Watchguard Firebox Vclass User guide

Central Policy Manager
User Guide
Central Policy Manager 4.1
Vcontroller 3.2
ii Central Policy Manager 4.1
Notice to Users
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are
fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Copyright, Trademark, and Patent Information
Copyright© 1998 - 2002 WatchGuard Technologies, Inc. All rights reserved.
Firebox, Firebox 1000, Firebox 2500, Firebox 4500, Firebox II, Firebox II Plus, Firebox II FastVPN, Firebox III,
Firebox SOHO, Firebox SOHO|tc, Firebox V100, Firebox V80, Firebox V60, Firebox V10, LiveSecurity,
RapidStream, RapidCore, WatchGuard, WatchGuard Technologies, Inc., AppLock, AppLock/Web, Designing peace of
mind, DVCP technology, Enforcer/MUVPN, FireChip, HackAdmin, HostWatch, LockSolid, RapidCare, SchoolMate,
ServerLock, ServiceWatch, Smart Security. Simply Done., SpamScreen, Vcontroller are either registered trademarks
or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries.
© Hi/fn, Inc. 1993, including one or more U.S. Patents: 4701745, 5016009, 5126739, and 5146221 and other
patents pending.
Microsoft®, Internet Explorer®, Windows® 95, Windows® 98, Windows NT® and Windows® 2000 are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corporation in the United
States and other countries.
RC2 Symmetric Block Cipher, RC4 Symmetric Stream Cipher, RC5 Symmetric Block Cipher, BSAFE, TIPEM, RSA
Public Key Cryptosystem, MD, MD2, MD4, and MD5 are either trademarks or registered trademarks of RSA Data
Security, Inc. Certain materials herein are Copyright © 1992-1999 RSA Data Security, Inc. All rights reserved.
RealNetworks, RealAudio, and RealVideo are either a registered trademark or trademark of RealNetworks, Inc. in the
United States and/or other countries.
Java and all Java-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. in the United
States and other countries. All rights reserved.
© 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
© 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or
without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://
www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from
this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without
prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software
developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL
PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com). This product includes software written by Tim
Hudson (tjh@cryptsoft.com).
© 1995-1998 Eric Young (eay@cryptsoft.com)
All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The
following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the
SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that
the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is
used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in
the form of a textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
"This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic'
can be left out if the routines from the library being used are not cryptographic related :-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you
must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
The licence and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e.
this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]
The mod_ssl package falls under the Open-Source Software label because it's distributed under a BSD-style license. The
detailed license information follows.
Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
"This product includes software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl
project (http://www.modssl.org/)."
4. The names "mod_ssl" must not be used to endorse or promote products derived from this software without prior
written permission. For written permission, please contact rse@engelschall.com.
5. Products derived from this software may not be called "mod_ssl" nor may "mod_ssl" appear in their names without
prior written permission of Ralf S. Engelschall.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software
developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/)."
THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S.
ENGELSCHALL OR HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The Apache Software License, Version 1.1
Copyright (c) 2000 The Apache Software Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment:
"This product includes software developed by the Apache Software Foundation (http://www.apache.org/)." Alternately,
this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally
appear.
4. The names "Apache" and "Apache Software Foundation" must not be used to endorse or promote products derived
from this software without prior written permission. For written permission, please contact apache@apache.org.
5. Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without
prior written permission of the Apache Software Foundation.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION
OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This software consists of voluntary contributions made by many individuals on behalf of the Apache Software
Foundation. For more information on the Apache Software Foundation, please see <http://www.apache.org/>.
Portions of this software are based upon public domain software originally written at the National Center for
Supercomputing Applications, University of Illinois, Urbana-Champaign.
All other trademarks or trade names mentioned herein, if any, are the property of their respective owners.
Part No: 0833-003
Contents
CHAPTER 1 About WatchGuard CPM .......................... 1
Components of CPM ....................................................... 3
CPM Server ................................................................. 4
CPM Client .................................................................. 4
CPM and Network Configuration ...................................... 4
Types of Appliances Administered with CPM ..................... 6
CPM and WatchGuard Vclass/RapidStream security appliances ............ 6
CPM and RapidStream "Secured by Check Point" security appliances ..... 6
Remote appliances running MUVPN ................................. 7
CPM and foreign security appliances ................................ 7
CHAPTER 2 Installing or Upgrading CPM Software .... 9
Where You Can Install CPM Server and Client ................... 9
Installation requirements .............................................. 10
System Requirements for CPM Server ............................. 11
System Requirements for CPM Client .............................. 12
Java 2 runtime environment (JRE) .................................. 13
Obtaining the Site License for CPM ................................ 13
Installing the CPM Server Software ................................. 14
Installing the CPM Client Software .................................. 18
Upgrading from a Previous Version of CPM ........................ 22
Backing Up CPM Server ................................................. 23
Uninstalling CPM Server or Client .................................... 24
CHAPTER 3 Starting the CPM Client and Server ....... 25
Starting the CPM Client for the First Time ........................ 25
Changing Your CPM Client Login Password .....................29
If CPM prompts a password change ................................ 29
If you want to replace an existing password ..................... 31
Starting the CPM Client After Initial Log In ....................... 32
Upgrading your CPM License ......................................... 32
Stopping the CPM Server ............................................... 34
Stopping CPM Server at the host computer ...................... 34
Shutting down CPM Server at the CPM Client workstation ... 35
Starting or Restarting CPM Server ................................... 37
CHAPTER 4 Creating CPM Administrator Accounts .. 39
CPM Default Roles ......................................................... 39
Creating New Roles (Optional) ........................................ 40
Creating Administrator Accounts .................................... 43
Completing the Access Setup ......................................... 46
Reviewing the Current CPM Session ................................ 46
Determining Which Other Administrators Are Online ....... 47
Reserving a CPM Window .............................................. 48
If you can’t reserve a window ......................................... 49
CHAPTER 5 Configuring Appliances for Network Use 51
Getting Started .............................................................. 52
Installing and Setting Up a Firebox Vclass Appliance ........ 52
Adding Appliances to CPM ........................................... 52
Discovering devices ..................................................... 53
Adding a new appliance record ..................................... 56
Importing Licenses and Certificates (Optional) ................. 58
Obtaining the x.509 certificate ....................................... 58
Importing the new x.509 certificate ................................. 59
Importing licenses for extended features ......................... 60
Reviewing the current licenses ....................................... 62
Deleting an out-of-date license ..................................... 63
Restoring the Appliance to a Factory-Default State .......... 63
Configuring the Appliance Hardware .............................. 64
Running the CPM Default Policy Wizard .......................... 66
If you chose the extended network ................................. 67
If you chose the local network ....................................... 68
Creating Network Addresses .......................................... 69
Entering the Security Policies ......................................... 70
Assembling the CPM Policy Components ........................ 72
Assembling a policy from available components ............... 72
Defining the Required Alarms ......................................... 73
Deploying the Profile ..................................................... 74
Compiling the profiles ................................................. 74
Deploying the profiles ................................................. 75
Relocating the Appliance ............................................... 76
CHAPTER 6 Completing the Appliance Configuration 79
Configuring a New WatchGuard Appliance ..................... 79
Completing the General Entries ..................................... 80
Completing the Interfaces Entries ................................... 81
Completing the Routing Entries ...................................... 86
Completing the DNS Entries .......................................... 89
Completing the SNMP Entries ........................................ 90
Completing the Log Settings Entries ............................... 93
Completing the Hacker Prevention Entries ...................... 95
Completing the High Availability Tab .............................. 97
Configuration comparison between Active/Standby and Active/Active mode ... 98
Completing the Tunnel Switch Entries ........................... 101
Completing the VLAN Forwarding Tab ......................... 103
Completing the NTP Tab ............................................. 104
Completing the Advanced tab ..................................... 105
Completing the System Configuration Setup ................. 106
Reviewing the current licenses ..................................... 106
CHAPTER 7 Defining Security Policies in CPM ......... 109
Security Policy Components ......................................... 109
Traffic specifications .................................................. 109
Policy actions ........................................................... 110
Security Policies in CPM ...............................................110
Scope of policies in CPM ............................................ 111
Addresses and address groups ....................................111
Cataloging Addresses for Use in Policies ....................... 113
Entering a new address group ..................................... 114
Entering a new RAS address ........................................ 115
Creating a New Policy .................................................. 116
Cataloging Services for Use in Policies ...........................118
Adding a new service ................................................. 118
Combining services in a group ..................................... 120
Creating Policy Schedules ............................................ 121
Creating a new schedule ............................................ 121
Applying an existing schedule to a policy ....................... 122
CHAPTER 8 Using Policy Actions ..............................123
Combining Policy Actions ............................................. 123
Blocking and Rejecting Traffic ....................................... 124
About Network Address Translation (NAT) .....................124
Activating Dynamic NAT ............................................. 125
Activating Static NAT ................................................. 125
About Load Balancing .................................................. 126
About QoS Actions ...................................................... 129
Activating port shaping .............................................. 130
Applying a QoS action ...............................................131
Customizing a QoS action ........................................... 131
Activating TOS marking .............................................. 132
CHAPTER 9 About Virtual Private Networks ........... 133
About VPN Policies ...................................................... 134
VPN Policies and IPSec Actions .....................................135
About Encryption ........................................................ 136
Overview of Creating a VPN ......................................... 136
CHAPTER 10 Creating an Automatic Key IPSec Action 139
An Overview of VPN Policies ........................................ 139
About Bi-directional VPN Policies ................................. 140
Creating a New Automatic Key VPN Policy .................... 141
Making a VPN Policy Bi-directional ............................... 142
Assessing the IKE settings .......................................... 142
Customizing an IPSec Action ........................................ 145
Customizing an IPSec proposal using a single transform ... 146
Customizing an IPSec proposal with more than one transform ........ 147
Customizing multiple IPSec proposals with one or more transforms ... 149
CHAPTER 11 Creating Remote Access VPN Policies 153
Creating a Policy for a Firebox V10 ............................... 153
Creating the Addresses entries .................................... 153
Creating the RAS security policy .................................. 154
Confirming the IKE settings ........................................ 154
Generating and deploying profiles ............................... 154
Creating a Policy for MUVPN Client Software ................ 155
Creating the RAS address group .................................. 155
Creating the security policy ........................................ 155
Confirming the IKE pair settings .................................. 156
Confirming the authentication method .......................... 156
CHAPTER 12 Establishing Tunnel Switching .............. 161
About Tunnel Switching ............................................... 161
Activating Tunnel Switching on the Central Appliance .... 162
Activating Tunnel Switching Between Sites .................... 162
CHAPTER 13 Monitoring Appliances .......................... 165
How CPM Monitors Appliances .................................... 165
About network polling ............................................... 165
About event notification ............................................. 166
Indicators Monitored by CPM ....................................... 166
About Appliance Availability .......................................167
About Interface Status ................................................168
Reorganizing Appliance Manager Window Columns ....... 169
Working with Appliance Groups Folders ........................ 170
Reorganizing the Appliance Manager window ................170
Filtering Appliance Manager Window Entries ................. 171
Color-Coding in the Appliance Manager ....................... 172
Changing Appliance Manager Row Colors ..................... 172
Ignoring an Appliance’s Status Reports ......................... 173
Ignoring a specific component ..................................... 174
Ignoring an entire appliance ........................................ 174
Using the Appliance Detail Dialog Box .......................... 174
Using the Performance Graph ....................................... 176
Opening the Performance Graph .................................176
Setting up the Performance Graph ...............................177
Viewing several counters at once .................................. 180
CHAPTER 14 Responding to Alarms ........................... 183
Viewing new alarms ................................................... 183
Using the Alarm Console window ................................ 184
Viewing details on alarms ........................................... 185
Refreshing the Alarm Console window .......................... 185
Acknowledging alarms ............................................... 185
Reopening acknowledged alarms .................................186
Clearing alarms ......................................................... 186
Reopening cleared alarms ........................................... 186
Purging cleared alarms ...............................................186
Reorganizing the list of alarms .....................................187
Filtering alarms ......................................................... 187
Disabling alarm filtering .............................................. 188
Index 189
CHAPTER 1 About WatchGuard CPM
Congratulations on your purchase of the WatchGuard Central Policy
Manager (CPM). Using this product, you can simplify security policy
deployment with a central console that lets you manage multiple Firebox
Vclass installations across an entire enterprise infrastructure. This
powerful and highly scalable network management platform offers global
management for large enterprises, data centers, and service providers.
You begin your assessment of how to secure a site or network with a
security stance. Simply put, a security stance is a statement of how an
organization protects its assets. An effective organization-wide
security stance considers:
• Implementation and maintenance of the stance, and how the stance fits
in with the organization’s goals and objectives
• The level of access provided to the various users and groups within
the organization
• Whether the organization allows recreational use of facilities and
systems
• What level of remote access communication is allowed
The stance generally accepted by the Internet security community is to
discard all packets not explicitly allowed; stated simply as “that which
is not explicitly allowed is denied.” WatchGuard Vclass Fireboxes, like
most commercial firewalls, adopt this as their default stance. Discarding
all data packets not explicitly allowed through the firewall protects
against attacks based upon new, unfamiliar, or obscure IP services. It
also provides a safety net regarding unknown services and
configuration errors that otherwise threaten network security.
This means that for the Firebox to pass any traffic, it must be
configured to pass the traffic that you or your customers want to come
through the firewall. The network administrator must actively select the
required services and protocols, configure each one to define which
hosts can send and receive them, and set the other individual properties
for each service.
Components of CPM
CPM consists of two main components, CPM Server and CPM Client. It
can manage many different types of appliances, as shown in the following
figure.
CPM Server
The CPM Server software includes a database that stores the
configurations and policies for all appliances while it actively monitors
the status of each appliance, alerting you if problems arise. WatchGuard
recommends that you install the CPM Server component onto a separate,
high-capacity host computer. You can install both Client and Server onto
a single workstation if your network environment is small and you do not
plan to expand it.
A large amount of appliance-specific information can be stored in
CPM Server as appliance-specific profiles. When needed, you can prompt
CPM Server to use its secure connections to all your appliances to deploy
new or updated profiles.
CPM Client
The CPM Client application gives administrative workstations access to
CPM Server. You can install and run the Client on any number of
administrative workstations. After an administrator uses the Client to log
into CPM Server, he or she can set up global policies and record
appliance-specific profiles, including policies, system configurations, log
files, alarms, and activity monitors. If the administrator has fewer
privileges, he or she might only be able to review the active alarms and
clear them.
You can assign more than one administrator to manage various aspects of
the overall task load. Your authorized client administrative users do not
have to be “local” to participate in the CPM system. If you load VPN
policies into the relevant appliances that would permit secure
communications between a client workstation and the server host, other
remote administrators can assume their duties from their locations.
CPM and Network Configuration
You can use CPM to maintain and monitor any number of Firebox Vclass
and RapidStream security appliances both within your local firewall and
outside the firewall. The key requirement is an SSL/HTTPS policy on
each appliance that permits CPM to gain complete access to that
appliance through whatever firewalls may exist between the Server and
that appliance. This includes full-strength gateway security appliances,
internal-use appliances that guard private network assets, and VPN client
appliances, distributed throughout the Internet and serviced by ISPs.
Most networks using CPM have one of the two following configurations:
• An extended network has CPM connected to a gateway appliance,
through which it is connected to other appliances outside the local
firewall.
• A local network has CPM connected to a collection of appliances, all
inside the local firewall.
Types of Appliances Administered with CPM
You can administer, monitor, and coordinate network communications
between a number of devices in CPM:
• WatchGuard Firebox Vclass security appliances
• RapidStream appliances
• RapidStream “Secured by Check Point” appliances
• Third-party security appliances
• “Virtual appliances” that represent VLAN or user domain tenants
associated with an operational appliance
• Remote appliances running MUVPN
CPM and WatchGuard Vclass/RapidStream security appliances
You can use CPM to install and configure the operational profile for any
“factory default” Firebox Vclass appliances from WatchGuard or legacy
appliances manufactured by RapidStream. After the appliances are
deployed and operational, you can monitor and troubleshoot them.
CPM and RapidStream "Secured by Check Point" security appliances
If you are using RapidStream appliances running pre-installed Check
Point software, you can continue to use RapidStream Navigator to
administer the appliances, while using CPM to identify the location of
these appliances for policy-making purposes. CPM can also be used to
monitor appliance status using SNMP.
Because CPM includes a link to RapidStream Navigator, you can integrate
CPM system monitoring with the maintenance of “Secured by Check Point”
security appliances through RapidStream Navigator.
Recording the Check Point appliances in CPM as network assets allows
you to record security policies that establish traffic between the Check
Point devices and Firebox Vclass or RapidStream devices.
Remote appliances running MUVPN
Telecommuters working from home and traveling employees who need
corporate network access are common fixtures in today’s business
environment. Mobile User VPN (MUVPN) creates an IPSec tunnel
between an unsecured remote host and your trusted and optional
networks using a standard Internet dial-up or broadband connection
without compromising security. This type of VPN requires only one
Firebox for the private network and the Mobile User VPN software
module.
Maintaining and managing VPN tunnels established between a main
corporate office and one or more branch offices can become an
overwhelming task. CPM centralizes all intersite communication, which
preserves network performance and simplifies maintenance.
Appliances running MUVPN are recorded as “RAS user” in CPM.
CPM and foreign security appliances
You can record all third-party appliances, which include third-party
security appliances or older-model Firebox appliances, as assets in your
extended network. You can then use CPM to configure security policies
for communications between Firebox Vclass appliances and these third-
party appliances.
The following table summarizes all of the CPM management options, by
appliance type:

Appliance type                        Use CPM to   Use CPM to   Use as addresses
                                      configure    monitor      in CPM policies
WatchGuard Firebox Vclass appliances  X            X            X
WatchGuard Firebox appliances                                   X
RapidStream appliances                X            X            X
RapidStream Check Point appliances    X            X            X
Third-party appliances                                          X
CHAPTER 2 Installing or Upgrading CPM Software
This chapter describes how to install or upgrade the two components of
the CPM system: the CPM Server software and the CPM Client
application. Each software installation relies on the use of an
InstallShield™ Wizard stored on the CD-ROM enclosed with your
manual and software registration. This chapter also covers backing up
and removing CPM software.
For information on installing CPM Server on a Solaris host, see the CPM
Reference Guide.
Where You Can Install CPM Server and Client
You can install both CPM Server and CPM Client onto any qualifying
computer, workstation, or host/server. Or you can install the components
onto separate machines; the choice depends upon the following
requirements:
Workstation only
If your workstation CPU processor speed is sufficient, you can
install both server and client software onto a workstation/
desktop computer. WatchGuard recommends installing CPM
Server onto an auxiliary drive with at least fifty (50) megabytes of
free space.
You can install CPM Client onto the main drive of the
workstation. It does not increase in size during use.
Workstation/Server
WatchGuard recommends this mode of installation, in which you
install the CPM Server software separately onto a server with an
auxiliary drive or a separate partition that has at least 50 MB in
free space.
You can install CPM Client onto the main drive of any locally
networked workstation. It does not increase in size during use.
Installation requirements
To manage more than one security appliance with CPM, you must have
the appropriate WatchGuard CPM license. This license determines the
number of appliances that you can administer. After the required license
is entered during installation (or later, if needed) CPM Server can contact
and administer the maximum number of licensed appliances. (If you add
more appliances to your network, you can easily obtain and install an
expanded-capacity license.) For information about obtaining a site license
for CPM, see “Obtaining the Site License for CPM” on page 13.
All CPM Clients communicate with CPM Server through a Secure Socket
Layer (SSL) connection, whether the client workstation is located inside or
outside the firewall of the corporate network.