Watchguard Firebox Vclass User guide

  • Hello! I am an AI chatbot trained to assist you with the Watchguard Firebox Vclass User guide. I’ve already reviewed the document and can help you find the information you need or explain it in simple terms. Just ask your questions, and providing more details will help me assist you more effectively!
WatchGuard
®
Central Policy
Manager User
Guide
Central Policy Manager 5.1
ii Central Policy Manager 5.1
Copyright
Copyright © 1998-2003 WatchGuard Technologies, Inc.
All rights reserved.
Notice to Users
Information in this document is subject to change and
revision without notice. This documentation and the software
described herein is subject to and may only be used and
copied as outlined in the Firebox System software end-user
license agreement. No part of this manual may be reproduced
by any means, electronic or mechanical, for any purpose
other than the purchaser’s personal use, without prior written
permission from WatchGuard Technologies, Inc.
TRADEMARK NOTES
WatchGuard and LiveSecurity are either trademarks or
registered trademarks of WatchGuard Technologies, Inc. in
the United States and other countries. Firebox, ServerLock,
DVCP, and Designing peace of mind are trademarks of
WatchGuard Technologies, Inc. All other trademarks or
trade names mentioned herein, if any, are the property of
their respective owners.
Part No: 1200016
Central Policy Manager User Guide iii
WatchGuard Technologies, Inc.
Firebox System Software
End-User License Agreement
WatchGuard Central Policy Manager (CPM) End-User
License Agreement
IMPORTANT - READ CAREFULLY BEFORE ACCESSING
WATCHGUARD SOFTWARE:
This Central Policy Manager End-User License Agreement
('AGREEMENT') is a legal agreement between you (either an
individual or a single entity) and WatchGuard Technologies,
Inc. ('WATCHGUARD') for the WATCHGUARD optional
software product for the WatchGuard Firebox product you
have purchased, which includes computer software
components (whether installed separately on a computer
workstation or on the WATCHGUARD hardware product)
and may include associated media, printed materials, and on-
line or electronic documentation, and any updates or
modifications thereto, including those received through the
WatchGuard LiveSecurity Service (or its equivalent), (the '
OPTIONAL SOFTWARE PRODUCT'). WATCHGUARD is
willing to license the OPTIONAL SOFTWARE PRODUCT to
you only on the condition that you accept all of the terms
contained in this Agreement. Please read this Agreement
carefully. By installing, activating or using the OPTIONAL
SOFTWARE PRODUCT you agree to be bound by the terms
of this Agreement. If you do not agree to the terms of this
AGREEMENT, WATCHGUARD will not license the
OPTIONAL SOFTWARE PRODUCT to you, and you will not
have any rights in the OPTIONAL SOFTWARE PRODUCT.
In that case, promptly return the OPTIONAL SOFTWARE
PRODUCT/license key certificate, along with proof of
payment, to the authorized dealer from whom you obtained
the OPTIONAL SOFTWARE PRODUCT/license key
certificate for a full refund of the price you paid.
iv Central Policy Manager 5.1
1. Ownership and License. The OPTIONAL SOFTWARE
PRODUCT is protected by copyright laws and international
copyright treaties, as well as other intellectual property laws
and treaties. This is a license agreement and NOT an
agreement for sale. All title and copyrights in and to the
OPTIONAL SOFTWARE PRODUCT (including but not
limited to any images, photographs, animations, video,
audio, music, text, and pallets incorporated into the
OPTIONAL SOFTWARE PRODUCT), the accompanying
printed materials, and any copies of the OPTIONAL
SOFTWARE PRODUCT are owned by WATCHGUARD or its
licensors. Your rights to use the OPTIONAL SOFTWARE
PRODUCT are as specified in this AGREEMENT, and
WATCHGUARD retains all rights not expressly granted to
you in this AGREEMENT. Nothing in this AGREEMENT
constitutes a waiver of our rights under U.S. copyright law or
any other law or treaty.
2. Permitted Uses. You are granted the following rights to
the OPTIONAL SOFTWARE PRODUCT:
(A) You may install and use the OPTIONAL SOFTWARE
PRODUCT on that number of WATCHGUARD hardware
products (or manage that number of WATCHGUARD
hardware products) at any one time as permitted in the
license key certificate that you have purchased and may
install and use the OPTIONAL SOFTWARE PRODUCT on
multiple workstation computers. You must also maintain a
current subscription to the WatchGuard LiveSecurity Service
(or its equivalent) for each additional WATCHGUARD
hardware product on which you will use a copy of an updated
or modified version of the OPTIONAL SOFTWARE
PRODUCT received through the WatchGuard LiveSecurity
Service (or its equivalent).
(B) To use the OPTIONAL SOFTWARE PRODUCT on more
WATCHGUARD hardware products than provided for in
Section 2(A), you must license additional copies of the
OPTIONAL SOFTWARE PRODUCT as required.
(C) In addition to the copies described in Section 2(A), you
may make a single copy of the OPTIONAL SOFTWARE
PRODUCT for backup or archival purposes only.
Central Policy Manager User Guide v
3. Prohibited Uses. You may not, without express written
permission from WATCHGUARD:
(A) Use, copy, modify, merge or transfer copies of the
OPTIONAL SOFTWARE PRODUCT or printed materials
except as provided in this AGREEMENT;
(B) Use any backup or archival copy of the OPTIONAL
SOFTWARE PRODUCT (or allow someone else to use such a
copy) for any purpose other than to replace the original copy
in the event it is destroyed or becomes defective;
(C) Sublicense, lend, lease or rent the OPTIONAL
SOFTWARE PRODUCT;
(D) Transfer this license to another party unless
(i) the transfer is permanent,
(ii) the third party recipient agrees to the terms of this
AGREEMENT, and
(iii) you do not retain any copies of the OPTIONAL
SOFTWARE PRODUCT; or
(E) Reverse engineer, disassemble or decompile the
OPTIONAL SOFTWARE PRODUCT.
4. Limited Warranty. WATCHGUARD makes the following
limited warranties for a period of ninety (90) days from the
date you obtained the OPTIONAL SOFTWARE PRODUCT
from WATCHGUARD or an authorized dealer:
(A) Media. The disks and documentation will be free from
defects in materials and workmanship under normal use. If
the disks or documentation fail to conform to this warranty,
you may, as your sole and exclusive remedy, obtain a
replacement free of charge if you return the defective disk or
documentation to us with a dated proof of purchase.
(B) OPTIONAL SOFTWARE PRODUCT. The OPTIONAL
SOFTWARE PRODUCT will materially conform to the
documentation that accompanies it or its license key
certificate. If the OPTIONAL SOFTWARE PRODUCT fails
vi Central Policy Manager 5.1
to operate in accordance with this warranty, you may, as your
sole and exclusive remedy, return all of the OPTIONAL
SOFTWARE PRODUCT and the documentation to the
authorized dealer from whom you obtained it, along with a
dated proof of purchase, specifying the problems, and they
will provide you with a new version of the OPTIONAL
SOFTWARE PRODUCT or a full refund, at their election.
Disclaimer and Release. THE WARRANTIES,
OBLIGATIONS AND LIABILITIES OF WATCHGUARD,
AND YOUR REMEDIES, SET FORTH IN PARAGRAPHS
4, 4(A) AND 4(B) ABOVE ARE EXCLUSIVE AND IN
SUBSTITUTION FOR, AND YOU HEREBY WAIVE,
DISCLAIM AND RELEASE ANY AND ALL OTHER
WARRANTIES, OBLIGATIONS AND LIABILITIES OF
WATCHGUARD AND ITS LICENSORS AND ALL OTHER
RIGHTS, CLAIMS AND REMEDIES YOU MAY HAVE
AGAINST WATCHGUARD AND ITS LICENSORS,
EXPRESS OR IMPLIED, ARISING BY LAW OR
OTHERWISE, WITH RESPECT TO ANY
NONCONFORMANCE OR DEFECT IN THE OPTIONAL
SOFTWARE PRODUCT (INCLUDING, BUT NOT LIMITED
TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY
OR FITNESS FOR A PARTICULAR PURPOSE, ANY
IMPLIED WARRANTY ARISING FROM COURSE OF
PERFORMANCE, COURSE OF DEALING, OR USAGE OF
TRADE, ANY WARRANTY OF NONINFRINGEMENT,
ANY WARRANTY THAT THE OPTIONAL SOFTWARE
PRODUCT WILL MEET YOUR REQUIREMENTS, ANY
WARRANTY OF UNINTERRUPTED OR ERROR-FREE
OPERATION, ANY OBLIGATION, LIABILITY, RIGHT,
CLAIM OR REMEDY IN TORT, WHETHER OR NOT
ARISING FROM THE NEGLIGENCE (WHETHER
ACTIVE, PASSIVE OR IMPUTED) OR FAULT OF
WATCHGUARD AND ITS LICENSORS AND ANY
OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY
FOR LOSS OR DAMAGE TO, OR CAUSED BY OR
CONTRIBUTED TO BY, THE OPTIONAL SOFTWARE
PRODUCT).
Central Policy Manager User Guide vii
Limitation of Liability. WATCHGUARD'S LIABILITY
(WHETHER IN CONTRACT, TORT, OR OTHERWISE; AND
NOTWITHSTANDING ANY FAULT, NEGLIGENCE,
STRICT LIABILITY OR PRODUCT LIABILITY) WITH
REGARD TO THE OPTIONAL SOFTWARE PRODUCT
WILL IN NO EVENT EXCEED THE PURCHASE PRICE
PAID BY YOU FOR SUCH PRODUCT. THIS SHALL BE
TRUE EVEN IN THE EVENT OF THE FAILURE OF AN
AGREED REMEDY. IN NO EVENT WILL WATCHGUARD
BE LIABLE TO YOU OR ANY THIRD PARTY, WHETHER
ARISING IN CONTRACT (INCLUDING WARRANTY),
TORT (INCLUDING ACTIVE, PASSIVE OR IMPUTED
NEGLIGENCE AND STRICT LIABILITY AND FAULT),
FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT
LIMITATION LOSS OF BUSINESS PROFITS, BUSINESS
INTERRUPTION, OR LOSS OF BUSINESS
INFORMATION) ARISING OUT OF OR IN CONNECTION
WITH THIS WARRANTY OR THE USE OF OR INABILITY
TO USE THE OPTIONAL SOFTWARE PRODUCT, EVEN IF
WATCHGUARD HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. THIS SHALL BE
TRUE EVEN IN THE EVENT OF THE FAILURE OF AN
AGREED REMEDY.
5.United States Government Restricted Rights. The
OPTIONAL SOFTWARE PRODUCT is provided with
Restricted Rights. Use, duplication or disclosure by the U.S.
Government or any agency or instrumentality thereof is
subject to restrictions as set forth in subdivision (c)(1)(ii) of
the Rights in Technical Data and Computer Software clause
at DFARS 252.227-7013, or in subdivision (c)(1) and (2) of
the Commercial Computer Software -- Restricted Rights
Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer
is WatchGuard Technologies, Inc., 505 5th Ave. South, Suite
500, Seattle, WA 98104.
6.Export Controls. You agree not to directly or indirectly
transfer the OPTIONAL SOFTWARE PRODUCT or
viii Central Policy Manager 5.1
documentation to any country to which such transfer would
be prohibited by the U.S. Export Administration Act and the
regulations issued thereunder.
7.Termination. This license and your right to use the
SOFTWARE PRODUCT will automatically terminate if you
fail to comply with any provisions of this AGREEMENT,
destroy all copies of the OPTIONAL SOFTWARE PRODUCT
in your possession, or voluntarily return the OPTIONAL
SOFTWARE PRODUCT to WATCHGUARD. Upon
termination you will destroy all copies of the OPTIONAL
SOFTWARE PRODUCT and documentation remaining in
your control or possession.
8.Miscellaneous Provisions. This AGREEMENT will be
governed by and construed in accordance with the
substantive laws of Washington excluding the 1980 United
National Convention on Contracts for the International Sale
of Goods, as amended. This is the entire AGREEMENT
between us relating to the OPTIONAL SOFTWARE
PRODUCT, and supersedes any prior purchase order,
communications, advertising or representations concerning
the OPTIONAL SOFTWARE PRODUCT AND BY USING
THE OPTIONAL SOFTWARE PRODUCT YOU AGREE TO
THESE TERMS. IF THE SOFTWARE PRODUCT IS
BEING USED BY AN ENTITY, THE INDIVIDUAL
INDICATING AGREEMENT TO THESE TERMS
REPRESENTS AND WARRANTS THAT (A) SUCH
INDIVIDUAL IS DULY AUTHORIZED TO ACCEPT THIS
AGREEMENT ON BEHALF OF THE ENTITY AND TO
BIND THE ENTITY TO THE TERMS OF THIS
AGREEMENT; (B) THE ENTITY HAS THE FULL POWER,
CORPORATE OR OTHERWISE, TO ENTER INTO THIS
AGREEMENT AND PERFORM ITS OBLIGATIONS
UNDER THIS AGREEMENT AND; (C) THIS
AGREEMENT AND THE PERFORMANCE OF THE
ENTITY'S OBLIGATIONS UNDER THIS AGREEMENT DO
NOT VIOLATE ANY THIRD-PARTY AGREEMENT TO
WHICH THE ENTITY IS A PARTY. No change or
modification of this AGREEMENT will be valid unless it is in
writing and is signed by WATCHGUARD.
Central Policy Manager User Guide ix
Contents
CHAPTER 1 About WatchGuard CPM ...........................1
Why Use WatchGuard CPM? .............................................1
Components of CPM ........................................................2
CPM Server ..................................................................2
CPM Client ..................................................................3
Network Security Basics ....................................................3
Offline and Online Configuration ......................................4
Address Objects in CPM Security Policies ..........................5
CPM Policy Examples .....................................................6
CPM and Network Configuration .....................................10
Types of Appliances Administered with CPM ....................12
CPM and WatchGuard Vclass/RapidStream security appliances
...........................................................................12
CPM and RapidStream "Secured by Check Point" security
appliances
..........................................................12
Remote appliances running MUVPN ................................13
CPM and third-party security appliances ..........................13
About Router Mode and Transparent Mode .....................14
Router Mode ..............................................................14
Transparent Mode .......................................................16
x Central Policy Manager 5.1
More information ........................................................ 17
CHAPTER 2 Installing or Upgrading CPM Software .. 19
Where You Can Install CPM Server and Client .................. 19
Installation requirements .............................................. 20
System Requirements for CPM Server ............................. 21
System Requirements for CPM Client .............................. 22
Java 2 runtime environment (JRE) .................................. 23
Obtaining the Site License for CPM ................................ 24
Installing the CPM Server Software ................................. 25
Installing the CPM Client Software .................................. 29
Upgrading from a Previous Versions of CPM .................... 34
Backing Up CPM Server ................................................. 35
Uninstalling CPM Server or Client ................................... 36
CHAPTER 3 Starting the CPM Client and Server ....... 37
Starting the CPM Client for the First Time ....................... 37
Changing Your CPM Client Login Password ..................... 41
If CPM prompts a password change ............................... 41
If you want to replace an existing password ..................... 42
Starting the CPM Client After Initial Log In ...................... 44
Upgrading your CPM License ......................................... 44
Stopping the CPM Server ............................................... 46
Stopping CPM Server at the host computer ..................... 46
Shutting down CPM Server at the CPM Client workstation .. 48
Starting or Restarting CPM Server ................................... 49
CHAPTER 4 Creating CPM Administrator Accounts .51
CPM Default Roles ......................................................... 52
Creating New Roles (Optional) ....................................... 52
Creating Administrator Accounts .................................... 56
Completing the Access Setup ........................................ 58
Reviewing the Current CPM Session ............................... 58
Determining Which Other Administrators Are Online ....... 59
Reserving a CPM Window .............................................. 60
If you can’t reserve a window ........................................ 62
Central Policy Manager User Guide xi
CHAPTER 5 Configuring Appliances for Network Use ..
.......................................................................63
Getting Started ..............................................................64
Installing and Setting Up a Firebox Vclass Appliance ........64
Adding Appliances to CPM .............................................65
Discovering devices .....................................................65
Adding a new appliance record ......................................68
Importing Licenses and Certificates (Optional) ..................70
Obtaining the x.509 certificate .......................................70
Importing the new x.509 certificate .................................71
Importing licenses for extended features ..........................72
Reviewing the current licenses .......................................74
Deleting an out-of-date license ......................................76
Installing multiple licenses .............................................76
Restoring the Appliance to a Factory-Default State ...........78
Configuring the Appliance Hardware ...............................78
Running the CPM Default Policy Wizard ...........................80
If you chose the extended network .................................81
If you chose the local network ........................................83
Creating Network Addresses ...........................................85
Entering the Security Policies ..........................................86
Assembling the CPM Policy Components ........................87
Assembling a policy from available components ................88
Defining the Required Alarms .........................................90
Deploying the Profile ......................................................90
Compiling the profiles ..................................................90
Deploying the profiles ..................................................91
Relocating the Appliance ................................................92
CHAPTER 6 Completing the Appliance Configuration ..
.......................................................................95
Configuring a New WatchGuard Appliance ......................95
Completing the General Entries ......................................96
Completing the Interfaces Entries ....................................98
Completing the Routing Entries ....................................109
xii Central Policy Manager 5.1
Completing the DNS Entries ........................................ 111
Completing the SNMP Entries ...................................... 113
Completing the Log Settings Entries ............................. 114
Completing the Hacker Prevention Entries .................... 117
Completing the High Availability Tab ............................ 120
Configuration comparison between Active/Standby and Active/
Active mode
.................................................... 122
Completing the Tunnel Switch Entries ........................... 125
Completing the VLAN Forwarding Tab .......................... 127
Completing the NTP Tab .............................................. 129
Completing the Blocked Sites tab ................................. 130
Global Blocked Sites ................................................. 133
Completing the Advanced tab ..................................... 134
Completing the System Configuration Setup ................. 137
Reviewing the current licenses ..................................... 137
CHAPTER 7 Defining Security Policies in CPM ........ 139
Security Policy Components ......................................... 139
Traffic specifications .................................................. 140
Policy actions ........................................................... 140
Security Policies in CPM ............................................... 141
Scope of policies in CPM ............................................ 141
Addresses and address groups .................................... 141
Cataloging Addresses for Use in Policies ....................... 144
Entering a new address group ..................................... 145
Entering a new RAS address ....................................... 146
Creating a New Policy .................................................. 147
Cataloging Services for Use in Policies .......................... 150
Adding a new service ................................................ 150
Adding a new protocol .............................................. 151
Combining services in a group .................................... 153
Creating Policy Schedules ............................................ 154
Creating a new schedule ............................................ 154
Applying an existing schedule to a policy ...................... 155
Central Policy Manager User Guide xiii
CHAPTER 8 Using Policy Actions ...............................157
Combining Policy Actions .............................................157
Blocking and Rejecting Traffic .......................................158
About Network Address Translation (NAT) .....................159
Activating Dynamic NAT .............................................159
Activating Static NAT .................................................160
About Load Balancing ..................................................161
About QoS Actions ......................................................164
Activating port shaping ..............................................166
Applying a QoS action ...............................................166
Customizing a QoS action ...........................................166
Activating TOS marking ..............................................167
CHAPTER 9 Defining Proxies in CPM ........................169
In This Chapter ............................................................170
Proxy Description .........................................................170
HTTP Client proxy .....................................................170
SMTP proxy ..............................................................171
Rules and rulesets .....................................................171
General Proxy Configuration .........................................173
Using a proxy action in the configuration editor ...............173
Creating a proxy action ..............................................173
Editing an existing proxy action ....................................175
Configuring proxy rules ..............................................177
Ordering listed rules in a proxy action ...........................180
Proxy Parameters Reference ..........................................182
HTTP Client proxy .....................................................182
SMTP Proxy ..............................................................203
Reference Sources ........................................................219
CHAPTER 10 About Virtual Private Networks ...........221
About VPN Policies ......................................................222
VPN Policies and IPSec Actions .....................................224
About Encryption .........................................................225
Overview of Creating a VPN .........................................225
xiv Central Policy Manager 5.1
CHAPTER 11 Creating an Automatic Key IPSec Action ..
.................................................................... 229
An Overview of VPN Policies ........................................ 229
Creating a New Automatic Key VPN Policy .................... 230
Making a VPN Policy Bi-directional ............................... 232
Assessing the IKE settings .......................................... 232
Customizing an IPSec Action ........................................ 235
Customizing an IPSec proposal using a single transform ... 236
Customizing an IPSec proposal with more than one transform .
........................................................................ 237
Customizing multiple IPSec proposals with one or more
transforms
....................................................... 240
CHAPTER 12 Creating Remote Access VPN Policies 243
Creating a Policy for a Firebox V10 ............................... 243
Creating the Addresses entries .................................... 243
Creating the RAS security policy .................................. 244
Confirming the IKE settings ........................................ 244
Generating and deploying profiles ............................... 245
Creating a Policy for MUVPN Client Software ................ 245
Creating the RAS address group .................................. 245
Creating the security policy ......................................... 246
Confirming the IKE pair settings .................................. 246
Confirming the authentication method .......................... 246
CHAPTER 13 Establishing Tunnel Switching .............. 251
About Tunnel Switching ............................................... 251
Activating Tunnel Switching on the Central Appliance .... 252
Activating Tunnel Switching Between Sites .................... 252
CHAPTER 14 Monitoring Appliances .......................... 255
How CPM Monitors Appliances .................................... 255
About network polling ............................................... 255
About event notification ............................................. 256
Indicators Monitored by CPM ....................................... 257
About Appliance Availability ....................................... 257
About Interface Status ............................................... 259
Central Policy Manager User Guide xv
Reorganizing Appliance Manager Window Columns .......259
Working with Appliance Groups Folders ........................261
Reorganizing the Appliance Manager window ................261
Filtering Appliance Manager Window Entries .................262
Color-Coding in the Appliance Manager ........................263
Changing Appliance Manager Row Colors .....................263
Ignoring an Appliance’s Status Reports ..........................265
Ignoring a specific component .....................................265
Ignoring an entire appliance ........................................265
Using the Appliance Detail Dialog Box ..........................266
Using the Performance Graph .......................................267
Opening the Performance Graph ..................................268
Setting up the Performance Graph ................................268
Viewing several counters at once ..................................272
CHAPTER 15 Responding to Alarms ...........................275
Viewing new alarms ...................................................275
Using the Alarm Console window ................................276
Viewing details on alarms ............................................277
Acknowledging alarms ...............................................277
Reopening acknowledged alarms .................................277
Clearing alarms .........................................................278
Reopening cleared alarms ...........................................278
Purging cleared alarms ...............................................278
Reorganizing the list of alarms .....................................279
Filtering alarms .........................................................279
Disabling alarm filtering ..............................................280
Index ......................................................................... 281
xvi Central Policy Manager 5.1
Central Policy Manager User Guide 1
CHAPTER 1 About WatchGuard
CPM
Congratulations on your purchase of the WatchGuard
Central Policy Manager (CPM). Using this product,
you can simplify security policy deployment with a
central console that lets you manage multiple Firebox
Vclass installations across an entire enterprise infra-
structure. This powerful and highly scalable network
management platform offers global management for
large enterprises, data centers, and service providers.
Why Use WatchGuard CPM?
With WatchGuard CPM, you can configure and moni-
tor hundreds of Firebox Vclass appliances. It is the
ideal global management solution for distributed
enterprises, data centers, and service providers who
depend on Firebox Vclass appliances for their high-
speed security.
CHAPTER 1: About WatchGuard CPM
2 Central Policy Manager 5.1
Components of CPM
CPM consists of two main components, CPM Server and
CPM Client. CPM can be used to manage many different
types of appliances, as shown in the following figure.
CPM Server
The CPM Server software includes a database that stores
the configurations and policies for all appliances while it
actively monitors the status of each appliance, alerting you
if problems arise. WatchGuard recommends that you
install the CPM Server component onto a separate, high-
Network Security Basics
Central Policy Manager User Guide 3
capacity host computer. You can install both Client and
Server onto a single workstation if your network environ-
ment is small and you do not plan to expand it.
A large amount of appliance-specific information can be
stored in CPM Server as appliance-specific profiles. When
needed, you can prompt CPM Server to use its secure con-
nections to all your appliances to deploy new or updated
profiles.
CPM Client
The CPM Client application gives administrative worksta-
tions access to CPM Server. You can install and run the Cli-
ent on any number of administrative workstations. After
an administrator uses the Client to log into CPM Server, he
or she can set up global policies and record appliance-spe-
cific profiles, including policies, system configurations, log
files, alarms, and activity monitors. If the administrator has
fewer privileges, he or she might only be able to review the
active alarms and clear them.
You can assign more than one administrator to manage
various aspects of the overall task load. Your authorized
client administrative users do not have to be “local” to par-
ticipate in the CPM system. If you load VPN policies into
the relevant appliances that would permit secure commu-
nications between a client workstation and the server host,
other remote administrators can assume their duties from
their locations.
Network Security Basics
You begin your assessment of how to secure a site or
network with a security stance. Simply put, a security
stance is a statement of how an organization protects its
assets. An effective organization-wide security stance
considers:
CHAPTER 1: About WatchGuard CPM
4 Central Policy Manager 5.1
Implementation and maintenance of the stance, and
how the stance fits in with the organization’s goals and
objectives
The level of access provided to the various users and
groups within the organization
Whether the organization allows recreational use of
facilities and systems
What level of remote access communication is allowed
The stance generally accepted by the Internet security
community is to discard all packets not explicitly
allowed; stated simply, “that which is not explicitly
allowed is denied.” WatchGuard Firebox Vclass appli-
ances, like most commercial firewalls, adopt this as the
default stance. Discarding all data packets not explicitly
allowed through the firewall protects against attacks
based upon new, unfamiliar, or obscure IP services. It
also provides a safety net regarding unknown services
and configuration errors that can threaten network secu-
rity.
This means that for the Firebox to pass any traffic, it
must be configured to pass the traffic your customer
wants to allow through the firewall. The network
administrator must actively select the services and pro-
tocols you or your customers want, configure each one
to define which hosts can send and receive them, and set
other individual properties for the service.
Offline and Online Configuration
Unlike WatchGuard Vcontroller and other single-appliance
management tools, CPM performs most configuration
tasks offline. During offline configuration, CPM does not
need a connection to an appliance. All configuration for an
appliance is completed on the CPM server, compiled into a
profile for the appliance, and deployed to the appliance at
/