Watchguard Firebox Vclass User guide

WatchGuard® Central Policy Manager User Guide
Central Policy Manager 5.1
ii Central Policy Manager 5.1
Copyright
Copyright © 1998-2003 WatchGuard Technologies, Inc.
All rights reserved.
Notice to Users
Information in this document is subject to change and
revision without notice. This documentation and the software
described herein is subject to and may only be used and
copied as outlined in the Firebox System software end-user
license agreement. No part of this manual may be reproduced
by any means, electronic or mechanical, for any purpose
other than the purchaser’s personal use, without prior written
permission from WatchGuard Technologies, Inc.
TRADEMARK NOTES
WatchGuard and LiveSecurity are either trademarks or
registered trademarks of WatchGuard Technologies, Inc. in
the United States and other countries. Firebox, ServerLock,
DVCP, and Designing peace of mind are trademarks of
WatchGuard Technologies, Inc. All other trademarks or
trade names mentioned herein, if any, are the property of
their respective owners.
Part No: 1200016
Central Policy Manager User Guide iii
WatchGuard Technologies, Inc.
Firebox System Software
End-User License Agreement
WatchGuard Central Policy Manager (CPM) End-User
License Agreement
IMPORTANT - READ CAREFULLY BEFORE ACCESSING
WATCHGUARD SOFTWARE:
This Central Policy Manager End-User License Agreement
('AGREEMENT') is a legal agreement between you (either an
individual or a single entity) and WatchGuard Technologies,
Inc. ('WATCHGUARD') for the WATCHGUARD optional
software product for the WatchGuard Firebox product you
have purchased, which includes computer software
components (whether installed separately on a computer
workstation or on the WATCHGUARD hardware product)
and may include associated media, printed materials, and on-
line or electronic documentation, and any updates or
modifications thereto, including those received through the
WatchGuard LiveSecurity Service (or its equivalent), (the
'OPTIONAL SOFTWARE PRODUCT'). WATCHGUARD is
willing to license the OPTIONAL SOFTWARE PRODUCT to
you only on the condition that you accept all of the terms
contained in this Agreement. Please read this Agreement
carefully. By installing, activating or using the OPTIONAL
SOFTWARE PRODUCT you agree to be bound by the terms
of this Agreement. If you do not agree to the terms of this
AGREEMENT, WATCHGUARD will not license the
OPTIONAL SOFTWARE PRODUCT to you, and you will not
have any rights in the OPTIONAL SOFTWARE PRODUCT.
In that case, promptly return the OPTIONAL SOFTWARE
PRODUCT/license key certificate, along with proof of
payment, to the authorized dealer from whom you obtained
the OPTIONAL SOFTWARE PRODUCT/license key
certificate for a full refund of the price you paid.
1. Ownership and License. The OPTIONAL SOFTWARE
PRODUCT is protected by copyright laws and international
copyright treaties, as well as other intellectual property laws
and treaties. This is a license agreement and NOT an
agreement for sale. All title and copyrights in and to the
OPTIONAL SOFTWARE PRODUCT (including but not
limited to any images, photographs, animations, video,
audio, music, text, and pallets incorporated into the
OPTIONAL SOFTWARE PRODUCT), the accompanying
printed materials, and any copies of the OPTIONAL
SOFTWARE PRODUCT are owned by WATCHGUARD or its
licensors. Your rights to use the OPTIONAL SOFTWARE
PRODUCT are as specified in this AGREEMENT, and
WATCHGUARD retains all rights not expressly granted to
you in this AGREEMENT. Nothing in this AGREEMENT
constitutes a waiver of our rights under U.S. copyright law or
any other law or treaty.
2. Permitted Uses. You are granted the following rights to
the OPTIONAL SOFTWARE PRODUCT:
(A) You may install and use the OPTIONAL SOFTWARE
PRODUCT on that number of WATCHGUARD hardware
products (or manage that number of WATCHGUARD
hardware products) at any one time as permitted in the
license key certificate that you have purchased and may
install and use the OPTIONAL SOFTWARE PRODUCT on
multiple workstation computers. You must also maintain a
current subscription to the WatchGuard LiveSecurity Service
(or its equivalent) for each additional WATCHGUARD
hardware product on which you will use a copy of an updated
or modified version of the OPTIONAL SOFTWARE
PRODUCT received through the WatchGuard LiveSecurity
Service (or its equivalent).
(B) To use the OPTIONAL SOFTWARE PRODUCT on more
WATCHGUARD hardware products than provided for in
Section 2(A), you must license additional copies of the
OPTIONAL SOFTWARE PRODUCT as required.
(C) In addition to the copies described in Section 2(A), you
may make a single copy of the OPTIONAL SOFTWARE
PRODUCT for backup or archival purposes only.
3. Prohibited Uses. You may not, without express written
permission from WATCHGUARD:
(A) Use, copy, modify, merge or transfer copies of the
OPTIONAL SOFTWARE PRODUCT or printed materials
except as provided in this AGREEMENT;
(B) Use any backup or archival copy of the OPTIONAL
SOFTWARE PRODUCT (or allow someone else to use such a
copy) for any purpose other than to replace the original copy
in the event it is destroyed or becomes defective;
(C) Sublicense, lend, lease or rent the OPTIONAL
SOFTWARE PRODUCT;
(D) Transfer this license to another party unless
(i) the transfer is permanent,
(ii) the third party recipient agrees to the terms of this
AGREEMENT, and
(iii) you do not retain any copies of the OPTIONAL
SOFTWARE PRODUCT; or
(E) Reverse engineer, disassemble or decompile the
OPTIONAL SOFTWARE PRODUCT.
4. Limited Warranty. WATCHGUARD makes the following
limited warranties for a period of ninety (90) days from the
date you obtained the OPTIONAL SOFTWARE PRODUCT
from WATCHGUARD or an authorized dealer:
(A) Media. The disks and documentation will be free from
defects in materials and workmanship under normal use. If
the disks or documentation fail to conform to this warranty,
you may, as your sole and exclusive remedy, obtain a
replacement free of charge if you return the defective disk or
documentation to us with a dated proof of purchase.
(B) OPTIONAL SOFTWARE PRODUCT. The OPTIONAL
SOFTWARE PRODUCT will materially conform to the
documentation that accompanies it or its license key
certificate. If the OPTIONAL SOFTWARE PRODUCT fails
to operate in accordance with this warranty, you may, as your
sole and exclusive remedy, return all of the OPTIONAL
SOFTWARE PRODUCT and the documentation to the
authorized dealer from whom you obtained it, along with a
dated proof of purchase, specifying the problems, and they
will provide you with a new version of the OPTIONAL
SOFTWARE PRODUCT or a full refund, at their election.
Disclaimer and Release. THE WARRANTIES,
OBLIGATIONS AND LIABILITIES OF WATCHGUARD,
AND YOUR REMEDIES, SET FORTH IN PARAGRAPHS
4, 4(A) AND 4(B) ABOVE ARE EXCLUSIVE AND IN
SUBSTITUTION FOR, AND YOU HEREBY WAIVE,
DISCLAIM AND RELEASE ANY AND ALL OTHER
WARRANTIES, OBLIGATIONS AND LIABILITIES OF
WATCHGUARD AND ITS LICENSORS AND ALL OTHER
RIGHTS, CLAIMS AND REMEDIES YOU MAY HAVE
AGAINST WATCHGUARD AND ITS LICENSORS,
EXPRESS OR IMPLIED, ARISING BY LAW OR
OTHERWISE, WITH RESPECT TO ANY
NONCONFORMANCE OR DEFECT IN THE OPTIONAL
SOFTWARE PRODUCT (INCLUDING, BUT NOT LIMITED
TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY
OR FITNESS FOR A PARTICULAR PURPOSE, ANY
IMPLIED WARRANTY ARISING FROM COURSE OF
PERFORMANCE, COURSE OF DEALING, OR USAGE OF
TRADE, ANY WARRANTY OF NONINFRINGEMENT,
ANY WARRANTY THAT THE OPTIONAL SOFTWARE
PRODUCT WILL MEET YOUR REQUIREMENTS, ANY
WARRANTY OF UNINTERRUPTED OR ERROR-FREE
OPERATION, ANY OBLIGATION, LIABILITY, RIGHT,
CLAIM OR REMEDY IN TORT, WHETHER OR NOT
ARISING FROM THE NEGLIGENCE (WHETHER
ACTIVE, PASSIVE OR IMPUTED) OR FAULT OF
WATCHGUARD AND ITS LICENSORS AND ANY
OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY
FOR LOSS OR DAMAGE TO, OR CAUSED BY OR
CONTRIBUTED TO BY, THE OPTIONAL SOFTWARE
PRODUCT).
Limitation of Liability. WATCHGUARD'S LIABILITY
(WHETHER IN CONTRACT, TORT, OR OTHERWISE; AND
NOTWITHSTANDING ANY FAULT, NEGLIGENCE,
STRICT LIABILITY OR PRODUCT LIABILITY) WITH
REGARD TO THE OPTIONAL SOFTWARE PRODUCT
WILL IN NO EVENT EXCEED THE PURCHASE PRICE
PAID BY YOU FOR SUCH PRODUCT. THIS SHALL BE
TRUE EVEN IN THE EVENT OF THE FAILURE OF AN
AGREED REMEDY. IN NO EVENT WILL WATCHGUARD
BE LIABLE TO YOU OR ANY THIRD PARTY, WHETHER
ARISING IN CONTRACT (INCLUDING WARRANTY),
TORT (INCLUDING ACTIVE, PASSIVE OR IMPUTED
NEGLIGENCE AND STRICT LIABILITY AND FAULT),
FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT
LIMITATION LOSS OF BUSINESS PROFITS, BUSINESS
INTERRUPTION, OR LOSS OF BUSINESS
INFORMATION) ARISING OUT OF OR IN CONNECTION
WITH THIS WARRANTY OR THE USE OF OR INABILITY
TO USE THE OPTIONAL SOFTWARE PRODUCT, EVEN IF
WATCHGUARD HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. THIS SHALL BE
TRUE EVEN IN THE EVENT OF THE FAILURE OF AN
AGREED REMEDY.
5. United States Government Restricted Rights. The
OPTIONAL SOFTWARE PRODUCT is provided with
Restricted Rights. Use, duplication or disclosure by the U.S.
Government or any agency or instrumentality thereof is
subject to restrictions as set forth in subdivision (c)(1)(ii) of
the Rights in Technical Data and Computer Software clause
at DFARS 252.227-7013, or in subdivision (c)(1) and (2) of
the Commercial Computer Software -- Restricted Rights
Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer
is WatchGuard Technologies, Inc., 505 5th Ave. South, Suite
500, Seattle, WA 98104.
6. Export Controls. You agree not to directly or indirectly
transfer the OPTIONAL SOFTWARE PRODUCT or
documentation to any country to which such transfer would
be prohibited by the U.S. Export Administration Act and the
regulations issued thereunder.
7. Termination. This license and your right to use the
SOFTWARE PRODUCT will automatically terminate if you
fail to comply with any provisions of this AGREEMENT,
destroy all copies of the OPTIONAL SOFTWARE PRODUCT
in your possession, or voluntarily return the OPTIONAL
SOFTWARE PRODUCT to WATCHGUARD. Upon
termination you will destroy all copies of the OPTIONAL
SOFTWARE PRODUCT and documentation remaining in
your control or possession.
8. Miscellaneous Provisions. This AGREEMENT will be
governed by and construed in accordance with the
substantive laws of Washington excluding the 1980 United
Nations Convention on Contracts for the International Sale
of Goods, as amended. This is the entire AGREEMENT
between us relating to the OPTIONAL SOFTWARE
PRODUCT, and supersedes any prior purchase order,
communications, advertising or representations concerning
the OPTIONAL SOFTWARE PRODUCT AND BY USING
THE OPTIONAL SOFTWARE PRODUCT YOU AGREE TO
THESE TERMS. IF THE SOFTWARE PRODUCT IS
BEING USED BY AN ENTITY, THE INDIVIDUAL
INDICATING AGREEMENT TO THESE TERMS
REPRESENTS AND WARRANTS THAT (A) SUCH
INDIVIDUAL IS DULY AUTHORIZED TO ACCEPT THIS
AGREEMENT ON BEHALF OF THE ENTITY AND TO
BIND THE ENTITY TO THE TERMS OF THIS
AGREEMENT; (B) THE ENTITY HAS THE FULL POWER,
CORPORATE OR OTHERWISE, TO ENTER INTO THIS
AGREEMENT AND PERFORM ITS OBLIGATIONS
UNDER THIS AGREEMENT AND; (C) THIS
AGREEMENT AND THE PERFORMANCE OF THE
ENTITY'S OBLIGATIONS UNDER THIS AGREEMENT DO
NOT VIOLATE ANY THIRD-PARTY AGREEMENT TO
WHICH THE ENTITY IS A PARTY. No change or
modification of this AGREEMENT will be valid unless it is in
writing and is signed by WATCHGUARD.
Contents
CHAPTER 1 About WatchGuard CPM ...........................1
Why Use WatchGuard CPM? .............................................1
Components of CPM ........................................................2
CPM Server ..................................................................2
CPM Client ..................................................................3
Network Security Basics ....................................................3
Offline and Online Configuration ......................................4
Address Objects in CPM Security Policies ..........................5
CPM Policy Examples .....................................................6
CPM and Network Configuration .....................................10
Types of Appliances Administered with CPM ....................12
CPM and WatchGuard Vclass/RapidStream security appliances ........12
CPM and RapidStream "Secured by Check Point" security appliances ....12
Remote appliances running MUVPN ................................13
CPM and third-party security appliances ..........................13
About Router Mode and Transparent Mode .....................14
Router Mode ..............................................................14
Transparent Mode .......................................................16
More information ........................................................ 17
CHAPTER 2 Installing or Upgrading CPM Software .. 19
Where You Can Install CPM Server and Client .................. 19
Installation requirements .............................................. 20
System Requirements for CPM Server ............................. 21
System Requirements for CPM Client .............................. 22
Java 2 runtime environment (JRE) .................................. 23
Obtaining the Site License for CPM ................................ 24
Installing the CPM Server Software ................................. 25
Installing the CPM Client Software .................................. 29
Upgrading from a Previous Version of CPM ...................... 34
Backing Up CPM Server ................................................. 35
Uninstalling CPM Server or Client ................................... 36
CHAPTER 3 Starting the CPM Client and Server ....... 37
Starting the CPM Client for the First Time ....................... 37
Changing Your CPM Client Login Password ..................... 41
If CPM prompts a password change ............................... 41
If you want to replace an existing password ..................... 42
Starting the CPM Client After Initial Log In ...................... 44
Upgrading your CPM License ......................................... 44
Stopping the CPM Server ............................................... 46
Stopping CPM Server at the host computer ..................... 46
Shutting down CPM Server at the CPM Client workstation .. 48
Starting or Restarting CPM Server ................................... 49
CHAPTER 4 Creating CPM Administrator Accounts .51
CPM Default Roles ......................................................... 52
Creating New Roles (Optional) ....................................... 52
Creating Administrator Accounts .................................... 56
Completing the Access Setup ........................................ 58
Reviewing the Current CPM Session ............................... 58
Determining Which Other Administrators Are Online ....... 59
Reserving a CPM Window .............................................. 60
If you can’t reserve a window ........................................ 62
CHAPTER 5 Configuring Appliances for Network Use ............63
Getting Started ..............................................................64
Installing and Setting Up a Firebox Vclass Appliance ........64
Adding Appliances to CPM .............................................65
Discovering devices .....................................................65
Adding a new appliance record ......................................68
Importing Licenses and Certificates (Optional) ..................70
Obtaining the X.509 certificate .......................................70
Importing the new X.509 certificate .................................71
Importing licenses for extended features ..........................72
Reviewing the current licenses .......................................74
Deleting an out-of-date license ......................................76
Installing multiple licenses .............................................76
Restoring the Appliance to a Factory-Default State ...........78
Configuring the Appliance Hardware ...............................78
Running the CPM Default Policy Wizard ...........................80
If you chose the extended network .................................81
If you chose the local network ........................................83
Creating Network Addresses ...........................................85
Entering the Security Policies ..........................................86
Assembling the CPM Policy Components ........................87
Assembling a policy from available components ................88
Defining the Required Alarms .........................................90
Deploying the Profile ......................................................90
Compiling the profiles ..................................................90
Deploying the profiles ..................................................91
Relocating the Appliance ................................................92
CHAPTER 6 Completing the Appliance Configuration ..
.......................................................................95
Configuring a New WatchGuard Appliance ......................95
Completing the General Entries ......................................96
Completing the Interfaces Entries ....................................98
Completing the Routing Entries ....................................109
Completing the DNS Entries ........................................ 111
Completing the SNMP Entries ...................................... 113
Completing the Log Settings Entries ............................. 114
Completing the Hacker Prevention Entries .................... 117
Completing the High Availability Tab ............................ 120
Configuration comparison between Active/Standby and Active/Active mode .... 122
Completing the Tunnel Switch Entries ........................... 125
Completing the VLAN Forwarding Tab .......................... 127
Completing the NTP Tab .............................................. 129
Completing the Blocked Sites tab ................................. 130
Global Blocked Sites ................................................. 133
Completing the Advanced tab ..................................... 134
Completing the System Configuration Setup ................. 137
Reviewing the current licenses ..................................... 137
CHAPTER 7 Defining Security Policies in CPM ........ 139
Security Policy Components ......................................... 139
Traffic specifications .................................................. 140
Policy actions ........................................................... 140
Security Policies in CPM ............................................... 141
Scope of policies in CPM ............................................ 141
Addresses and address groups .................................... 141
Cataloging Addresses for Use in Policies ....................... 144
Entering a new address group ..................................... 145
Entering a new RAS address ....................................... 146
Creating a New Policy .................................................. 147
Cataloging Services for Use in Policies .......................... 150
Adding a new service ................................................ 150
Adding a new protocol .............................................. 151
Combining services in a group .................................... 153
Creating Policy Schedules ............................................ 154
Creating a new schedule ............................................ 154
Applying an existing schedule to a policy ...................... 155
CHAPTER 8 Using Policy Actions ...............................157
Combining Policy Actions .............................................157
Blocking and Rejecting Traffic .......................................158
About Network Address Translation (NAT) .....................159
Activating Dynamic NAT .............................................159
Activating Static NAT .................................................160
About Load Balancing ..................................................161
About QoS Actions ......................................................164
Activating port shaping ..............................................166
Applying a QoS action ...............................................166
Customizing a QoS action ...........................................166
Activating TOS marking ..............................................167
CHAPTER 9 Defining Proxies in CPM ........................169
In This Chapter ............................................................170
Proxy Description .........................................................170
HTTP Client proxy .....................................................170
SMTP proxy ..............................................................171
Rules and rulesets .....................................................171
General Proxy Configuration .........................................173
Using a proxy action in the configuration editor ...............173
Creating a proxy action ..............................................173
Editing an existing proxy action ....................................175
Configuring proxy rules ..............................................177
Ordering listed rules in a proxy action ...........................180
Proxy Parameters Reference ..........................................182
HTTP Client proxy .....................................................182
SMTP Proxy ..............................................................203
Reference Sources ........................................................219
CHAPTER 10 About Virtual Private Networks ...........221
About VPN Policies ......................................................222
VPN Policies and IPSec Actions .....................................224
About Encryption .........................................................225
Overview of Creating a VPN .........................................225
CHAPTER 11 Creating an Automatic Key IPSec Action ......... 229
An Overview of VPN Policies ........................................ 229
Creating a New Automatic Key VPN Policy .................... 230
Making a VPN Policy Bi-directional ............................... 232
Assessing the IKE settings .......................................... 232
Customizing an IPSec Action ........................................ 235
Customizing an IPSec proposal using a single transform ... 236
Customizing an IPSec proposal with more than one transform ...... 237
Customizing multiple IPSec proposals with one or more transforms ..... 240
CHAPTER 12 Creating Remote Access VPN Policies 243
Creating a Policy for a Firebox V10 ............................... 243
Creating the Addresses entries .................................... 243
Creating the RAS security policy .................................. 244
Confirming the IKE settings ........................................ 244
Generating and deploying profiles ............................... 245
Creating a Policy for MUVPN Client Software ................ 245
Creating the RAS address group .................................. 245
Creating the security policy ......................................... 246
Confirming the IKE pair settings .................................. 246
Confirming the authentication method .......................... 246
CHAPTER 13 Establishing Tunnel Switching .............. 251
About Tunnel Switching ............................................... 251
Activating Tunnel Switching on the Central Appliance .... 252
Activating Tunnel Switching Between Sites .................... 252
CHAPTER 14 Monitoring Appliances .......................... 255
How CPM Monitors Appliances .................................... 255
About network polling ............................................... 255
About event notification ............................................. 256
Indicators Monitored by CPM ....................................... 257
About Appliance Availability ....................................... 257
About Interface Status ............................................... 259
Reorganizing Appliance Manager Window Columns .......259
Working with Appliance Groups Folders ........................261
Reorganizing the Appliance Manager window ................261
Filtering Appliance Manager Window Entries .................262
Color-Coding in the Appliance Manager ........................263
Changing Appliance Manager Row Colors .....................263
Ignoring an Appliance’s Status Reports ..........................265
Ignoring a specific component .....................................265
Ignoring an entire appliance ........................................265
Using the Appliance Detail Dialog Box ..........................266
Using the Performance Graph .......................................267
Opening the Performance Graph ..................................268
Setting up the Performance Graph ................................268
Viewing several counters at once ..................................272
CHAPTER 15 Responding to Alarms ...........................275
Viewing new alarms ...................................................275
Using the Alarm Console window ................................276
Viewing details on alarms ............................................277
Acknowledging alarms ...............................................277
Reopening acknowledged alarms .................................277
Clearing alarms .........................................................278
Reopening cleared alarms ...........................................278
Purging cleared alarms ...............................................278
Reorganizing the list of alarms .....................................279
Filtering alarms .........................................................279
Disabling alarm filtering ..............................................280
Index ......................................................................... 281
CHAPTER 1 About WatchGuard CPM
Congratulations on your purchase of the WatchGuard Central Policy Manager (CPM). Using this product, you can simplify security policy deployment with a central console that lets you manage multiple Firebox Vclass installations across an entire enterprise infrastructure. This powerful and highly scalable network management platform offers global management for large enterprises, data centers, and service providers.
Why Use WatchGuard CPM?
With WatchGuard CPM, you can configure and monitor hundreds of Firebox Vclass appliances. It is the ideal global management solution for distributed enterprises, data centers, and service providers who depend on Firebox Vclass appliances for their high-speed security.
Components of CPM
CPM consists of two main components, CPM Server and CPM Client. CPM can be used to manage many different types of appliances, as shown in the following figure.
CPM Server
The CPM Server software includes a database that stores the configurations and policies for all appliances while it actively monitors the status of each appliance, alerting you if problems arise. WatchGuard recommends that you install the CPM Server component onto a separate, high-capacity host computer. You can install both Client and Server onto a single workstation if your network environment is small and you do not plan to expand it.
A large amount of appliance-specific information can be stored in CPM Server as appliance-specific profiles. When needed, you can prompt CPM Server to use its secure connections to all your appliances to deploy new or updated profiles.
CPM Client
The CPM Client application gives administrative workstations access to CPM Server. You can install and run the Client on any number of administrative workstations. After an administrator uses the Client to log into CPM Server, he or she can set up global policies and record appliance-specific profiles, including policies, system configurations, log files, alarms, and activity monitors. If the administrator has fewer privileges, he or she might only be able to review the active alarms and clear them.

You can assign more than one administrator to manage various aspects of the overall task load. Your authorized client administrative users do not have to be “local” to participate in the CPM system. If you load VPN policies into the relevant appliances that would permit secure communications between a client workstation and the server host, other remote administrators can assume their duties from their locations.
Network Security Basics
You begin your assessment of how to secure a site or network with a security stance. Simply put, a security stance is a statement of how an organization protects its assets. An effective organization-wide security stance considers:
- Implementation and maintenance of the stance, and how the stance fits in with the organization’s goals and objectives
- The level of access provided to the various users and groups within the organization
- Whether the organization allows recreational use of facilities and systems
- What level of remote access communication is allowed
The stance generally accepted by the Internet security community is to discard all packets not explicitly allowed; stated simply, “that which is not explicitly allowed is denied.” WatchGuard Firebox Vclass appliances, like most commercial firewalls, adopt this as the default stance. Discarding all data packets not explicitly allowed through the firewall protects against attacks based upon new, unfamiliar, or obscure IP services. It also provides a safety net regarding unknown services and configuration errors that can threaten network security.

This means that for the Firebox to pass any traffic, it must be configured to pass the traffic your customer wants to allow through the firewall. The network administrator must actively select the services and protocols you or your customers want, configure each one to define which hosts can send and receive them, and set other individual properties for the service.
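The default-deny stance described above, modelled as an added Python example (this is not WatchGuard code, and the addresses, rule names and service list are constructed for illustration): every rule is an explicit allow that names the service and the hosts permitted to send and receive it, and a packet that matches no rule is dropped and recorded, so an unfamiliar service or a gap in the configuration surfaces in the denied log instead of passing silently.

```python
"""Default-deny policy evaluation.

Added illustration of the stance "that which is not explicitly allowed
is denied". Not WatchGuard code; rule names and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class AllowRule:
    """An explicit allow: which hosts may send and receive one service."""
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str
    dport: int

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and pkt.dport == self.dport
                and ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst)


class DefaultDenyFilter:
    """Allow list only: a packet that matches no rule is denied."""

    def __init__(self, rules: List[AllowRule]) -> None:
        self.rules = list(rules)
        self.denied_log: List[Packet] = []

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return f"allow:{rule.name}"
        # No explicit allow exists, so the packet is dropped. Keeping the
        # denied packets lets an administrator review unexpected services
        # and spot configuration errors.
        self.denied_log.append(pkt)
        return "deny"


def build_example_filter() -> DefaultDenyFilter:
    # Constructed sample policy (hypothetical networks, not from the guide).
    trusted = ip_network("10.0.0.0/24")
    anywhere = ip_network("0.0.0.0/0")
    web_server = ip_network("192.0.2.10/32")
    return DefaultDenyFilter([
        AllowRule("inbound-http", anywhere, web_server, "tcp", 80),
        AllowRule("outbound-dns", trusted, anywhere, "udp", 53),
    ])


def evaluate_samples() -> Tuple[List[str], int]:
    """Run constructed sample packets through the filter.

    Returns the decision for each packet and the number of denied packets.
    """
    fw = build_example_filter()
    samples = [
        Packet("198.51.100.7", "192.0.2.10", "tcp", 80),  # HTTP to the web server
        Packet("10.0.0.5", "8.8.8.8", "udp", 53),          # DNS from the trusted LAN
        Packet("198.51.100.7", "192.0.2.10", "tcp", 23),  # telnet: no rule, denied
        Packet("10.0.0.5", "192.0.2.10", "tcp", 80),       # LAN host to web server
        Packet("203.0.113.9", "10.0.0.5", "udp", 53),      # inbound DNS: no rule, denied
    ]
    decisions = [fw.decide(p) for p in samples]
    return decisions, len(fw.denied_log)


if __name__ == "__main__":
    results, denied = evaluate_samples()
    for line in results:
        print(line)
    print(f"{denied} packet(s) denied by default")
```

The order of rules does not matter here because every rule is an allow; ordering only becomes significant once explicit deny rules are mixed in, which is exactly the complexity the default-deny stance avoids.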
Offline and Online Configuration
Unlike WatchGuard Vcontroller and other single-appliance management tools, CPM performs most configuration tasks offline. During offline configuration, CPM does not need a connection to an appliance. All configuration for an appliance is completed on the CPM server, compiled into a profile for the appliance, and deployed to the appliance at
  • Page 154 154
  • Page 155 155
  • Page 156 156
  • Page 157 157
  • Page 158 158
  • Page 159 159
  • Page 160 160
  • Page 161 161
  • Page 162 162
  • Page 163 163
  • Page 164 164
  • Page 165 165
  • Page 166 166
  • Page 167 167
  • Page 168 168
  • Page 169 169
  • Page 170 170
  • Page 171 171
  • Page 172 172
  • Page 173 173
  • Page 174 174
  • Page 175 175
  • Page 176 176
  • Page 177 177
  • Page 178 178
  • Page 179 179
  • Page 180 180
  • Page 181 181
  • Page 182 182
  • Page 183 183
  • Page 184 184
  • Page 185 185
  • Page 186 186
  • Page 187 187
  • Page 188 188
  • Page 189 189
  • Page 190 190
  • Page 191 191
  • Page 192 192
  • Page 193 193
  • Page 194 194
  • Page 195 195
  • Page 196 196
  • Page 197 197
  • Page 198 198
  • Page 199 199
  • Page 200 200
  • Page 201 201
  • Page 202 202
  • Page 203 203
  • Page 204 204
  • Page 205 205
  • Page 206 206
  • Page 207 207
  • Page 208 208
  • Page 209 209
  • Page 210 210
  • Page 211 211
  • Page 212 212
  • Page 213 213
  • Page 214 214
  • Page 215 215
  • Page 216 216
  • Page 217 217
  • Page 218 218
  • Page 219 219
  • Page 220 220
  • Page 221 221
  • Page 222 222
  • Page 223 223
  • Page 224 224
  • Page 225 225
  • Page 226 226
  • Page 227 227
  • Page 228 228
  • Page 229 229
  • Page 230 230
  • Page 231 231
  • Page 232 232
  • Page 233 233
  • Page 234 234
  • Page 235 235
  • Page 236 236
  • Page 237 237
  • Page 238 238
  • Page 239 239
  • Page 240 240
  • Page 241 241
  • Page 242 242
  • Page 243 243
  • Page 244 244
  • Page 245 245
  • Page 246 246
  • Page 247 247
  • Page 248 248
  • Page 249 249
  • Page 250 250
  • Page 251 251
  • Page 252 252
  • Page 253 253
  • Page 254 254
  • Page 255 255
  • Page 256 256
  • Page 257 257
  • Page 258 258
  • Page 259 259
  • Page 260 260
  • Page 261 261
  • Page 262 262
  • Page 263 263
  • Page 264 264
  • Page 265 265
  • Page 266 266
  • Page 267 267
  • Page 268 268
  • Page 269 269
  • Page 270 270
  • Page 271 271
  • Page 272 272
  • Page 273 273
  • Page 274 274
  • Page 275 275
  • Page 276 276
  • Page 277 277
  • Page 278 278
  • Page 279 279
  • Page 280 280
  • Page 281 281
  • Page 282 282
  • Page 283 283
  • Page 284 284
  • Page 285 285
  • Page 286 286
  • Page 287 287
  • Page 288 288
  • Page 289 289
  • Page 290 290
  • Page 291 291
  • Page 292 292
  • Page 293 293
  • Page 294 294
  • Page 295 295
  • Page 296 296
  • Page 297 297
  • Page 298 298
  • Page 299 299
  • Page 300 300
  • Page 301 301
  • Page 302 302
  • Page 303 303

Watchguard Firebox Vclass User guide

Category
Software
Type
User guide

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI