back up the WFS configuration file and image
• Install WatchGuard System Manager software on a management station
• Migrate your DVCP server from your Firebox to a Management Server
• Set up WatchGuard servers
Documenting Your Security Policy
A good security policy is not just a firewall configuration file. It is a process that a network administrator
documents and that management regularly reviews. Your migration is a good opportunity to examine
your security policy. Because you must make a new configuration file for the Fireware Pro appliance
software, it is a good idea to examine which policies you must have to do business. Use these guidelines:
• Each policy you open makes your network less secure
• Policies that allow traffic from the Internet to your network are more dangerous than policies that
allow traffic from your network to the Internet
• Specifying source and destination addresses makes a policy more secure
Note
To successfully migrate to WatchGuard Fireware you must start from WFS 7.3 or earlier.
Installing the Software
WatchGuard® System Manager 8.0/8.1/8.2 includes many changes to the software. It is important that
you save all of your current settings. In this section, we show you how to:
• Back up the WFS configuration file and image
• Install WatchGuard System Manager software on a management station
You must install all the WatchGuard management software and appliance software before you create a
new configuration.
Installation requirements
Before you install WatchGuard System Manager, make sure that you have these items:
• WatchGuard Firebox security device
• WatchGuard System Manager CD-ROM
• A serial cable (blue)
• Three crossover Ethernet cables (red)
• Three straight Ethernet cables (green)
• Power cable
• LiveSecurity service license key
It is also good to restart your Firebox before you start the upgrade procedure. This clears the RAM
component and helps to prevent problems during the upgrade.
Software encryption
The management station software is available with two types of encryption.
• Base - Uses 40-bit encryption
• Strong - Uses 128-bit 3DES encryption
A minimum of 56-bit encryption is necessary for the IPSec standard. To use virtual private networking
with IPSec or PPTP, you must download the strong encryption software.
Strong export limits apply to the strong encryption software. It is possible that it is not available for
download to your region. For more information, log in to the LiveSecurity service and refer to the online
resources at:
https://www.watchguard.com/support/AdvancedFaqs/bovpn_ipsecgrey.asp
Before you install the WatchGuard System Manager v8.2 upgrade, save your current configuration file
and appliance software image.
Saving the configuration file
You can save the configuration file of a Firebox on the Firebox. You can also save it as a file on a local
hard disk drive. Before you install an upgrade, we recommend that you save the configuration file to a
local hard disk drive.
1 From WFS Policy Manager, select File > Save > As File.
2 Type the name of the configuration file. Click Save.
The configuration file has the file extension *.wfg. You can also save this to a network folder.
Saving the Firebox software image
A very important step in the upgrade is to save the Firebox software image. The Firebox keeps this file
on a backup partition of the Firebox flash disk. To create the WFS software backup file:
1 Open Control Center, and connect to the Firebox.
2 Select Tools > Advanced > Flash Disk Management.
3 Select Make Backup of Current Image. Click Continue.
A verification prompt appears. Make sure that the management station can connect to the Firebox Trusted interface
with the network (TCP/IP) or with a modem that uses out-of-band management.
4 Click Yes.
The Connect To Firebox dialog box appears.
5 From the Firebox drop-down list, select a Firebox or type the IP address used by the management
station to connect to the Firebox. Type the configuration (read/write) passphrase. Click OK.
6 Select a file name for the Firebox backup.
The Enter Encryption Key dialog box appears.
7 Type a key to encrypt the backup file. Click OK.
This makes sure that no one can get sensitive information from the backup file.
8 When the backup is successful, an Operation Complete message appears.
9 Click OK.
It is not necessary to restart the Firebox after this procedure.
Installing the software
With WatchGuard System Manager 8.x, you can have more than one version of the management software
on one computer. Make sure that you select a different folder name for each installation.
1 Download the WatchGuard System Manager software, if you do not already have it.
Make sure that you write down the name and the path of the file when you save it to your hard disk drive.
2 Open the file and use the instructions on the screens to help you through the installation.
The installation utility includes a screen in which you select the components of the software or the upgrades to install.
A different license is necessary when you install some software components.
3 At the end of the installation wizard, a check box appears that you can select to start the QuickSetup
Wizard. For this upgrade, we recommend that you use the QuickSetup Wizard at this time only if you
do not have VPN tunnels and do not use VPN Manager.
Uninstalling the software
If you decide to remove WatchGuard System Manager from your management station, use Windows
Add or Remove Programs to uninstall.
Note
It is very important to uninstall WatchGuard System Manager using the Windows Add or Remove
Programs tool if you plan to install an earlier version of WatchGuard System Manager after you remove
this version.
To uninstall WatchGuard System Manager:
1 Click Start > Control Panel.
2 Double-click Add or Remove Programs.
3 Select WatchGuard System Manager 8.2 and click Remove.
Use the instructions to complete the procedure.
Setting Up the Management Server
WatchGuard System Manager 8.0/8.1/8.2 has a Management Server Setup Wizard that migrates your
WFS DVCP server configuration to the new WatchGuard Management Server. You start this wizard from
the WatchGuard toolbar in the Windows taskbar.
WatchGuard introduced simple VPN configuration with the Dynamic VPN Configuration Protocol
(DVCP). A DVCP server controls many VPN tunnels with one easy-to-use management interface. A limit
to previous versions of WatchGuard System Manager (WSM) was that you could only use the Firebox® as
a DVCP server.
With WSM 8.0/8.1/8.2, we move the DVCP off the Firebox and onto a computer that uses the Windows
operating system. This makes the Firebox a more scalable and flexible solution for the network
administrator. The Management Server has the same functions as the DVCP server. These functions are:
• Central management of VPN tunnel configurations
• Certificate Authority to make and to send out certificates for IPSec tunnels
The installation software automatically installs the Management Server on the same computer as the
management station. You can also install it on a different computer. It is a good idea to install the
Management Server software on a computer that is behind a Firebox with a static external IP address. The
Management Server does not operate correctly if it is behind a Firebox with a dynamic IP address on its
external interface.
From the Management Server user interface, you can do these administrative tasks:
• Start and stop the Management Server
• Set Management Server passphrases
• Enter a Management Server license key
• Configure the diagnostic log messages from the Management Server
• Set the Certificate Authority properties that include the domain name and publication period
• Start the Certificate Authority user interface
Management Server licenses
You use the VPN Manager license to operate the Management Server. You must have your VPN Manager
license before you can move a DVCP server from a Firebox to a Management Server. You can use a
WatchGuard System Manager license to increase the total number of devices managed by the
Management Server.
Using the Management Server
You use the Management Server Setup Wizard to configure your Management Server. If you use a
Firebox as a DVCP server, the wizard also moves the DVCP server features and Certificate Authority from the
Firebox to your Management Server.
1 From the Windows desktop, double-click the Management Server icon in the WatchGuard toolbar.
2 Select Start Service.
If the Management Server has not been configured, then the Management Server Setup Wizard starts
automatically. For information on using this wizard, see the “Configuring and Using the Management
Server” chapter in the WatchGuard System Manager User Guide.
Note
If you change the IP address of the Management Server, you must remove the Management Server
software. Then install the software again.
Migrating your DVCP Server from a Firebox to a Management Server
WatchGuard System Manager 8.2 supplies a wizard that migrates your WFS DVCP server configuration
to the new WatchGuard Management Server. This wizard is known as the Management Server Setup
Wizard and is launched from the WatchGuard toolbar in the Windows taskbar.
This wizard moves your DVCP server from your Firebox to a Windows computer that you designate as
your Management Server. It also converts the Firebox you were using as a DVCP server into a gateway
Firebox that protects the Management Server from the Internet. Finally, it converts any basic DVCP
tunnels connected to the gateway Firebox into regular tunnels. Basic DVCP tunnels are not supported in
WSM 8.2.
Note
To do this procedure, the Firebox that you use as a DVCP server must have WatchGuard System Manager
7.3 or earlier appliance software.
The wizard:
• Gets a master encryption key to encrypt the configuration and passphrase files of the
Management Server
• Gets a passphrase to connect to the DVCP server from the management station
• Gets the IP address and configuration passphrase for the Firebox that was used as a DVCP server
• Connects to the Firebox
• Gets the DVCP server configuration file from the Firebox
• Uses this configuration file to find if the Firebox was a basic DVCP server or an advanced DVCP
server
• Changes the “wg_dvcp” and “wg_ca” services of the gateway Firebox to use NAT (network address
translation) to the new Management Server on the management station
• Saves the changes to the Firebox
• Starts the Management Server
If the Firebox was an advanced DVCP server
If the Firebox was an advanced DVCP server, the wizard:
• Uses the configuration properties of the DVCP server to configure the CA on the Management
Server
• Gets the DVCP configuration file (dvcp.cfg) from the Firebox
• Uses the DVCP configuration file to set the Management Server license key, policy templates,
security templates, and DVCP clients
• Removes the DVCP server from the Firebox
• Removes the DVCP server configuration properties from the Firebox configuration file
If the Firebox was a basic DVCP server
The wizard converts any basic DVCP tunnels that connect to the gateway Firebox to regular VPN
tunnels. Basic DVCP tunnels are not supported in WSM 8.0/8.1/8.2.
The Management Server Setup Wizard does not convert all the basic DVCP tunnels that you have in your
network. It only converts the tunnels that use the gateway Firebox as one of the endpoints. Tunnels
without a gateway Firebox endpoint are isolated from the gateway Firebox. If you have basic DVCP
tunnels in your network that are isolated, you must use one of these two procedures to convert your
tunnels to WSM 8.0/8.1/8.2.
Procedure #1
To use this procedure, you must disable the tunnels that are isolated before you use the Management
Server Setup Wizard.
1 In Policy Manager, remove the basic DVCP tunnel configuration at each endpoint (Firebox) for the
tunnel.
Do this for each Firebox that is an endpoint for an isolated tunnel.
2 Download the configuration to each Firebox and restart the Firebox.
3 Use the Management Server Setup Wizard to:
Move your DVCP server to your Management Server