WatchGuard CPM Policy & Administration User Guide

CPM Policy & Administration Guide
Central Policy Manager 4.0
Vcontroller 3.2
ii Central Policy Manager 4.0
Notice to Users
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are
fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Copyright, Trademark, and Patent Information
Copyright© 1998 - 2002 WatchGuard Technologies, Inc. All rights reserved.
Firebox, Firebox 1000, Firebox 2500, Firebox 4500, Firebox II, Firebox II Plus, Firebox II FastVPN, Firebox III,
Firebox SOHO, Firebox SOHO|tc, Firebox V100, Firebox V80, Firebox V60, Firebox V10, LiveSecurity,
RapidStream, RapidCore, WatchGuard, WatchGuard Technologies, Inc., AppLock, AppLock/Web, Designing peace of
mind, DVCP technology, Enforcer/MUVPN, FireChip, HackAdmin, HostWatch, LockSolid, RapidCare, SchoolMate,
ServerLock, ServiceWatch, Smart Security. Simply Done., SpamScreen, Vcontroller are either registered trademarks
or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries.
© Hi/fn, Inc. 1993, including one or more U.S. Patents: 4701745, 5016009, 5126739, and 5146221 and other
patents pending.
Microsoft®, Internet Explorer®, Windows® 95, Windows® 98, Windows NT® and Windows® 2000 are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corporation in the United
States and other countries.
RC2 Symmetric Block Cipher, RC4 Symmetric Stream Cipher, RC5 Symmetric Block Cipher, BSAFE, TIPEM, RSA
Public Key Cryptosystem, MD, MD2, MD4, and MD5 are either trademarks or registered trademarks of RSA Data
Security, Inc. Certain materials herein are Copyright © 1992-1999 RSA Data Security, Inc. All rights reserved.
RealNetworks, RealAudio, and RealVideo are either a registered trademark or trademark of RealNetworks, Inc. in the
United States and/or other countries.
Java and all Java-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. in the United
States and other countries. All rights reserved.
© 1995-1998 Eric Young (eay@cryptsoft). All rights reserved.
© 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or
without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from
this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without
prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software
developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL
PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com). This product includes software written by Tim
Hudson (tjh@cryptsoft.com).
CPM Policy & Administration Guide iii
© 1995-1998 Eric Young (eay@cryptsoft.com)
All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The
following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the
SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that
the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is
used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in
the form of a textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
"This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic'
can be left out if the routines from the library being used are not cryptographic related :-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you
must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
The licence and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e.
this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]
The mod_ssl package falls under the Open-Source Software label because it's distributed under a BSD-style license. The
detailed license information follows.
Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
"This product includes software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl
project (http://www.modssl.org/)."
4. The names "mod_ssl" must not be used to endorse or promote products derived from this software without prior
written permission. For written permission, please contact rse@engelschall.com.
5. Products derived from this software may not be called "mod_ssl" nor may "mod_ssl" appear in their names without
prior written permission of Ralf S. Engelschall.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software
developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/)."
THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S.
ENGELSCHALL OR HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The Apache Software License, Version 1.1
Copyright (c) 2000 The Apache Software Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment:
"This product includes software developed by the Apache Software Foundation (http://www.apache.org/)." Alternately,
this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally
appear.
4. The names "Apache" and "Apache Software Foundation" must not be used to endorse or promote products derived
from this software without prior written permission. For written permission, please contact apache@apache.org.
5. Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without
prior written permission of the Apache Software Foundation.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION
OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This software consists of voluntary contributions made by many individuals on behalf of the Apache Software
Foundation. For more information on the Apache Software Foundation, please see <http://www.apache.org/>.
Portions of this software are based upon public domain software originally written at the National Center for
Supercomputing Applications, University of Illinois, Urbana-Champaign.
All other trademarks or trade names mentioned herein, if any, are the property of their respective owners.
Part No:
Contents
CHAPTER 1 An Introduction to CPM Security Policies 1
What Scope Does a Policy Have? ...................................... 2
How many appliances? .................................................. 2
How many actions? ....................................................... 2
Planning a New Security Policy ......................................... 3
How to Take Advantage of Policy-creation in CPM ............. 4
How policies are organized in CPM .................................. 4
How CPM makes policy creation more efficient ................... 5
Important qualifications concerning CPM policies ............... 7
CHAPTER 2 How a Security Policy is Put Together, then Put into Effect .................................... 9
Inserting a New Policy Row .............................................. 9
Adding a new policy to a large, existing collection ............ 11
Adding the Source and Destination Addresses ................ 11
Adding Service(s) ........................................................... 13
Selecting the Actions a Policy Will Take ........................... 13
Making Efficient Use of the Policy Tab ............................. 16
CHAPTER 3 Cataloging Your Network Addresses .... 19
Overview ...................................................................... 19
Preparing for Address Entry ............................................ 20
Entering a New Address ................................................. 21
Entering a New Address Group ....................................... 24
Entering a New RAS Address .......................................... 25
Entering an IP Subnet .................................................. 27
Entering an IP Range ................................................... 28
Removing Address Entries .............................................. 28
CHAPTER 4 Cataloging Services for Use in Policies .. 31
Reviewing the catalog of existing services ....................... 31
Adding a new service to the tab ..................................... 32
Combining two or more services ..................................... 33
CHAPTER 5 Determining the Actions a Policy Will Take ........................................................... 37
Selecting the actions a policy will take ............................. 38
CHAPTER 6 Choosing a Firewall Action ...................... 41
Getting started .............................................................. 42
Activating Firewall Protection in a New Policy .................. 43
CHAPTER 7 Applying a NAT Action to a New Policy 45
Activating Dynamic IP NAT ............................................. 46
Getting started ........................................................... 46
Case Study: Setting up a dynamic NAT firewall policy ......... 47
Policy (“dnat_access”) .................................................. 47
Applying a static NAT action ........................................... 48
Requirements ............................................................. 48
Qualifications ............................................................. 49
Recording a static NAT action ........................................ 49
Applying a Virtual IP Load Balancing Action ..................... 51
Qualifications ............................................................. 52
Recording the load balancing action ............................... 52
Distributing the load to a number of servers ..................... 54
Important Notes ............................................................ 56
CHAPTER 8 Creating a QoS Policy Action .................. 57
What numbers to enter? ............................................... 59
Why use QoS? ........................................................... 60
Activating Port Shaping in an Appliance .......................... 61
Applying a QoS Action .................................................. 62
Customizing the new QoS action ................................... 63
Activating TOS marking ................................................. 63
Applying QoS Policies to an Entire Network .................... 65
Case Study: Sample QoS actions .................................... 65
Example 1: ................................................................ 65
Example 2: ................................................................ 66
CHAPTER 9 Creating an IPSec Manual Key Action ... 67
Before You Begin ........................................................... 68
Creating a New Manual-key IPSec VPN Policy ................. 68
Entering the correct traffic specifications for manual key VPN 68
Selecting the action .................................................... 69
Making this policy bi-directional .................................... 69
Customizing/creating an IPSec action ............................. 70
Configuring ESP protocols ............................................ 73
Configuring AH protocol .............................................. 74
Completing this action ................................................. 74
CHAPTER 10 Creating an Automatic Key IPSec Action 77
Overview ...................................................................... 77
An Overview of VPN Policy-making ................................. 78
Are certificates needed for authentication? ...................... 78
About Uni- and Bi-directional VPN Policies ...................... 79
Creating a New Automatic-key IPSec VPN Policy ............. 79
Entering the traffic specifications ................................... 80
Choosing an IPSec action ............................................. 81
Making an IKE VPN policy bi-directional .......................... 83
Assessing the IKE Settings ............................................. 83
If an appliance has an x.509 certificate ............................ 85
If both appliances have no x.509 certificates .................... 86
Customizing a New IKE IPSec Action .............................. 87
Completing the General tab entries ............................... 88
Customizing an IPSec proposal utilizing a single transform .. 90
Customizing an IPSec proposal with more than one transform 91
Customizing multiple IPSec proposals with one or more transforms ............................................................ 94
CHAPTER 11 Creating Remote Access VPN Policies .. 97
Problems—and Answers ................................................. 98
Potential problems for you the network administrator ......... 98
WatchGuard solutions for those problems ........................ 98
Controlling a Remote Access User’s Network Access Privileges .................................................................... 99
Getting Started .............................................................. 99
Setting Up the RAS VPN Client User Access ................... 101
Creating a Policy that Permits RAS Connections Using a Firebox V10 .............................................................. 102
Creating the needed Appliance records ......................... 102
Creating the needed Addresses entries ......................... 103
Creating the RAS security policy ................................... 104
Confirming the IKE settings ......................................... 105
And finally... ............................................................. 105
Creating a Policy that Permits RAS Connections from MUVPN Client Software ........................................... 106
Creating the RAS address group .................................. 106
Creating the gateway appliance’s Private network address 108
Creating the security policy ......................................... 108
Confirming the IKE pair settings ................................... 109
Configuring the authentication method for each group .... 109
Before You Finish ......................................................... 115
How it works ................................................................ 115
CHAPTER 12 Creating Policies for Multi-Tenant Virtual User Domains ............................ 117
Creating Policies for VLAN Tenants ............................... 118
Inserting VLAN tenant security policies ......................... 119
The advantages of a VLAN .......................................... 120
Routing VLAN traffic through a WatchGuard appliance ..... 121
Case Study: VLAN in WatchGuard Appliances ................ 123
Important: Using a Firebox Vclass appliance in a VLAN setting .......................................................................... 124
Creating Policies for User-domain Tenants ..................... 125
Inserting user domain tenant security policies ................ 125
Additional information ............................................... 125
An example of a user-domain policy in use .................... 126
An Overview of User-domain Tenant Authentication ....... 127
Inserting user domain tenant security policies ................ 127
How a User Domain Tenant Makes a Connection ........... 128
Activating the Firebox Vclass “Authenticate with Certificates” feature ................................................. 128
Importing a VPN certificate into a user’s Web browser ...... 129
CHAPTER 13 Establishing Tunnel Switching .............. 131
Requirements .............................................................. 133
Activating Tunnel Switching on the Central Appliance .... 134
Case Study: Establishing Tunnel Switching Between Remote Sites ............................................................ 134
Before starting ......................................................... 135
Applying policies to the appliance at the central site ....... 135
How Exactly Does this Example of Tunnel Switching Work? 137
Adding a New Site to the Initial Tunnel Switching Layout 138
CHAPTER 14 Editing IKE pairs, proposals and authentication ......................................... 141
Requirements .............................................................. 142
Editing IKE Pair Settings ............................................... 142
Creating a New IKE Proposal ........................................ 144
Entering a single transform for this proposal .................. 146
Entering more than one transform for this IKE proposal .... 148
Changing the authentication process ............................ 150
If you use symmetric certificate matching rules (the default) 152
If you use asymmetric certificate matching rules— ........... 152
If an appliance pair has only one certificate... ................. 153
Completing the entries .............................................. 153
Entering the Text for a Preshared (Secret) Key (PSK) ....... 154
CHAPTER 15 Scheduling a Policy for Specific Dates and Time .................................................. 157
Creating a New Schedule ............................................. 158
Selecting a Schedule for Use in a New Policy ................. 159
CHAPTER 16 Discovering and Deploying New Security Appliances ................................ 161
Requirements .............................................................. 162
Discovering a New Appliance ....................................... 162
Deploying Profiles to New Appliances ........................... 164
Relocating the appliance ............................................ 168
What’s next .................................................................. 169
CHAPTER 17 Deploying Profiles to Active Security Appliances ............................................... 171
How Deployment is Done ............................................. 172
Compiling All Listed Profiles ......................................... 173
Deploying profiles to all security appliances ................... 175
Deploying Profiles to a Specific Appliance ..................... 177
Important! ................................................................... 177
CHAPTER 18 Alternate System Configuration Options 179
Copying the Entire Configuration from Another Appliance 180
Copying Specific Configurations from Another Appliance 182
CHAPTER 19 Exporting/Importing an XML profile ... 185
Exporting a Profile as an XML Data File ......................... 185
Importing an XML Profile via CPM ................................. 189
Before you start ........................................................ 189
Importing the profile .................................................. 190
CHAPTER 20 Deleting Appliances, Addresses and Policy Records ........................................ 195
Deleting Records from the CPM Server Database ........... 196
Removing address entries ........................................... 196
Removing appliance entries ........................................ 196
Removing policies ..................................................... 196
If an error occurs… .................................................... 197
CHAPTER 21 Using CPM to monitor and maintain a number of security appliances ............ 199
Questions... ................................................................ 200
Answers... ................................................................... 201
CHAPTER 22 Monitoring a Security Appliance’s Status with CPM .................................... 203
How Does CPM Monitor an Appliance? ........................ 203
About network polling ............................................... 204
About event notification ............................................. 204
What can CPM monitor? .............................................. 205
About Appliance Availability ....................................... 206
About Interface Status ............................................... 207
About High Availability (HA) Status ............................... 207
About Alarm Status ................................................... 208
About Configuration Mismatch .................................... 208
Using the Appliance Manager Window to Monitor Status 208
What the window row colors mean ............................... 211
Reorganizing Appliance Manager Window Columns ...... 213
Sorting Appliance Manager window rows ...................... 215
Filtering Appliance Manager Window Entries ............... 216
Using wildcards ........................................................ 216
Getting started ......................................................... 217
Changing Appliance Manager Window Row Colors ....... 218
Ignoring an Appliance’s Status Reports ......................... 221
Ignoring a specific component .................................... 221
Ignoring an entire appliance ....................................... 222
CHAPTER 23 Using the Appliance Details dialog box 225
Opening the Appliance Detail dialog box ..................... 225
Window features ...................................................... 227
About the Appliance Detail Window Tabs ..................... 233
What the Window Colors Mean .................................... 234
CHAPTER 24 Using the Performance Graph ............ 237
Opening the Performance Graph .................................. 237
Setting up the Performance Graph ............................... 239
What this window displays .......................................... 242
Viewing Several Counters at Once ................................ 243
CHAPTER 25 Monitoring Alarms in CPM ................... 247
An overview of the built-in alarms ................................. 248
Reviewing recently triggered alarms .............................. 248
What’s in this window? ............................................... 249
Reviewing and resolving the alarm ................................ 250
Reviewing and Resolving Outstanding Alarms ................ 251
Updating the CPM alarm record ................................... 251
Viewing details of an open alarm .................................. 252
Acknowledging an open alarm .................................... 253
Clearing an alarm ...................................................... 254
Purging a cleared alarm .............................................. 256
Sorting Alarms in the Alarm window tabs ...................... 256
Filtering Alarms in the Alarm window tabs ..................... 257
CHAPTER 26 Defining New Individual and Group Alarms ..................................................... 261
What You Can Do with the Alarm Console ..................... 261
Quickstart: Using the Alarm Definition window ............... 262
Defining Individual Alarms ............................................ 264
Adding System Probe Counters to an Individual Alarm ..... 269
Adding VPN Peer Probes to an Individual Alarm .............. 272
Completing the alarm definition ................................... 275
Defining Global Alarms ................................................ 276
Adding System Probe counters to a global alarm definition 279
Adding VPN Peer probes to a global alarm definition ....... 283
Completing the global alarm definition ......................... 285
Additional notes .......................................................... 286
Deploying New Alarm Definitions to the Network .......... 287
CHAPTER 27 Setting up and Managing CPM Log Files 289
Viewing the CPM Log ................................................... 291
Viewing the Logs for Specific Appliances ....................... 293
Revising Log Settings for an Appliance .......................... 295
Managing a Large Number of Log Entries ...................... 296
Changing the number of log entries per page ................ 296
Filtering the contents of a log ..................................... 298
Creating a cumulative set of filters ............................... 299
Archiving Log Files ...................................................... 299
CHAPTER 28 Maintaining your Appliances ............... 303
About the Shortcut Menu ............................................. 303
Remotely Restarting an Appliance ................................ 304
Remotely Shutting Down an Appliance ......................... 305
Restoring an Appliance to the Factory Default State ...... 305
Archiving an Appliance’s Profile as an XML File .............. 306
Synchronizing an Appliance’s Clock with the CPM Server 306
CHAPTER 29 Backing Up and Restoring the CPM Server Database .................................... 309
Backing up the CPM Database ..................................... 310
Restoring a Previously Archived CPM Server Database ... 312
CHAPTER 30 Deleting Appliances, Addresses and Policy Records ...................................... 315
Deleting Records from the CPM Server Database .......... 316
Removing policies ....................................................... 316
If there are any security policies ................................... 316
If an error occurs… .................................................... 317
CHAPTER 31 Upgrading Appliances with WatchGuard OS software ............ 319
Upgrading an active appliance with CPM ...................... 319
Migrating the CPM Appliance Record ........................... 320
CHAPTER 32 Shutting Down and Rebooting Appliances ...................... 323
Remotely rebooting a security appliance ....................... 324
APPENDIX A Setting up an Active-Standby HA Failover System ............. 325
Important Requirements and Qualifications ................................ 326
Before Connecting the Appliances ................................ 326
Connecting the Appliances .......................................... 326
Enabling High Availability in CPM ................................. 329
Synchronizing the Primary and Secondary Appliances ..... 332
If You Change the Primary Profile .................................. 333
Before a Failover Occurs .............................................. 333
APPENDIX B About the CPM Configuration Files ..... 335
CPM Server Config file ................................................. 335
CPM Client Config file .................................................. 338
APPENDIX C A Catalog of Alarm Probes and Counters ...................... 341
System counters ......................................................... 341
Aggregate counters for all VPN end-point pairs ............ 347
IPSec counters per VPN end-point pair ......................... 348
Policy counters for all policies ...................................... 349
Policy counters per policy ............................................ 349
Index ......................................................................... 351
CHAPTER 1 An Introduction to CPM Security Policies
Every security appliance uses policies (or rules) that instruct the
appliance what to do with traffic streams that match certain
specifications. To create an effective policy, you must know the following:
Source: where the traffic stream originates
Destination: where the traffic is being sent
Services: which services are incorporated into qualifying data streams
Action: what the security appliance should do with all qualifying data streams
Schedule: when this policy should go into effect (days and hours)
The source, destination and service entries serve as the “traffic
specifications”, and once a security appliance detects traffic that matches
a particular set of specifications, it can then take “action” with that
traffic. The potential actions include the following:
Pass, block, or reject all qualifying traffic
Apply one of three general NAT actions: dynamic NAT, static NAT or load balancing
Apply Quality of Service and TOS marking to that particular traffic stream
Initiate and maintain a VPN connection with another appliance, permitting
secure data exchanges through insecure networks. This can include varieties
of corporate site connections and remote-access service connections between
external users and a corporate network.
What Scope Does a Policy Have?
Because WatchGuard CPM allows you to manage all of your security
appliances, you can create policies with more than one action and apply
them to a single appliance or to a combination of appliances. This means
that the scope of a CPM policy has two aspects:
How many appliances will make use of this policy (and its actions)
How many distinct actions a specific policy can apply to qualifying data
How many appliances?
With CPM you can create and apply a specific policy to a single appliance
or to several. For example, you can create a policy that includes a remote
access VPN action that permits client users to connect to a single security
appliance at the corporate headquarters.
Or, you can create policies that incorporate more than one security
appliance (at separate sites) as both source and destination. For example,
you may want to apply a VPN policy that permits branch offices to
communicate with corporate headquarters. The required policy would
record all gateway security appliances as both source and destination,
then apply the needed VPN/IPSec action to protect communications.
How many actions?
When you create a new policy (for one or more appliances) you can also
combine one or more actions in that policy, depending upon what you
want done with the specific data stream. Firebox Vclass appliances were
expressly designed for such mingling of security services, so a wide range
of complementary actions can be enforced by a single policy.
As for which actions can be safely combined in a single policy, the
following table provides a helpful overview. Read it from the row action
to the column action; a slash marks the cell where an action meets itself,
and each pair of actions is listed once:

              Firewall   IPSec   Virtual IP Load Balancing   Dynamic NAT   Static NAT   QoS
Firewall         /        YES              YES                  YES           YES       YES
IPSec                      /               YES                  YES           YES       YES
Virtual IP                                  /                   NO            NO        YES
Dynamic NAT                                                      /            NO        YES
Static NAT                                                                     /        YES
QoS                                                                                      /

In summary, you can combine a number of separate actions in a policy,
but do not combine VIP, static NAT and dynamic NAT in the same policy.
Planning a New Security Policy
In getting started with policy creation, you should complete the following
tasks. Skipping any of them will only cause problems, as all of these tasks
are important.
Inventory your network
Make a complete catalog of every Firebox Vclass appliance, including IP
address, model number, and version of operating software.
Assess the traffic
Map out the principal traffic patterns you will be managing. This includes
external-to-internal traffic, as well as internal network traffic flows (in
case you have certain subnets managed by a security appliance).
Record network addresses
If there are other network assets or regions that will be the sources or
destinations of traffic managed by any of your security appliances,
register them as addresses and address groups in the Configuration Editor
window before proceeding.
Assign RAS IP addresses
In anticipation of creating remote access VPN policies, have any
needed internal-use IP addresses ready for RAS connection
purposes.
Set RAS authentication
Use the Remote Access tab (in the Configuration Editor window)
to customize the particulars about remote access connections and
how RAS clients authenticate themselves to your internal
network.
Whether you are working with operational security appliances or brand-new
“factory default” appliances, you should treat the entire setup and
configuration process as a whole, resulting in a fully prepared appliance
profile. It is not practical to deploy pieces of a profile and accumulate
the whole profile in parts. The best strategy is to assemble all the profile
components and deploy them at one time. You can update the profile
incrementally any time thereafter, once the basic settings are in place.
How to Take Advantage of Policy-creation in CPM
If you are familiar with policy insertion in either RapidStream Manager or
WatchGuard Vcontroller, CPM shares some basic creation options, while
it also offers you some useful shortcuts to speed up your network
management duties. This section will describe the similarities and
differences, and then show you how to take advantage of CPM’s efficient
features in creating policies.
How policies are organized in CPM
As with Vcontroller, CPM allows you to designate a wide range of
possibilities as traffic sources or destinations, including whole networks,
whole subnets, specific ranges of IP addresses, or single IP addresses. You
can pick the services and the actions, and set a specific schedule of
operations per policy.
However, the basic premise is different in CPM. In Vcontroller, the
policies automatically refer to the networks connecting to the appliance,
and all internal network assets are associated with the private data
interface. With CPM, you first create a policy and then let CPM work out
which appliances it applies to at the time you compile and deploy the
profiles. Any given policy could be applied on a number of security
appliances. Initially a policy could affect your entire network, but CPM
sorts out which appliances actually make use of that policy.
In addition, the CPM policy-creation process is done off-line, preventing
you from tying up an operational appliance while you work. You can take
your time assembling policy components, and when ready, deploy the
updated profile to the appliance in a single step. You don’t have to
interrupt the appliances’ operations to create or edit policies.
Finally, the relationship of CPM to your entire network is fully
expressed in the association of network resources (usually noted as IP
addresses, ranges or subnets) with the general network topology. Every
private or trusted network resource is linked to a "private" data interface
or a "DMZ" interface on an appliance, while all others are linked to the
external "public" data interface, that is, to the Internet. As a result,
network resources are recorded as both an address and a data interface for
a particular appliance. If you create a number of internal "10.10.0.0"-type
address entries, one per site, there is no conflict in CPM, because each
10.10.0.0 entry is specifically assigned to a data interface on a specific
appliance. The same holds for all resources not within the protective
coverage of an appliance; they must then be assigned to the "Internet".
How CPM makes policy creation more efficient
Unlike Vcontroller (which usually services one or two appliances), CPM
also allows you to group the private networks behind each and every
appliance (noted as "addresses") into an address group, which you can
apply to a single policy. An example (noted in the accompanying
illustrations) is the creation of a single group address that includes all the
private networks behind the "private" interfaces of five V10 client
appliances.
If you have such a group, you can use it to make a single bi-directional
VPN policy to permit access to the corporate network, with your gateway
appliance (and the private network) as Destination and this one address
group as Source.
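The two ideas above, addresses that are bound to a data interface on a specific appliance (so CPM can work out the target appliances at compile time) and the action-combination table from "How many actions?", can be modelled together. This is an added Python example, not part of the guide or of WatchGuard's software; the appliance names, CIDRs and action labels are constructed and the data model is a simplification.

```python
from dataclasses import dataclass
from itertools import combinations
# Pairs the guide's combination table marks NO: virtual IP load balancing,
# dynamic NAT and static NAT must not share a policy. All other pairs are YES.
INCOMPATIBLE = {frozenset(p) for p in [("vip", "dynamic_nat"),
                                        ("vip", "static_nat"),
                                        ("dynamic_nat", "static_nat")]}
KNOWN_ACTIONS = {"firewall", "ipsec", "vip", "dynamic_nat", "static_nat", "qos"}

@dataclass(frozen=True)
class Address:
    """A resource is an address plus the appliance interface it sits behind."""
    cidr: str
    appliance: str   # hypothetical appliance names; "internet" for the public side
    interface: str   # "private", "dmz" or "public"

@dataclass
class Policy:
    name: str
    sources: list
    destinations: list
    services: frozenset
    actions: frozenset
    schedule: str = "always"

def incompatible_pairs(actions):
    """Return, sorted, the action pairs in `actions` that the table forbids."""
    unknown = set(actions) - KNOWN_ACTIONS
    if unknown:
        raise ValueError(f"unknown actions: {sorted(unknown)}")
    return sorted(tuple(sorted(p)) for p in combinations(actions, 2)
                  if frozenset(p) in INCOMPATIBLE)

def compile_policy(policy):
    """Mimic CPM's compile step: reject forbidden action mixes, then list the
    appliances owning a source or destination address (the Internet is none)."""
    bad = incompatible_pairs(policy.actions)
    if bad:
        raise ValueError(f"{policy.name}: cannot combine {bad}")
    return sorted({a.appliance for a in policy.sources + policy.destinations
                   if a.appliance != "internet"})

# Constructed sample: three V10 client sites each using 10.10.0.0/24 behind their
# own private interface (no conflict), grouped as Source of one VPN policy to HQ.
BRANCHES = [Address("10.10.0.0/24", f"branch-{i}", "private") for i in (1, 2, 3)]
HQ = [Address("192.168.1.0/24", "hq-gw", "private")]
VPN_POLICY = Policy("branch-to-hq", BRANCHES, HQ, frozenset({"any"}),
                    frozenset({"firewall", "ipsec"}))
BAD_POLICY = Policy("vip-plus-snat", HQ, [Address("0.0.0.0/0", "internet", "public")],
                    frozenset({"http"}), frozenset({"vip", "static_nat"}))
```

Compiling VPN_POLICY yields all four appliances that must carry it, while BAD_POLICY is rejected before any profile is built.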