Watchguard Firebox Vclass User guide

Central Policy Manager

User Guide

Central Policy Manager 4.1

Vcontoller 3.2

ii Central Policy Manager 4.1

Notice to Users

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are

fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means,

electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Copyright, Trademark, and Patent Information

Firebox, Firebox 1000, Firebox 2500, Firebox 4500, Firebox II, Firebox II Plus, Firebox II FastVPN, Firebox III,

Firebox SOHO, Firebox SOHO|tc, Firebox V100, Firebox V80, Firebox V60, Firebox V10, LiveSecurity,

RapidStream, RapidCore, WatchGuard, WatchGuard Technologies, Inc., AppLock, AppLock/Web, Designing peace of

mind, DVCP technology, Enforcer/MUVPN, FireChip, HackAdmin, HostWatch, LockSolid, RapidCare, SchoolMate,

ServerLock, ServiceWatch, Smart Security. Simply Done., SpamScreen, Vcontroller are either registered trademarks

or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries.

patents pending.

Microsoft®, Internet Explorer®, Windows® 95, Windows® 98, Windows NT® and Windows® 2000 are either

registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corporation in the United

States and other countries.

RC2 Symmetric Block Cipher, RC4 Symmetric Stream Cipher, RC5 Symmetric Block Cipher, BSAFE, TIPEM, RSA

Public Key Cryptosystem, MD, MD2, MD4, and MD5 are either trademarks or registered trademarks of RSA Data

RealNetworks, RealAudio, and RealVideo are either a registered trademark or trademark of RealNetworks, Inc. in the

United States and/or other countries.

Java and all Jave-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. in the United

without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following

disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following

disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgment:

"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://

www.openssl.org/)"

4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from

this software without prior written permission. For written permission, please contact openssl-core@openssl.org.

5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without

prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software

developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED

WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY

AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL

PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,

EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF

SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR

TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS

SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young

([email protected]). This product includes software written by Tim

Hudson (tjh@cryptsoft.com).

CPM User Guide iii

This package is an SSL implementation written by Eric Young ([email protected]).

The implementation was written so as to conform with Netscapes SSL.

This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The

following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the

SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that

the holder is Tim Hudson (tjh@cryptsoft.com).

Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is

used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in

the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the

following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following

disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgement:

"This product includes cryptographic software written by Eric Young ([email protected])" The word 'cryptographic'

can be left out if the routines from the library being used are not cryptographic related :-).

4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you

must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,

INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS

FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS

BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE

OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

POSSIBILITY OF SUCH DAMAGE.

The licence and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e.

this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]

The mod_ssl package falls under the Open-Source Software label because it's distributed under a BSD-style license. The

detailed license information follows.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the

following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following

disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following

disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgment:

"This product includes software developed by Ralf S. Engelschall <[email protected]m> for use in the mod_ssl

project (http://www.modssl.org/)."

4. The names "mod_ssl" must not be used to endorse or promote products derived from this software without prior

written permission. For written permission, please contact rse@engelschall.com.

5. Products derived from this software may not be called "mod_ssl" nor may "mod_ssl" appear in their names without

prior written permission of Ralf S. Engelschall.

6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software

developed by Ralf S. Engelschall <rs[email protected]> for use in the mod_ssl project (http://www.modssl.org/)."

THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY EXPRESSED OR IMPLIED

WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY

AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S.

ENGELSCHALL OR HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,

iv Central Policy Manager 4.1

EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF

SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR

TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS

SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The Apache Software License, Version 1.1

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the

following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following

disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following

disclaimer in the documentation and/or other materials provided with the distribution.

3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment:

"This product includes software developed by the Apache Software Foundation (http://www.apache.org/)." Alternately,

this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally

appear.

4. The names "Apache" and "Apache Software Foundation" must not be used to endorse or promote products derived

from this software without prior written permission. For written permission, please contact [email protected].

5. Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without

prior written permission of the Apache Software Foundation.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING,

BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A

PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION

OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,

OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE

GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER

CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,

EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the Apache Software

Foundation. For more information on the Apache Software Foundation, please see <http://www.apache.org/>.

Portions of this software are based upon public domain software originally written at the National Center for

Supercomputing Applications, University of Illinois, Urbana-Champaign.

All other trademarks or trade names mentioned herein, if any, are the property of their respective owners.

Part No: 0833-003

CPM User Guide v

Contents

CHAPTER 1 About WatchGuard CPM .......................... 1

Components of CPM ....................................................... 3

CPM Server ................................................................. 4

CPM Client .................................................................. 4

CPM and Network Configuration ...................................... 4

Types of Appliances Administered with CPM ..................... 6

CPM and WatchGuard Vclass/RapidStream security

appliances

................................................................... 6

CPM and RapidStream "Secured by Check Point" security

appliances

................................................................... 6

Remote appliances running MUVPN ................................. 7

CPM and foreign security appliances ................................ 7

CHAPTER 2 Installing or Upgrading CPM Software .... 9

Where You Can Install CPM Server and Client ................... 9

Installation requirements .............................................. 10

System Requirements for CPM Server ............................. 11

System Requirements for CPM Client .............................. 12

Java 2 runtime environment (JRE) .................................. 13

Obtaining the Site License for CPM ................................ 13

Installing the CPM Server Software ................................. 14

vi Central Policy Manager 4.1

Installing the CPM Client Software .................................. 18

Upgrading from a Previous Versions of CPM .................... 22

Backing Up CPM Server ................................................. 23

Uninstalling CPM Server or Client .................................... 24

CHAPTER 3 Starting the CPM Client and Server ....... 25

Starting the CPM Client for the First Time ........................ 25

Changing Your CPM Client Login Password .....................29

If CPM prompts a password change ................................ 29

If you want to replace an existing password ..................... 31

Starting the CPM Client After Initial Log In ....................... 32

Upgrading your CPM License ......................................... 32

Stopping the CPM Server ............................................... 34

Stopping CPM Server at the host computer ...................... 34

Shutting down CPM Server at the CPM Client workstation ... 35

Starting or Restarting CPM Server ................................... 37

CHAPTER 4 Creating CPM Administrator Accounts .. 39

CPM Default Roles ......................................................... 39

Creating New Roles (Optional) ........................................ 40

Creating Administrator Accounts .................................... 43

Completing the Access Setup ......................................... 46

Reviewing the Current CPM Session ................................ 46

Determining Which Other Administrators Are Online ....... 47

Reserving a CPM Window .............................................. 48

If you can’t reserve a window ......................................... 49

CHAPTER 5 Configuring Appliances for Network Use 51

Getting Started .............................................................. 52

Installing and Setting Up a Firebox Vclass Appliance ........ 52

Adding Appliances to CPM ........................................... 52

Discovering devices ..................................................... 53

Adding a new appliance record ..................................... 56

Importing Licenses and Certificates (Optional) ................. 58

Obtaining the x.509 certificate ....................................... 58

Importing the new x.509 certificate ................................. 59

CPM User Guide vii

Importing licenses for extended features ......................... 60

Reviewing the current licenses ....................................... 62

Deleting an out-of-date license ..................................... 63

Restoring the Appliance to a Factory-Default State .......... 63

Configuring the Appliance Hardware .............................. 64

Running the CPM Default Policy Wizard .......................... 66

If you chose the extended network ................................. 67

If you chose the local network ....................................... 68

Creating Network Addresses .......................................... 69

Entering the Security Policies ......................................... 70

Assembling the CPM Policy Components ........................ 72

Assembling a policy from available components ............... 72

Defining the Required Alarms ......................................... 73

Deploying the Profile ..................................................... 74

Compiling the profiles ................................................. 74

Deploying the profiles ................................................. 75

Relocating the Appliance ............................................... 76

CHAPTER 6 Completing the Appliance Configuration 79

Configuring a New WatchGuard Appliance ..................... 79

Completing the General Entries ..................................... 80

Completing the Interfaces Entries ................................... 81

Completing the Routing Entries ...................................... 86

Completing the DNS Entries .......................................... 89

Completing the SNMP Entries ........................................ 90

Completing the Log Settings Entries ............................... 93

Completing the Hacker Prevention Entries ...................... 95

Completing the High Availability Tab .............................. 97

Configuration comparison between Active/Standby

and Active/Active mode

............................................... 98

Completing the Tunnel Switch Entries ........................... 101

Completing the VLAN Forwarding Tab ......................... 103

Completing the NTP Tab ............................................. 104

Completing the Advanced tab ..................................... 105

viii Central Policy Manager 4.1

Completing the System Configuration Setup ................. 106

Reviewing the current licenses ..................................... 106

CHAPTER 7 Defining Security Policies in CPM ......... 109

Security Policy Components ......................................... 109

Traffic specifications .................................................. 109

Policy actions ........................................................... 110

Security Policies in CPM ...............................................110

Scope of policies in CPM ............................................ 111

Addresses and address groups ....................................111

Cataloging Addresses for Use in Policies ....................... 113

Entering a new address group ..................................... 114

Entering a new RAS address ........................................ 115

Creating a New Policy .................................................. 116

Cataloging Services for Use in Policies ...........................118

Adding a new service ................................................. 118

Combining services in a group ..................................... 120

Creating Policy Schedules ............................................ 121

Creating a new schedule ............................................ 121

Applying an existing schedule to a policy ....................... 122

CHAPTER 8 Using Policy Actions ..............................123

Combining Policy Actions ............................................. 123

Blocking and Rejecting Traffic ....................................... 124

About Network Address Translation (NAT) .....................124

Activating Dynamic NAT ............................................. 125

Activating Static NAT ................................................. 125

About Load Balancing .................................................. 126

About QoS Actions ...................................................... 129

Activating port shaping .............................................. 130

Applying a QoS action ...............................................131

Customizing a QoS action ........................................... 131

Activating TOS marking .............................................. 132

CHAPTER 9 About Virtual Private Networks ........... 133

About VPN Policies ...................................................... 134

VPN Policies and IPSec Actions .....................................135

CPM User Guide ix

About Encryption ........................................................ 136

Overview of Creating a VPN ......................................... 136

CHAPTER 10 Creating an Automatic Key IPSec Action 139

An Overview of VPN Policies ........................................ 139

About Bi-directional VPN Policies ................................. 140

Creating a New Automatic Key VPN Policy .................... 141

Making a VPN Policy Bi-directional ............................... 142

Assessing the IKE settings .......................................... 142

Customizing an IPSec Action ........................................ 145

Customizing an IPSec proposal using a single transform ... 146

Customizing an IPSec proposal with more than one

transform

................................................................ 147

Customizing multiple IPSec proposals with one or more

transforms

............................................................... 149

CHAPTER 11 Creating Remote Access VPN Policies 153

Creating a Policy for a Firebox V10 ............................... 153

Creating the Addresses entries .................................... 153

Creating the RAS security policy .................................. 154

Confirming the IKE settings ........................................ 154

Generating and deploying profiles ............................... 154

Creating a Policy for MUVPN Client Software ................ 155

Creating the RAS address group .................................. 155

Creating the security policy ........................................ 155

Confirming the IKE pair settings .................................. 156

Confirming the authentication method .......................... 156

CHAPTER 12 Establishing Tunnel Switching .............. 161

About Tunnel Switching ............................................... 161

Activating Tunnel Switching on the Central Appliance .... 162

Activating Tunnel Switching Between Sites .................... 162

CHAPTER 13 Monitoring Appliances .......................... 165

How CPM Monitors Appliances .................................... 165

About network polling ............................................... 165

About event notification ............................................. 166

Indicators Monitored by CPM ....................................... 166

x Central Policy Manager 4.1

About Appliance Availability .......................................167

About Interface Status ................................................168

Reorganizing Appliance Manager Window Columns ....... 169

Working with Appliance Groups Folders ........................ 170

Reorganizing the Appliance Manager window ................170

Filtering Appliance Manager Window Entries ................. 171

Color-Coding in the Appliance Manager ....................... 172

Changing Appliance Manager Row Colors ..................... 172

Ignoring an Appliance’s Status Reports ......................... 173

Ignoring a specific component ..................................... 174

Ignoring an entire appliance ........................................ 174

Using the Appliance Detail Dialog Box .......................... 174

Using the Performance Graph ....................................... 176

Opening the Performance Graph .................................176

Setting up the Performance Graph ...............................177

Viewing several counters at once .................................. 180

CHAPTER 14 Responding to Alarms ........................... 183

Viewing new alarms ................................................... 183

Using the Alarm Console window ................................ 184

Viewing details on alarms ........................................... 185

Refreshing the Alarm Console window .......................... 185

Acknowledging alarms ............................................... 185

Reopening acknowledged alarms .................................186

Clearing alarms ......................................................... 186

Reopening cleared alarms ........................................... 186

Purging cleared alarms ...............................................186

Reorganizing the list of alarms .....................................187

Filtering alarms ......................................................... 187

Disabling alarm filtering .............................................. 188

Index 189

CPM User Guide 1

CHAPTER 1 About WatchGuard CPM

Congratulations on your purchase of the WatchGuard Central Policy

Manager (CPM). Using this product, you can simplify security policy

deployment with a central console that lets you manage multiple Firebox

Vclass installations across an entire enterprise infrastructure. This

powerful and highly scalable network management platform offers global

management for large enterprises, data centers, and service providers.

You begin your assessment of how to secure a site or network with a

security stance. Simply put, a security stance is a statement of how an

organization protects its assets. An effective organization-wide

security stance considers:

• Implementation and maintenance of the stance, and how the

stance fits in with the organization’s goals and objectives

• The level of access provided to the various users and groups

within the organization

• Whether the organization allows recreational use of facilities and

systems

• What level of remote access communication is allowed

The stance generally accepted by the Internet security community is to

discard all packets not explicitly allowed; stated simply as “that which

is not explicitly allowed is denied.” WatchGuard Vclass Fireboxes, like

Chapter 1: About WatchGuard CPM

2 Central Policy Manager 4.1

most commercial firewalls, adopt this as its default stance. Discarding

all data packets not explicitly allowed through the firewall protects

against attacks based upon new, unfamiliar, or obscure IP services. It

also provides a safety net regarding unknown services and

configuration errors that otherwise threaten network security.

This means that for the Firebox to pass any traffic, it must be

configured to pass the traffic your customer wants to come through

the firewall. The network administrator must actively select the

services and protocols you or your customers want, configure each

one to define which hosts can send and receive them, and set other

individual properties for the service.

Components of CPM

CPM User Guide 3

Components of CPM

CPM consists of two main components, CPM Server and CPM Client. It

can manage many different types of appliances, as shown in the following

figure.

Chapter 1: About WatchGuard CPM

4 Central Policy Manager 4.1

CPM Server

The CPM Server software includes a database that stores the

configurations and policies for all appliances while it actively monitors

the status of each appliance, alerting you if problems arise. WatchGuard

recommends that you install the CPM Server component onto a separate,

high-capacity host computer. You can install both Client and Server onto

a single workstation if your network environment is small and you do not

plan to expand it.

A complex amount of appliance-specific information can be stored in

CPM Server as appliance-specific profiles. When needed, you can prompt

CPM Server to use its secure connections to all your appliances to deploy

new or updated profiles.

CPM Client

The CPM Client application gives administrative workstations access to

CPM Server. You can install and run the Client on any number of

administrative workstations. After an administrator uses the Client to log

into CPM Server, he or she can set up global policies and record

appliance-specific profiles, including policies, system configurations, log

files, alarms, and activity monitors. If the administrator has fewer

privileges, he or she might only be able to review the active alarms and

clear them.

You can assign more than one administrator to manage various aspects of

the overall task load. Your authorized client administrative users do not

have to be “local” to participate in the CPM system. If you load VPN

policies into the relevant appliances that would permit secure

communications between a client workstation and the server host, other

remote administrators can assume their duties from their locations.

CPM and Network Configuration

You can use CPM to maintain and monitor any number of Firebox Vclass

and RapidStream security appliances both within your local firewall and

outside the firewall. The key requirement is an SSL/HTTPS policy on

each appliance that permits CPM to gain complete access to that

CPM and Network Configuration

CPM User Guide 5

appliance through whatever firewalls may exist between the Server and

that appliance. This includes full-strength gateway security appliances,

internal-use appliances that guard private network assets, and VPN client

appliances, distributed throughout the Internet and serviced by ISPs.

Most networks using CPM have one of the two following configurations:

•An extended network has CPM connected to a gateway appliance,

through which it is connected to other appliances outside the local

firewall.

•A local network has CPM connected to a collection of appliances, all

inside the local firewall.

Chapter 1: About WatchGuard CPM

6 Central Policy Manager 4.1

Types of Appliances Administered with CPM

You can administer, monitor, and coordinate network communications

between a number of devices in CPM:

• WatchGuard Firebox Vclass security appliances

• RapidStream appliances

• RapidStream “Secured by Check Point” appliances

• Third-party security appliances

• “Virtual appliances” that represent VLAN or user domain tenants

associated with an operational appliance

• Remote appliances running MUVPN

CPM and WatchGuard Vclass/RapidStream security

appliances

You can use CPM to install and configure the operational profile for any

“factory default” Firebox Vclass appliances from WatchGuard or legacy

appliances manufactured by RapidStream. After the appliances are

deployed and operational, you can monitor and troubleshoot them.

CPM and RapidStream "Secured by Check Point" security

appliances

If you are using RapidStream appliances running pre-installed Check

Point software, you can continue to use RapidStream Navigator to

administer the appliances, while using CPM to identity the location of

these appliances for policy-making purposes. CPM can also be used to

monitor appliance status using SNMP.

Because CPM includes a link to RapidStream Navigator, you can integrate

CPM system—monitoring with the maintenance “Secured by Check Point”

security appliances through RapidStream Navigator.

Recording the Check Point appliances in CPM as network assets allows

you to record security policies that establish traffic between the Check

Point devices and Firebox Vclass or RapidStream devices.

Types of Appliances Administered with CPM

CPM User Guide 7

Remote appliances running MUVPN

Telecommuters working from home and traveling employees who need

corporate network access are common fixtures in today’s business

environment. Mobile User VPN (MUVPN) creates an IPSec tunnel

between an unsecured remote host and your trusted and optional

networks using a standard Internet dial-up or broadband connection

without compromising security. This type of VPN requires only one

Firebox for the private network and the Mobile User VPN software

module.

Maintaining and managing VPN tunnels established between a main

corporate office and one or more branch offices can become an

overwhelming task. CPM centralizes all intersite communication, which

preserves network performance and simplifies maintenance.

Appliances running MUVPN are recorded as “RAS user” in CPM.

CPM and foreign security appliances

You can record all third-party appliances, which include third-party

security appliances or older-model Firebox appliances, as assets in your

extended network. You can then use CPM to configure security policies

for communications between Firebox Vclass appliances and these third-

party appliances.

The following table summarizes all of the CPM management options, by

appliance type:

Use CPM

to

configure

Use CPM

to monitor

Use as

addresses

in CPM

policies

WatchGuard Firebox Vclass

appliances

X X X

WatchGuard Firebox appliances X

RapidStream appliances X X X

RapidStream Check Point

appliances

X X X

Third-part appliances X

Chapter 1: About WatchGuard CPM

8 Central Policy Manager 4.1

CPM User Guide 9

CHAPTER 2 Installing or Upgrading CPM

Software

This chapter describes how to install or upgrade the two components of

the CPM system: the CPM Server software and the CPM Client

application. Each software installation relies on the use of an

InstallShield™ Wizard stored on the CD-ROM enclosed with your

manual and software registration. This chapter also covers backing up

and removing CPM software.

For information on installing CPM Server on a Solaris host, see the CPM

Reference Guide.

Where You Can Install CPM Server and Client

You can install both CPM Server and CPM Client onto any qualifying

computer, workstation, or host/server. Or you can install the components

onto separate machines; the choice depends upon the following

requirements:

Workstation only

If your workstation CPU processor speed is sufficient, you can

install both server and client software onto a workstation/

desktop computer. WatchGuard recommends installing CPM

Chapter 2: Installing or Upgrading CPM Software

10 Central Policy Manager 4.1

Server onto an auxiliary drive with at least fifty (50) megabytes of

free space.

You can install CPM Client onto the main drive of the

workstation. It does not increase in size during use.

Workstation/Server

WatchGuard recommends this mode of installation, in which you

install the CPM Server software separately onto a server with an

auxiliary drive or a separate partition that has at least 50 MB in

free space.

You can install CPM Client onto the main drive of any locally

networked workstation. It doesnot increase in size during use.

Installation requirements

To manage more than one security appliance with CPM, you must have

the appropriate WatchGuard CPM license. This license determines the

number of appliances that you can administer. After the required license

is entered during installation (or later, if needed) CPM Server can contact

and administer the maximum number of licensed appliances. (If you add

more appliances to your network, you can easily obtain and install an

expanded-capacity license.) For information about obtaining a site license

for CPM, see “Obtaining the Site License for CPM” on page 13.

All CPM Clients communicate with CPM Server through a Secure Socket

Layer (SSL) connection, whether the client workstation is located inside or

outside the firewall of the corporate network.

Page is loading ...

Watchguard Firebox Vclass User guide

Watchguard Firebox Vclass User guide

Related papers

Other documents