Watchguard WFS to Fireware Pro Migration User guide

WatchGuard

®

Fireware

™

Pro

Migration Guide

WatchGuard Fireware v8.0

WatchGuard System Manager v8.0

2 WatchGuard Fireware Pro

ADDRESS:

505 Fifth Avenue South

Suite 500

Seattle, WA 98104

SUPPORT:

www.watchguard.com/support

suppor[email protected]

U.S. and Canada +877.232.3531

All Other Countries +1.206.613.0456

SALES:

U.S. and Canada +1.800.734.9905

All Other Countries +1.206.521.8340

ABOUT WATCHGUARD

WatchGuard is a leading provider of network security solutions for small- to mid-

sized enterprises worldwide, delivering integrated products and services that are

robust as well as easy to buy, deploy and manage. The company’s Firebox X family of

expandable integrated security appliances is designed to be fully upgradeable as an

organization grows and to deliver the industry’s best combination of security,

performance, intuitive interface and value. WatchGuard Intelligent Layered Security

architecture protects against emerging threats effectively and efficiently and provides

the flexibility to integrate additional security functionality and services offered

through WatchGuard. Every WatchGuard product comes with an initial LiveSecurity

Service subscription to help customers stay on top of the security landscape with

vulnerability alerts, software updates, expert security instruction and superior

customer care. For more information, please call (206) 521-8340 or visit

www.watchguard.com

.

Notice to Users

Information in this guide is subject to change without notice. Companies, names, and data used in examples

herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any

form or by any means, electronic or mechanical, for any purpose, without the express written permission of

WatchGuard Technologies, Inc.

Copyright, Trademark, and Patent Information

All trademarks or trade names mentioned herein, if any, are the property of their respective owners.

Guide Version: 8.0-050420

Complete copyright, trademark, patent, and licensing informa-

tion can be found in the

WatchGuard System Manager User

Guide

. A copy of this book is automatically installed into a sub-

folder of the installation directory called Documentation. You

can also find it online at:

http://www.watchguard.com/help/documentation/

Migration Guide 3

Contents

CHAPTER 1 Introducing WatchGuard System Manager with Fireware Pro .1

Introducing WatchGuard System Manager 8.0 ........................................1

New WatchGuard System Manager features .............................................1

Enhancements to WFS appliance software ...............................................2

WatchGuard Ser vers ...........................................................................2

What is Fireware Pro? ...........................................................................2

Using Fireware appliance software tools ..................................................3

What’s New with WatchGuard System Manager? .....................................3

Enhancements to WFS appliance software ...............................................4

WatchGuard Ser vers ...........................................................................4

Comparing WFS and Fireware Pro ..........................................................5

Appliance Software Feature Matrix .........................................................5

Planning Your Migration ........................................................................8

CHAPTER 2 Installing the WatchGuard System Manager Software .........11

Documenting Your Security Policy ........................................................11

Installing the management station software .........................................11

Installation requirements ...................................................................12

Installation requirements ...................................................................13

Installing the software .......................................................................14

Setting Up the Management Server .....................................................14

Passwords and the Key Files ...............................................................15

Migrating Basic DVCP Tunnels while setting up a Management Server ....16

Procedure #1 ...................................................................................16

Procedure #2 ...................................................................................16

Viewing the network with WatchGuard System Manager ...........................17

Upgrade appliance software to WFS 7.4 ................................................18

Setting Up the Log Server ...................................................................19

4 WatchGuard Fireware Pro

Introducing the new Log Viewer ...........................................................19

Merging log files from WFS 7.3 and before into the new XML format ...........20

Setting Up the WebBlocker Server .......................................................20

CHAPTER 3 Putting Fireware on the Firebox ...........................................23

Using the Quick Setup Wizard .............................................................23

Connecting to the Firebox ...................................................................31

Using fbxinstall.exe ............................................................................33

Restoring a Backup Image ..................................................................33

Upgrading to Fireware Pro ..................................................................33

CHAPTER 4 Making a Fireware Configuration .........................................35

Basic Configuration Properties ............................................................36

Connecting to a Firebox with Fireware Pro .............................................36

Working with Interfaces .....................................................................36

Configuring your Network ...................................................................38

DHCP Server ...................................................................................39

Intrusion Prevention/Default Packet Handling ......................................41

Blocked Sites ...................................................................................41

Network Address Translation (NAT) ......................................................43

Logging ..........................................................................................44

Firewall Authentication .......................................................................45

Virtual Private Networking ...................................................................46

Firebox Managed Clients ....................................................................46

Remote User ...................................................................................46

Mobile User VPN ...............................................................................46

Gateways ........................................................................................47

Tunnels ...........................................................................................48

IPSec Routing Policies .......................................................................48

Services ............................................................................................50

Service-based NAT ............................................................................50

CHAPTER 5 Working with Proxies ...........................................................53

Proxy Migration ..................................................................................53

Configuring the HTTP Proxy .................................................................55

Configuring the Incoming SMTP Proxy ..................................................62

Clone the SMTP-Incoming Proxy Action ..................................................62

Outgoing SMTP ..................................................................................66

Clone the SMTP Outgoing proxy action ..................................................66

FTP Proxy ..........................................................................................69

Clone the FTP-Client or FTP-Server proxy action. ......................................70

Migration Guide 1

Introducing WatchGuard System Manager 8.0

CHAPTER 1 Introducing WatchGuard System

Manager with Fireware Pro

Introducing WatchGuard System Manager 8.0

WatchGuard® System Manager (WSM) 8.0 is an important software release for WatchGuard customers.

This release introduces our next-generation, Fireware™ Pro appliance software. It also enhances the cur-

rent WSM management software. With WSM 8.0, you can manage Firebox® X Edge, Firebox III, Firebox X

Core, and Firebox X Peak devices at the same time from the same management station. With Fireware Pro

appliance software on a Firebox X Core or Peak, you can use advanced network features such as dynamic

routing and a feature-rich IPS.

This document introduces the features of WatchGuard System Manager 8.0. It also shows you how to:

• Install the software

• Configure WatchGuard servers

• Move your DVCP server from a Firebox to the Management Server

New WatchGuard System Manager features

We made the VPN Manager Device view the default view for all the Firebox devices, log servers, and Man-

agement Servers in your network. From WatchGuard System Manager, you can start monitor and config-

uration tools such as Policy Manager, HostWatch, and the Firebox System Manager.

WatchGuard System Manager also includes:

• Simple management of a network with more than one WatchGuard hardware platform:

- Firebox III

-Firebox X Core

- Firebox X Edge (VPN management only)

-Firebox X Peak

- Firebox SOHO6 and Firebox SOHO6 Wireless (VPN management only)

- Firebox S6 and Firebox S6 Wireless (VPN management only)

• A Management Server that operates on a Windows server instead of on a gateway Firebox. This

solution is more scalable and flexible and lets you easily set up a large network with many offices

and VPN tunnels.

• Support for SNMP to monitor important device statistics. You can also transmit SNMP traps to

SNMP servers.

What is Fireware Pro?

2 WatchGuard Fireware Pro

• Log messages in XML format.

New features introduced with Fireware Pro

The Fireware Pro appliance software improves WatchGuard's ability to supply new features on the same

hardware platform. Fireware Pro is available for all Firebox® X Core and Firebox X Peak devices. It is an

upgrade for the Firebox X Core model line. Features of Fireware Pro include:

• Enhancements to the Gateway AntiVirus service such as a feature to examine outgoing messages,

lock attachments with suspicious content, and better reports

• Interface independence

• Signature-based intrusion prevention with stateful signature matching

• Multi-WAN for more flexibility and network connection time

• Dynamic routing of these protocols: BGP, OSPF, RIPv1 and v2

• Quality of Service (QoS) which uses “virtual pipes” to regulate the traffic to align with your

business requirements

• Active Directory and LDAP integration

• Enhanced policy management interface for support of Fireware Pro features, and more granular

control of your security policy

Enhancements to WFS appliance software

The WatchGuard System Manager 8.0 includes WFS 7.4 appliance software. This version has two impor-

tant features.

• WSM 8.0 uses a Management Server that operates on a Windows server instead of on a gateway

Firebox. This allows for much more scalability and flexibility when you set up a large network with

many locations.

• The Log Server keeps log messages in an XML format.

WatchGuard Servers

There are three servers in this release that do Firebox management functions:

• Management server

• Log server

• WebBlocker server

You can configure the servers from a Windows toolbar which you install with the servers. The toolbar

appears in the Windows taskbar at the bottom of your computer monitor. The toolbar is used to start,

stop, and configure each server.

What is Fireware Pro?

Fireware™ Pro is the next generation of security appliance software available from WatchGuard. Appliance

software is a software application stored in the memory of your firewall appliance. The Firebox uses the

appliance software with the configuration file to operate. When you install an upgrade on your Firebox®

X Core or Firebox X Peak device, you write a new version of the appliance software to its memory.

The WatchGuard® System Manager now supports two versions of appliance software:

• WFS - This is the default appliance software on Firebox III and Firebox X Core appliances. This is an

enhanced version of the appliance software successfully used by WatchGuard customers since

1998. WatchGuard System Manager v8.0 includes WFS v7.4.

Migration Guide 3

What’s New with WatchGuard System Manager?

• Fireware Pro - This is the default appliance software on Firebox X Peak appliances. This next

generation appliance software enables WatchGuard to expand the number of features available to

Firebox X customers. Advanced network features like multi-WAN support, dynamic routing, and

QoS enable customers with complex networks to more effectively protect their networks, while

simultaneously benefiting from WatchGuard’s proactive Deep Application Inspection capabilities.

Using Fireware appliance software tools

When you install WatchGuard System Manager, it automatically installs the software tools you must have

to configure and manage a Firebox X Core or Firebox X Peak with Fireware Pro appliance software. These

include:

• Fireware Firebox System Manager

• Fireware Policy Manager

• Fireware HostWatch

When you add a device to the WatchGuard System Manager Devices tab, the system identifies which

appliance software the Firebox uses. If you select a Firebox, then click a management tool icon, it auto-

matically starts the correct management tool for the version of appliance software installed on that Fire-

box.

For example, add a Firebox X5000 to the Devices tab using the instructions found in the WatchGuard

System Manager User Guide. Select the Firebox X5000. Click the Policy Manager icon on the WSM tool-

bar. Fireware Policy Manager starts and opens the configuration file.

What’s New with WatchGuard System Manager?

With this release, there are many changes to the WatchGuard® System Manager — some large and some

small. In this section we tell you the most important enhancements.

New WatchGuard System Manager features

We made the VPN Manager the primary management software for all the Firebox devices, log servers, and

management servers in your network. It is now known as the WatchGuard System Manager. From Watch-

Guard System Manager, you can start monitoring and configuration tools such as Policy Manager, Host-

Watch, and the Firebox System Manager.

WatchGuard System Manager also includes:

• Simple management of a network with more than one WatchGuard hardware platforms:

- Firebox III

-Firebox X Core

- Firebox X Edge and Firebox X Edge Wireless

-Firebox X Peak

- Firebox SOHO6 and Firebox SOHO6 Wireless

- Firebox S6 and Firebox S6 Wireless

• A Management Server that operates on a Windows server instead of on a gateway Firebox. This

solution is more scalable and flexible and lets you easily set up a large network with many offices

and VPN tunnels.

• A feature that allows you to use SNMP to monitor important device statistics. You can also

transmit SNMP traps to SNMP servers.

• Log messages stored in an XML format.

What’s New with WatchGuard System Manager?

4 WatchGuard Fireware Pro

New features introduced with Fireware Pro

The Fireware Pro appliance software improves WatchGuard’s ability to supply new features on the same

hardware platform. Fireware Pro is available as an upgrade to the WatchGuard System Manager. Contact

your reseller or browse to the WatchGuard Web site for more information. Features new to this release

include:

• Enhancements to the Gateway AntiVirus service such as a feature to examine outgoing messages,

to lock attachments with suspicious content and better reports

• Interface independence

• Signature-based intrusion prevention with stateful signature matching

• Multi-WAN for more flexibility and network connection time

• Dynamic routing of these protocols: BGP, OSPF, RIPv1 and v2

• Quality of Service (QoS) which uses “virtual pipes” to route the traffic to align with your business

requirements

• Active Directory and LDAP integration

• Application Server Load Sharing and enhanced policy management interface for advanced controls

and more granular control of your security policy

Enhancements to WFS appliance software

The WatchGuard System Manager v8.0 includes WFS v7.4 appliance software. This version has two

important features.

• WSM 8.0 uses a Management Server that operates on a Windows server rather than a gateway

Firebox. This allows for much more scalability and flexibility when you set up a large, distributed

network.

• You can now use Remote User VPN with PPTP and Mobile User VPN to a Firebox that gets its

external IP address from an ISP, which uses static DHCP or static PPPoE.

WatchGuard Servers

There are three servers in this release that do Firebox management tasks:

• Management server

• Log server

• WebBlocker server

You can configure the servers from a Windows toolbar which you install with the servers. The toolbar

appears in the Windows taskbar at the bottom of your computer monitor. The toolbar is used to start,

stop, and configure each server.

Migration Guide 5

Comparing WFS and Fireware Pro

Management Server

WatchGuard pioneered simple, 1*2*3 VPN configuration with the Dynamic VPN Configuration Protocol

(DVCP). A DVCP server controls the VPN tunnels of a distributed enterprise from one, easy to use man-

agement interface. A limit to earlier versions of WSM was that you could only use the Firebox as a DVCP

server.

With WSM 8.0, we move the DVCP off the Firebox and on to a computer using the Windows operating

system. This gives increased scalability and flexibility for the network administrator. The management

server has the same functions as the DVCP/CA server from previous releases of WSM. These functions are:

• Centralized management of VPN tunnel configurations

• Certificate authority for distributing certificates for IPSec tunnels

Log Server

The Log Server collects log messages, event messages, alarms, and diagnostic messages from one or more

Firebox devices. The log messages are now kept in an *.xml format. This allows you to use third-party

XML tools to create your own custom reports. The Log Server was formerly known as the WatchGuard

Security Event Processor (WSEP).

WebBlocker Server

The WebBlocker server operates with an HTTP Proxy policy to prevent users from browsing to specified

Web sites. You set the categories of permitted Web sites during Firebox configuration. The HTTP Proxy on

the Firebox then uses information on the WebBlocker server to find out if a Web site is in a restricted cat-

egory.

Comparing WFS and Fireware Pro

Many of the tools and features you use in WFS are also in Fireware Pro. Some are enhanced with more

settings or improvements in the methods used to configure and enable them. We also added features

such as dynamic routing, multi-WAN support, and a signature-based intrusion prevention system. At the

same time, we did not move all of the WFS appliance software features into Fireware Pro.

This table is a summary of the features in each type of appliance software.

Appliance Software Feature Matrix

There are significant differences between the WFS appliance software and the new Fireware Pro appliance

software. A summary of these differences is below. When both appliance software packages include a fea-

ture but Fireware implementation is different from WFS, we include more information in the last column.

Feature or Functional Area WFS Fireware Notes on Fireware Implementation

Upgradeable Model Upgradeable Ye s Ye s

Networking

Features

Port Independence No Ye s

Secondary IP Address Ye s Ye s

Traffic Management/

QoS

No Ye s

MultiWAN No Ye s

WAN Failover No Ye s

WAN Load Sharing No Ye s

Comparing WFS and Fireware Pro

6 WatchGuard Fireware Pro

Dynamic Routing No Ye s The user interface is similar to the

Firebox VController management

software.

Secondary Networks Ye s Ye s You can not configure secondary

networks and external aliases when you

use a dynamic IP address for the

external interface.

DHCP Client Ye s Ye s Ye s

DHCP Server Ye s Ye s

Drop-In Mode Ye s No

High

Availability

Active/Standby Option Included

Application

Layer Filtering

HTTP Inbound No Ye s Fireware includes substantial feature

enhancements.

HTTP Outbound Ye s Ye s

WebBlocker Ye s Ye s

SMTP Inbound Ye s Ye s Fireware includes substantial feature

enhancements.

SMTP Outbound Ye s Ye s

FTP Inbound Ye s Ye s Fireware includes substantial feature

enhancements. It does not, however,

proxy the data channel.

FTP Outbound Ye s Ye s

DNS Ye s Ye s There are more configuration options.

Outgoing (TCP) Ye s Ye s

Firewall Based IPS

(protocol anomaly detection)

Ye s Ye s Fireware protocol anomaly detection

includes substantial feature

enhancements.

Signature Based IPS No Ye s This new feature is available in

Fireware.

Authentication Radius Ye s Ye s You can not use the Policy Manager to

download the list of users and groups.

LDAP/

Active Directory

No Ye s You can not use the Policy Manager to

download the list of users and groups.

Windows 2000/2003 Ye s No

Firebox Ye s Ye s

Authentication Web

page for other

authentication

Ye s Ye s

VPN PPTP Ye s Ye s You can only have one PPTP client type

behind any NAT device.

PPTP with Radius

authentication

Ye s Ye s

MUVPN Ye s Ye s External authentication is the only

supported authentication mechanism for

MUVPN. Fireware uses the same

MUVPN client software as WFS.

BOVPN Ye s Ye s There is no auto-start for VPN tunnels.

There is also no DNS resolution in IKE.

Feature or Functional Area WFS Fireware Notes on Fireware Implementation

Migration Guide 7

Comparing WFS and Fireware Pro

AES Encryption No

Yes

Fireware enables the hardware based

AES encryption chip.

IPSec Pass Through Ye s Ye s This feature is off in the default

configuration. To configure IPSec Pass

Through, you must enable the global

setting then create an IPSec policy to

allow the traffic.

NAT-Traversal

(UDP encapsulation of IPSec)

Ye s Ye s This feature is on in the default

configuration.

Management Central management

interface

No Ye s You can start all management tools from

the WatchGuard System Manager.

Manage more than

one device

Ye s Ye s Use the WatchGuard System Manager

to manage one or more devices.

Certificate Authority Ye s

Yes

Certificate Authority moves from the

Firebox to a Windows computer.

Drag and drop VPN

setup for WatchGuard

appliances

Ye s Ye s Available for these models: Firebox

SOHO6, Firebox III, Firebox X Edge,

Firebox X Core, and Firebox X Peak.

Management Server No Ye s This is new feature is available with

WSM v8.0.

SSL/CSKT Gateway

(Firebox SOHO6 and Firebox X

Edge management)

Ye s Ye s

Basic DVCP Ye s No If you currently use Basic DVCP, you

must use the Management Server Setup

Wizard to migrate your tunnels to the

Management Server.

Monitoring

Tools

Firebox System

Manager

Ye s Ye s Only active VPN tunnels appear in the

list on the Front Panel tab.

HostWatch Yes Ye s HostWatch no longer supports WFS log

file playback.

Policy

Management

Policy Manager Ye s Ye s There are many enhancements to the

Fireware Policy Manager.

Policies Ye s Ye s Services are now known as policies.

Firewall Policies Ye s Ye s Because of port independence, we

replaced “incoming/outgoing” with

“from/to”.

Policy Management Ye s Ye s The Any service no longer has the

highest priority. Firewall policies no

longer affect the IPSec policies.

BOVPN Setup Ye s Ye s There is a new interface design which

enables you to clearly identify policies

used for VPN traffic.

MUVPN

Configuration Wizard

Ye s Ye s

Tunnel Setup Yes Ye s

PPTP Setup Ye s Ye s

Customer ordered

policies

No Ye s

Feature or Functional Area WFS Fireware Notes on Fireware Implementation

Planning Your Migration

8 WatchGuard Fireware Pro

Planning Your Migration

As with any major software migration, a well-designed plan for your upgrade from WFS to Fireware™ Pro

can decrease the effect on your users, improve your experience, and make sure a secure installation of the

new product features. If possible, we recommend that you do this migration in a network lab as an alter-

native to your production network. You can also do this migration during non-operational hours when a

short time with no connection to the Internet does not harm your business.

The length of the migration depends upon the complexity of your network and of your current Firebox®

configuration. The software installation and Fireware Pro installation should take no more than 30 min-

utes. However, the time necessary to migrate your DVCP server to the Management Station and to create

your new Fireware Pro configuration varies based on the number of tunnels and policies you have. We

recommend that you set aside up to eight hours.

Auto-policy ordering Ye s Ye s

1:1 NAT Ye s Ye s

Dynamic NAT Ye s Ye s

Static NAT Ye s Ye s When you apply static NAT on an

external interface, the Firebox uses NAT

from all external addresses instead of

just the primary one. If you make a

secondary network on the external

network and an alias on external and

make a static-NAT in a service to NAT

“external” to a server on trusted

(external-<internal server>), the

Firebox NATs ALL external addresses,

including the alias and the secondary

network IP.

Logging Log Server Ye s Ye s The WSM log server now keeps files in

an XML format.

XML Log Format No Ye s Fireware natively generates log

messages in an XML format.

LogViewer Ye s Ye s

Message Text Ye s New All log messages are new with Fireware.

For more information, see the

Reference

Guide

.

Reporting Historical Reports Ye s Ye s WSM v8.0 includes five new reports and

support for XML log files.

Options SpamScreen Ye s No

WebBlocker Ye s Ye s Fireware uses the same database as

WFS.

Gateway AntiVirus for

E-mail

Ye s Ye s

Signature Based IPS No Ye s This new feature is available in Fireware

Common Criteria CLI No Ye s This new feature is only available in

Common Criteria mode.

Feature or Functional Area WFS Fireware Notes on Fireware Implementation

Migration Guide 9

Planning Your Migration

This Migration Guide supplies detailed instructions to successfully migrate from WFS to Fireware Pro.

These include steps to:

• Document your current WFS configuration

• Backup your current WFS configuration

• Install WatchGuard System Manager on the management station

• Configure the Management Server and migrate your DVCP server(s)

• Configure the Log Server

• Configure the WebBlocker Server and download the database

• Install Fireware Pro on the device

• Open WSM and connect to the Firebox

• Open Fireware Policy Manager

- Make the changes in Fireware Policy Manager that reflect the WFS configuration

- Network configuration

- NAT settings

- Service configurations

- Create and test VPN tunnels as necessary

• Deploy the Firebox and test the Fireware configuration

Planning Your Migration

10 WatchGuard Fireware Pro

Fireware Configuration Guide 11

Documenting Your Security Policy

CHAPTER 2 Installing the WatchGuard System

Manager Software

Before you can operate a Firebox with WatchGuard® Fireware™ Pro, you must install the WatchGuard Sys-

tem Manager v8.0 upgrade on your management station. If the Firebox® was a DVCP server, you must

move the configuration properties to the Management Server. If you completed these steps, you can go to

Chapter 3, “Putting Fireware on the Firebox”.

In this chapter, we tell how to:

• Document your security policy

• Back up the WFS configuration file and image

• Install WatchGuard System Manager software on a management station

• Set up WatchGuard servers

Documenting Your Security Policy

A good security policy is not just a firewall configuration file. It is a process which a network administra-

tor documents and which management regularly reviews. Your Fireware Pro migration is a good opportu-

nity to revisit your security policy. Because you must make a new configuration file for the Fireware Pro

appliance software, you should examine which policies you need to do business. Use these guidelines:

• Each policy you open makes your network less secure

• Polices from the Internet into your network are more dangerous than policies from your network

out to the Internet

• Adding specific source and destination addresses makes a policy more secure

Note

To successfully migrate to WatchGuard Fireware you must begin from WFS 7.3.

Installing the management station software

WatchGuard® System Manager 8.0 is an important release with many changes to the software. It is

important that you save all of your current settings. In this section, we show how to:

Installing the management station software

12 WatchGuard Fireware Pro

• Back up the WFS configuration file and image

• Install WatchGuard System Manager software on a management station

You must install all the WatchGuard management software and appliance software before you create a

new configuration.

Installation requirements

Before you install WatchGuard System Manager, make sure that you have these items:

• WatchGuard Firebox security device

• WatchGuard System Manager CD-ROM

• A serial cable (blue)

• Three crossover Ethernet cables (red)

• Three straight Ethernet cables (green)

• Power cable

• LiveSecurity service license key

It is also good to restart your Firebox before you start the upgrade procedure. This clears the RAM compo-

nent and helps to prevent problems during the upgrade.

Software encryption

The management station software is available with three types of encryption.

Base

Uses 40-bit encryption

Medium

Uses 56-bit DES encryption

Strong

Uses 128-bit 3DES encryption

A minimum of 56-bit encryption is necessary for the IPSec standard. To use virtual private networking

with IPSec or PPTP, you must download the strong encryption software.

Strong export limits apply to the strong encryption software. It is possible that it is not available for

download. For more information, log in to the LiveSecurity service and refer to the online resources at:

https://www.watchguard.com/support/AdvancedFaqs/bovpn_ipsecgrey.asp

Before you install the WatchGuard System Manager v8.0 upgrade, save your current configuration file and

appliance software image.

Fireware Configuration Guide 13

Installing the management station software

Saving the configuration file

You can save the configuration file of a Firebox on the device. You can also save it as a file on a local hard

disk drive. Before you install an upgrade, we recommend that you save the configuration file to a local

hard disk drive.

1 From WFS Policy Manager, select File > Save > As File.

2 Type the name of the configuration file. Click Save.

The configuration file has the file extension *.wfg. You can also save this to a network folder.

Saving the appliance software image

A very important step in the upgrade is to save the appliance software image. The Firebox keeps this file

on a backup partition of the Firebox flash disk. To create the WFS backup file:

1 Open Control Center, and connect to the Firebox.

2 Select Tools > Advanced > Flash Disk Management.

3 Select Make Backup of Current Image. Click Continue.

A verification prompt appears. Verify that the Management Station connects to the Firebox Trusted interface

either over the network (TCP/IP) or via a modem using out-of-band management.

4 Click Yes.

The Connect To Firebox dialog box appears.

5 Use the Firebox drop list to select a Firebox or type the IP address used by the Management Station

to communicate with the Firebox. Enter the configuration (read/write) passphrase. Click OK.

6 Select a file name for the Firebox backup.

The Enter Encryption Key dialog box appears.

7 Enter a key for encrypting the backup file. Click OK.

This ensures that no one can obtain sensitive information from the backup file.

8 When the backup is successful, an Operation Complete alert appears.

9 Click OK.

You do not need to reboot the Firebox.

Installation requirements

Before you install WatchGuard System Manager, make sure that you have these items:

• WatchGuard Firebox appliance

• WatchGuard System Manager installation software

• A serial cable (blue)

• Three crossover Ethernet cables (red)

Setting Up the Management Server

14 WatchGuard Fireware Pro

• Three straight Ethernet cables (green)

• Power cable

• LiveSecurity service license key

It is also good to restart your Firebox before you start the upgrade procedure. This clears the RAM compo-

nent and helps to prevent problems during the upgrade.

Software encryption

The management station software is available with two types of encryption.

Base

Uses 40-bit encryption

Strong

Uses 128-bit 3DES encryption

To use virtual private networking with IPSec or PPTP, you must download the strong encryption software.

Strong export limits apply to the strong encryption software. It is possible that it is not available for

download. For more information, log in to the LiveSecurity service and refer to the online resources at:

https://www.watchguard.com/support/AdvancedFaqs/bovpn_ipsecgrey.asp

Installing the software

With WatchGuard System Manager 8.0, you can have more than one version of the management software

on one computer. Make sure that you select a different folder name for each installation.

1 If it is necessary, download the WatchGuard System Manager software.

Make sure that you write down the name and the path of the file when you save it to your hard disk drive.

2 Open the file and use the instructions on the screens to help you through the installation.

The installation utility includes a screen in which you select the components of the software or the upgrades to

install. A different license is necessary when you install some software components.

3 At the end of the installation wizard, a check box appears that you can select to start the QuickSetup

Wizard. For this upgrade, we recommend that you use the QuickSetup Wizard at this time only if you

do not have VPN tunnels and do not use VPN Manager.

Setting Up the Management Server

WatchGuard® pioneered simple, 1*2*3 VPN configuration with the Dynamic VPN Configuration Protocol

(DVCP). A DVCP server controls the VPN tunnels of a distributed enterprise from one, easy to use man-

agement interface. A limit to earlier versions of WatchGuard System Manager (WSM) was that you could

only use the Firebox® as a DVCP server.

With WSM 8.0, we move the DVCP off the Firebox and on to a computer which uses the Windows oper-

ating system. This gives increased scalability and flexibility for the network administrator. The Manage-

ment Server has the same functions as the DVCP server from previous releases of WSM. These functions

are:

• Centralized management of VPN tunnel configurations

• Certificate Authority to make and to send out certificates for IPSec tunnels.

The installation software automatically installs the Management Server on the same computer as the

management station. You can also install it on a different computer. You must install the Management

Server software on a computer that is behind a Firebox with a static external IP address. The Management

Server does not operate correctly if it is behind a Firebox with a dynamic IP address on its external inter-

face.

Fireware Configuration Guide 15

Setting Up the Management Server

Management Server tasks include:

• Start and stop the Management Server

• Set Management Server passphrases

• Enter a Management Server license key

• Configure diagnostic log messages from the Management Server

• Set the Certificate Authority properties such as domain name and publication period

• Start the Certificate Authority user interface

Passwords and the Key Files

The WatchGuard Management Server encrypts important information that it keeps on the Firebox and on

your local hard disk drive. It uses a number of passwords to protect sensitive information stored on disk or

to secure traffic with client systems. During configuration, you set two passwords and the system creates

system passwords:

• Master password — The Management Server uses the master password to encrypt the password file.

This protects all of the other passwords. Select and save the master password carefully and safely. Use

best practices when you select the password. Do not use the same string for the master password and

the administrator password. It is necessary to use the master password to:

- Move the Management Server data to a different computer

- Restore a lost or damaged master key file

- Change the master password

• Administrative password — You use the administrative password to connect to the WatchGuard

System Manager software. You use this password frequently. Use best practices when you select the

password.

• System passwords — The Management Server automatically makes other passwords. It uses these

passwords to encrypt files, traffic on VPN tunnels, and for the Certificate Authority private keys. You

cannot see these passwords with the user interface.

Using the Management Server

You use the Management Server Setup Wizard to configure your Management Server. If you use a Firebox

as a DVCP server, the wizard also moves the DVCP server features and Certificate Authority from the Fire-

box to your Management Server.

1 From the Windows desktop, double-click the Management Server icon on the WatchGuard toolbar.

The Management Server Setup Wizard appears.

2Select Start Service.

If the Management Server has not been configured, then the Management Server Setup Wizard starts

automatically. The wizard goes through these steps:

Migrating Basic DVCP Tunnels while setting up a Management Server

16 WatchGuard Fireware Pro

Note

If you change the IP address of the Management Server, you must remove the Management Server

software. Then install the software again.

Migrating Basic DVCP Tunnels while setting up a Management Server

WatchGuard System Manager 8.0 provides a wizard that migrates your WFS DVCP server configuration to

the new WatchGuard management server. This wizard is called the Management Server Setup Wizard and

is launched from the WatchGuard toolbar in the Windows taskbar.

This wizard moves your DVCP server from your Firebox to a Windows based computer that you designate

as your management server. It also converts the Firebox you were using as a DVCP server into a gateway

Firebox that protects the management server from the Internet. Finally, it converts any basic DVCP tun-

nels connected to the gateway Firebox into regular tunnels. Basic DVCP tunnels are not supported in

WSM 8.0.

However, the Management Server Setup Wizard is not able to convert all the basic DVCP tunnels that you

have in your network. It only converts the tunnels that use the gateway Firebox as one of the endpoints.

These tunnels are isolated from the gateway Firebox. If you have any isolated basic DVCP tunnels in your

network, you need to use one of these two procedures to convert your tunnels so they are managed by

WSM 8.0.

Procedure #1

This workaround requires you to disable any isolated basic DVCP tunnels before using the Management

Server Setup Wizard.

1 Using the Policy Manager, remove the basic DVCP tunnel configuration at each endpoint (Firebox) for

the tunnel.

Do this for each Firebox that is an endpoint for an isolated tunnel.

2 Download the configuration to each Firebox and restart the Firebox.

3 Use the Management Server Setup Wizard to:

• Move your DVCP server to your management server

• Convert your old DVCP server into a gateway Firebox

• Convert any Basic DVCP tunnels connected to the gateway Firebox to regular tunnels

4 Reestablish previously disabled tunnels.

5 Launch WatchGuard System Manager

6 Add each endpoint Firebox to the management server

7 Drag-n-drop a Firebox onto another Firebox to create a tunnel between the two firewalls.

8 Do this for each tunnel that needs to be reestablished.

Procedure

#2

This workaround allows you to minimize the downtime for your isolated Basic DVCP tunnels.

1 Acquire a VPN Manager license key with enough capacity to convert all of your Basic DVCP tunnels

to Advanced DVCP tunnels.

2 Install the license key into VPN Manager.

3 Use VPN Manager to convert all your Basic DVCP tunnels to Advanced DVCP tunnels.

Page is loading ...

Watchguard WFS to Fireware Pro Migration User guide

Watchguard WFS to Fireware Pro Migration User guide

Related papers

Other documents