WatchGuard CPM Policy & Administration User Guide

CPM Policy &
Administration Guide
Central Policy Manager 4.0
Vcontroller 3.2
ii Central Policy Manager 4.0
Notice to Users
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are
fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Copyright, Trademark, and Patent Information
Copyright© 1998 - 2002 WatchGuard Technologies, Inc. All rights reserved.
Firebox, Firebox 1000, Firebox 2500, Firebox 4500, Firebox II, Firebox II Plus, Firebox II FastVPN, Firebox III,
Firebox SOHO, Firebox SOHO|tc, Firebox V100, Firebox V80, Firebox V60, Firebox V10, LiveSecurity,
RapidStream, RapidCore, WatchGuard, WatchGuard Technologies, Inc., AppLock, AppLock/Web, Designing peace of
mind, DVCP technology, Enforcer/MUVPN, FireChip, HackAdmin, HostWatch, LockSolid, RapidCare, SchoolMate,
ServerLock, ServiceWatch, Smart Security. Simply Done., SpamScreen, Vcontroller are either registered trademarks
or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries.
© Hi/fn, Inc. 1993, including one or more U.S. Patents: 4701745, 5016009, 5126739, and 5146221 and other
patents pending.
Microsoft®, Internet Explorer®, Windows® 95, Windows® 98, Windows NT® and Windows® 2000 are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corporation in the United
States and other countries.
RC2 Symmetric Block Cipher, RC4 Symmetric Stream Cipher, RC5 Symmetric Block Cipher, BSAFE, TIPEM, RSA
Public Key Cryptosystem, MD, MD2, MD4, and MD5 are either trademarks or registered trademarks of RSA Data
Security, Inc. Certain materials herein are Copyright © 1992-1999 RSA Data Security, Inc. All rights reserved.
RealNetworks, RealAudio, and RealVideo are either a registered trademark or trademark of RealNetworks, Inc. in the
United States and/or other countries.
Java and all Java-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. in the United
States and other countries. All rights reserved.
© 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
© 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or
without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://
www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from
this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without
prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software
developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL
PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com). This product includes software written by Tim
Hudson (tjh@cryptsoft.com).
© 1995-1998 Eric Young (eay@cryptsoft.com)
All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with Netscape's SSL.
This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The
following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the
SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that
the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is
used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in
the form of a textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
"This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic'
can be left out if the routines from the library being used are not cryptographic related :-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you
must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
The licence and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e.
this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]
The mod_ssl package falls under the Open-Source Software label because it's distributed under a BSD-style license. The
detailed license information follows.
Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
"This product includes software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl
project (http://www.modssl.org/)."
4. The names "mod_ssl" must not be used to endorse or promote products derived from this software without prior
written permission. For written permission, please contact rse@engelschall.com.
5. Products derived from this software may not be called "mod_ssl" nor may "mod_ssl" appear in their names without
prior written permission of Ralf S. Engelschall.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software
developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/)."
THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S.
ENGELSCHALL OR HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The Apache Software License, Version 1.1
Copyright (c) 2000 The Apache Software Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment:
"This product includes software developed by the Apache Software Foundation (http://www.apache.org/)." Alternately,
this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally
appear.
4. The names "Apache" and "Apache Software Foundation" must not be used to endorse or promote products derived
from this software without prior written permission. For written permission, please contact apache@apache.org.
5. Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without
prior written permission of the Apache Software Foundation.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION
OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This software consists of voluntary contributions made by many individuals on behalf of the Apache Software
Foundation. For more information on the Apache Software Foundation, please see <http://www.apache.org/>.
Portions of this software are based upon public domain software originally written at the National Center for
Supercomputing Applications, University of Illinois, Urbana-Champaign.
All other trademarks or trade names mentioned herein, if any, are the property of their respective owners.
Part No:
Contents
CHAPTER 1 An Introduction to CPM Security Policies 1
What Scope Does a Policy Have? ...................................... 2
How many appliances? .................................................. 2
How many actions? ....................................................... 2
Planning a New Security Policy ......................................... 3
How to Take Advantage of Policy-creation in CPM ............. 4
How policies are organized in CPM .................................. 4
How CPM makes policy creation more efficient ................... 5
Important qualifications concerning CPM policies ............... 7
CHAPTER 2 How a Security Policy is Put Together, then Put into Effect .................................... 9
Inserting a New Policy Row .............................................. 9
Adding a new policy to a large, existing collection ............ 11
Adding the Source and Destination Addresses ................ 11
Adding Service(s) ........................................................... 13
Selecting the Actions a Policy Will Take ........................... 13
Making Efficient Use of the Policy Tab ............................. 16
CHAPTER 3 Cataloging Your Network Addresses .... 19
Overview ...................................................................... 19
Preparing for Address Entry ............................................ 20
Entering a New Address ................................................. 21
Entering a New Address Group ....................................... 24
Entering a New RAS Address .......................................... 25
Entering an IP Subnet .................................................. 27
Entering an IP Range ................................................... 28
Removing Address Entries .............................................. 28
CHAPTER 4 Cataloging Services for Use in Policies .. 31
Reviewing the catalog of existing services ....................... 31
Adding a new service to the tab ..................................... 32
Combining two or more services ..................................... 33
CHAPTER 5 Determining the Actions a Policy Will Take ........................................................... 37
Selecting the actions a policy will take ............................. 38
CHAPTER 6 Choosing a Firewall Action ...................... 41
Getting started .............................................................. 42
Activating Firewall Protection in a New Policy .................. 43
CHAPTER 7 Applying a NAT Action to a New Policy 45
Activating Dynamic IP NAT ............................................. 46
Getting started ........................................................... 46
Case Study: Setting up a dynamic NAT firewall policy ......... 47
Policy (“dnat_access”) .................................................. 47
Applying a static NAT action ........................................... 48
Requirements ............................................................. 48
Qualifications ............................................................. 49
Recording a static NAT action ........................................ 49
Applying a Virtual IP Load Balancing Action ..................... 51
Qualifications ............................................................. 52
Recording the load balancing action ............................... 52
Distributing the load to a number of servers ..................... 54
Important Notes ............................................................ 56
CHAPTER 8 Creating a QoS Policy Action .................. 57
What numbers to enter? ............................................... 59
Why use QoS? ........................................................... 60
Activating Port Shaping in an Appliance .......................... 61
Applying a QoS Action .................................................. 62
Customizing the new QoS action ................................... 63
Activating TOS marking ................................................. 63
Applying QoS Policies to an Entire Network .................... 65
Case Study: Sample QoS actions .................................... 65
Example 1: ................................................................ 65
Example 2: ................................................................ 66
CHAPTER 9 Creating an IPSec Manual Key Action ... 67
Before You Begin ........................................................... 68
Creating a New Manual-key IPSec VPN Policy ................. 68
Entering the correct traffic specifications for manual key VPN 68
Selecting the action .................................................... 69
Making this policy bi-directional .................................... 69
Customizing/creating an IPSec action ............................. 70
Configuring ESP protocols ............................................ 73
Configuring AH protocol .............................................. 74
Completing this action ................................................. 74
CHAPTER 10 Creating an Automatic Key IPSec Action 77
Overview ...................................................................... 77
An Overview of VPN Policy-making ............................... 78
Are certificates needed for authentication? ...................... 78
About Uni- and Bi-directional VPN Policies ...................... 79
Creating a New Automatic-key IPSec VPN Policy ............. 79
Entering the traffic specifications ................................... 80
Choosing an IPSec action ............................................. 81
Making an IKE VPN policy bi-directional .......................... 83
Assessing the IKE Settings ............................................. 83
If an appliance has an x.509 certificate ............................ 85
If both appliances have no x.509 certificates .................... 86
Customizing a New IKE IPSec Action .............................. 87
Completing the General tab entries ............................... 88
Customizing an IPSec proposal utilizing a single transform .. 90
Customizing an IPSec proposal with more than one transform 91
Customizing multiple IPSec proposals with one or more transforms ............................................................ 94
CHAPTER 11 Creating Remote Access VPN Policies .. 97
Problems—and Answers ................................................. 98
Potential problems for you the network administrator ......... 98
WatchGuard solutions for those problems ........................ 98
Controlling a Remote Access User’s Network Access Privileges .................................................................... 99
Getting Started .............................................................. 99
Setting Up the RAS VPN Client User Access ................... 101
Creating a Policy that Permits RAS Connections Using a Firebox V10 .............................................................. 102
Creating the needed Appliance records ......................... 102
Creating the needed Addresses entries ......................... 103
Creating the RAS security policy ................................... 104
Confirming the IKE settings ......................................... 105
And finally... ............................................................. 105
Creating a Policy that Permits RAS Connections from MUVPN Client Software ........................................... 106
Creating the RAS address group .................................. 106
Creating the gateway appliance’s Private network address 108
Creating the security policy ......................................... 108
Confirming the IKE pair settings ................................... 109
Configuring the authentication method for each group .... 109
Before You Finish ......................................................... 115
How it works ................................................................ 115
CHAPTER 12 Creating Policies for Multi-Tenant Virtual User Domains ............................ 117
Creating Policies for VLAN Tenants ............................... 118
Inserting VLAN tenant security policies ......................... 119
The advantages of a VLAN .......................................... 120
Routing VLAN traffic through a WatchGuard appliance ..... 121
Case Study: VLAN in WatchGuard Appliances ................ 123
Important: Using a Firebox Vclass appliance in a VLAN setting .......................................................................... 124
Creating Policies for User-domain Tenants ..................... 125
Inserting user domain tenant security policies ................ 125
Additional information ............................................... 125
An example of a user-domain policy in use .................... 126
An Overview of User-domain Tenant Authentication ....... 127
Inserting user domain tenant security policies ................ 127
How a User Domain Tenant Makes a Connection ........... 128
Activating the Firebox Vclass “Authenticate with Certificates” feature ................................................. 128
Importing a VPN certificate into a user's Web browser ...... 129
CHAPTER 13 Establishing Tunnel Switching .............. 131
Requirements .............................................................. 133
Activating Tunnel Switching on the Central Appliance .... 134
Case Study: Establishing Tunnel Switching Between Remote Sites ............................................................ 134
Before starting ......................................................... 135
Applying policies to the appliance at the central site ....... 135
How Exactly Does this Example of Tunnel Switching Work? 137
Adding a New Site to the Initial Tunnel Switching Layout 138
CHAPTER 14 Editing IKE pairs, proposals and authentication .........................................141
Requirements .............................................................. 142
Editing IKE Pair Settings ............................................... 142
Creating a New IKE Proposal ........................................ 144
Entering a single transform for this proposal .................. 146
Entering more than one transform for this IKE proposal .... 148
Changing the authentication process ............................ 150
If you use symmetric certificate matching rules (the default) 152
If you use asymmetric certificate matching rules— ........... 152
If an appliance pair has only one certificate... ................. 153
Completing the entries .............................................. 153
Entering the Text for a Preshared (Secret) Key (PSK) ....... 154
CHAPTER 15 Scheduling a Policy for Specific Dates and Time .................................................. 157
Creating a New Schedule ............................................. 158
Selecting a Schedule for Use in a New Policy ................. 159
CHAPTER 16 Discovering and Deploying New Security Appliances ................................161
Requirements .............................................................. 162
Discovering a New Appliance ....................................... 162
Deploying Profiles to New Appliances ........................... 164
Relocating the appliance ............................................ 168
What’s next .................................................................. 169
CHAPTER 17 Deploying Profiles to Active Security Appliances ............................................... 171
How Deployment is Done ............................................. 172
Compiling All Listed Profiles ......................................... 173
Deploying profiles to all security appliances ................... 175
Deploying Profiles to a Specific Appliance ..................... 177
Important! ................................................................... 177
CHAPTER 18 Alternate System Configuration Options 179
Copying the Entire Configuration from Another Appliance 180
Copying Specific Configurations from Another Appliance 182
CHAPTER 19 Exporting/Importing an XML profile ... 185
Exporting a Profile as an XML Data File ......................... 185
Importing a XML Profile via CPM ................................... 189
Before you start ........................................................ 189
Importing the profile .................................................. 190
CHAPTER 20 Deleting Appliances, Addresses and Policy Records ........................................195
Deleting Records from the CPM Server Database ........... 196
Removing address entries ........................................... 196
Removing appliance entries ........................................ 196
Removing policies ..................................................... 196
If an error occurs… .................................................... 197
CHAPTER 21 Using CPM to monitor and maintain a number of security appliances ............199
Questions... ................................................................ 200
Answers... ................................................................... 201
CHAPTER 22 Monitoring a Security Appliance’s Status with CPM ....................................203
How Does CPM Monitor an Appliance? ........................ 203
About network polling ............................................... 204
About event notification ............................................. 204
What can CPM monitor? .............................................. 205
About Appliance Availability ....................................... 206
About Interface Status ............................................... 207
About High Availability (HA) Status ............................... 207
About Alarm Status ................................................... 208
About Configuration Mismatch .................................... 208
Using the Appliance Manager Window to Monitor Status 208
What the window row colors mean ............................... 211
Reorganizing Appliance Manager Window Columns ...... 213
Sorting Appliance Manager window rows ...................... 215
Filtering Appliance Manager Window Entries ............... 216
Using wildcards ........................................................ 216
Getting started ......................................................... 217
Changing Appliance Manager Window Row Colors ....... 218
Ignoring an Appliance’s Status Reports ......................... 221
Ignoring a specific component .................................... 221
Ignoring an entire appliance ....................................... 222
CHAPTER 23 Using the Appliance Details dialog box 225
Opening the Appliance Detail dialog box ..................... 225
Window features ...................................................... 227
About the Appliance Detail Window Tabs ..................... 233
What the Window Colors Mean .................................... 234
CHAPTER 24 Using the Performance Graph ............ 237
Opening the Performance Graph .................................. 237
Setting up the Performance Graph ............................... 239
What this window displays .......................................... 242
Viewing Several Counters at Once ................................ 243
CHAPTER 25 Monitoring Alarms in CPM ................... 247
An overview of the built-in alarms ................................. 248
Reviewing recently triggered alarms .............................. 248
What’s in this window? ............................................... 249
Reviewing and resolving the alarm ................................ 250
Reviewing and Resolving Outstanding Alarms ................ 251
Updating the CPM alarm record ................................... 251
Viewing details of an open alarm .................................. 252
Acknowledging an open alarm .................................... 253
Clearing an alarm ...................................................... 254
Purging a cleared alarm .............................................. 256
Sorting Alarms in the Alarm window tabs ...................... 256
Filtering Alarms in the Alarm window tabs ..................... 257
CHAPTER 26 Defining New Individual and Group Alarms .....................................................261
What You Can Do with the Alarm Console ..................... 261
Quickstart: Using the Alarm Definition window ............... 262
Defining Individual Alarms ............................................ 264
Adding System Probe Counters to an Individual Alarm ..... 269
Adding VPN Peer Probes to an Individual Alarm .............. 272
Completing the alarm definition ................................... 275
Defining Global Alarms ................................................ 276
Adding System Probe counters to a global alarm definition 279
Adding VPN Peer probes to a global alarm definition ....... 283
Completing the global alarm definition ......................... 285
Additional notes .......................................................... 286
Deploying New Alarm Definitions to the Network .......... 287
CHAPTER 27 Setting up and Managing CPM Log Files 289
Viewing the CPM Log ................................................... 291
Viewing the Logs for Specific Appliances ....................... 293
Revising Log Settings for an Appliance .......................... 295
Managing a Large Number of Log Entries ...................... 296
Changing the number of log entries per page ................ 296
Filtering the contents of a log ..................................... 298
Creating a cumulative set of filters ............................... 299
Archiving Log Files ...................................................... 299
CHAPTER 28 Maintaining your Appliances ............... 303
About the Shortcut Menu ............................................. 303
Remotely Restarting an Appliance ................................ 304
Remotely Shutting Down an Appliance ......................... 305
Restoring an Appliance to the Factory Default State ...... 305
Archiving an Appliance’s Profile as an XML File .............. 306
Synchronizing an Appliance’s Clock with the CPM Server 306
CHAPTER 29 Backing Up and Restoring the CPM Server Database .................................... 309
Backing up the CPM Database ..................................... 310
Restoring a Previously Archived CPM Server Database ... 312
CHAPTER 30 Deleting Appliances, Addresses and Policy Records ...................................... 315
Deleting Records from the CPM Server Database .......... 316
Removing policies ....................................................... 316
If there are any security policies ................................... 316
If an error occurs… .................................................... 317
CHAPTER 31 Upgrading Appliances with WatchGuard OS software .......................................... 319
Upgrading an active appliance with CPM ...................... 319
Migrating the CPM Appliance Record ........................... 320
CHAPTER 32 Shutting Down and Rebooting Appliances ..............................................323
Remotely rebooting a security appliance ....................... 324
APPENDIX A Setting up an Active-Standby HA Failover System ........ 325
Important Requirements and Qualifications .......................... 326
Before Connecting the Appliances ................................ 326
Connecting the Appliances .......................................... 326
Enabling High Availability in CPM ................................. 329
Synchronizing the Primary and Secondary Appliances ..... 332
If You Change the Primary Profile .................................. 333
Before a Failover Occurs .............................................. 333
APPENDIX B About the CPM Configuration Files ..... 335
CPM Server Config file ................................................. 335
CPM Client Config file .................................................. 338
APPENDIX C A Catalog of Alarm Probes and Counters ................. 341
System counters ......................................................... 341
Aggregate counters for all VPN end-point pairs ............ 347
IPSec counters per VPN end-point pair ......................... 348
Policy counters for all policies ...................................... 349
Policy counters per policy ............................................ 349
Index ......................................................................... 351
CHAPTER 1 An Introduction to CPM Security Policies
Every security appliance uses policies (also called rules) that tell the
appliance what to do with traffic streams that match certain
specifications. To create an effective policy, you must know the following:
Source
Where the traffic stream originates
Destination
Where the traffic is being sent
Services
Which services are incorporated into qualifying data streams
Action
What the security appliance should do with all qualifying data
streams
Schedule
When this policy should go into effect (days and hours)
The source, destination and service entries together form the “traffic
specification”. Once a security appliance detects traffic that matches a
particular specification, it applies the policy’s “action” to that traffic.
The potential actions include the following:
Pass, block, or reject all qualifying traffic
Apply one of three general NAT actions: dynamic NAT, static NAT or
load balancing
Apply Quality of Service and TOS marking to that particular traffic
stream
Initiate and maintain a VPN connection with another appliance,
permitting secure data exchanges through insecure networks. This
can include varieties of corporate site connections and remote-access
service connections between external users and a corporate network.
What Scope Does a Policy Have?
As WatchGuard CPM allows you to manage all of your security
appliances, you can create policies with more than one action and apply
them to a single appliance or to a combination of appliances. This means
that the scope of a CPM policy has two aspects:
How many appliances will make use of this policy (and its actions)
How many distinct actions a specific policy can apply to qualifying
data
How many appliances?
With CPM you can create and apply a specific policy to a single appliance
or to several. For example, you can create a policy that includes a remote
access VPN action that permits client users to connect to a single security
appliance at the corporate headquarters.
Or, you can create policies that incorporate more than one security
appliance (at separate sites) as both source and destination. For example,
you may want to apply a VPN policy that permits branch offices to
communicate with corporate headquarters. The required policy would
record all gateway security appliances as both source and destination,
then apply the needed VPN/IPSec action to protect communications.
How many actions?
When you create a new policy (for one or more appliances) you can also
combine one or more actions in that policy, depending upon what you
want done with the specific data stream. Firebox Vclass appliances were
expressly designed for such combinations of security services, so a wide
range of complementary actions can be enforced by a single policy.
The following table shows which actions can safely be combined in a
single policy (YES: the two actions may share a policy; NO: they may not):

                 Firewall  IPSec  Virtual IP/     Dynamic  Static  QoS
                                  Load Balancing  NAT      NAT
Firewall            /       YES      YES           YES      YES    YES
IPSec                        /       YES           YES      YES    YES
Virtual IP                            /            NO       NO     YES
Dynamic NAT                                         /       NO     YES
Static NAT                                                   /     YES
QoS                                                                 /

In summary, you can combine a number of separate actions in a policy,
but do not combine Virtual IP (load balancing), static NAT and dynamic
NAT with one another in the same policy.
Planning a New Security Policy
Before you begin creating policies, complete all of the following tasks.
Each of them matters; skipping any one of them will cause problems later.
Inventory your network
Make a complete catalog of every Firebox Vclass appliance,
including its IP address, model number, and version of operating
software.
Assess the traffic
Map out the principal traffic patterns you will be managing. This
includes external-to-internal traffic, as well as internal network
traffic flows (for example, where certain subnets are managed by a
security appliance).
Record network addresses
If there are other network assets or regions that will be the sources
or destinations of traffic managed by any of your security
appliances, register them as addresses and address groups in the
Configuration Editor window before proceeding.
Assign RAS IP addresses
In anticipation of creating remote access VPN policies, have any
needed internal-use IP addresses ready for RAS connection
purposes.
Set RAS authentication
Use the Remote Access tab (in the Configuration Editor window)
to customize the particulars about remote access connections and
how RAS clients authenticate themselves to your internal
network.
Whether you are working with operational security appliances or
brand-new “factory default” appliances, treat the entire setup and
configuration process as a whole that results in a fully prepared
appliance profile. It is not practical to deploy a profile piecemeal and
accumulate the whole profile in parts. The best strategy is to assemble
all the profile components and deploy them at one time. Once the basic
settings are in place, you can update the profile incrementally at any
time thereafter.
How to Take Advantage of Policy-creation in CPM
If you are familiar with creating policies in either RapidStream Manager
or WatchGuard Vcontroller, you will find that CPM shares their basic
creation options while also offering useful shortcuts that speed up your
network management duties. This section describes the similarities and
differences, and then shows you how to take advantage of CPM’s efficient
features when creating policies.
How policies are organized in CPM
As with Vcontroller, CPM allows you to designate a wide range of
possibilities as traffic sources or destinations: including whole networks,
whole subnets, specific ranges of IP addresses, or single IP addresses. You
can pick the services, the actions, and set a specific schedule of operations
per policy.
However, the basic premise is different in CPM. In Vcontroller, policies
automatically refer to the networks connected to the appliance, and all
internal network assets are associated with the private data interface.
In CPM, you first create a policy, and then CPM works out which
appliances it applies to at the time you compile and deploy the profiles.
Any given policy could be applied on a number of security appliances.
Initially, a policy could affect your entire network, but CPM sorts out
which appliances actually make use of that policy.
In addition, the CPM policy-creation process is done off-line, preventing
you from tying up an operational appliance while you work. You can take
your time assembling policy components, and when ready, deploy the
updated profile to the appliance in a single step. You don’t have to
interrupt the appliances’ operations to create or edit policies.
Finally, CPM ties every network resource (usually recorded as an IP
address, range, or subnet) to the general network topology. Every
private/trusted network resource is linked to a "private" data interface
or a "DMZ" interface on an appliance, while all others are linked to the
external "public" data interface, that is, to the Internet. As a result,
a network resource is recorded as both an address and a data interface
on a particular appliance. If you create a number of internal
10.10.0.0-type address entries, one per site, there is no conflict in
CPM, because each 10.10.0.0 entry is specifically assigned to a data
interface on a specific appliance. The same applies to all resources
outside the protective coverage of any appliance: they must be assigned
to the "Internet".
How CPM makes policy creation more efficient
Unlike Vcontroller (which usually services one or two appliances), CPM
also allows you to group the private networks behind each and every
appliance (recorded as "addresses") into an address group, which you can
apply to a single policy. An example (shown in the accompanying
illustrations) is the creation of a single address group that includes
all the private networks behind the "private" interfaces of five V10
client appliances.
With such a group, you can write a single bi-directional VPN policy that
permits access to the corporate network, with your gateway appliance
(and its private network) as Destination and this one address group as
Source.
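The scoping rules described in this chapter (an address is bound to a data interface on a specific appliance or to the Internet, an address group can span several appliances, and CPM decides at compile time which appliances a policy applies to), together with the action-compatibility table in the "How many actions?" section, can be modelled in a small amount of code. The following Python is an added example written for this guide, not CPM's own code or data format. The class names, the appliance and address names, and the pairwise incompatibility set are assumptions derived from the chapter text; the five V10 branch appliances that all use 10.10.0.0/16 internally are a constructed sample.

```python
"""Model of CPM-style policy scoping and action compatibility (added example).

Assumptions: an Address is bound to one data interface on one appliance
(or to the Internet); an AddressGroup may collect addresses from many
appliances; a policy's scope is every appliance hosting one of its
source or destination addresses. None of this is CPM's own API.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations

INTERNET = "Internet"  # pseudo-appliance for resources behind no appliance

# Pairs that must NOT share a policy, taken from the chapter's table.
# Firewall, IPSec and QoS combine with anything.
INCOMPATIBLE = {
    frozenset({"vip", "dynamic_nat"}),
    frozenset({"vip", "static_nat"}),
    frozenset({"dynamic_nat", "static_nat"}),
}
ACTIONS = {"firewall", "ipsec", "vip", "dynamic_nat", "static_nat", "qos"}


@dataclass(frozen=True)
class Address:
    name: str
    network: str      # CIDR text, e.g. "10.10.0.0/16"
    appliance: str    # appliance name, or INTERNET
    interface: str    # "private", "dmz" or "public"


@dataclass
class AddressGroup:
    name: str
    members: tuple    # of Address, possibly on different appliances


@dataclass
class Policy:
    name: str
    source: object    # Address or AddressGroup
    destination: object
    services: tuple
    actions: frozenset
    schedule: str = "always"


def check_actions(actions):
    """Return the forbidden action pairs present in `actions` (empty = OK)."""
    unknown = set(actions) - ACTIONS
    if unknown:
        raise ValueError(f"unknown actions: {sorted(unknown)}")
    return sorted(tuple(sorted(pair))
                  for pair in map(frozenset, combinations(actions, 2))
                  if pair in INCOMPATIBLE)


def _members(endpoint):
    return endpoint.members if isinstance(endpoint, AddressGroup) else (endpoint,)


def compile_scope(policy):
    """Appliances that must carry this policy: each one hosting a source or
    destination address. Internet-bound addresses add no appliance."""
    bad = check_actions(policy.actions)
    if bad:
        raise ValueError(f"{policy.name}: cannot combine {bad}")
    return sorted({a.appliance
                   for ep in (policy.source, policy.destination)
                   for a in _members(ep) if a.appliance != INTERNET})


def find_conflicts(addresses):
    """Overlapping networks conflict only on the same appliance AND interface,
    so the same 10.10.0.0/16 recorded at five sites is not a conflict."""
    conflicts = []
    for a, b in combinations(addresses, 2):
        same_place = (a.appliance, a.interface) == (b.appliance, b.interface)
        if same_place and ip_network(a.network).overlaps(ip_network(b.network)):
            conflicts.append((a.name, b.name))
    return conflicts


# Constructed sample (invented names): five V10 branch appliances, all using
# 10.10.0.0/16 behind their private interface, plus a headquarters gateway.
BRANCHES = tuple(
    Address(f"branch{i}-lan", "10.10.0.0/16", f"v10-branch{i}", "private")
    for i in range(1, 6))
HQ_LAN = Address("hq-lan", "192.168.1.0/24", "hq-gateway", "private")
ANY_INTERNET = Address("any", "0.0.0.0/0", INTERNET, "public")
BRANCH_GROUP = AddressGroup("all-branches", BRANCHES)

VPN_POLICY = Policy("branch-to-hq-vpn", BRANCH_GROUP, HQ_LAN,
                    ("any",), frozenset({"firewall", "ipsec"}))
BAD_POLICY = Policy("broken-nat", ANY_INTERNET, HQ_LAN, ("http",),
                    frozenset({"firewall", "vip", "static_nat"}))

if __name__ == "__main__":
    print("address conflicts:", find_conflicts(BRANCHES + (HQ_LAN,)))
    print("VPN policy scope:", compile_scope(VPN_POLICY))
    print("forbidden pairs in bad policy:", check_actions(BAD_POLICY.actions))
```

Running the block shows the two checks a practitioner wants before deploying: the five overlapping 10.10.0.0/16 entries raise no conflict because each is keyed by appliance and interface, the single bi-directional VPN policy compiles to all five branch appliances plus the gateway, and a policy that mixes Virtual IP with static NAT is refused before it reaches any appliance.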