Watchguard WFS to Fireware Pro Migration User guide

Type
User guide
WatchGuard
®
Fireware
Pro
Migration Guide
WatchGuard Fireware v8.0
WatchGuard System Manager v8.0
2 WatchGuard Fireware Pro
ADDRESS:
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
SUPPORT:
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456
SALES:
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.521.8340
ABOUT WATCHGUARD
WatchGuard is a leading provider of network security solutions for small- to mid-
sized enterprises worldwide, delivering integrated products and services that are
robust as well as easy to buy, deploy and manage. The company’s Firebox X family of
expandable integrated security appliances is designed to be fully upgradeable as an
organization grows and to deliver the industry’s best combination of security,
performance, intuitive interface and value. WatchGuard Intelligent Layered Security
architecture protects against emerging threats effectively and efficiently and provides
the flexibility to integrate additional security functionality and services offered
through WatchGuard. Every WatchGuard product comes with an initial LiveSecurity
Service subscription to help customers stay on top of the security landscape with
vulnerability alerts, software updates, expert security instruction and superior
customer care. For more information, please call (206) 521-8340 or visit
www.watchguard.com
.
Notice to Users
Information in this guide is subject to change without notice. Companies, names, and data used in examples
herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any
form or by any means, electronic or mechanical, for any purpose, without the express written permission of
WatchGuard Technologies, Inc.
Copyright, Trademark, and Patent Information
Copyright© 1998 - 2005 WatchGuard Technologies, Inc. All rights reserved.
All trademarks or trade names mentioned herein, if any, are the property of their respective owners.
Guide Version: 8.0-050420
Complete copyright, trademark, patent, and licensing informa-
tion can be found in the
WatchGuard System Manager User
Guide
. A copy of this book is automatically installed into a sub-
folder of the installation directory called Documentation. You
can also find it online at:
http://www.watchguard.com/help/documentation/
Migration Guide 3
Contents
CHAPTER 1 Introducing WatchGuard System Manager with Fireware Pro .1
Introducing WatchGuard System Manager 8.0 ........................................1
New WatchGuard System Manager features .............................................1
Enhancements to WFS appliance software ...............................................2
WatchGuard Ser vers ...........................................................................2
What is Fireware Pro? ...........................................................................2
Using Fireware appliance software tools ..................................................3
What’s New with WatchGuard System Manager? .....................................3
Enhancements to WFS appliance software ...............................................4
WatchGuard Ser vers ...........................................................................4
Comparing WFS and Fireware Pro ..........................................................5
Appliance Software Feature Matrix .........................................................5
Planning Your Migration ........................................................................8
CHAPTER 2 Installing the WatchGuard System Manager Software .........11
Documenting Your Security Policy ........................................................11
Installing the management station software .........................................11
Installation requirements ...................................................................12
Installation requirements ...................................................................13
Installing the software .......................................................................14
Setting Up the Management Server .....................................................14
Passwords and the Key Files ...............................................................15
Migrating Basic DVCP Tunnels while setting up a Management Server ....16
Procedure #1 ...................................................................................16
Procedure #2 ...................................................................................16
Viewing the network with WatchGuard System Manager ...........................17
Upgrade appliance software to WFS 7.4 ................................................18
Setting Up the Log Server ...................................................................19
4 WatchGuard Fireware Pro
Introducing the new Log Viewer ...........................................................19
Merging log files from WFS 7.3 and before into the new XML format ...........20
Setting Up the WebBlocker Server .......................................................20
CHAPTER 3 Putting Fireware on the Firebox ...........................................23
Using the Quick Setup Wizard .............................................................23
Connecting to the Firebox ...................................................................31
Using fbxinstall.exe ............................................................................33
Restoring a Backup Image ..................................................................33
Upgrading to Fireware Pro ..................................................................33
CHAPTER 4 Making a Fireware Configuration .........................................35
Basic Configuration Properties ............................................................36
Connecting to a Firebox with Fireware Pro .............................................36
Working with Interfaces .....................................................................36
Configuring your Network ...................................................................38
DHCP Server ...................................................................................39
Intrusion Prevention/Default Packet Handling ......................................41
Blocked Sites ...................................................................................41
Network Address Translation (NAT) ......................................................43
Logging ..........................................................................................44
Firewall Authentication .......................................................................45
Virtual Private Networking ...................................................................46
Firebox Managed Clients ....................................................................46
Remote User ...................................................................................46
Mobile User VPN ...............................................................................46
Gateways ........................................................................................47
Tunnels ...........................................................................................48
IPSec Routing Policies .......................................................................48
Services ............................................................................................50
Service-based NAT ............................................................................50
CHAPTER 5 Working with Proxies ...........................................................53
Proxy Migration ..................................................................................53
Configuring the HTTP Proxy .................................................................55
Configuring the Incoming SMTP Proxy ..................................................62
Clone the SMTP-Incoming Proxy Action ..................................................62
Outgoing SMTP ..................................................................................66
Clone the SMTP Outgoing proxy action ..................................................66
FTP Proxy ..........................................................................................69
Clone the FTP-Client or FTP-Server proxy action. ......................................70
Migration Guide 1
Introducing WatchGuard System Manager 8.0
CHAPTER 1 Introducing WatchGuard System
Manager with Fireware Pro
Introducing WatchGuard System Manager 8.0
WatchGuard® System Manager (WSM) 8.0 is an important software release for WatchGuard customers.
This release introduces our next-generation, Fireware™ Pro appliance software. It also enhances the cur-
rent WSM management software. With WSM 8.0, you can manage Firebox® X Edge, Firebox III, Firebox X
Core, and Firebox X Peak devices at the same time from the same management station. With Fireware Pro
appliance software on a Firebox X Core or Peak, you can use advanced network features such as dynamic
routing and a feature-rich IPS.
This document introduces the features of WatchGuard System Manager 8.0. It also shows you how to:
Install the software
Configure WatchGuard servers
Move your DVCP server from a Firebox to the Management Server
New WatchGuard System Manager features
We made the VPN Manager Device view the default view for all the Firebox devices, log servers, and Man-
agement Servers in your network. From WatchGuard System Manager, you can start monitor and config-
uration tools such as Policy Manager, HostWatch, and the Firebox System Manager.
WatchGuard System Manager also includes:
Simple management of a network with more than one WatchGuard hardware platform:
- Firebox III
-Firebox X Core
- Firebox X Edge (VPN management only)
-Firebox X Peak
- Firebox SOHO6 and Firebox SOHO6 Wireless (VPN management only)
- Firebox S6 and Firebox S6 Wireless (VPN management only)
A Management Server that operates on a Windows server instead of on a gateway Firebox. This
solution is more scalable and flexible and lets you easily set up a large network with many offices
and VPN tunnels.
Support for SNMP to monitor important device statistics. You can also transmit SNMP traps to
SNMP servers.
What is Fireware Pro?
2 WatchGuard Fireware Pro
Log messages in XML format.
New features introduced with Fireware Pro
The Fireware Pro appliance software improves WatchGuard's ability to supply new features on the same
hardware platform. Fireware Pro is available for all Firebox® X Core and Firebox X Peak devices. It is an
upgrade for the Firebox X Core model line. Features of Fireware Pro include:
Enhancements to the Gateway AntiVirus service such as a feature to examine outgoing messages,
lock attachments with suspicious content, and better reports
Interface independence
Signature-based intrusion prevention with stateful signature matching
Multi-WAN for more flexibility and network connection time
Dynamic routing of these protocols: BGP, OSPF, RIPv1 and v2
Quality of Service (QoS) which uses “virtual pipes” to regulate the traffic to align with your
business requirements
Active Directory and LDAP integration
Enhanced policy management interface for support of Fireware Pro features, and more granular
control of your security policy
Enhancements to WFS appliance software
The WatchGuard System Manager 8.0 includes WFS 7.4 appliance software. This version has two impor-
tant features.
WSM 8.0 uses a Management Server that operates on a Windows server instead of on a gateway
Firebox. This allows for much more scalability and flexibility when you set up a large network with
many locations.
The Log Server keeps log messages in an XML format.
WatchGuard Servers
There are three servers in this release that do Firebox management functions:
Management server
Log server
WebBlocker server
You can configure the servers from a Windows toolbar which you install with the servers. The toolbar
appears in the Windows taskbar at the bottom of your computer monitor. The toolbar is used to start,
stop, and configure each server.
What is Fireware Pro?
Fireware™ Pro is the next generation of security appliance software available from WatchGuard. Appliance
software is a software application stored in the memory of your firewall appliance. The Firebox uses the
appliance software with the configuration file to operate. When you install an upgrade on your Firebo
X Core or Firebox X Peak device, you write a new version of the appliance software to its memory.
The WatchGuard® System Manager now supports two versions of appliance software:
WFS - This is the default appliance software on Firebox III and Firebox X Core appliances. This is an
enhanced version of the appliance software successfully used by WatchGuard customers since
1998. WatchGuard System Manager v8.0 includes WFS v7.4.
Migration Guide 3
What’s New with WatchGuard System Manager?
Fireware Pro - This is the default appliance software on Firebox X Peak appliances. This next
generation appliance software enables WatchGuard to expand the number of features available to
Firebox X customers. Advanced network features like multi-WAN support, dynamic routing, and
QoS enable customers with complex networks to more effectively protect their networks, while
simultaneously benefiting from WatchGuard’s proactive Deep Application Inspection capabilities.
Using Fireware appliance software tools
When you install WatchGuard System Manager, it automatically installs the software tools you must have
to configure and manage a Firebox X Core or Firebox X Peak with Fireware Pro appliance software. These
include:
Fireware Firebox System Manager
Fireware Policy Manager
Fireware HostWatch
When you add a device to the WatchGuard System Manager Devices tab, the system identifies which
appliance software the Firebox uses. If you select a Firebox, then click a management tool icon, it auto-
matically starts the correct management tool for the version of appliance software installed on that Fire-
box.
For example, add a Firebox X5000 to the Devices tab using the instructions found in the WatchGuard
System Manager User Guide. Select the Firebox X5000. Click the Policy Manager icon on the WSM tool-
bar. Fireware Policy Manager starts and opens the configuration file.
What’s New with WatchGuard System Manager?
With this release, there are many changes to the WatchGuard® System Manager — some large and some
small. In this section we tell you the most important enhancements.
New WatchGuard System Manager features
We made the VPN Manager the primary management software for all the Firebox devices, log servers, and
management servers in your network. It is now known as the WatchGuard System Manager. From Watch-
Guard System Manager, you can start monitoring and configuration tools such as Policy Manager, Host-
Watch, and the Firebox System Manager.
WatchGuard System Manager also includes:
Simple management of a network with more than one WatchGuard hardware platforms:
- Firebox III
-Firebox X Core
- Firebox X Edge and Firebox X Edge Wireless
-Firebox X Peak
- Firebox SOHO6 and Firebox SOHO6 Wireless
- Firebox S6 and Firebox S6 Wireless
A Management Server that operates on a Windows server instead of on a gateway Firebox. This
solution is more scalable and flexible and lets you easily set up a large network with many offices
and VPN tunnels.
A feature that allows you to use SNMP to monitor important device statistics. You can also
transmit SNMP traps to SNMP servers.
Log messages stored in an XML format.
What’s New with WatchGuard System Manager?
4 WatchGuard Fireware Pro
New features introduced with Fireware Pro
The Fireware Pro appliance software improves WatchGuard’s ability to supply new features on the same
hardware platform. Fireware Pro is available as an upgrade to the WatchGuard System Manager. Contact
your reseller or browse to the WatchGuard Web site for more information. Features new to this release
include:
Enhancements to the Gateway AntiVirus service such as a feature to examine outgoing messages,
to lock attachments with suspicious content and better reports
Interface independence
Signature-based intrusion prevention with stateful signature matching
Multi-WAN for more flexibility and network connection time
Dynamic routing of these protocols: BGP, OSPF, RIPv1 and v2
Quality of Service (QoS) which uses “virtual pipes” to route the traffic to align with your business
requirements
Active Directory and LDAP integration
Application Server Load Sharing and enhanced policy management interface for advanced controls
and more granular control of your security policy
Enhancements to WFS appliance software
The WatchGuard System Manager v8.0 includes WFS v7.4 appliance software. This version has two
important features.
WSM 8.0 uses a Management Server that operates on a Windows server rather than a gateway
Firebox. This allows for much more scalability and flexibility when you set up a large, distributed
network.
You can now use Remote User VPN with PPTP and Mobile User VPN to a Firebox that gets its
external IP address from an ISP, which uses static DHCP or static PPPoE.
WatchGuard Servers
There are three servers in this release that do Firebox management tasks:
Management server
Log server
WebBlocker server
You can configure the servers from a Windows toolbar which you install with the servers. The toolbar
appears in the Windows taskbar at the bottom of your computer monitor. The toolbar is used to start,
stop, and configure each server.
Migration Guide 5
Comparing WFS and Fireware Pro
Management Server
WatchGuard pioneered simple, 1*2*3 VPN configuration with the Dynamic VPN Configuration Protocol
(DVCP). A DVCP server controls the VPN tunnels of a distributed enterprise from one, easy to use man-
agement interface. A limit to earlier versions of WSM was that you could only use the Firebox as a DVCP
server.
With WSM 8.0, we move the DVCP off the Firebox and on to a computer using the Windows operating
system. This gives increased scalability and flexibility for the network administrator. The management
server has the same functions as the DVCP/CA server from previous releases of WSM. These functions are:
Centralized management of VPN tunnel configurations
Certificate authority for distributing certificates for IPSec tunnels
Log Server
The Log Server collects log messages, event messages, alarms, and diagnostic messages from one or more
Firebox devices. The log messages are now kept in an *.xml format. This allows you to use third-party
XML tools to create your own custom reports. The Log Server was formerly known as the WatchGuard
Security Event Processor (WSEP).
WebBlocker Server
The WebBlocker server operates with an HTTP Proxy policy to prevent users from browsing to specified
Web sites. You set the categories of permitted Web sites during Firebox configuration. The HTTP Proxy on
the Firebox then uses information on the WebBlocker server to find out if a Web site is in a restricted cat-
egory.
Comparing WFS and Fireware Pro
Many of the tools and features you use in WFS are also in Fireware Pro. Some are enhanced with more
settings or improvements in the methods used to configure and enable them. We also added features
such as dynamic routing, multi-WAN support, and a signature-based intrusion prevention system. At the
same time, we did not move all of the WFS appliance software features into Fireware Pro.
This table is a summary of the features in each type of appliance software.
Appliance Software Feature Matrix
There are significant differences between the WFS appliance software and the new Fireware Pro appliance
software. A summary of these differences is below. When both appliance software packages include a fea-
ture but Fireware implementation is different from WFS, we include more information in the last column.
Feature or Functional Area WFS Fireware Notes on Fireware Implementation
Upgradeable Model Upgradeable Ye s Ye s
Networking
Features
Port Independence No Ye s
Secondary IP Address Ye s Ye s
Traffic Management/
QoS
No Ye s
MultiWAN No Ye s
WAN Failover No Ye s
WAN Load Sharing No Ye s
Comparing WFS and Fireware Pro
6 WatchGuard Fireware Pro
Dynamic Routing No Ye s The user interface is similar to the
Firebox VController management
software.
Secondary Networks Ye s Ye s You can not configure secondary
networks and external aliases when you
use a dynamic IP address for the
external interface.
DHCP Client Ye s Ye s Ye s
DHCP Server Ye s Ye s
Drop-In Mode Ye s No
High
Availability
Active/Standby Option Included
Application
Layer Filtering
HTTP Inbound No Ye s Fireware includes substantial feature
enhancements.
HTTP Outbound Ye s Ye s
WebBlocker Ye s Ye s
SMTP Inbound Ye s Ye s Fireware includes substantial feature
enhancements.
SMTP Outbound Ye s Ye s
FTP Inbound Ye s Ye s Fireware includes substantial feature
enhancements. It does not, however,
proxy the data channel.
FTP Outbound Ye s Ye s
DNS Ye s Ye s There are more configuration options.
Outgoing (TCP) Ye s Ye s
Firewall Based IPS
(protocol anomaly detection)
Ye s Ye s Fireware protocol anomaly detection
includes substantial feature
enhancements.
Signature Based IPS No Ye s This new feature is available in
Fireware.
Authentication Radius Ye s Ye s You can not use the Policy Manager to
download the list of users and groups.
LDAP/
Active Directory
No Ye s You can not use the Policy Manager to
download the list of users and groups.
Windows 2000/2003 Ye s No
Firebox Ye s Ye s
Authentication Web
page for other
authentication
Ye s Ye s
VPN PPTP Ye s Ye s You can only have one PPTP client type
behind any NAT device.
PPTP with Radius
authentication
Ye s Ye s
MUVPN Ye s Ye s External authentication is the only
supported authentication mechanism for
MUVPN. Fireware uses the same
MUVPN client software as WFS.
BOVPN Ye s Ye s There is no auto-start for VPN tunnels.
There is also no DNS resolution in IKE.
Feature or Functional Area WFS Fireware Notes on Fireware Implementation
Migration Guide 7
Comparing WFS and Fireware Pro
AES Encryption No
Yes
Fireware enables the hardware based
AES encryption chip.
IPSec Pass Through Ye s Ye s This feature is off in the default
configuration. To configure IPSec Pass
Through, you must enable the global
setting then create an IPSec policy to
allow the traffic.
NAT-Traversal
(UDP encapsulation of IPSec)
Ye s Ye s This feature is on in the default
configuration.
Management Central management
interface
No Ye s You can start all management tools from
the WatchGuard System Manager.
Manage more than
one device
Ye s Ye s Use the WatchGuard System Manager
to manage one or more devices.
Certificate Authority Ye s
Yes
Certificate Authority moves from the
Firebox to a Windows computer.
Drag and drop VPN
setup for WatchGuard
appliances
Ye s Ye s Available for these models: Firebox
SOHO6, Firebox III, Firebox X Edge,
Firebox X Core, and Firebox X Peak.
Management Server No Ye s This is new feature is available with
WSM v8.0.
SSL/CSKT Gateway
(Firebox SOHO6 and Firebox X
Edge management)
Ye s Ye s
Basic DVCP Ye s No If you currently use Basic DVCP, you
must use the Management Server Setup
Wizard to migrate your tunnels to the
Management Server.
Monitoring
Tools
Firebox System
Manager
Ye s Ye s Only active VPN tunnels appear in the
list on the Front Panel tab.
HostWatch Yes Ye s HostWatch no longer supports WFS log
file playback.
Policy
Management
Policy Manager Ye s Ye s There are many enhancements to the
Fireware Policy Manager.
Policies Ye s Ye s Services are now known as policies.
Firewall Policies Ye s Ye s Because of port independence, we
replaced “incoming/outgoing” with
“from/to”.
Policy Management Ye s Ye s The Any service no longer has the
highest priority. Firewall policies no
longer affect the IPSec policies.
BOVPN Setup Ye s Ye s There is a new interface design which
enables you to clearly identify policies
used for VPN traffic.
MUVPN
Configuration Wizard
Ye s Ye s
Tunnel Setup Yes Ye s
PPTP Setup Ye s Ye s
Customer ordered
policies
No Ye s
Feature or Functional Area WFS Fireware Notes on Fireware Implementation
Planning Your Migration
8 WatchGuard Fireware Pro
Planning Your Migration
As with any major software migration, a well-designed plan for your upgrade from WFS to Fireware™ Pro
can decrease the effect on your users, improve your experience, and make sure a secure installation of the
new product features. If possible, we recommend that you do this migration in a network lab as an alter-
native to your production network. You can also do this migration during non-operational hours when a
short time with no connection to the Internet does not harm your business.
The length of the migration depends upon the complexity of your network and of your current Firebo
configuration. The software installation and Fireware Pro installation should take no more than 30 min-
utes. However, the time necessary to migrate your DVCP server to the Management Station and to create
your new Fireware Pro configuration varies based on the number of tunnels and policies you have. We
recommend that you set aside up to eight hours.
Auto-policy ordering Ye s Ye s
1:1 NAT Ye s Ye s
Dynamic NAT Ye s Ye s
Static NAT Ye s Ye s When you apply static NAT on an
external interface, the Firebox uses NAT
from all external addresses instead of
just the primary one. If you make a
secondary network on the external
network and an alias on external and
make a static-NAT in a service to NAT
“external” to a server on trusted
(external-<internal server>), the
Firebox NATs ALL external addresses,
including the alias and the secondary
network IP.
Logging Log Server Ye s Ye s The WSM log server now keeps files in
an XML format.
XML Log Format No Ye s Fireware natively generates log
messages in an XML format.
LogViewer Ye s Ye s
Message Text Ye s New All log messages are new with Fireware.
For more information, see the
Reference
Guide
.
Reporting Historical Reports Ye s Ye s WSM v8.0 includes five new reports and
support for XML log files.
Options SpamScreen Ye s No
WebBlocker Ye s Ye s Fireware uses the same database as
WFS.
Gateway AntiVirus for
E-mail
Ye s Ye s
Signature Based IPS No Ye s This new feature is available in Fireware
Common Criteria CLI No Ye s This new feature is only available in
Common Criteria mode.
Feature or Functional Area WFS Fireware Notes on Fireware Implementation
Migration Guide 9
Planning Your Migration
This Migration Guide supplies detailed instructions to successfully migrate from WFS to Fireware Pro.
These include steps to:
Document your current WFS configuration
Backup your current WFS configuration
Install WatchGuard System Manager on the management station
Configure the Management Server and migrate your DVCP server(s)
Configure the Log Server
Configure the WebBlocker Server and download the database
Install Fireware Pro on the device
Open WSM and connect to the Firebox
Open Fireware Policy Manager
- Make the changes in Fireware Policy Manager that reflect the WFS configuration
- Network configuration
- NAT settings
- Service configurations
- Create and test VPN tunnels as necessary
Deploy the Firebox and test the Fireware configuration
Planning Your Migration
10 WatchGuard Fireware Pro
Fireware Configuration Guide 11
Documenting Your Security Policy
CHAPTER 2 Installing the WatchGuard System
Manager Software
Before you can operate a Firebox with WatchGuard® Fireware™ Pro, you must install the WatchGuard Sys-
tem Manager v8.0 upgrade on your management station. If the Firebox® was a DVCP server, you must
move the configuration properties to the Management Server. If you completed these steps, you can go to
Chapter 3, “Putting Fireware on the Firebox”.
In this chapter, we tell how to:
Document your security policy
Back up the WFS configuration file and image
Install WatchGuard System Manager software on a management station
Set up WatchGuard servers
Documenting Your Security Policy
A good security policy is not just a firewall configuration file. It is a process which a network administra-
tor documents and which management regularly reviews. Your Fireware Pro migration is a good opportu-
nity to revisit your security policy. Because you must make a new configuration file for the Fireware Pro
appliance software, you should examine which policies you need to do business. Use these guidelines:
Each policy you open makes your network less secure
Polices from the Internet into your network are more dangerous than policies from your network
out to the Internet
Adding specific source and destination addresses makes a policy more secure
Note
To successfully migrate to WatchGuard Fireware you must begin from WFS 7.3.
Installing the management station software
WatchGuard® System Manager 8.0 is an important release with many changes to the software. It is
important that you save all of your current settings. In this section, we show how to:
Installing the management station software
12 WatchGuard Fireware Pro
Back up the WFS configuration file and image
Install WatchGuard System Manager software on a management station
You must install all the WatchGuard management software and appliance software before you create a
new configuration.
Installation requirements
Before you install WatchGuard System Manager, make sure that you have these items:
WatchGuard Firebox security device
WatchGuard System Manager CD-ROM
A serial cable (blue)
Three crossover Ethernet cables (red)
Three straight Ethernet cables (green)
Power cable
LiveSecurity service license key
It is also good to restart your Firebox before you start the upgrade procedure. This clears the RAM compo-
nent and helps to prevent problems during the upgrade.
Software encryption
The management station software is available with three types of encryption.
Base
Uses 40-bit encryption
Medium
Uses 56-bit DES encryption
Strong
Uses 128-bit 3DES encryption
A minimum of 56-bit encryption is necessary for the IPSec standard. To use virtual private networking
with IPSec or PPTP, you must download the strong encryption software.
Strong export limits apply to the strong encryption software. It is possible that it is not available for
download. For more information, log in to the LiveSecurity service and refer to the online resources at:
https://www.watchguard.com/support/AdvancedFaqs/bovpn_ipsecgrey.asp
Before you install the WatchGuard System Manager v8.0 upgrade, save your current configuration file and
appliance software image.
Fireware Configuration Guide 13
Installing the management station software
Saving the configuration file
You can save the configuration file of a Firebox on the device. You can also save it as a file on a local hard
disk drive. Before you install an upgrade, we recommend that you save the configuration file to a local
hard disk drive.
1 From WFS Policy Manager, select File > Save > As File.
2 Type the name of the configuration file. Click Save.
The configuration file has the file extension *.wfg. You can also save this to a network folder.
Saving the appliance software image
A very important step in the upgrade is to save the appliance software image. The Firebox keeps this file
on a backup partition of the Firebox flash disk. To create the WFS backup file:
1 Open Control Center, and connect to the Firebox.
2 Select Tools > Advanced > Flash Disk Management.
3 Select Make Backup of Current Image. Click Continue.
A verification prompt appears. Verify that the Management Station connects to the Firebox Trusted interface
either over the network (TCP/IP) or via a modem using out-of-band management.
4 Click Yes.
The Connect To Firebox dialog box appears.
5 Use the Firebox drop list to select a Firebox or type the IP address used by the Management Station
to communicate with the Firebox. Enter the configuration (read/write) passphrase. Click OK.
6 Select a file name for the Firebox backup.
The Enter Encryption Key dialog box appears.
7 Enter a key for encrypting the backup file. Click OK.
This ensures that no one can obtain sensitive information from the backup file.
8 When the backup is successful, an Operation Complete alert appears.
9 Click OK.
You do not need to reboot the Firebox.
Installation requirements
Before you install WatchGuard System Manager, make sure that you have these items:
WatchGuard Firebox appliance
WatchGuard System Manager installation software
A serial cable (blue)
Three crossover Ethernet cables (red)
Setting Up the Management Server
14 WatchGuard Fireware Pro
Three straight Ethernet cables (green)
Power cable
LiveSecurity service license key
It is also good to restart your Firebox before you start the upgrade procedure. This clears the RAM compo-
nent and helps to prevent problems during the upgrade.
Software encryption
The management station software is available with two types of encryption.
Base
Uses 40-bit encryption
Strong
Uses 128-bit 3DES encryption
To use virtual private networking with IPSec or PPTP, you must download the strong encryption software.
Strong export limits apply to the strong encryption software. It is possible that it is not available for
download. For more information, log in to the LiveSecurity service and refer to the online resources at:
https://www.watchguard.com/support/AdvancedFaqs/bovpn_ipsecgrey.asp
Installing the software
With WatchGuard System Manager 8.0, you can have more than one version of the management software
on one computer. Make sure that you select a different folder name for each installation.
1 If it is necessary, download the WatchGuard System Manager software.
Make sure that you write down the name and the path of the file when you save it to your hard disk drive.
2 Open the file and use the instructions on the screens to help you through the installation.
The installation utility includes a screen in which you select the components of the software or the upgrades to
install. A different license is necessary when you install some software components.
3 At the end of the installation wizard, a check box appears that you can select to start the QuickSetup
Wizard. For this upgrade, we recommend that you use the QuickSetup Wizard at this time only if you
do not have VPN tunnels and do not use VPN Manager.
Setting Up the Management Server
WatchGuard® pioneered simple, 1*2*3 VPN configuration with the Dynamic VPN Configuration Protocol
(DVCP). A DVCP server controls the VPN tunnels of a distributed enterprise from one, easy to use man-
agement interface. A limit to earlier versions of WatchGuard System Manager (WSM) was that you could
only use the Firebox® as a DVCP server.
With WSM 8.0, we move the DVCP off the Firebox and on to a computer which uses the Windows oper-
ating system. This gives increased scalability and flexibility for the network administrator. The Manage-
ment Server has the same functions as the DVCP server from previous releases of WSM. These functions
are:
Centralized management of VPN tunnel configurations
Certificate Authority to make and to send out certificates for IPSec tunnels.
The installation software automatically installs the Management Server on the same computer as the
management station. You can also install it on a different computer. You must install the Management
Server software on a computer that is behind a Firebox with a static external IP address. The Management
Server does not operate correctly if it is behind a Firebox with a dynamic IP address on its external inter-
face.
Fireware Configuration Guide 15
Setting Up the Management Server
Management Server tasks include:
Start and stop the Management Server
Set Management Server passphrases
Enter a Management Server license key
Configure diagnostic log messages from the Management Server
Set the Certificate Authority properties such as domain name and publication period
Start the Certificate Authority user interface
Passwords and the Key Files
The WatchGuard Management Server encrypts important information that it keeps on the Firebox and on
your local hard disk drive. It uses a number of passwords to protect sensitive information stored on disk or
to secure traffic with client systems. During configuration, you set two passwords and the system creates
system passwords:
Master password — The Management Server uses the master password to encrypt the password file.
This protects all of the other passwords. Select and save the master password carefully and safely. Use
best practices when you select the password. Do not use the same string for the master password and
the administrator password. It is necessary to use the master password to:
- Move the Management Server data to a different computer
- Restore a lost or damaged master key file
- Change the master password
Administrative password — You use the administrative password to connect to the WatchGuard
System Manager software. You use this password frequently. Use best practices when you select the
password.
System passwords — The Management Server automatically makes other passwords. It uses these
passwords to encrypt files, traffic on VPN tunnels, and for the Certificate Authority private keys. You
cannot see these passwords with the user interface.
Using the Management Server
You use the Management Server Setup Wizard to configure your Management Server. If you use a Firebox
as a DVCP server, the wizard also moves the DVCP server features and Certificate Authority from the Fire-
box to your Management Server.
1 From the Windows desktop, double-click the Management Server icon on the WatchGuard toolbar.
The Management Server Setup Wizard appears.
2Select Start Service.
If the Management Server has not been configured, then the Management Server Setup Wizard starts
automatically. The wizard goes through these steps:
Migrating Basic DVCP Tunnels while setting up a Management Server
16 WatchGuard Fireware Pro
Note
If you change the IP address of the Management Server, you must remove the Management Server
software. Then install the software again.
Migrating Basic DVCP Tunnels while setting up a Management Server
WatchGuard System Manager 8.0 provides a wizard that migrates your WFS DVCP server configuration to
the new WatchGuard management server. This wizard is called the Management Server Setup Wizard and
is launched from the WatchGuard toolbar in the Windows taskbar.
This wizard moves your DVCP server from your Firebox to a Windows based computer that you designate
as your management server. It also converts the Firebox you were using as a DVCP server into a gateway
Firebox that protects the management server from the Internet. Finally, it converts any basic DVCP tun-
nels connected to the gateway Firebox into regular tunnels. Basic DVCP tunnels are not supported in
WSM 8.0.
However, the Management Server Setup Wizard is not able to convert all the basic DVCP tunnels that you
have in your network. It only converts the tunnels that use the gateway Firebox as one of the endpoints.
These tunnels are isolated from the gateway Firebox. If you have any isolated basic DVCP tunnels in your
network, you need to use one of these two procedures to convert your tunnels so they are managed by
WSM 8.0.
Procedure #1
This workaround requires you to disable any isolated basic DVCP tunnels before using the Management
Server Setup Wizard.
1 Using the Policy Manager, remove the basic DVCP tunnel configuration at each endpoint (Firebox) for
the tunnel.
Do this for each Firebox that is an endpoint for an isolated tunnel.
2 Download the configuration to each Firebox and restart the Firebox.
3 Use the Management Server Setup Wizard to:
Move your DVCP server to your management server
Convert your old DVCP server into a gateway Firebox
Convert any Basic DVCP tunnels connected to the gateway Firebox to regular tunnels
4 Reestablish previously disabled tunnels.
5 Launch WatchGuard System Manager
6 Add each endpoint Firebox to the management server
7 Drag-n-drop a Firebox onto another Firebox to create a tunnel between the two firewalls.
8 Do this for each tunnel that needs to be reestablished.
Procedure
#2
This workaround allows you to minimize the downtime for your isolated Basic DVCP tunnels.
1 Acquire a VPN Manager license key with enough capacity to convert all of your Basic DVCP tunnels
to Advanced DVCP tunnels.
2 Install the license key into VPN Manager.
3 Use VPN Manager to convert all your Basic DVCP tunnels to Advanced DVCP tunnels.
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25
  • Page 26 26
  • Page 27 27
  • Page 28 28
  • Page 29 29
  • Page 30 30
  • Page 31 31
  • Page 32 32
  • Page 33 33
  • Page 34 34
  • Page 35 35
  • Page 36 36
  • Page 37 37
  • Page 38 38
  • Page 39 39
  • Page 40 40
  • Page 41 41
  • Page 42 42
  • Page 43 43
  • Page 44 44
  • Page 45 45
  • Page 46 46
  • Page 47 47
  • Page 48 48
  • Page 49 49
  • Page 50 50
  • Page 51 51
  • Page 52 52
  • Page 53 53
  • Page 54 54
  • Page 55 55
  • Page 56 56
  • Page 57 57
  • Page 58 58
  • Page 59 59
  • Page 60 60
  • Page 61 61
  • Page 62 62
  • Page 63 63
  • Page 64 64
  • Page 65 65
  • Page 66 66
  • Page 67 67
  • Page 68 68
  • Page 69 69
  • Page 70 70
  • Page 71 71
  • Page 72 72
  • Page 73 73
  • Page 74 74
  • Page 75 75
  • Page 76 76

Watchguard WFS to Fireware Pro Migration User guide

Type
User guide

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI