Watchguard WSM Upgrade User guide

Brand: Watchguard

Model: WSM Upgrade

Category: Software manuals

Type: User guide

WatchGuard

System Manager

Upgrade Guide

WatchGuard System Manager v8.2

WatchGuard Fireware v8.2

WatchGuard Firebox System v7.4

ii WatchGuard System Manager

ADDRESS:

505 Fifth Avenue South

Suite 500

Seattle, WA 98104

SUPPORT:

www.watchguard.com/support

suppor[email protected]

U.S. and Canada +877.232.3531

All Other Countries +1.206.613.0456

SALES:

U.S. and Canada +1.800.734.9905

All Other Countries +1.206.521.8340

ABOUT WATCHGUARD

WatchGuard is a leading provider of network security solutions for small- to mid-

sized enterprises worldwide, delivering integrated products and services that are

robust as well as easy to buy, deploy and manage. The company’s Firebox X family of

expandable integrated security appliances is designed to be fully upgradeable as an

organization grows and to deliver the industry’s best combination of security,

performance, intuitive interface and value. WatchGuard Intelligent Layered Security

architecture protects against emerging threats effectively and efficiently and provides

the flexibility to integrate additional security functionality and services offered

through WatchGuard. Every WatchGuard product comes with an initial LiveSecurity

Service subscription to help customers stay on top of the security landscape with

vulnerability alerts, software updates, expert security instruction and superior

customer care. For more information, please call (206) 521-8340 or visit

www.watchguard.com

Notice to Users

Information in this guide is subject to change without notice. Companies, names, and data used in examples

herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any

form or by any means, electronic or mechanical, for any purpose, without the express written permission of

WatchGuard Technologies, Inc.

All trademarks or trade names mentioned herein, if any, are the property of their respective owners.

Guide Version: 8.2-352-2571-001

Complete copyright, trademark, patent, and licensing informa-

tion can be found in the WatchGuard System Manager User

Guide. A copy of this book is automatically installed into a sub-

folder of the installation directory called Documentation. You

can also find it online at:

http://www.watchguard.com/help/documentation/

Upgrade Guide iii

iv WatchGuard System Manager

Upgrade Guide v

Contents

CHAPTER 1 Introduction ............................................................................................................................. 1

Introducing WatchGuard System Manager 8.0, 8.1, and 8.2 .................................................... 1

Appliance Software ................................................................................................................................ 1

Using Fireware appliance software tools ......................................................................................... 2

What’s New with WatchGuard System Manager? ........................................................................ 2

Enhancements to WFS appliance software ..................................................................................... 3

WatchGuard Servers ............................................................................................................................ 3

Comparing WFS and Fireware Pro ..................................................................................................... 4

Appliance software feature matrix ................................................................................................... 5

Planning Your Migration ....................................................................................................................... 8

Upgrading Subscription Services ...................................................................................................... 8

CHAPTER 2 Installing the WatchGuard System Manager Software ...................................... 9

Documenting Your Security Policy ................................................................................................... 9

Installing the Software ........................................................................................................................10

Installation requirements ..................................................................................................................10

Installing the software .......................................................................................................................11

Uninstalling the software ..................................................................................................................12

Setting Up the Management Server ...............................................................................................12

Management Server licenses ...........................................................................................................13

Using the Management Server ........................................................................................................13

Migrating your DVCP Server from a Firebox to a Management Server .............................13

Viewing the Network with WatchGuard System Manager .....................................................15

Using WFS7.4 ..........................................................................................................................................17

Upgrading from WSM 8.0 or WSM 8.1 to WSM 8.2 ....................................................................17

Downgrading Fireware 8.2 to a Previous Version ......................................................................17

CHAPTER 3 Putting Fireware on the Firebox ..................................................................................19

Using the Quick Setup Wizard ..........................................................................................................19

Connecting to the Firebox .................................................................................................................25

vi WatchGuard System Manager

Using fbxinstall.exe ...............................................................................................................................27

Upgrading to Fireware Pro ................................................................................................................27

Restoring a backup image ................................................................................................................28

CHAPTER 4 Fireware Network Configuration .................................................................................29

Working with Interfaces ......................................................................................................................29

DHCP Server .........................................................................................................................................31

Virtual Private Networking .................................................................................................................32

Policy-based NAT ...................................................................................................................................32

Aliases .......................................................................................................................................................33

CHAPTER 5 Fireware Policy Manager ..................................................................................................35

Services .....................................................................................................................................................35

Proxy Migration ......................................................................................................................................36

WebBlocker ..............................................................................................................................................37

Intrusion Prevention/Default Packet Handling .........................................................................38

Blocked Sites ........................................................................................................................................38

Firewall Authentication .......................................................................................................................39

Upgrade Guide 1

Introducing WatchGuard System Manager 8.0, 8.1, and 8.2

CHAPTER 1 Introduction

Introducing WatchGuard System Manager 8.0, 8.1, and 8.2

WatchGuard® System Manager (WSM) 8.0 was an important software release for WatchGuard custom-

ers. This release introduced Fireware™ Pro appliance software and added enhancements to the previous

WSM management software. With WSM 8.0, you can manage Firebox® X Edge, Firebox III, Firebox X Core,

and Firebox X Peak devices at the same time from the same management station. With Fireware Pro

appliance software on a Firebox X Core or Firebox X Peak, you can use advanced network features that

include dynamic routing and a feature-rich IPS (intrusion prevention service).

WatchGuard® System Manager (WSM) 8.1 added the capability to support drop-in mode. Drop-in mode

gives the ability to put a Firebox appliance into a well-established network infrastructure with minimal

disruption.

WatchGuard® System Manager (WSM) 8.2 adds several new capabilities:

•M

anagement for multiple Firebox X Edge devices. WSM 8.2 can apply firmware upgrades,

create and

update global policies, and collect log data for large Edge deployments from a

centralized management station.

•

Optional spamBlocker service. WatchGuard has partnered with Commtouch to deliver a

highly accurate,

user-friendly spamBlocker application for Fireboxes running Fireware Pro.

•

More granular control of web access with WebBlocker. Fireware Pro 8.2 introduces 40

SurfControl

categories for the WebBlocker service.

This Upgrade Guide is for users who must upgrade from WFS 7.x to WSM 8.x.

Appliance Software

Fireware™ Pro is the next generation of security appliance software available from WatchGuard®. Appli-

ance software is a software application stored in the memory of your firewall appliance. The Firebox

uses the appliance software with the configuration file to operate. When you install an upgrade on your

Firebox® X Core or Firebox X Peak device, you write a new version of the appliance software to its mem-

ory.

The WatchGuard® System Manager now supports two versions of appliance software:

• WFS - This is the default appliance software on Firebox III and Firebox X Core appliances. This is an

enhanced version of the appliance software successfully used by WatchGuard customers since

1998. WatchGuard System Manager v8.x includes WFS v7.4.

What’s New with WatchGuard System Manager?

2 WatchGuard System Manager

• Fireware Pro - This is the default appliance software on Firebox X Peak appliances. This next

generation appliance software enables WatchGuard to expand the number of features available

to Firebox X customers. Advanced network features like multi-WAN support, dynamic routing,

and QoS enable customers with complex networks to more effectively protect their networks,

while simultaneously benefiting from WatchGuard’s proactive Deep Application Inspection

capabilities.

Using Fireware appliance software tools

When you install WatchGuard System Manager, it automatically installs the software tools you must

have to configure and manage a Firebox X Core or Firebox X Peak with Fireware Pro appliance software.

These include:

• Fireware Firebox System Manager

• Fireware Policy Manager

• Fireware HostWatch

When you add a device to the WatchGuard System Manager Devices tab, the system identifies which

appliance software the Firebox uses. If you select a Firebox, then click a management tool icon, it auto-

matically starts the correct management tool for the version of appliance software installed on that Fire-

box.

For example, add a Firebox X5000 to the Devices tab using the instructions found in the WatchGuard

System Manager User Guide. Select the Firebox X5000. Click the Policy Manager icon on the WSM tool-

bar. Fireware Policy Manager starts and opens the configuration file.

What’s New with WatchGuard System Manager?

With this release, there are many changes to WatchGuard® System Manager — some large and some

small. In this section we tell you the most important enhancements.

New WatchGuard System Manager features

What was previously the VPN Manager view/workspace is now the the default view for all the Firebox®

devices, Log Servers, and Management Servers in your network. It is now known as WatchGuard System

Manager. From WatchGuard System Manager, you can start monitoring and configuration tools such as

Policy Manager, HostWatch, and Firebox System Manager.

WatchGuard System Manager also includes:

• Simple management of a network with more than one WatchGuard hardware platform:

-Firebox III

-Firebox X Core

- Firebox X Edge and Firebox X Edge Wireless

-Firebox X Peak

- Firebox SOHO6 and Firebox SOHO6 Wireless

- Firebox S6 and Firebox S6 Wireless

• A Management Server that operates on a Windows server instead of on a gateway Firebox. This

solution is more scalable and flexible and lets you easily set up a large network with many offices

and VPN tunnels.

Upgrade Guide 3

What’s New with WatchGuard System Manager?

• A feature that allows you to use SNMP to monitor important device statistics. You can also send

SNMP traps to SNMP servers.

• Log messages written in XML.

New features introduced with Fireware Pro

The Fireware Pro appliance software improves WatchGuard’s ability to supply new features on the same

hardware platform. Fireware Pro is available as an upgrade to WatchGuard System Manager. Contact

your reseller or browse to the WatchGuard web site for more information. Features new to this release

include:

• Enhancements to the Gateway AntiVirus service such as features to examine outgoing messages,

lock attachments with suspicious content, and make better reports

• Interface independence

• Signature-based intrusion prevention with stateful signature matching

• Multi-WAN for more flexibility and network connection time

• Dynamic routing of these protocols: BGP, OSPF, RIPv1 and v2

• Quality of Service (QoS) that uses “virtual pipes” to route the traffic to match your business

requirements

• Active Directory and LDAP integration

• Application Server Load Sharing and enhanced policy management interface for advanced

controls and more granular control of your security policy

• New optional spamBlocker service to examine inbound e-mail messages and find spam e-mail

•

40 SurfControl categories for the WebBlocker service

Enhancements to WFS appliance software

The WatchGuard System Manager v8.x includes WFS v7.4 appliance software. This version has two

important features.

• WSM 8.x uses a Management Server that operates on a Windows server rather than a gateway

Firebox. This allows for much more scalability and flexibility when you set up a large, distributed

network.

• Log messages that are written in XML.

WatchGuard Servers

There are three servers in this release that do Firebox management tasks:

• Management Server

•Log Server

• WebBlocker Server

Comparing WFS and Fireware Pro

4 WatchGuard System Manager

You can configure the servers from a Windows toolbar that you install with the servers. The toolbar

appears in the Windows taskbar at the bottom of your computer monitor. The toolbar is used to start,

stop, and configure each server.

Management Server

WatchGuard enabled simple VPN configuration with the Dynamic VPN Configuration Protocol (DVCP). A

DVCP server controls the VPN tunnels of a distributed enterprise from one easy-to-use management

interface. A limit to earlier versions of WSM was that the DVCP server had to operate on a Firebox.

With WSM 8.x, the DVCP Server is replaced with a WatchGuard Management Server. You install the Man-

agement Server on a computer with the Windows operating system. This increases scalability and flexi-

bility for the network administrator. The Management Server has the same functions as the DVCP server

from previous releases of WSM. These functions are:

• Centralized management of VPN tunnel configurations

• Certificate authority for distributing certificates for IPSec tunnels

Log Server

The Log Server collects log messages, event messages, alarms, and diagnostic messages from one or

more Firebox devices. The log messages are now kept in an *.xml format. This allows you to use third-

party XML tools to create your own custom reports. The Log Server was formerly known as the Watch-

Guard Security Event Processor (WSEP).

WebBlocker Server

The WebBlocker Server operates with an HTTP Proxy policy so users cannot browse to specified web

sites. You set the categories of permitted web sites during Firebox configuration. The HTTP Proxy on the

Firebox then uses information on the WebBlocker Server to find out if a web site is in a restricted cate-

gory.

Comparing WFS and Fireware Pro

Many of the tools and features you use in WFS are also in Fireware™ Pro. Some are enhanced with more

settings or improvements in the methods used to configure and enable them. Fireware Pro includes

such features as dynamic routing, multi-WAN support, and a signature-based intrusion prevention sys-

tem. At the same time, we did not move all WFS appliance software features into Fireware Pro.

This table is a summary of the features in each type of appliance software.

Upgrade Guide 5

Comparing WFS and Fireware Pro

Appliance software feature matrix

There are significant differences between the WFS appliance software and the new Fireware Pro appli-

ance software. A summary of these differences is shown in the table below. When both appliance soft-

ware packages include a feature, but Fireware implementation is different from WFS, we include more

information in the last column.

Feature or Functional Area WFS Fireware Notes on Fireware Implementation

Upgradeable

Model Upgradeable Yes Yes

Networking

Features

Port Independence No Yes

Secondary IP Address Yes Yes

Traffic Management/

QoS

No Yes

MultiWAN No Yes

WAN Failover No Yes

WAN Load Sharing No Yes

Dynamic Routing No Yes The interface is similar to the Firebox

VController management software

Secondary Networks Yes Yes You cannot configure secondary networks

and external aliases when you use a dynamic

IP address for the external interface

DHCP Client Yes Yes

DHCP Server Yes Yes

Drop-In Mode Yes Yes Added to Fireware 8.2

High

Availability

Active/Standby Option Included

Application

Layer Filtering

HTTP Inbound No Ye s

Fireware includes substantial feature

enhancements

HTTP Outbound Ye s Ye s

WebBlocker Ye s Ye s

Fireware includes 40 categories of web

content

SMTP Inbound Yes Yes Fireware includes substantial feature

enhancements

SMTP Outbound Yes Yes

FTP Inbound Yes Yes Fireware includes substantial feature

enhancements. It does not, however, proxy

the data channel.

FTP Outbound Yes Yes

DNS Yes Yes There are more configuration options.

Outgoing (TCP) Yes Yes

Firewall Based IPS

(protocol anomaly

detection)

Yes Yes Fireware protocol anomaly detection

includes substantial feature enhancements.

Signature-based IPS No Yes

Authentication

RADIUS Yes Yes You cannot use Policy Manager to download

the list of users and groups.

Comparing WFS and Fireware Pro

6 WatchGuard System Manager

LDAP/Active Directory No Yes You cannot use Policy Manager to download

the list of users and groups.

Windows 2000/2003 Yes No

Firebox Yes Yes

Authentication Web

page for other

authentication

Yes Yes

VPN

PPTP Yes Yes You can have only one PPTP client type

behind any NAT device.

PPTP with RADIUS

authentication

Yes Yes

MUVPN Yes Yes External authentication is the only supported

authentication mechanism for MUVPN.

Fireware uses the same MUVPN client

software as WFS.

BOVPN Yes Yes There is no auto-start for VPN tunnels. There

is also no DNS resolution in IKE.

AES Encryption No Yes Fireware enables the hardware-based AES

encryption chip.

IPSec Pass Through Yes Yes This feature is disabled in the default

configuration. To configure IPSec pass

through, you must enable the global setting,

then create an IPSec policy to allow the

traffic.

NAT-Traversal

(UDP encapsulation of

IPSec)

Yes Yes This feature is enabled in the default

configuration.

Management

Unified management

interface

No Yes You can start all management tools from

WatchGuard System Manager.

Manage more than one

device

Yes Yes Use the WatchGuard System Manager to

manage one or more devices.

Certificate Authority Yes Yes Certificate Authority moves from the Firebox

to a Windows computer.

Drag and drop VPN

setup for WatchGuard

appliances

Yes Yes Available for these models: Firebox SOHO6,

Firebox III, Firebox X Edge, Firebox X Core,

and Firebox X Peak

Management Server No Yes Added to 8.0.

SSL/CSKT Gateway

(Firebox SOHO6 and

Firebox X Edge

management)

Yes Yes

Basic DVCP Yes No If you currently use Basic DVCP, you must use

the Management Server Setup Wizard to

migrate your tunnels to the Management

Server.

Monitoring

Tools

Firebox System Manager Yes Yes Enhanced when monitoring Fireware

devices.

HostWatch Yes Yes HostWatch no longer supports playback.

Performance Console No Yes Ability to graphically monitor large number

of system, policy, and VPN parameters.

Policy

Management

Policy Manager Yes Yes Fireware Policy Manager includes substantial

feature enhancements.

Feature or Functional Area WFS Fireware Notes on Fireware Implementation

Upgrade Guide 7

Comparing WFS and Fireware Pro

Policies Yes Yes Services are now known as policies.

Firewall Policies Yes Yes Because of port independence, we replaced

“incoming/outgoing” with “from/to”.

Policy Management Yes Yes The Any service no longer has the highest

priority. Firewall policies no longer affect

IPSec policies.

BOVPN Setup Yes Yes There is a new interface design which

enables you to clearly identify policies used

for VPN traffic.

MUVPN Configuration

Wizard

Yes Yes

Tunnel Setup Yes Yes

PPTP Setup Yes Yes

Customer ordered

policies

No Yes

Auto-policy ordering Yes Yes

1:1 NAT Yes Yes

Dyamic NAT Yes Yes

Static NAT Yes Yes When you apply static NAT on an external

interface, the Firebox uses NAT from all

external addresses instead of just the

primary one. If you make a secondary

network on the external network and an alias

on external and make a static NAT in a service

to NAT “external” to a server on trusted

(external-<internal server>), the Firebox

applies NAT to all external addresses,

including the alias and the secondary

network IP.

Logging

Log Server Yes Yes Log Server now keeps files in an XML format.

XML Log Format No Yes Fireware natively generates log messages in

an XML format.

LogViewer Yes Yes

Message Text Yes Yes All log messages are new with Fireware. For

more information, see the Reference Guide.

Reporting

Historical Reports Yes Yes 8.x includes five new reports and support for

XML log files.

Options

SpamScreen Yes No Fireware supports optional spamBlocker

service.

spamBlocker No Yes

WebBlocker Yes Yes Fireware supports 40 WebBlocker categories.

Gateway AntiVirus Yes Yes

Signature-Based IPS No Yes .

Common Criteria CLI No Yes This new feature is available only in Common

Criteria mode.

Feature or Functional Area WFS Fireware Notes on Fireware Implementation

Planning Your Migration

8 WatchGuard System Manager

Planning Your Migration

As with any major software migration, a well-designed plan for your upgrade from WFS to Fireware™ Pro

can decrease the effect on your users, improve your experience, and make sure you have a secure instal-

lation of the new product features. If possible, we recommend that you do this migration in a network

lab as an alternative to your production network. You can also do this migration during non-operational

hours when a short time with no connection to the Internet does not harm your business.

The length of the migration depends upon the complexity of your network and of your current Firebox®

configuration. The software installation and Fireware Pro installation should take no more than 30 min-

utes. However, the time necessary to migrate your DVCP server to the Management Server and to create

your new Fireware Pro configuration varies based on the number of tunnels and policies you have. We

recommend that you set aside up to eight hours.

This Upgrade Guide supplies detailed instructions to successfully migrate from WFS to Fireware Pro.

These include steps to:

• Document your current WFS configuration

• Back up your current WFS configuration

• Install WatchGuard System Manager on the management station

• Configure the Management Server and migrate your DVCP server(s)

• Configure the Log Server

• Configure the WebBlocker Server and download the database

• Install Fireware Pro on the device

• Open WSM and connect to the Firebox

•Open Fireware Policy Manager

- Make the changes in Fireware Policy Manager that reflect the WFS configuration

- Network configuration

-NAT settings

- Service configurations

- Create and test VPN tunnels as necessary

• Deploy the Firebox and test the Fireware configuration

Upgrading Subscription Services

When you upgrade to Fireware™ Pro, your current Gateway AntiVirus for E-mail and SpamScreen sub-

scriptions stop. You can move the remaining months of your subscriptions to the Fireware Pro versions

of these services (Gateway AntiVirus/Intrusion Prevention Service (GAV/IPS) and spamBlocker service).

To move the remainder of your subscriptions to the new services, open a technical support incident

with WatchGuard Customer Care at:

www.watchguard.com/support/incidents/newincident.asp

The incident report must include this information:

• Incident description with request to transfer the remaining months of Gateway AntiVirus for E-

mail and/or SpamScreen.

• Firebox serial number

All LiveSecurity and WebBlocker subscriptions continue with no change when you upgrade.

Upgrade Guide 9

Documenting Your Security Policy

CHAPTER 2 Installing the WatchGuard System

Manager Software

Before you can operate a Firebox with WatchGuard® Fireware™ Pro or WFS 7.4, you must install the

WatchGuard System Manager v8.2 upgrade on your management station. If the Firebox® was a DVCP

server, you must move the DVCP server configuration properties to the Management Server. If you com-

pleted these steps and are upgrading to Fireware Pro, you can go to the “Putting Fireware on the Fire-

box” chapter.

In this chapter, we tell how to:

• Document your security policy

• Back up the WFS configuration file and image

• Install WatchGuard System Manager software on a management station

• Migrate your DVCP server from your Firebox to a Management Server

• Set up WatchGuard servers

Documenting Your Security Policy

A good security policy is not just a firewall configuration file. It is a process that a network administrator

documents and that management regularly reviews. Your migration is a good opportunity to examine

your security policy. Because you must make a new configuration file for the Fireware Pro appliance

software, it is a good idea to examine which policies you must have to do business. Use these guide-

lines:

• Each policy you open makes your network less secure

• Policies that allow traffic from the Internet to your network are more dangerous than policies that

allow traffic from your network to the Internet

• To specify source and destination addresses makes a policy more secure

Note

To successfully migrate to WatchGuard Fireware you must start from WFS 7.3 or earlier.

Installing the Software

10 WatchGuard System Manager

Installing the Software

WatchGuard® System Manager 8.0/8.1/8.2 includes many changes to the software. It is important that

you save all of your current settings. In this section, we show you how to:

• Back up the WFS configuration file and image

• Install WatchGuard System Manager software on a management station

You must install all the WatchGuard management software and appliance software before you create a

new configuration.

Installation requirements

Before you install WatchGuard System Manager, make sure that you have these items:

• WatchGuard Firebox security device

• WatchGuard System Manager CD-ROM

• A serial cable (blue)

• Three crossover Ethernet cables (red)

• Three straight Ethernet cables (green)

•Power cable

• LiveSecurity service license key

It is also good to restart your Firebox before you start the upgrade procedure. This clears the RAM com-

ponent and helps to prevent problems during the upgrade.

Software encryption

The management station software is available with two types of encryption.

Base

Uses 40-bit encryption

Strong

Uses 128-bit 3DES encryption

A minimum of 56-bit encryption is necessary for the IPSec standard. To use virtual private networking

with IPSec or PPTP, you must download the strong encryption software.

Strong export limits apply to the strong encryption software. It is possible that it is not available for

download to your region. For more information, log in to the LiveSecurity service and refer to the online

resources at:

https://www.watchguard.com/support/AdvancedFaqs/bovpn_ipsecgrey.asp

Before you install the WatchGuard System Manager v8.2 upgrade, save your current configuration file

and appliance software image.

Upgrade Guide 11

Installing the Software

Saving the configuration file

You can save the configuration file of a Firebox on the Firebox. You can also save it as a file on a local

hard disk drive. Before you install an upgrade, we recommend that you save the configuration file to a

local hard disk drive.

1 From WFS Policy Manager, select File > Save > As File.

2 Type the name of the configuration file. Click Save.

The configuration file has the file extension *.wfg. You can also save this to a network folder.

Saving the Firebox software image

A very important step in the upgrade is to save the Firebox software image. The Firebox keeps this file

on a backup partition of the Firebox flash disk. To create the WFS software backup file:

1 Open Control Center, and connect to the Firebox.

2 Select Tools > Advanced > Flash Disk Management.

3 Select Make Backup of Current Image. Click Continue.

A verification prompt appears. Make sure that the management station can connect to the Firebox Trusted interface

with the network (TCP/IP) or with a modem that uses out-of-band management.

4 Click Ye s .

The Connect To Firebox dialog box appears.

5 From the Firebox drop-down list, select a Firebox or type the IP address used by the management

station to connect to the Firebox. Type the configuration (read/write) passphrase. Click OK.

6 Select a file name for the Firebox backup.

The Enter Encryption Key dialog box appears.

7 Type a key to encrypt the backup file. Click OK.

This makes sure that no one can get sensitive information from the backup file.

8 When the backup is successful, an Operation Complete message appears.

9 Click OK.

It is not necessary to restart the Firebox after this procedure.

Installing the software

With WatchGuard System Manager 8.x, you can have more than one version of the management soft-

ware on one computer. Make sure that you select a different folder name for each installation.

1 Download the WatchGuard System Manager software, if you do not already have it.

Make sure that you write down the name and the path of the file when you save it to your hard disk drive.

Setting Up the Management Server

12 WatchGuard System Manager

2 Open the file and use the instructions on the screens to help you through the installation.

The installation utility includes a screen in which you select the components of the software or the upgrades to install.

A different license is necessary when you install some software components.

3 At the end of the installation wizard, a check box appears that you can select to start the QuickSetup

Wizard. For this upgrade, we recommend that you use the QuickSetup Wizard at this time only if you

do not have VPN tunnels and do not use VPN Manager.

Uninstalling the software

If you decide to remove WatchGuard System Manager from your management station, use Windows

Add or Remove Programs to uninstall.

Note

It is very important to uninstall WatchGuard System Manager using the Windows Add or Remove

Programs tool if you plan to install an earlier version of WatchGuard System Manager after you remove

this version.

To uninstall WatchGuard System Manager:

1 Click Start > Control Panel.

2 Double-click Add or Remove Programs.

3 Select WatchGuard System Manager 8.2 and click Remove.

Use the instructions to complete the procedure.

Setting Up the Management Server

WatchGuard System Manager 8.0/8.1/8.2 has a Management Server Setup Wizard that migrates your

WFS DVCP server configuration to the new WatchGuard Management Server. You start this wizard from

the WatchGuard toolbar in the Windows taskbar.

WatchGuard introduced simple VPN configuration with the Dynamic VPN Configuration Protocol

(DVCP). A DVCP server controls many VPN tunnels with one easy-to-use management interface. A limit

to previous versions of WatchGuard System Manager (WSM) was that you could only use the Firebox® as

a DVCP server.

With WSM 8.2/8.1/8.2, we move the DVCP off the Firebox and on to a computer that uses the Windows

operating system. This makes the Firebox a more scalable and flexible solution for the network adminis-

trator. The Management Server has the same functions as the DVCP server. These functions are:

• Central management of VPN tunnel configurations

• Certificate Authority to make and to send out certificates for IPSec tunnels.

The installation software automatically installs the Management Server on the same computer as the

management station. You can also install it on a different computer. It is a good idea to install the Man-

agement Server software on a computer that is behind a Firebox with a static external IP address. The

Management Server does not operate correctly if it is behind a Firebox with a dynamic IP address on its

external interface.

From the Management Server user interface, you can do these administrative tasks:

• Start and stop the Management Server

• Set Management Server passphrases

• Enter a Management Server license key

• Configure the diagnostic log messages from the Management Server

Upgrade Guide 13

Migrating your DVCP Server from a Firebox to a Management Server

• Set the Certificate Authority properties that include the domain name and publication period

• Start the Certificate Authority user interface

Management Server licenses

You use the VPN Manager license to operate the Management Server. You must have your VPN Manager

license before you can move a DVCP server from a Firebox to a Management Server. You can use a

WatchGuard System Manager license to increase the total number of devices managed by the Manage-

ment Server.

Using the Management Server

You use the Management Server Setup Wizard to configure your Management Server. If you use a Fire-

box as a DVCP server, the wizard also moves the DVCP server features and Certificate Authority from the

Firebox to your Management Server.

1 From the Windows desktop, double-click the Management Server icon in the WatchGuard toolbar..

2 Select Start Service.

If the Management Server has not been configured, then the Management Server Setup Wizard starts

automatically. For information on using this wizard, see the “Configuring and Using the Management

Server” chapter in the WatchGuard System Manager User Guide.

Note

If you change the IP address of the Management Server, you must remove the Management Server

software. Then install the software again.

Migrating your DVCP Server from a Firebox to a Management Server

WatchGuard System Manager 8.2 supplies a wizard that migrates your WFS DVCP server configuration

to the new WatchGuard Management Server. This wizard is known as the Management Server Setup

Wizard and is launched from the WatchGuard toolbar in the Windows taskbar.

This wizard moves your DVCP server from your Firebox to a Windows computer that you designate as

your Management Server. It also converts the Firebox you were using as a DVCP server into a gateway

Firebox that protects the Management Server from the Internet. Finally, it converts any basic DVCP tun-

nels connected to the gateway Firebox into regular tunnels. Basic DVCP tunnels are not supported in

WSM 8.2.

Migrating your DVCP Server from a Firebox to a Management Server

14 WatchGuard System Manager

Note

To do this procedure, the Firebox that you use as a DVCP server must have WatchGuard System Manager

7.3 or earlier appliance software.

The wizard:

• Gets a master encryption key to encrypt the configuration and passphrase files of the

Management Server

• Gets a passphrase to connect to the DVCP server from the management station

• Gets the IP address and configuration passphrase for the Firebox that was used as a DVCP server

•Connects to the Firebox

• Gets the DVCP server configuration file from the Firebox

• Uses this configuration file to find if the Firebox was a basic DVCP server or an advanced DVCP

server

• Changes the “wg_dvcp” and “wg_ca” services of the gateway Firebox, use NAT (network address

translation) to set up on the new Management Server on the management station.

• Saves the changes to the Firebox.

• Starts the Management Server.

If the Firebox was an advanced DVCP server

If the Firebox was an advanced DVCP server, the wizard:

• Uses the configuration properties of the DVCP server to configure the CA on the Management

Server.

• Gets the DVCP configuration file (dvcp.cfg) from the Firebox.

• Uses the DVCP configuration file to set the Management Server license key, policy templates,

security templates, and DVCP clients.

• Removes the DVCP server from the Firebox.

• Removes the DVCP server configuration properties from the Firebox configuration file.

If the Firebox was a basic DVCP server

The wizard converts any basic DVCP tunnels that connect to the gateway Firebox to regular VPN tun-

nels. Basic DVCP tunnels are not supported in WSM 8.0/8.1/8.2.

The Management Server Setup Wizard does not convert all the basic DVCP tunnels that you have in your

network. It only converts the tunnels that use the gateway Firebox as one of the endpoints. Tunnels

without a gateway Firebox endpoint are isolated from the gateway Firebox. If you have basic DVCP tun-

nels in your network that are isolated, you must use one of these two procedures to convert your tun-

nels to WSM 8.0/8.1/8.2.

Procedure #1

To use this procedure, you must disable the tunnels that are isolated before you use the Management

Server Setup Wizard.

1 In Policy Manager, remove the basic DVCP tunnel configuration at each endpoint (Firebox) for the

tunnel.

Do this for each Firebox that is an endpoint for an isolated tunnel.

2 Download the configuration to each Firebox and restart the Firebox.

3 Use the Management Server Setup Wizard to:

• Move your DVCP server to your Management Server

Page is loading ...

Watchguard WSM Upgrade User guide

Brand: Watchguard

Model: WSM Upgrade

Category: Software manuals

Type: User guide

Download PDF

report

Watchguard WSM Upgrade User guide

Watchguard WSM Upgrade User guide

Related papers

Other documents