Watchguard Firebox Vclass User guide

WatchGuard

®

Central Policy

Manager User

Guide

Central Policy Manager 5.1

ii Central Policy Manager 5.1

Copyright

Notice to Users

Information in this document is subject to change and

revision without notice. This documentation and the software

described herein is subject to and may only be used and

copied as outlined in the Firebox System software end-user

license agreement. No part of this manual may be reproduced

by any means, electronic or mechanical, for any purpose

other than the purchaser’s personal use, without prior written

permission from WatchGuard Technologies, Inc.

TRADEMARK NOTES

WatchGuard and LiveSecurity are either trademarks or

registered trademarks of WatchGuard Technologies, Inc. in

the United States and other countries. Firebox, ServerLock,

DVCP, and Designing peace of mind are trademarks of

WatchGuard Technologies, Inc. All other trademarks or

trade names mentioned herein, if any, are the property of

their respective owners.

Part No: 1200016

Central Policy Manager User Guide iii

WatchGuard Technologies, Inc.

Firebox System Software

End-User License Agreement

WatchGuard Central Policy Manager (CPM) End-User

License Agreement

IMPORTANT - READ CAREFULLY BEFORE ACCESSING

WATCHGUARD SOFTWARE:

This Central Policy Manager End-User License Agreement

('AGREEMENT') is a legal agreement between you (either an

individual or a single entity) and WatchGuard Technologies,

Inc. ('WATCHGUARD') for the WATCHGUARD optional

software product for the WatchGuard Firebox product you

have purchased, which includes computer software

components (whether installed separately on a computer

workstation or on the WATCHGUARD hardware product)

and may include associated media, printed materials, and on-

line or electronic documentation, and any updates or

modifications thereto, including those received through the

WatchGuard LiveSecurity Service (or its equivalent), (the '

OPTIONAL SOFTWARE PRODUCT'). WATCHGUARD is

willing to license the OPTIONAL SOFTWARE PRODUCT to

you only on the condition that you accept all of the terms

contained in this Agreement. Please read this Agreement

carefully. By installing, activating or using the OPTIONAL

SOFTWARE PRODUCT you agree to be bound by the terms

of this Agreement. If you do not agree to the terms of this

AGREEMENT, WATCHGUARD will not license the

OPTIONAL SOFTWARE PRODUCT to you, and you will not

have any rights in the OPTIONAL SOFTWARE PRODUCT.

In that case, promptly return the OPTIONAL SOFTWARE

PRODUCT/license key certificate, along with proof of

payment, to the authorized dealer from whom you obtained

the OPTIONAL SOFTWARE PRODUCT/license key

certificate for a full refund of the price you paid.

iv Central Policy Manager 5.1

1. Ownership and License. The OPTIONAL SOFTWARE

PRODUCT is protected by copyright laws and international

copyright treaties, as well as other intellectual property laws

and treaties. This is a license agreement and NOT an

agreement for sale. All title and copyrights in and to the

OPTIONAL SOFTWARE PRODUCT (including but not

limited to any images, photographs, animations, video,

audio, music, text, and pallets incorporated into the

OPTIONAL SOFTWARE PRODUCT), the accompanying

printed materials, and any copies of the OPTIONAL

SOFTWARE PRODUCT are owned by WATCHGUARD or its

licensors. Your rights to use the OPTIONAL SOFTWARE

PRODUCT are as specified in this AGREEMENT, and

WATCHGUARD retains all rights not expressly granted to

you in this AGREEMENT. Nothing in this AGREEMENT

constitutes a waiver of our rights under U.S. copyright law or

any other law or treaty.

2. Permitted Uses. You are granted the following rights to

the OPTIONAL SOFTWARE PRODUCT:

(A) You may install and use the OPTIONAL SOFTWARE

PRODUCT on that number of WATCHGUARD hardware

products (or manage that number of WATCHGUARD

hardware products) at any one time as permitted in the

license key certificate that you have purchased and may

install and use the OPTIONAL SOFTWARE PRODUCT on

multiple workstation computers. You must also maintain a

current subscription to the WatchGuard LiveSecurity Service

(or its equivalent) for each additional WATCHGUARD

hardware product on which you will use a copy of an updated

or modified version of the OPTIONAL SOFTWARE

PRODUCT received through the WatchGuard LiveSecurity

Service (or its equivalent).

(B) To use the OPTIONAL SOFTWARE PRODUCT on more

WATCHGUARD hardware products than provided for in

Section 2(A), you must license additional copies of the

OPTIONAL SOFTWARE PRODUCT as required.

(C) In addition to the copies described in Section 2(A), you

may make a single copy of the OPTIONAL SOFTWARE

PRODUCT for backup or archival purposes only.

Central Policy Manager User Guide v

3. Prohibited Uses. You may not, without express written

permission from WATCHGUARD:

(A) Use, copy, modify, merge or transfer copies of the

OPTIONAL SOFTWARE PRODUCT or printed materials

except as provided in this AGREEMENT;

(B) Use any backup or archival copy of the OPTIONAL

SOFTWARE PRODUCT (or allow someone else to use such a

copy) for any purpose other than to replace the original copy

in the event it is destroyed or becomes defective;

(C) Sublicense, lend, lease or rent the OPTIONAL

SOFTWARE PRODUCT;

(D) Transfer this license to another party unless

(i) the transfer is permanent,

(ii) the third party recipient agrees to the terms of this

AGREEMENT, and

(iii) you do not retain any copies of the OPTIONAL

SOFTWARE PRODUCT; or

(E) Reverse engineer, disassemble or decompile the

OPTIONAL SOFTWARE PRODUCT.

4. Limited Warranty. WATCHGUARD makes the following

limited warranties for a period of ninety (90) days from the

date you obtained the OPTIONAL SOFTWARE PRODUCT

from WATCHGUARD or an authorized dealer:

(A) Media. The disks and documentation will be free from

defects in materials and workmanship under normal use. If

the disks or documentation fail to conform to this warranty,

you may, as your sole and exclusive remedy, obtain a

replacement free of charge if you return the defective disk or

documentation to us with a dated proof of purchase.

(B) OPTIONAL SOFTWARE PRODUCT. The OPTIONAL

SOFTWARE PRODUCT will materially conform to the

documentation that accompanies it or its license key

certificate. If the OPTIONAL SOFTWARE PRODUCT fails

vi Central Policy Manager 5.1

to operate in accordance with this warranty, you may, as your

sole and exclusive remedy, return all of the OPTIONAL

SOFTWARE PRODUCT and the documentation to the

authorized dealer from whom you obtained it, along with a

dated proof of purchase, specifying the problems, and they

will provide you with a new version of the OPTIONAL

SOFTWARE PRODUCT or a full refund, at their election.

Disclaimer and Release. THE WARRANTIES,

OBLIGATIONS AND LIABILITIES OF WATCHGUARD,

AND YOUR REMEDIES, SET FORTH IN PARAGRAPHS

4, 4(A) AND 4(B) ABOVE ARE EXCLUSIVE AND IN

SUBSTITUTION FOR, AND YOU HEREBY WAIVE,

DISCLAIM AND RELEASE ANY AND ALL OTHER

WARRANTIES, OBLIGATIONS AND LIABILITIES OF

WATCHGUARD AND ITS LICENSORS AND ALL OTHER

RIGHTS, CLAIMS AND REMEDIES YOU MAY HAVE

AGAINST WATCHGUARD AND ITS LICENSORS,

EXPRESS OR IMPLIED, ARISING BY LAW OR

OTHERWISE, WITH RESPECT TO ANY

NONCONFORMANCE OR DEFECT IN THE OPTIONAL

SOFTWARE PRODUCT (INCLUDING, BUT NOT LIMITED

TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY

OR FITNESS FOR A PARTICULAR PURPOSE, ANY

IMPLIED WARRANTY ARISING FROM COURSE OF

PERFORMANCE, COURSE OF DEALING, OR USAGE OF

TRADE, ANY WARRANTY OF NONINFRINGEMENT,

ANY WARRANTY THAT THE OPTIONAL SOFTWARE

PRODUCT WILL MEET YOUR REQUIREMENTS, ANY

WARRANTY OF UNINTERRUPTED OR ERROR-FREE

OPERATION, ANY OBLIGATION, LIABILITY, RIGHT,

CLAIM OR REMEDY IN TORT, WHETHER OR NOT

ARISING FROM THE NEGLIGENCE (WHETHER

ACTIVE, PASSIVE OR IMPUTED) OR FAULT OF

WATCHGUARD AND ITS LICENSORS AND ANY

OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY

FOR LOSS OR DAMAGE TO, OR CAUSED BY OR

CONTRIBUTED TO BY, THE OPTIONAL SOFTWARE

PRODUCT).

Central Policy Manager User Guide vii

Limitation of Liability. WATCHGUARD'S LIABILITY

(WHETHER IN CONTRACT, TORT, OR OTHERWISE; AND

NOTWITHSTANDING ANY FAULT, NEGLIGENCE,

STRICT LIABILITY OR PRODUCT LIABILITY) WITH

REGARD TO THE OPTIONAL SOFTWARE PRODUCT

WILL IN NO EVENT EXCEED THE PURCHASE PRICE

PAID BY YOU FOR SUCH PRODUCT. THIS SHALL BE

TRUE EVEN IN THE EVENT OF THE FAILURE OF AN

AGREED REMEDY. IN NO EVENT WILL WATCHGUARD

BE LIABLE TO YOU OR ANY THIRD PARTY, WHETHER

ARISING IN CONTRACT (INCLUDING WARRANTY),

TORT (INCLUDING ACTIVE, PASSIVE OR IMPUTED

NEGLIGENCE AND STRICT LIABILITY AND FAULT),

FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR

CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT

LIMITATION LOSS OF BUSINESS PROFITS, BUSINESS

INTERRUPTION, OR LOSS OF BUSINESS

INFORMATION) ARISING OUT OF OR IN CONNECTION

WITH THIS WARRANTY OR THE USE OF OR INABILITY

TO USE THE OPTIONAL SOFTWARE PRODUCT, EVEN IF

WATCHGUARD HAS BEEN ADVISED OF THE

POSSIBILITY OF SUCH DAMAGES. THIS SHALL BE

TRUE EVEN IN THE EVENT OF THE FAILURE OF AN

AGREED REMEDY.

5.United States Government Restricted Rights. The

OPTIONAL SOFTWARE PRODUCT is provided with

Restricted Rights. Use, duplication or disclosure by the U.S.

Government or any agency or instrumentality thereof is

subject to restrictions as set forth in subdivision (c)(1)(ii) of

the Rights in Technical Data and Computer Software clause

at DFARS 252.227-7013, or in subdivision (c)(1) and (2) of

the Commercial Computer Software -- Restricted Rights

Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer

is WatchGuard Technologies, Inc., 505 5th Ave. South, Suite

500, Seattle, WA 98104.

6.Export Controls. You agree not to directly or indirectly

transfer the OPTIONAL SOFTWARE PRODUCT or

viii Central Policy Manager 5.1

documentation to any country to which such transfer would

be prohibited by the U.S. Export Administration Act and the

regulations issued thereunder.

7.Termination. This license and your right to use the

SOFTWARE PRODUCT will automatically terminate if you

fail to comply with any provisions of this AGREEMENT,

destroy all copies of the OPTIONAL SOFTWARE PRODUCT

in your possession, or voluntarily return the OPTIONAL

SOFTWARE PRODUCT to WATCHGUARD. Upon

termination you will destroy all copies of the OPTIONAL

SOFTWARE PRODUCT and documentation remaining in

your control or possession.

8.Miscellaneous Provisions. This AGREEMENT will be

governed by and construed in accordance with the

substantive laws of Washington excluding the 1980 United

National Convention on Contracts for the International Sale

of Goods, as amended. This is the entire AGREEMENT

between us relating to the OPTIONAL SOFTWARE

PRODUCT, and supersedes any prior purchase order,

communications, advertising or representations concerning

the OPTIONAL SOFTWARE PRODUCT AND BY USING

THE OPTIONAL SOFTWARE PRODUCT YOU AGREE TO

THESE TERMS. IF THE SOFTWARE PRODUCT IS

BEING USED BY AN ENTITY, THE INDIVIDUAL

INDICATING AGREEMENT TO THESE TERMS

REPRESENTS AND WARRANTS THAT (A) SUCH

INDIVIDUAL IS DULY AUTHORIZED TO ACCEPT THIS

AGREEMENT ON BEHALF OF THE ENTITY AND TO

BIND THE ENTITY TO THE TERMS OF THIS

AGREEMENT; (B) THE ENTITY HAS THE FULL POWER,

CORPORATE OR OTHERWISE, TO ENTER INTO THIS

AGREEMENT AND PERFORM ITS OBLIGATIONS

UNDER THIS AGREEMENT AND; (C) THIS

AGREEMENT AND THE PERFORMANCE OF THE

ENTITY'S OBLIGATIONS UNDER THIS AGREEMENT DO

NOT VIOLATE ANY THIRD-PARTY AGREEMENT TO

WHICH THE ENTITY IS A PARTY. No change or

modification of this AGREEMENT will be valid unless it is in

writing and is signed by WATCHGUARD.

Central Policy Manager User Guide ix

Contents

CHAPTER 1 About WatchGuard CPM ...........................1

Why Use WatchGuard CPM? .............................................1

Components of CPM ........................................................2

CPM Server ..................................................................2

CPM Client ..................................................................3

Network Security Basics ....................................................3

Offline and Online Configuration ......................................4

Address Objects in CPM Security Policies ..........................5

CPM Policy Examples .....................................................6

CPM and Network Configuration .....................................10

Types of Appliances Administered with CPM ....................12

CPM and WatchGuard Vclass/RapidStream security appliances

...........................................................................12

CPM and RapidStream "Secured by Check Point" security

appliances

..........................................................12

Remote appliances running MUVPN ................................13

CPM and third-party security appliances ..........................13

About Router Mode and Transparent Mode .....................14

Router Mode ..............................................................14

Transparent Mode .......................................................16

x Central Policy Manager 5.1

More information ........................................................ 17

CHAPTER 2 Installing or Upgrading CPM Software .. 19

Where You Can Install CPM Server and Client .................. 19

Installation requirements .............................................. 20

System Requirements for CPM Server ............................. 21

System Requirements for CPM Client .............................. 22

Java 2 runtime environment (JRE) .................................. 23

Obtaining the Site License for CPM ................................ 24

Installing the CPM Server Software ................................. 25

Installing the CPM Client Software .................................. 29

Upgrading from a Previous Versions of CPM .................... 34

Backing Up CPM Server ................................................. 35

Uninstalling CPM Server or Client ................................... 36

CHAPTER 3 Starting the CPM Client and Server ....... 37

Starting the CPM Client for the First Time ....................... 37

Changing Your CPM Client Login Password ..................... 41

If CPM prompts a password change ............................... 41

If you want to replace an existing password ..................... 42

Starting the CPM Client After Initial Log In ...................... 44

Upgrading your CPM License ......................................... 44

Stopping the CPM Server ............................................... 46

Stopping CPM Server at the host computer ..................... 46

Shutting down CPM Server at the CPM Client workstation .. 48

Starting or Restarting CPM Server ................................... 49

CHAPTER 4 Creating CPM Administrator Accounts .51

CPM Default Roles ......................................................... 52

Creating New Roles (Optional) ....................................... 52

Creating Administrator Accounts .................................... 56

Completing the Access Setup ........................................ 58

Reviewing the Current CPM Session ............................... 58

Determining Which Other Administrators Are Online ....... 59

Reserving a CPM Window .............................................. 60

If you can’t reserve a window ........................................ 62

Central Policy Manager User Guide xi

CHAPTER 5 Configuring Appliances for Network Use ..

.......................................................................63

Getting Started ..............................................................64

Installing and Setting Up a Firebox Vclass Appliance ........64

Adding Appliances to CPM .............................................65

Discovering devices .....................................................65

Adding a new appliance record ......................................68

Importing Licenses and Certificates (Optional) ..................70

Obtaining the x.509 certificate .......................................70

Importing the new x.509 certificate .................................71

Importing licenses for extended features ..........................72

Reviewing the current licenses .......................................74

Deleting an out-of-date license ......................................76

Installing multiple licenses .............................................76

Restoring the Appliance to a Factory-Default State ...........78

Configuring the Appliance Hardware ...............................78

Running the CPM Default Policy Wizard ...........................80

If you chose the extended network .................................81

If you chose the local network ........................................83

Creating Network Addresses ...........................................85

Entering the Security Policies ..........................................86

Assembling the CPM Policy Components ........................87

Assembling a policy from available components ................88

Defining the Required Alarms .........................................90

Deploying the Profile ......................................................90

Compiling the profiles ..................................................90

Deploying the profiles ..................................................91

Relocating the Appliance ................................................92

CHAPTER 6 Completing the Appliance Configuration ..

.......................................................................95

Configuring a New WatchGuard Appliance ......................95

Completing the General Entries ......................................96

Completing the Interfaces Entries ....................................98

Completing the Routing Entries ....................................109

xii Central Policy Manager 5.1

Completing the DNS Entries ........................................ 111

Completing the SNMP Entries ...................................... 113

Completing the Log Settings Entries ............................. 114

Completing the Hacker Prevention Entries .................... 117

Completing the High Availability Tab ............................ 120

Configuration comparison between Active/Standby and Active/

Active mode

.................................................... 122

Completing the Tunnel Switch Entries ........................... 125

Completing the VLAN Forwarding Tab .......................... 127

Completing the NTP Tab .............................................. 129

Completing the Blocked Sites tab ................................. 130

Global Blocked Sites ................................................. 133

Completing the Advanced tab ..................................... 134

Completing the System Configuration Setup ................. 137

Reviewing the current licenses ..................................... 137

CHAPTER 7 Defining Security Policies in CPM ........ 139

Security Policy Components ......................................... 139

Traffic specifications .................................................. 140

Policy actions ........................................................... 140

Security Policies in CPM ............................................... 141

Scope of policies in CPM ............................................ 141

Addresses and address groups .................................... 141

Cataloging Addresses for Use in Policies ....................... 144

Entering a new address group ..................................... 145

Entering a new RAS address ....................................... 146

Creating a New Policy .................................................. 147

Cataloging Services for Use in Policies .......................... 150

Adding a new service ................................................ 150

Adding a new protocol .............................................. 151

Combining services in a group .................................... 153

Creating Policy Schedules ............................................ 154

Creating a new schedule ............................................ 154

Applying an existing schedule to a policy ...................... 155

Central Policy Manager User Guide xiii

CHAPTER 8 Using Policy Actions ...............................157

Combining Policy Actions .............................................157

Blocking and Rejecting Traffic .......................................158

About Network Address Translation (NAT) .....................159

Activating Dynamic NAT .............................................159

Activating Static NAT .................................................160

About Load Balancing ..................................................161

About QoS Actions ......................................................164

Activating port shaping ..............................................166

Applying a QoS action ...............................................166

Customizing a QoS action ...........................................166

Activating TOS marking ..............................................167

CHAPTER 9 Defining Proxies in CPM ........................169

In This Chapter ............................................................170

Proxy Description .........................................................170

HTTP Client proxy .....................................................170

SMTP proxy ..............................................................171

Rules and rulesets .....................................................171

General Proxy Configuration .........................................173

Using a proxy action in the configuration editor ...............173

Creating a proxy action ..............................................173

Editing an existing proxy action ....................................175

Configuring proxy rules ..............................................177

Ordering listed rules in a proxy action ...........................180

Proxy Parameters Reference ..........................................182

HTTP Client proxy .....................................................182

SMTP Proxy ..............................................................203

Reference Sources ........................................................219

CHAPTER 10 About Virtual Private Networks ...........221

About VPN Policies ......................................................222

VPN Policies and IPSec Actions .....................................224

About Encryption .........................................................225

Overview of Creating a VPN .........................................225

xiv Central Policy Manager 5.1

CHAPTER 11 Creating an Automatic Key IPSec Action ..

.................................................................... 229

An Overview of VPN Policies ........................................ 229

Creating a New Automatic Key VPN Policy .................... 230

Making a VPN Policy Bi-directional ............................... 232

Assessing the IKE settings .......................................... 232

Customizing an IPSec Action ........................................ 235

Customizing an IPSec proposal using a single transform ... 236

Customizing an IPSec proposal with more than one transform .

........................................................................ 237

Customizing multiple IPSec proposals with one or more

transforms

....................................................... 240

CHAPTER 12 Creating Remote Access VPN Policies 243

Creating a Policy for a Firebox V10 ............................... 243

Creating the Addresses entries .................................... 243

Creating the RAS security policy .................................. 244

Confirming the IKE settings ........................................ 244

Generating and deploying profiles ............................... 245

Creating a Policy for MUVPN Client Software ................ 245

Creating the RAS address group .................................. 245

Creating the security policy ......................................... 246

Confirming the IKE pair settings .................................. 246

Confirming the authentication method .......................... 246

CHAPTER 13 Establishing Tunnel Switching .............. 251

About Tunnel Switching ............................................... 251

Activating Tunnel Switching on the Central Appliance .... 252

Activating Tunnel Switching Between Sites .................... 252

CHAPTER 14 Monitoring Appliances .......................... 255

How CPM Monitors Appliances .................................... 255

About network polling ............................................... 255

About event notification ............................................. 256

Indicators Monitored by CPM ....................................... 257

About Appliance Availability ....................................... 257

About Interface Status ............................................... 259

Central Policy Manager User Guide xv

Reorganizing Appliance Manager Window Columns .......259

Working with Appliance Groups Folders ........................261

Reorganizing the Appliance Manager window ................261

Filtering Appliance Manager Window Entries .................262

Color-Coding in the Appliance Manager ........................263

Changing Appliance Manager Row Colors .....................263

Ignoring an Appliance’s Status Reports ..........................265

Ignoring a specific component .....................................265

Ignoring an entire appliance ........................................265

Using the Appliance Detail Dialog Box ..........................266

Using the Performance Graph .......................................267

Opening the Performance Graph ..................................268

Setting up the Performance Graph ................................268

Viewing several counters at once ..................................272

CHAPTER 15 Responding to Alarms ...........................275

Viewing new alarms ...................................................275

Using the Alarm Console window ................................276

Viewing details on alarms ............................................277

Acknowledging alarms ...............................................277

Reopening acknowledged alarms .................................277

Clearing alarms .........................................................278

Reopening cleared alarms ...........................................278

Purging cleared alarms ...............................................278

Reorganizing the list of alarms .....................................279

Filtering alarms .........................................................279

Disabling alarm filtering ..............................................280

Index ......................................................................... 281

xvi Central Policy Manager 5.1

Central Policy Manager User Guide 1

CHAPTER 1 About WatchGuard

CPM

Congratulations on your purchase of the WatchGuard

Central Policy Manager (CPM). Using this product,

you can simplify security policy deployment with a

central console that lets you manage multiple Firebox

Vclass installations across an entire enterprise infra-

structure. This powerful and highly scalable network

management platform offers global management for

large enterprises, data centers, and service providers.

Why Use WatchGuard CPM?

With WatchGuard CPM, you can configure and moni-

tor hundreds of Firebox Vclass appliances. It is the

ideal global management solution for distributed

enterprises, data centers, and service providers who

depend on Firebox Vclass appliances for their high-

speed security.

CHAPTER 1: About WatchGuard CPM

2 Central Policy Manager 5.1

Components of CPM

CPM consists of two main components, CPM Server and

CPM Client. CPM can be used to manage many different

types of appliances, as shown in the following figure.

CPM Server

The CPM Server software includes a database that stores

the configurations and policies for all appliances while it

actively monitors the status of each appliance, alerting you

if problems arise. WatchGuard recommends that you

install the CPM Server component onto a separate, high-

Network Security Basics

Central Policy Manager User Guide 3

capacity host computer. You can install both Client and

Server onto a single workstation if your network environ-

ment is small and you do not plan to expand it.

A large amount of appliance-specific information can be

stored in CPM Server as appliance-specific profiles. When

needed, you can prompt CPM Server to use its secure con-

nections to all your appliances to deploy new or updated

profiles.

CPM Client

The CPM Client application gives administrative worksta-

tions access to CPM Server. You can install and run the Cli-

ent on any number of administrative workstations. After

an administrator uses the Client to log into CPM Server, he

or she can set up global policies and record appliance-spe-

cific profiles, including policies, system configurations, log

files, alarms, and activity monitors. If the administrator has

fewer privileges, he or she might only be able to review the

active alarms and clear them.

You can assign more than one administrator to manage

various aspects of the overall task load. Your authorized

client administrative users do not have to be “local” to par-

ticipate in the CPM system. If you load VPN policies into

the relevant appliances that would permit secure commu-

nications between a client workstation and the server host,

other remote administrators can assume their duties from

their locations.

Network Security Basics

You begin your assessment of how to secure a site or

network with a security stance. Simply put, a security

stance is a statement of how an organization protects its

assets. An effective organization-wide security stance

considers:

CHAPTER 1: About WatchGuard CPM

4 Central Policy Manager 5.1

• Implementation and maintenance of the stance, and

how the stance fits in with the organization’s goals and

objectives

• The level of access provided to the various users and

groups within the organization

• Whether the organization allows recreational use of

facilities and systems

• What level of remote access communication is allowed

The stance generally accepted by the Internet security

community is to discard all packets not explicitly

allowed; stated simply, “that which is not explicitly

allowed is denied.” WatchGuard Firebox Vclass appli-

ances, like most commercial firewalls, adopt this as the

default stance. Discarding all data packets not explicitly

allowed through the firewall protects against attacks

based upon new, unfamiliar, or obscure IP services. It

also provides a safety net regarding unknown services

and configuration errors that can threaten network secu-

rity.

This means that for the Firebox to pass any traffic, it

must be configured to pass the traffic your customer

wants to allow through the firewall. The network

administrator must actively select the services and pro-

tocols you or your customers want, configure each one

to define which hosts can send and receive them, and set

other individual properties for the service.

Offline and Online Configuration

Unlike WatchGuard Vcontroller and other single-appliance

management tools, CPM performs most configuration

tasks offline. During offline configuration, CPM does not

need a connection to an appliance. All configuration for an

appliance is completed on the CPM server, compiled into a

profile for the appliance, and deployed to the appliance at

Page is loading ...

Watchguard Firebox Vclass User guide

Watchguard Firebox Vclass User guide

Related papers

Other documents