Watchguard Firebox Vclass User guide

Central Policy Manager
Guide
Central Policy Manager 4.0
Vcontroller 3.2
Notice to Users
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are
fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Copyright, Trademark, and Patent Information
Copyright© 1998 - 2002 WatchGuard Technologies, Inc. All rights reserved.
Firebox, Firebox 1000, Firebox 2500, Firebox 4500, Firebox II, Firebox II Plus, Firebox II FastVPN, Firebox III,
Firebox SOHO, Firebox SOHO|tc, Firebox V100, Firebox V80, Firebox V60, Firebox V10, LiveSecurity,
RapidStream, RapidCore, WatchGuard, WatchGuard Technologies, Inc., AppLock, AppLock/Web, Designing peace of
mind, DVCP technology, Enforcer/MUVPN, FireChip, HackAdmin, HostWatch, LockSolid, RapidCare, SchoolMate,
ServerLock, ServiceWatch, Smart Security. Simply Done., SpamScreen, Vcontroller are either registered trademarks
or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries.
© Hi/fn, Inc. 1993, including one or more U.S. Patents: 4701745, 5016009, 5126739, and 5146221 and other
patents pending.
Microsoft®, Internet Explorer®, Windows® 95, Windows® 98, Windows NT® and Windows® 2000 are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corporation in the United
States and other countries.
RC2 Symmetric Block Cipher, RC4 Symmetric Stream Cipher, RC5 Symmetric Block Cipher, BSAFE, TIPEM, RSA
Public Key Cryptosystem, MD, MD2, MD4, and MD5 are either trademarks or registered trademarks of RSA Data
Security, Inc. Certain materials herein are Copyright © 1992-1999 RSA Data Security, Inc. All rights reserved.
RealNetworks, RealAudio, and RealVideo are either a registered trademark or trademark of RealNetworks, Inc. in the
United States and/or other countries.
Java and all Java-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. in the United
States and other countries. All rights reserved.
© 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
© 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or
without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from
this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without
prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software
developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL
PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com). This product includes software written by Tim
Hudson (tjh@cryptsoft.com).
© 1995-1998 Eric Young (eay@cryptsoft.com)
All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The
following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the
SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that
the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is
used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in
the form of a textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
"This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic'
can be left out if the routines from the library being used are not cryptographic related :-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you
must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
The licence and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e.
this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]
The mod_ssl package falls under the Open-Source Software label because it's distributed under a BSD-style license. The
detailed license information follows.
Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
"This product includes software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl
project (http://www.modssl.org/)."
4. The names "mod_ssl" must not be used to endorse or promote products derived from this software without prior
written permission. For written permission, please contact rse@engelschall.com.
5. Products derived from this software may not be called "mod_ssl" nor may "mod_ssl" appear in their names without
prior written permission of Ralf S. Engelschall.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software
developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/)."
THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S.
ENGELSCHALL OR HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The Apache Software License, Version 1.1
Copyright (c) 2000 The Apache Software Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment:
"This product includes software developed by the Apache Software Foundation (http://www.apache.org/)." Alternately,
this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally
appear.
4. The names "Apache" and "Apache Software Foundation" must not be used to endorse or promote products derived
from this software without prior written permission. For written permission, please contact [email protected].
5. Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without
prior written permission of the Apache Software Foundation.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION
OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This software consists of voluntary contributions made by many individuals on behalf of the Apache Software
Foundation. For more information on the Apache Software Foundation, please see <http://www.apache.org/>.
Portions of this software are based upon public domain software originally written at the National Center for
Supercomputing Applications, University of Illinois, Urbana-Champaign.
All other trademarks or trade names mentioned herein, if any, are the property of their respective owners.
Part No: 0833-003
Contents
CHAPTER 1 About WatchGuard CPM
About the CPM Server
About the CPM Client
Network Scope of CPM
Types of Appliances Administered with CPM
CPM and WatchGuard/RapidStream security appliances
CPM and RapidStream "Secured by Check Point" security appliances
CPM and foreign security appliances
CHAPTER 2 Installing or Upgrading CPM Software
Installing and Setting Up a Firebox Vclass Appliance
Where You Can Install CPM Server and Client
Requirements for CPM Installation
Server specifics
Client specifics
Hardware and software specifics
Java 2 runtime environment
Obtaining the Site License for CPM
Installing the CPM Server Software
Installing CPM Server on a Windows NT platform
Installing CPM Server on a Solaris host
Installing the CPM Client Software
Upgrading from Previous Versions of CPM
Uninstalling the CPM Server or Client
CHAPTER 3 Starting the CPM Client and Server
Starting the CPM Client for the First Time
Starting the CPM Client After Initial Log In
Changing Your CPM Client Login Password
If CPM prompts a password change
If you want to replace an existing password
Upgrading your CPM Server License
Stopping the CPM Server
Stopping CPM Server at the host computer
Shutting down CPM Server at the CPM Client workstation
Starting or Restarting the CPM Server
CHAPTER 4 Creating CPM Administrator Accounts
CPM Default Roles
Setting Up New Roles (Optional)
Creating Administrator Accounts
Completing the Access Setup
Determining Which Other Administrators Are Online
Reserving a CPM Window
If you can’t reserve a window
CHAPTER 5 Discovering and Deploying Appliances
Before You Begin
Discovering A New Appliance
Deploying Profiles to New Appliances
CHAPTER 6 Mapping your Network in CPM
Map Out Your Network on Paper
About the Appliance Manager Window
Transcribing the Map Into CPM
CHAPTER 7 Creating Appliance Records
Creating CPM-Managed Appliance Records
Creating Non-CPM–Managed Appliance Records
CHAPTER 8 Configuring Appliances for Network Use
Getting Started
Importing Licenses and Certificates
Obtaining the x.509 certificate
Importing the new x.509 certificate
To import licenses for extended features
Restoring the Appliance to a Factory-Default State
Creating the New Appliance Record
Configuring the Appliance Hardware
Running the CPM Default Policy Wizard
Entering the Security Policies
Creating the Network Addresses Required
Assembling the CPM Policy Components
Defining the Required Alarms
Deploying the Profile
Compiling the profiles
Discovering the profile-ready appliances
Deploying profiles to new appliances
Deploying the profiles
Relocating the Appliance
Copying a Configuration to New Appliance
CHAPTER 9 Completing the Appliance Configuration
Running the CPM Default Policy Wizard
If you chose the extended network
If you chose the local network
Assembling the CPM Policy Components
Assembling a policy from available components
CHAPTER 10 Completing the System Configuration
Configuring a New WatchGuard Appliance
Completing the General Entries
Completing the Interfaces Entries
Completing the Routing Entries
Verifying the routes
Completing the DNS Entries
Completing the SNMP Entries
Completing the Log Settings Entries
Completing the Hacker Prevention Entries
About the High Availability Tab
About the VLAN Forwarding Tab
Completing the Tunnel Switch Entries
Saving the System Configuration Entries
Importing a New License
Reviewing the current licenses
Deleting an out-of-date license
Index
CHAPTER 1 About WatchGuard CPM
Congratulations on your purchase of the WatchGuard Central Policy
Manager (CPM). Using this product, you can simplify policy analysis
deployment with a central console that lets you manage multiple Firebox
Vclass installations across an entire enterprise infrastructure. This
powerful and highly scalable network management platform offers global
management for large enterprises, data centers, and service providers.
About the CPM Server
The CPM Server software includes a database that stores the
configurations and policies for all appliances while it actively monitors
the status of each appliance, alerting you if problems arise. You can assign
more than one administrator (who would use the CPM Client) to manage
various aspects of the overall task load. WatchGuard recommends that
you install the CPM Server component onto a separate, high-capacity host
computer. You can install both Client and Server onto a single
workstation if your network environment is small and you do not plan to
expand it.
Your authorized client administrative users do not have to be “local” to
participate in the CPM system. If you load VPN policies into the relevant
appliances that would permit secure communications between a client
workstation and the server host, other remote administrators can assume
their duties from their locations.
About the CPM Client
The stand-alone CPM Client application provides the primary access to
the CPM Server. You can install and run the Client on any number of
administrative workstations. After an administrator uses the Client to log
into the CPM Server, he or she can record appliance-specific profiles,
including policies, system configurations, log files, alarms, and activity
monitors. If the administrator has fewer privileges, he or she might only
be able to review the active alarms and clear them.
A complex set of RapidStream or Firebox Vclass appliance-specific
information can be stored in the CPM Server database as appliance-
specific profiles. When needed, you can prompt the database to use its
secure connections to all your appliances to deploy new or updated
profiles.
Network Scope of CPM
You can use CPM to maintain and monitor any number of Firebox Vclass
and RapidStream security appliances both within your local firewall and
outside the firewall. The key requirement is an SSL/HTTPS policy on
each appliance that permits CPM to gain complete access to that
appliance through whatever firewalls may exist between the Server and
that appliance. This includes full-strength gateway security appliances,
internal-use appliances that guard private network assets, and VPN client
appliances, distributed throughout the Internet and serviced by ISPs.
Types of Appliances Administered with CPM
You can administer, monitor, and coordinate network communications
between a number of devices in CPM:
- WatchGuard Firebox Vclass security appliances
- RapidStream appliances
- RapidStream "Secured by Check Point" appliances
- Third-party security appliances
- "Virtual appliances" that represent VLAN or user domain tenants
associated with an operational appliance
CPM and WatchGuard/RapidStream security appliances
You can use CPM to install and configure the operational profile for any
“factory default” Firebox Vclass appliances from WatchGuard or legacy
appliances manufactured by RapidStream. After the appliances are
deployed and operational, you can monitor and troubleshoot them.
CPM and RapidStream "Secured by Check Point" security
appliances
If you are using RapidStream appliances running pre-installed Check
Point software, you can continue to use RapidStream Navigator to
administer the appliances, while using CPM to identify the location of
these appliances for policy-making purposes. (CPM can also be used to
monitor certain SNMP status-indicating communications.)
Because CPM includes a link to RapidStream Navigator, you can integrate
CPM system monitoring with the maintenance of Check Point-preinstalled
security appliances through RapidStream Navigator.
Recording the Check Point appliances in CPM as network assets allows
you to record security policies that establish traffic between the Check
Point devices and Firebox Vclass or RapidStream devices.
CPM and foreign security appliances
You can record all third-party appliances, which include third-party
security appliances or older-model Firebox appliances, as assets in your
extended network. You can then use CPM to configure security policies
for communications between Firebox Vclass appliances and these third-
party appliances.
The following table summarizes all of the CPM management options, by
appliance type:
= via link to RapidStream Navigator
CHAPTER 2 Installing or Upgrading CPM
Software
This chapter describes how to install or upgrade the two components of
the CPM system: the CPM Server software and the CPM Client
application. Each software installation relies on the use of an
InstallShield™ Wizard stored on the CD-ROM enclosed with your
manual and software registration. This chapter also covers software
shutdown and removal of CPM software.
Installing and Setting Up a Firebox Vclass Appliance
If you plan to use the WatchGuard CPM system to configure “factory
default” appliances, you must mount, connect, and power up the
appliance before any initial configuration can occur. Use the WatchGuard
Vcontroller Installation Guide that came with your appliances to guide you
through these tasks:
- Mounting the appliance in a network setting
- Connecting the network cabling to the appropriate data interfaces
- Powering up the security appliance
Be sure to mount any new Firebox Vclass appliance in the same subnet as
the CPM Server host computer, so that you can proceed with the full CPM
profile creation and deployment process.
Where You Can Install CPM Server and Client
You can install both CPM Server and CPM Client onto any qualifying
computer, workstation, or host/server. Or you can install the components
onto separate machines; the choice depends upon the following
requirements:
Workstation only
If your workstation CPU processor speed is sufficient, you can
install both server and client software onto a workstation/
desktop computer. WatchGuard recommends installing the CPM
Server onto an auxiliary drive with at least fifty (50) megabytes of
free space.
You can install the CPM Client onto the main drive of the
workstation. It will not increase in size during use.
Workstation/Server
WatchGuard recommends this mode of installation, in which you
install the CPM Server software separately onto a server with an
auxiliary drive or a separate partition that has at least 50 MB in
free space.
You can install the CPM Client onto the main drive of any locally
networked workstation. It will not increase in size during use.
Requirements for CPM Installation
Server specifics
The computer hosting the CPM Server must be running one of the
following operating systems:
- Sun Solaris, v2.8 (Sparc)
- Microsoft Windows NT, Windows 2000 Professional, or
Windows XP Professional. Do not install Server software onto
any non-NT computers such as Windows 98.
The computer that will host the CPM Server software should be
located inside a corporate network/firewall.
The CPM Server software cannot be installed onto more than one host
computer.
The CPM Server software must have been installed on the host
computer and be currently active before any CPM Client can be
installed and started.
Client specifics
The workstation (or computer) onto which you’ll be installing the
initial CPM Client must be inside the same corporate network/
firewall as the CPM Server. Any subsequent Client installations (for
other administrators) can be on workstations located either inside or
outside the corporate network/firewall.
The workstation designated for CPM Client use can be running the
Windows 98/2000/Me/XP operating system.
You can install the CPM Client application onto multiple
workstations, giving access to as many administrative users as you
want. Although the CPM Server permits multiple logins, a lock-out
feature prevents data manipulation conflicts within appliance
profiles.
To manage more than one security appliance with CPM, you must
have the appropriate WatchGuard CPM license. This license
determines the number of appliances that you can administer. After
the requisite license is entered during installation (or later, if needed)
the CPM Server can contact and administer the maximum number of
licensed appliances. (If you add more appliances to your network,
you can easily obtain and install an expanded-capacity license.)
All CPM Clients communicate with the CPM Server database through
a Secure Socket Layer (SSL) connection, whether the client workstation
is located inside or outside the firewall of the corporate network.
If any client applications are intended for use outside the firewall, a
specific SSL connection must be opened through the firewall. The SSL
port can be customized by opening and editing the
cpm_server.conf and cpm_client.conf files.
If you’ve installed several separate CPM Server software packages,
you can connect to any number of them with the same CPM Client
application. However, you must have an access account for each
server.
After logging into a CPM Server on a separate host computer, you
must have the IP address of that host. Once you have initially logged
in, the CPM Client stores the IP address of this CPM Server host (and
all other subsequent host connections) in its configuration file. This
will make reconnection much more efficient.
NOTE
You can review “About the CPM Configuration Files" in the CPM Policy
and Administration Guide for complete details of both cpm_server.conf
and cpm_client.conf files.
Hardware and software specifics
The following lists provide the current system requirements for both CPM
Server and Client.
CPM Server
Host computer
Any PC-compatible workstation or server with sufficient hard
drive capacity. A standalone server is recommended.
Operating System
Sun Solaris, v2.8 (Sparc)
Windows NT 4.0 Server / NT Workstation (Service Pack 6a),
Windows 2000 Server / 2000 Professional, or Windows XP
Professional.
Processor Type
Pentium II or later version of Pentium CPU
Processor Speed
700 MHz minimum
Memory
256 MB minimum
Hard Disk Space
50 MB minimum (for CPM Server database software)
20 MB minimum (for CPM Client software)
Input Device
CD-ROM or DVD
Network Interface
NICs or embedded network connections
CPM Client
Host Computer
Any desktop computer matching the following qualifications
Operating System
MS Windows 98/ME/XP or NT/2000/XP
Processor Type
Pentium II or later version of Pentium CPU
Processor Speed
500 MHz or faster
Memory
128 MB minimum
Input Device
CD-ROM or DVD
Hard Disk Space
10 MB minimum (for CPM software)
Network Interface
NICs or embedded network connections
Java 2 runtime environment
Both CPM Server and Client require JRE Standard Edition v1.3.1 on their
Microsoft Windows host computers. JRE v1.3.1 will run on most recent
versions of Windows, including Windows 98, NT 4.0, and later. If it is not
present, or if an older version is present, the Installer will detect this state
and alert you. You can then choose to install JRE 1.3.1 at this time, or (if an
older version of JRE is present) retain that older version. However,
WatchGuard does not recommend using the older version with CPM.
Obtaining the Site License for CPM
Before you proceed with installation, you must obtain the license for
CPM. To do so, follow these steps:
1 Find the license key certificate that was included with your CPM
package. This item contains the text of a code you must enter at a
particular WatchGuard Web site.
2 Use a Web browser to connect to the URL printed on the same card.
3 Make all the relevant entries in that Web page, including your
company’s name and the host name of the computer on which the
CPM Server will be installed.
After you successfully submit the entries:
- You will be automatically sent an email with the license key text.
- The license text will be printed in the browser, which you should
cut and paste into a text file stored on your workstation.
4 After you have obtained the license text and stored it safely on your
workstation, you can proceed with the CPM installations. You won’t
need the license text until you first start the CPM Client and attempt
to log into the CPM Server.
Installing the CPM Server Software
You must install the CPM Server software directly onto the host, whether
it is your administrative workstation or a network-accessible host server.
This process cannot be done through a network connection to a local
computer.
To install the CPM Server software onto the target host computer, follow
these steps:
1 Take the WatchGuard CPM Software CD-ROM out of the package
and insert it into the CD-ROM drive of either the administrative
workstation or the host server.
2 Locate and double-click the CD-ROM drive icon.
NOTE
The CD-ROM may not start automatically on some computers. If this is
the case, open the Run dialog box and enter the CD-ROM drive letter and
setup.exe to start the process.
3 Open the CPM Server folder (inside the Windows folder).
4 Double-click the Server installer icon (Setup.exe).
The CPM Server Setup wizard appears, displaying the initial Welcome screen.
5 Click Next.
The Wizard now displays the text of the WatchGuard CPM Server Software
License.
6 Read the complete agreement before proceeding. Click Yes to accept
the terms of the agreement.