User Guide - WatchGuard Technologies

Central Policy Manager 

Guide 

Central Policy Manager 4.0

Notice to Users 

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are 

fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, 

electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc. 

Copyright, Trademark, and Patent Information 

Copyright© 1998 - 2002 WatchGuard Technologies, Inc. All rights reserved. 

Firebox, Firebox 1000, Firebox 2500, Firebox 4500, Firebox II, Firebox II Plus, Firebox II FastVPN, Firebox III, 

Firebox SOHO, Firebox SOHO|tc, Firebox V100, Firebox V80, Firebox V60, Firebox V10, LiveSecurity, 

RapidStream, RapidCore, WatchGuard, WatchGuard Technologies, Inc., AppLock, AppLock/Web, Designing peace of 

mind, DVCP technology, Enforcer/MUVPN, FireChip, HackAdmin, HostWatch, LockSolid, RapidCare, SchoolMate, 

ServerLock, ServiceWatch, Smart Security. Simply Done., SpamScreen, Vcontroller are either registered trademarks 

or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries. 

© Hi/fn, Inc. 1993, including one or more U.S. Patents: 4701745, 5016009, 5126739, and 5146221 and other 

patents pending. 

Microsoft®, Internet Explorer®, Windows® 95, Windows® 98, Windows NT® and Windows® 2000 are either 

registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. 

Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corporation in the United 

States and other countries. 

RC2 Symmetric Block Cipher, RC4 Symmetric Stream Cipher, RC5 Symmetric Block Cipher, BSAFE, TIPEM, RSA 

Public Key Cryptosystem, MD, MD2, MD4, and MD5 are either trademarks or registered trademarks of RSA Data 

Security, Inc. Certain materials herein are Copyright © 1992-1999 RSA Data Security, Inc. All rights reserved. 

RealNetworks, RealAudio, and RealVideo are either a registered trademark or trademark of RealNetworks, Inc. in the 

United States and/or other countries. 

Java and all Jave-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. in the United 

States and other countries. All right reserved. 

© 1995-1998 Eric Young (eay@cryptsoft). All rights reserved. 

© 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or 

without modification, are permitted provided that the following conditions are met: 

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following 

disclaimer. 

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following 

disclaimer in the documentation and/or other materials provided with the distribution. 

3. All advertising materials mentioning features or use of this software must display the following acknowledgment: 

"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http:// 

www.openssl.org/)" 

4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from 

this software without prior written permission. For written permission, please contact openssl-core@openssl.org. 

5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without 

prior written permission of the OpenSSL Project. 

6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software 

developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)" 

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT `ÀS IS'' AND ANY EXPRESSED OR IMPLIED 

WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 

AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL 

PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 

EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 

SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 

HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR 

TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 

SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 

This product includes cryptographic software written by Eric Young 

(eay@cryptsoft.com). This product includes software written by Tim 

Hudson (tjh@cryptsoft.com). 

ii Central Policy Manager 4.0

© 1995-1998 Eric Young (eay@cryptsoft.com) 

All rights reserved. 

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). 

The implementation was written so as to conform with Netscapes SSL. 

This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The 

following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the 

SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that 

the holder is Tim Hudson (tjh@cryptsoft.com). 

Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is 

used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in 

the form of a textual message at program startup or in documentation (online or textual) provided with the package. 

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 

following conditions are met: 

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. 



3. All advertising materials mentioning features or use of this software must display the following acknowledgement: 

"This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic' 

can be left out if the routines from the library being used are not cryptographic related :-). 

4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you 

must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG `ÀS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, 

INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 

FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS 

BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 

DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 

LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 

THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE 

OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 

POSSIBILITY OF SUCH DAMAGE. 

The licence and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. 

this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.] 

The mod_ssl package falls under the Open-Source Software label because it's distributed under a BSD-style license. The 

detailed license information follows. 

Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. 




disclaimer. 



3. All advertising materials mentioning features or use of this software must display the following acknowledgment: 

"This product includes software developed by Ralf S. Engelschall for use in the mod_ssl 

project (http://www.modssl.org/)." 

4. The names "mod_ssl" must not be used to endorse or promote products derived from this software without prior 

written permission. For written permission, please contact rse@engelschall.com. 

5. Products derived from this software may not be called "mod_ssl" nor may "mod_ssl" appear in their names without 

prior written permission of Ralf S. Engelschall. 

6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software 

developed by Ralf S. Engelschall for use in the mod_ssl project (http://www.modssl.org/)." 

THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL `ÀS IS'' AND ANY EXPRESSED OR IMPLIED 

WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 

AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. 

ENGELSCHALL OR HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 

Central Policy Manager Guide 

iii

EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 

SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 

HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR 

TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 

SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 

The Apache Software License, Version 1.1 

Copyright (c) 2000 The Apache Software Foundation. All rights reserved. 




disclaimer. 



3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment: 

"This product includes software developed by the Apache Software Foundation (http://www.apache.org/)." Alternately, 

this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally 

appear. 

4. The names "Apache" and "Apache Software Foundation" must not be used to endorse or promote products derived 

from this software without prior written permission. For written permission, please contact apache@apache.org. 

5. Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without 

prior written permission of the Apache Software Foundation. 

THIS SOFTWARE IS PROVIDED `ÀS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, 

BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 

PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION 

OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, 

OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE 

GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 

CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 

(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, 

EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 

This software consists of voluntary contributions made by many individuals on behalf of the Apache Software 

Foundation. For more information on the Apache Software Foundation, please see . 

Portions of this software are based upon public domain software originally written at the National Center for 

Supercomputing Applications, University of Illinois, Urbana-Champaign. 

All other trademarks or trade names mentioned herein, if any, are the property of their respective owners. 

Part No: 0833-003 

iv Central Policy Manager 4.0

Contents 

CHAPTER 1 About WatchGuard CPM .......................... 1 

About the CPM Server ................................................... 1 

About the CPM Client ................................................... 2 

Network Scope of CPM .................................................... 2 

Types of Appliances Administered with CPM ..................... 2 

CPM and WatchGuard/RapidStream security appliances ....... 3 

CPM and RapidStream "Secured by Check Point" security 

appliances ........................................................................ 3 

CPM and foreign security appliances ................................ 3 

CHAPTER 2 Installing or Upgrading CPM Software .... 5 

Installing and Setting Up a Firebox Vclass Appliance .......... 5 

Where You Can Install CPM Server and Client .................... 6 

Requirements for CPM Installation .................................... 7 

Server specifics ............................................................ 7 

Client specifics ............................................................. 7 

Hardware and software specifics ...................................... 8 

Java 2 runtime environment .......................................... 10 

Obtaining the Site License for CPM ................................ 10 

Installing the CPM Server Software ................................. 11 

Installing CPM Server on a Windows NT platform .............. 16 

Central Policy Manager Guide 

v

Installing CPM Server on a Solaris host ............................ 16 

Installing the CPM Client Software .................................. 18 

Upgrading from Previous Versions of CPM ....................... 21 

Uninstalling the CPM Server or Client .............................. 22 

CHAPTER 3 Starting the CPM Client and Server ....... 23 

Starting the CPM Client for the First Time ........................ 23 

Starting the CPM Client After Initial Log In ....................... 27 

Changing Your CPM Client Login Password ..................... 27 

If CPM prompts a password change ................................ 28 

If you want to replace an existing password ..................... 29 

Upgrading your CPM Server License ............................... 30 

Stopping the CPM Server ............................................... 32 

Stopping CPM Server at the host computer ...................... 32 

Shutting down CPM Server at the CPM Client workstation ... 33 

Starting or Restarting the CPM Server ............................. 35 

CHAPTER 4 Creating CPM Administrator Accounts .. 37 

CPM Default Roles ......................................................... 37 

Setting Up New Roles (Optional) ..................................... 38 

Creating Administrator Accounts ..................................... 41 

Completing the Access Setup ......................................... 44 

Determining Which Other Administrators Are Online ....... 44 

Reserving a CPM Window .............................................. 45 

If you can’t reserve a window ......................................... 47 

CHAPTER 5 Discovering and Deploying Appliances .49 

Before You Begin ........................................................... 50 

Discovering A New Appliance ......................................... 50 

Deploying Profiles to New Appliances ............................. 51 

CHAPTER 6 Mapping your Network in CPM .............. 55 

Map Out Your Network on Paper .................................... 55 

About the Appliance Manager Window ........................... 56 

Transcribing the Map Into CPM ....................................... 57 

vi Central Policy Manager 4.0

CHAPTER 7 Creating Appliance Records ................... 61 

Creating CPM-Managed Appliance Records .................... 62 

Creating Non-CPM–Managed Appliance Records ............ 63 

CHAPTER 8 Configuring Appliances for Network Use 69 

Getting Started ............................................................. 69 

Importing Licenses and Certificates ................................ 70 

Obtaining the x.509 certificate ...................................... 72 

Importing the new x.509 certificate ................................ 73 

To import licenses for extended features ......................... 74 

Restoring the Appliance to a Factory-Default State .......... 75 

Creating the New Appliance Record ............................... 76 

Configuring the Appliance Hardware .............................. 78 

Running the CPM Default Policy Wizard .......................... 80 

Entering the Security Policies ......................................... 80 

Creating the Network Addresses Required ...................... 81 

Assembling the CPM Policy Components ........................ 82 

Defining the Required Alarms ......................................... 83 

Deploying the Profile ..................................................... 83 

Compiling the profiles ................................................. 83 

Discovering the profile-ready appliances ......................... 84 

Deploying profiles to new appliances ............................. 85 

Deploying the profiles ................................................. 87 

Relocating the Appliance ............................................... 89 

Copying a Configuration to New Appliance .................... 90 

CHAPTER 9 Completing the Appliance Configuration 93 

Running the CPM Default Policy Wizard .......................... 93 

If you can chose the extended network ........................... 95 

If you chose the local network ....................................... 96 

Assembling the CPM Policy Components ........................ 98 

Assembling a policy from available components ............... 98 

CHAPTER 10 Completing the System Configuration 101 

Configuring a New WatchGuard Appliance ................... 101 

Completing the General Entries ................................... 102 

Central Poicy Manager Guide 

vii

Completing the Interfaces Entries ................................. 103 

Completing the Routing Entries .................................... 106 

Verifying the routes ................................................... 109 

Completing the DNS Entries ......................................... 111 

Completing the SNMP Entries ...................................... 112 

Completing the Log Settings Entries ............................. 115 

Completing the Hacker Prevention Entries ..................... 116 

About the High Availability Tab ..................................... 118 

About the VLAN Forwarding Tab ................................... 119 

Completing the Tunnel Switch Entries ........................... 121 

Saving the System Configuration Entries ........................ 122 

Importing a New License .............................................. 122 

Reviewing the current licenses ..................................... 124 

Deleting an out-of-date license .................................... 126 

Index .......................................................................... 127 

viii Central Policy Manager 4.0

CHAPTER 1 

About WatchGuard CPM 

Congratulations on your purchase of the WatchGuard Central Policy 

Manager (CPM). Using this product, you can simplify policy analysis 

deployment with a central console that lets you manage multiple Firebox 

Vclass installations across an entire enterprise infrastructure. This 

powerful and highly scalable network management platform offers global 

management for large enterprises, data centers, and service providers. 

About the CPM Server 

The CPM Server software includes a database that stores the 

configurations and policies for all appliances while it actively monitors 

the status of each appliance, alerting you if problems arise. You can assign 

more than one administrator (who would use the CPM Client) to manage 

various aspects of the overall task load. WatchGuard recommends that 

you install the CPM Server component onto a separate, high-capacity host 

computer. You can install both Client and Server onto a single 

workstation if your network environment is small and you do not plan to 

expand it. 

Your authorized client administrative users do not have to be “local” to 

participate in the CPM system. If you load VPN policies into the relevant 

appliances that would permit secure communications between a client 

Central Policy Manager Guide 1

CHAPTER 1: About WatchGuard CPM 

workstation and the server host, other remote administrators can assume 

their duties from their locations. 

About the CPM Client 

The stand-alone CPM Client application provides the primary access to 

the CPM Server. You can install and run the Client on any number of 

administrative workstations. After an administrator uses the Client to log 

into the CPM Server, he or she can record appliance-specific profiles, 

including policies, system configurations, log files, alarms, and activity 

monitors. If the administrator has fewer privileges, he or she might only 

be able to review the active alarms and clear them. 

A complex amount of RapidStream or Firebox Vclass appliance-specific 

information can be stored in the CPM Server database as appliancespecific 

profiles. When needed, you can prompt the database to use its 

secure connections to all your appliances to deploy new or updated 

profiles. 

Network Scope of CPM 

You can use CPM to maintain and monitor any number of Firebox Vclass 

and RapidStream security appliances both within your local firewall and 

outside the firewall. The key requirement is an SSL/HTTPS policy on 

each appliance that permits CPM to gain complete access to that 

appliance through whatever firewalls may exist between the Server and 

that appliance. This includes full-strength gateway security appliances, 

internal-use appliances that guard private network assets, and VPN client 

appliances, distributed throughout the Internet and serviced by ISPs. 

Types of Appliances Administered with CPM 

You can administer, monitor, and coordinate network communications 

between a number of devices in CPM: 

• WatchGuard Firebox Vclass security appliances 

• RapidStream appliances 

2 Central Policy Manager 4.0

Types of Appliances Administered with CPM 

• RapidStream "Secured by Check Point" appliances 

• Third-Party security appliances 

• "Virtual appliances" that represent VLAN or user domain tenants 

associated with an operational appliance 

CPM and WatchGuard/RapidStream security appliances 

You can use CPM to install and configure the operational profile for any 

“factory default” Firebox Vclass appliances from WatchGuard or legacy 

appliances manufactured by RapidStream. After the appliances are 

deployed and operational, you can monitor and troubleshoot them. 

CPM and RapidStream "Secured by Check Point" security 

appliances 

If you are using RapidStream appliances running pre-installed Check 

Point software, you can continue to use RapidStream Navigator to 

administer the appliances, while using CPM to identity the location of 

these appliances for policy-making purposes. (CPM can also be used to 

monitor certain SNMP status-indicating communications.) 

Because CPM includes a link to RapidStream Navigator, you can integrate 

CPM system—monitoring with the maintenance of Check Pointpreinstalled 

security appliances through RapidStream Navigator. 

Recording the Check Point appliances in CPM as network assets allows 

you to record security policies that establish traffic between the Check 

Point devices and Firebox Vclass or RapidStream devices. 

CPM and foreign security appliances 

You can record all third-party appliances, which include third-party 

security appliances or older-model Firebox appliances, as assets in your 

extended network. You can then use CPM to configure security policies 

for communications between Firebox Vclass appliances and these thirdparty 

appliances. 


CHAPTER 1: About WatchGuard CPM 

The following table summarizes all of the CPM management options, by 

appliance type: 

= via link to RapidStream Navigator 


CHAPTER 2 

Installing or Upgrading CPM 

Software 

This chapter describes how to install or upgrade the two components of 

the CPM system: the CPM Server software and the CPM Client 

application. Each software installation relies on the use of an 

InstallShield Wizard stored on the CD-ROM enclosed with your 

manual and software registration. This chapter also covers software 

shutdown and removal of CPM software. 

Installing and Setting Up a Firebox Vclass Appliance 

If you plan to use the WatchGuard CPM system to configure “factory 

default” appliances, you must mount, connect, and power up the 

appliance before any initial configuration can occur. Use the WatchGuard 

Vcontroller Installation Guide that came with your appliances to guide you 

through these tasks: 

• Mounting the appliance in a network setting 

• Connecting the network cabling to the appropriate data interfaces 

• Powering up the security appliance 

Be sure to mount any new Firebox Vclass appliance in the same subnet as 

the CPM Server host computer, so that you can proceed with the full CPM 

profile creation and deployment process. 


CHAPTER 2: Installing or Upgrading CPM Software 

Where You Can Install CPM Server and Client 

You can install both CPM Server and CPM Client onto any qualifying 

computer, workstation, or host/server. Or you can install the components 

onto separate machines; the choice depends upon the following 

requirements: 

Workstation only 

If your workstation CPU processor speed is sufficient, you can 

install both server and client software onto a workstation/ 

desktop computer. WatchGuard recommends installing the CPM 

Server onto an auxiliary drive with at least fifty (50) megabytes of 

free space. 

You can install the CPM Client onto the main drive of the 

workstation. It will not increase in size during use. 

Workstation/Server 

WatchGuard recommends this mode of installation, in which you 

install the CPM Server software separately onto a server with an 

auxiliary drive or a separate partition that has at least 50 MB in 

free space. 

You can install the CPM Client onto the main drive of any locally 

networked workstation. It will not increase in size during use. 


Requirements for CPM Installation 


Server specifics 

• The computer hosting the CPM Server must be running one of the 

following operating systems: 

- Sun Solaris, v2.8 (Sparc) 

- Microsoft Windows NT, Windows 2000 Professional, or 

Windows XP Professional. Do not install Server software onto 

any non-NT computers such as Windows 98. 

• The computer that will host the CPM Server software should be 

located inside a corporate network/firewall. 

• The CPM Server software cannot be installed onto more than one host 

computer. 

• The CPM Server software must have been installed on the host 

computer and be currently active before any CPM Client can be 

installed and started. 

Client specifics 

• The workstation (or computer) onto which you’ll be installing the 

initial CPM Client must be inside the same corporate network/ 

firewall as the CPM Server. Any subsequent Client installations (for 

other administrators) can be on workstations located either inside or 

outside the corporate network/firewall. 

• The workstation designated for CPM Client use can be running the 

Windows 98/2000/Me/XP operating system. 

• You can install the CPM Client application onto multiple 

workstations, giving access to as many administrative users as you 

want. Although, the CPM Server permits multiple logins, a lock-out 

feature prevents data manipulation conflicts within appliance 

profiles. 

• To manage more than one security appliance with CPM, you must 

have the appropriate WatchGuard CPM license. This license 

determines the number of appliances that you can administer. After 

the requisite license is entered during installation (or later, if needed) 

the CPM Server can contact and administer the maximum number of 



licensed appliances. (If you add more appliances to your network, 

you can easily obtain and install an expanded-capacity license.) 

• All CPM Clients communicate with the CPM Server database through 

a Secure Socket Layer (SSL) connection, whether the client workstation 

is located inside or outside the firewall of the corporate network. 

If any client applications are intended for use outside the firewall, you 

must open a specific SSL connection has to be opened through the 

firewall. The SSL port can be customized by opening and editing the 

cpm_server.conf and cpm_client.conf files. 

• If you’ve installed several separate CPM Server software packages, 

you can connect to any number of them with the same CPM Client 

application. However, you must have an access account for each 

server. 

• After logging into a CPM Server on a separate host computer, you 

must have the IP address of that host. Once you have initially logged 

in, the CPM Client stores the IP address of this CPM Server host (and 

all other subsequent host connections) in its configuration file. This 

will make reconnection much more efficient. 

NOTE 

You can review “About the CPM Configuration Files" in the CPM Policy 

and Administration Guide for complete details of both cpm_server.conf 

and cpm_client.conf files. 

Hardware and software specifics 

The following lists provide the current system requirements for both CPM 

Server and Client. 

CPM Server 

Host computer 

Any PC-compatible workstation or server with sufficient hard 

drive capacity. A standalone server is recommended. 



Operating System 

Sun Solaris, v2.8 (Sparc) 

Windows NT 4.0 Server / NT Workstation (Service Pack 6a), 

Windows 2000 Server / 2000 Professional, or Windows XP 

Professional. 

Processor Type 

Pentium II or later version of Pentium CPU 

Processor Speed 

700 MHz minimum 

Memory 

256 Mb minimum 

Hard Disk Space 

50 MB minimum (for CPM Server database software) 

20 MB minimum (for CPM Client software) 

Input Device 

CD-ROM or DVD 

Network Interface 

NICs or embedded network connections 

CPM Client 

Host Computer 

Any desktop computer matching the following qualifications 

Operating System 

MS Windows 98/ME/XP or NT/2000/XP 

Processor Type 

Pentium II or later version of Pentium CPU 

Processor Speed 

500 MHz or faster 

Memory 

128 Mb minimum 

Input Device 

CD-ROM or DVD 



Hard Disk Space 

10 Mb minimum (for CPM software) 

Network Interface 

NICs or embedded network connections 

Java 2 runtime environment 

Both CPM Server and Client require JRE Standard Edition v1.3.1 on their 

Microsoft Windows host computers. JRE v1.3.1 will run on most recent 

versions of Windows, including Windows 98, NT 4.0, and later. If it is not 

present, or if an older version is present, the Installer will detect this state 

and alert you. You can then choose to install JRE 1.3.1 at this time, or (if an 

older version of JRE is present) retain that older version. However, 

WatchGuard does not recommend using the older version with CPM. 

Obtaining the Site License for CPM 

Before you proceed with installation, you must obtain the license for 

CPM. To do so, follow these steps: 

1 Find the license key certificate that was included with your CPM 

package. This item contains the text of a code you must enter at a 

particular WatchGuard Web site. 

2 Use a Web browser to connect to the URL printed on the same card. 

3 Make all the relevant entries in that Web page, including your 

company’s name and the host name of the computer on which the 

CPM Server will be installed. 

After you successfully submit the entries: 

- You will be automatically sent an email with the license key text. 

- The license text will be printed in the browser, which you should 

cut and paste into a text file stored on your workstation. 

4 After you have obtained the license text and stored it safely on your 

workstation, you can proceed with the CPM installations. You won’t 

need the license text until you first start the CPM Client and attempt 

to log into the CPM Server. 


Installing the CPM Server Software 


You must install the CPM Server software directly onto the host, whether 

it is your administrative workstation or a network-accessible host server. 

This process cannot be done through a network connection to a local 

computer. 

To install the CPM Server software onto the target host computer, follow 

these steps: 

1 Take the WatchGuard CPM Software CD-ROM out of the package 

and insert it into the CD-ROM drive of either the administrative 

workstation or the host server. 

2 Locate and double-click the CD-ROM drive icon. 

NOTE 

The CD-ROM may not start automatically on some computers. If this is 

the case, open the Run dialog box and enter the CD-ROM drive letter and 

setup.exe to start the process. 

3 Open the CPM Server folder (inside the Windows folder). 

4 Double-click the Server installer icon (Setup.exe). 

The CPM Server Setup wizard appears, displaying the initial Welcome screen. 



5 Click Next. 

The Wizard now displays the text of the WatchGuard CPM Server Software 

License. 

6 Read the complete agreement before proceeding. Click Yes to accept 

the terms of the agreement. 



7 If you clicked Yes, the Wizard prompts you for a destination 

directory, listing a default destination folder and its directory 

pathway. WatchGuard recommends that you use the default folder. 

If you are unsure of the drive location, click Browse to open the Choose Folder 

dialog box (shown below) which you can use to locate the computer, drive, and 

directory. 

8 Click Next to accept the selected drive, path, and directory. 



9 The InstallShield Wizard prompts you for a default Program Folder to 

install the program icons. WatchGuard recommends that you accept 

the default location noted in the wizard. Click Next. 

NOTE 

The CPM Server software (a database) is treated as a service by Microsoft 

Windows, and as a result does not have a program folder listed under 

Programs in the Start menu. It will be set to start automatically in the 

Services dialog box of Control Panel during the installation process. 

10 The wizard now loads the archived installer files from the CD-ROM 

into the designated drive and directory. All of the CPM Server files 

will be stored in the CPM Server directory. Click Next. 



11 The Wizard now displays a confirmation message. Click Finish. 

A dialog box appears, asking whether you want to start the CPM Server at this 

time. 

12 Click Yes to proceed. 



Installing CPM Server on a Windows NT platform 

If you are installing the CPM Server software onto a Windows NT 4.x 

computer, the following dialog box appears when you click Finish, 

prompting you to restart the CPM Server host. 

If you are installing the CPM Server onto a Windows 2000 computer, the 

installer will ask you if you want to start the CPM Server. Click OK to do 

so. (You do not have to restart the host computer.) 

If this is a convenient time to do so, click the button by Yes, and then click 

OK to close this dialog box and restart the host server. (If this is not a 

convenient time, you can wait until later to restart the host computer.) 

This will also start the CPM Server, which, from now on, will be restarted 

automatically each time the host server is rebooted. 

You can now proceed to install the CPM Client application on a 

designated client workstation inside the firewall. 

Installing CPM Server on a Solaris host 

The following section describes the process of installing the CPM Server 

on a Solaris host computer. You must use Solaris v2.8. 

To install the CPM Server, follow these steps: 

1 Insert the WatchGuard CD into the CD-ROM. (Under Solaris, the CD 

should automatically mount at /cdrom.) 

2 Run this command: 

cd /cdrom/ 

3 Now run this command: 



/setup.sh 

4 During the resulting software installation process, the installer will 

ask if you have already installed the latest versions of the Java Runtime 

Environment and JDK. If you have done so, you must type “Y” 

and then type the pathway to the JRE/JDK directory. 

If this is an older version of JDK, the installer will alert you and ask if you prefer to 

use it instead of a more recent version. WatchGuard recommends you use the most 

recent version. 

5 If you haven’t installed JRE/JDK, type “N”. The installer will quit, but 

when it does, it will provide information on the Sun Web site to 

obtain the proper version of JRE/JDK software. (The default JDK 

install location is the current user’s home directory; however, you can 

type another directory at this time.) 

6 When the JDK software has been installed (and any needed Solaris 

updates are completed), run this command: 

cd/cdrom/watchguard 

Then run this command: 

./setup.sh 

This will restart the installation process. 

7 When asked by the installation script to indicate where the JDK is, 

type the pathway to that directory. 

The installation can now proceed to completion. When installation is complete, you 

can launch the CPM Server and start the installation of the CPM Client on a 

Microsoft Windows workstation, as detailed in the following section. 

If you want others to have access to this new appliance for administrative 

or monitoring purposes, you can allow them to install the Vcontroller 

software onto their workstations. Prior to their using the Vcontroller, you, 

as the System Administrator, should first configure the appliance, and 

then use the Vcontroller Account Manager window to set up access 

privileges and accounts for each additional user. These configuration and 

access management processes are fully detailed in the Vcontroller user 

documentation. 



NOTE 

A script wgcpmsvr is generated during installtion to facilitate starting 

CPM Server during boot time. This script can be copied into the /etc/init.d 

directory and linked to variouls rcx.d directories so that the CPM Server 

can be started at boot time. 

Installing the CPM Client Software 

To install the WatchGuard CPM Client application on a computer 

running Microsoft Windows, follow these steps: 

1 Remove the WatchGuard CPM Software CD-ROM from the package 

and insert it into the CD-ROM drive of your administrative 

workstation. 

2 Locate and double-click the CD-ROM drive icon. 

3 Open the Client folder on the CD (inside the Windows folder). 

4 Double-click the CPM Client installer icon (Setup.exe). 

After startup is complete, the InstallShield Wizard appears, displaying the 

Welcome screen. 


Installing the CPM Client Software 

5 Click Next to proceed. 

The Wizard displays the WatchGuard CPM Client Software License Agreement, as 

shown below, which you must accept to continue with the installation. 

6 Read the complete agreement before proceeding. Click Yes to accept 

the terms of the agreement. 

7 The Wizard suggests a default destination folder. Watchguard 

recommends using CPM Client as the installation directory. If you 

prefer, you can click Browse and enter a new folder. Click Next after 

you have selected a location. 



8 The Wizard now prompts you for a default Program Folder in which 

to install the program icon. WatchGuard recommends you use the 

default location. Click Next. 

After the Wizard completes the installation, it displays a confirmation message. 

9 Click Finish. 


Upgrading from Previous Versions of CPM 

10 A Question dialog box appears, asking if you would like to start the 

CPM Client. Click Yes if you are ready to proceed. 

Upgrading from Previous Versions of CPM 

If you are already using an earlier version of CPM (version 3.1 or 3.1.1), 

you can upgrade to version 4.0 by following the series of steps outlined in 

this section. 

You must have obtained a new version 4.0 site license (from the 

WatchGuard Web site) before you proceed with this upgrade, because 

CPM Server cannot inherit the previous license. For more information, see 

“Obtaining the Site License for CPM” on page 10. 

NOTE 

If you installed the Server onto a separate computer and have one or more 

Clients on other computers/workstations, you should first upgrade the 

Server on that machine before upgrading all other installations of the 

Client. 

To complete the upgrade, follow these steps: 

1 Log into the CPM Server (from the root admin workstation). 

2 Open the Backup/Restore window and back up your current 

database. 

3 (Optional) When the backup is complete, stop the "RapidStream CPM 

Server" service. 

4 Use the Windows Add/Remove Programs dialog box to remove the 

CPM Server, and then the CPM Client from your computer. 

5 Install the current version of CPM Server, as described in “Installing 

the CPM Server Software” on page 11. 



6 When asked whether you want to start the CPM Server, click Yes. 

7 Start the CPM Client Installer and complete that installation on your 

root admin workstation. (For more information, see “Installing the 

CPM Client Software” on page 18.) 

8 When asked whether you want to start the CPM Client and log into 

the Server, click Yes. 

9 Use the Login dialog box to connect to the CPM Server. 

A dialog box appears, informing you that a valid license is needed. 

10 Use the CPM Server Info window that appears automatically to 

import the license. 

11 When this is complete, you can log into CPM Server and restore the 

archived CPM database. 

For more information on restoring the archived database, see the CPM Policy and 

Administration Guide. 

Uninstalling the CPM Server or Client 

If problems arise and you need to make a clean reinstallation of the CPM 

software or remove corrupted files, you must first uninstall the CPM 

Client or CPM Server software. To uninstall the software, use the 

Windows Add/Remove Program utility. 

Before uninstalling, you may want to preserve your existing database 

contents, such as appliance configurations and policies. To do so, you 

should back up the CPM database files (as described in the CPM Policy 

and Administration Guide) before proceeding. Removal of the CPM Server 

database will delete all of your appliance logs, configurations, and 

policies. 


CHAPTER 3 

Starting the CPM Client and 

Server 

This chapter describes how to start the WatchGuard CPM Client and log 

into the CPM Server. At this point, the CPM Server should be running, so 

you can simply log in with the CPM Client. 

Starting the CPM Client for the First Time 

If the CPM Server has been installed on a host server with multiple 

network interface cards (NICs), you must use the IP address of the NIC 

used for the CPM Server as the Server IP address. The CPM Server IP 

address is stored in cpm_server.conf, which you can review in “About the 

CPM Configuration Files” in the System Administration Guide. 

The "cpmadmin" username and password give the user full root admin 

account access. WatchGuard recommends logging in as root 

("cpmadmin"), and then immediately using the Account Manager 

window to set up a range of other administrator access accounts. This is 

described in the next chapter. 


CHAPTER 3: Starting the CPM Client and Server 

To log into the CPM Server, follow these steps: 

1 Click Start => Programs => WatchGuard CPM Client, or double-click 

the WatchGuard CPM Client shortcut icon if one was placed on the 

Windows desktop. 

The CPM login dialog box appears. 

2 In the Server IP Name field, type the IP address of the host computer. 

(This may also be the IP address of a specific NIC that grants access to 

the server partition hosting the CPM Server.) 

If the CPM Server is on the same workstation as your Client, you can leave the 

default "127.0.0.1" in place and simply fill in your name and password to log in. If 

multiple NICs present in the workstation will cause problems, use the appropriate 

IP address. 

3 In the Name field, type cpmadmin. 

4 In the Password field, type cpmadmin. 

5 Click Log In to submit the access entries. 

If this is your first log-in attempt, an alert dialog box may appear to tell you that 

you need to import the basic WatchGuard license that allows you to use CPM for 

appliance management. 


Starting the CPM Client for the First Time 

6 Click OK to proceed. 

The CPM Server Information window appears (in front of the CPM Console 

window), displaying the General Info tab. 

7 Locate the license file (a text file that you obtained and saved earlier) 

and open it. 

8 Copy the contents onto the Clipboard. 

9 Close the file. 



10 Click Upgrade License in the General Info tab (as indicated in the 

previous illustration). 

The Upgrade License dialog box appears. 

11 Click in the empty text entry area and paste in the license text. Click 

OK. 

A confirmation dialog box appears, indicating the number of appliances this 

license will allow you to manage with CPM. 

12 Click OK to close this dialog box. 

The dialog box closes and the General Info tab now displays information about the 

license. 


Starting the CPM Client After Initial Log In 

13 Close this window. 

The CPM Console window appears, ready for use. 

Starting the CPM Client After Initial Log In 

1 Select the Start => Programs => WatchGuard => CPM. 

2 When the Login dialog box appears, enter your account user name 

and password and click OK. (Note that CPM will "remember" the IP 

address of the Server.) 

The Console window appears, ready for use. 

Changing Your CPM Client Login Password 

You need to change the password used for access to the CPM Server on 

two occasions: 

• If you have not yet changed the default password since you 

completed the original installation. In this case, CPM will prompt you 

to make the change. 

• If you want to periodically change the password to maintain system 

security. 



If CPM prompts a password change 

If you have never replaced the default password, a dialog box will 

eventually recommend that you change the original default “cpmadmin” 

password. You must change it by following these steps: 

1 When the following dialog box appears, click OK to close it. 

The Set Password dialog box appears. 

2 Type a new password into both New Password and Confirm 

Password text fields. 

Use only alphanumeric characters between 6 and 16 characters for the password. 

NOTE 

If you are replacing the main CPM “root admin” password, be sure to 

write your new password down and store the note in a safe, accessible 

place. If the password is forgotten and lost, all root admin access will be 

lost and you will have to uninstall and reinstall the CPM Server, losing all 

your settings and entries. 

3 Click OK to submit the new password. 

A confirmation dialog box appears. 

4 Click OK to close this dialog box. Your new password is in effect. 

You can continue using CPM during this login session without having to log out 

and log back in using the new password. 


Changing Your CPM Client Login Password 

If you want to replace an existing password 

After changing the original password, you should periodically replace the 

current password to maintain system security: 

1 With the CPM Console active, click CPM Server. 

The CPM Server Information dialog box appears. 

2 Click Change Password (in the lower-right corner of the General Info. 

tab.) 


3 Type a new password into both New Password and Confirm 

Password text fields. 

Use only alphanumeric characters between 6 and 16 characters for the password. 



NOTE 

If you are replacing the main CPM “root admin” password, be sure to 

write your new password down and store the note in a safe, accessible 

place. If the password is forgotten and lost, all root admin access will be 

lost and you will have to uninstall and reinstall the CPM Server, losing all 

your settings and entries. 

4 Click OK to submit the new password. 


5 Click OK to close this dialog box. Your new password is in effect. 

You may continue using CPM during this login session without having to log out 

and log back in using the new password. 

Upgrading your CPM Server License 

Two distinct types of licenses are required for full use of CPM: 

• The basic CPM Server license, (a site license) which controls how 

many appliances you can manage with this software 

• Separate extended-feature licenses for additional software features 

that might be used by the individual appliances, such as high 

availability, increased SA capacity, 3DES, or a greater number of 

concurrent VPN tunnels 

You need the CPM license to simply log into the Server before you can 

license additional features for each appliance. 

This section describes how to upgrade your CPM Server license after the 

original has expired. 

After you obtain the upgrade license (as a text file), follow these steps: 

1 Open the file containing the license text. 


Upgrading your CPM Server License 

2 Select and copy all of the text onto the Clipboard. 

3 After logging into the CPM Server, click CPM Server in the CPM 

Console. 

4 When the CPM Server Information dialog box appears, click 

Upgrade License. 

5 When the Upgrade License dialog box appears, click in the text entry 

fields and paste the license text from the Clipboard. 

6 Click OK to load this information into the CPM Server database. 

If the upgrade is successful, a confirmation dialog box appears. The CPM Server 

Information dialog box should now indicate the new number of manageable 

appliances. 



Stopping the CPM Server 

You may want to shut down the CPM Server (an optional step) before 

upgrading the Server software. You can shut down the CPM Server in 

two ways: 

• Using the Services control panel on the actual host server location 

where the CPM Server application is installed. 

• Using the CPM Client at the CPM Client workstation. You must first 

log into the CPM Server as the Root Admin user (using the 

“cpmadmin” login name). 

Stopping CPM Server at the host computer 

This section describes the process for the Microsoft Windows 2000 and XP 

operating systems. It is slightly different for Windows NT 4. 

1 Select Start => Settings => Control Panel. 

2 When the Control Panel opens on the desktop, double-click the 

Services icon. 

3 When the Services control panel appears, scroll down the list and 

select WatchGuard CPM Server. 

4 Click the square Stop button in the control panel toolbar. 


Stopping the CPM Server 

A status dialog box appears. 

This dialog box will automatically close after the Service control panel 

has completed the shutdown of the WatchGuard CPM Server service. 

The control panel Status column will be blank, indicating that the 

service has stopped. 

5 You can now close the Services control panel. 

The CPM Server application can now be upgraded or removed from the server. 

Shutting down CPM Server at the CPM Client workstation 

1 If you have not already done so, start the CPM Client. 

2 Log into the CPM Server as the Root Admin user. 



3 When the CPM Console appears, click CPM Server. 

The CPM Server Information dialog box appears. 

4 Click Shutdown (in the lower-right corner of the General Info tab.) 


5 Click Yes to proceed with shutdown. 

After an interval, the following information dialog box appears. 

6 Click OK. 

7 You can now quit (exit) the CPM Client. 


Starting or Restarting the CPM Server 

Starting or Restarting the CPM Server 

This section explains how to start the WatchGuard CPM Server 

application. This is necessary only during unusual circumstances. 

1 Select Start => Settings => Control Panel. 

2 When the Control Panel opens on the desktop, double-click the 

Services icon. 

3 When the Services dialog box opens, scroll down the list until you 

locate the WatchGuard CPM Server listing. 

The Status message should read “Started”. If for some reason the CPM Server has 

been shut down, the Status message will read “Stopped”. 

4 Select the CPM Server entry and click Start. 

Microsoft Windows attempts to start the WatchGuard CPM Server. When the 

startup is complete, “Started” should appear in the Status column for CPM 

Server. 

5 You can now close the Control Panel. 

The CPM Server is now operational. You can now start the WatchGuard CPM 

Client and log into the CPM Server as described in a preceding section. 

NOTE 

If the host server ever needs to be rebooted, the CPM Server will 

automatically restart. 




CHAPTER 4 

Creating CPM Administrator 

Accounts 

Administrative accounts enable users to connect to the CPM Server so 

that they can monitor and manage the system to the extent of the group 

privileges assigned to them. You have the ability to allow one account 

user a wide range of controls over the appliance and policies, while other 

account users can be restricted to basic status checks and alarm 

monitoring. 

To set up the system for multi-user access (with multiple levels of role 

privileges), you will do the following: 

• Assess the existing default roles, to see if more are needed. (The 

default roles should cover most, if not all of your network 

management options.) 

• (Optional) Create as many additional roles as are needed to establish 

precise levels of CPM access. 

• Create separate Administrator accounts, for individual users. 

CPM Default Roles 

CPM is installed with five basic access-privilege roles. Starting with the 

lowest role, and proceeding to the highest level, the default roles are: 


CHAPTER 4: Creating CPM Administrator Accounts 

“Help Desk Staffs” 

Users have permitted read-only access to all features of CPM. 

“MIS Staffs” 

Users can configure and resolve all alarms, but all other features 

are read-only. 

"Network Operator" 

Users can set up and manage appliances and customize new 

alarm definitions. 

“Network Administrator” 

Users can create and manage appliance entries, configure new 

alarm definitions and policy creation/deployment. 

"MIS Admins" 

Users have the full range of access privileges, including appliance 

record entry/configuration and policy creation/deployment. 

They can also create new admin accounts. 

If you find these role definitions not fully inclusive, you can use CPM to 

add to the list more roles, or delete any default roles and replace them 

with your own combinations of responsibilities. 

Setting Up New Roles (Optional) 

If you decide that more roles need to be customized for your network 

administrative users, you can do so at this time. This section describes the 

creation of any additional access-privilege roles. 

To start the this process, log into the CPM Server and open the CPM 

Console, if it is not visible. 

1 Click Account. 

A shortcut menu appears with three options. 



Appliance Configuration (App Cfg) 

Can enter new appliance records and then configure and deploy 

the needed profile. 

Alarm Configuration (Alm Cfg) 

Can create any needed custom alarm definitions, whether 

individual or global. 

Appliance Control (App Clt) 

Can monitor and shut down or reboot problematic appliances. 

Admin Account Configuration (Adm Cfg) 

Can create or change administrative access accounts, including 

assignment of privileges. 

Policy Configuration (Pcy Cfg) 

Has allowed full access to the insertion and deployment of 

security policies. 

4 To add a new role (if needed), click New (to the right of the Roles list.) 

The Admin Role Properties dialog box appears, displaying the General tab. 

5 Delete the placeholder text in the Role Name text field and type a 

name for the role. 

A role name should consist of numbers and letters, up to 24 characters in length. 

Use hyphens (-), underscores (_), or spaces as separators. 


Creating Administrator Accounts 

6 (Optional) Type a brief description of this group in the Description 

text field. 

7 Click to select the checkboxes (one or more) by the roles you want to 

assign to this group. You can combine any of the listed roles. For 

information on role options, see the definitions in Step 3. 

NOTE 

You can create a group for each separate level of access privileges, or 

create groups that incorporate varying combinations of privileges, 

according to your preferences. 

8 Click OK to save your selections. 

The New Group dialog box closes. When the Administrator Accounts dialog box 

becomes visible, it lists your first group entry below the default entries. 

9 Repeat the previous process to create any other groups to incorporate 

the levels of access privilege you want to assign to your network 

administrators. 


This section describes how to create an administrator account (which you 

can include in one or more of the existing groups.) To do so, you should 

first determine the following: 

• Which people can administer the security appliances 

• A login name for each administrator 

• The full name of each administrator 

• A password for each administrator account 

• What role each administrator should undertake 

To create a new administrator account, follow these steps: 

1 If you have not already opened the Administrative Access dialog 

box, click Account in the CPM Console. 

The Administrator Accounts dialog box appears, listing the groups that have been 

previously created. 



2 Click New (to the right of the Administrators list). 

The Admin Account Properties dialog box appears. 

3 In the Login Name text field, type a login name for the administrator. 

An administrator name should consist of numbers and letters, up to 24 characters 

in length. Use hyphens (-), underscores (_), or spaces as separators. 

4 In the Full Name text field, type the full name of the first 

administrator. 

Use only numbers and letters up to 24 characters in length, and use the space bar 

for spaces between names. 

5 In the Contact Info field, type any relevant contact information 

(phone number or email address). 



6 To add the group access privileges that you want this administrator to 

have, click Add Role. 

The Add Group dialog box appears. 

7 Make a selection from the listed privilege groups and click OK. 

8 Repeat this process to add other groups, if needed. 

9 Click Set Password. 

The Set Password dialog box appears, displaying the login name for this account in 

the title bar. 

10 In the New Password text field, type a password for this user account. 

Use only alphanumeric characters, between 6 and 16 characters in length. 

11 In the Confirm Password text field, reenter the same password. 

12 Click OK. 

The Set Password dialog box closes and the Admin Account dialog box reappears. 

13 Click OK to close the Admin Account dialog box. 

14 Repeat this process to enter all of the anticipated admin access 

accounts and to assign them the appropriate group privileges. 



Completing the Access Setup 

Now that you have defined the access privileges and the administrator 

accounts, you can do the following: 

• Contact each potential administrator 

• Verify that they have installed the CPM Client onto their workstations 

• Deliver to them an account login name and password 

• Define their responsibilities and provide instructions for the 

performance of their tasks. (You can distribute the Acrobat file 

containing this user guide as a teaching aid to all network 

administrators or support staff.) 

Determining Which Other Administrators Are Online 

CPM provides a way to see which other administrators are online in 

active sessions, who has been locked out of particular windows, or who 

has locked a particular window. You can also use CPM to view a snapshot 

of your current session. 

1 Click Account. 

A shortcut menu appears, as shown here. 

2 To view a summary of your current CPM administrative session, 

select Show My Session. 

The My Session Info dialog box appears. 


Reserving a CPM Window 

This dialog box summarizes your login information, along with your administrative 

group privileges. 

3 Click OK to close this dialog box when you are finished. 

4 To view a summary of the other administrators actively using CPM, 

from the Account shortcut menu, select Show All Sessions. 

The All Session Info dialog box appears. 

This window lists the following: 

- All currently active administrative sessions 

- The initial session login time 

- The current time 

- Whether any active administrator has locked a particular CPM 

window (naming the window if it has been locked.) 

For more information on locking Windows, see the next section. 

5 If you need to use a locked window and you have the proper 

privileges, you can contact the locking administrator and confer with 

them on access to that window. 


You can reserve the following CPM windows for your exclusive use: 

• The Configuration Editor window 



• The System Configuration dialog box (on a per-appliance basis) 

• The Alarm Definition dialog box (the Alarm Console is not lockable) 

• The main Administrative Accounts window 

If more than one CPM administrator logs into the CPM Server, the Server 

allows the first one who opens one of these four windows to make it 

Writable, and to reserve it for his or her own use for as long as is needed. 

Other administrator can open these windows with View only access. 

The status of a window is indicated by the two icons below: 

Click the icon to toggle the status and change the icon accordingly. 

If the second administrator needs to have full access, he or she can use the 

Account Administrator All Session Info window to determine who locked 

that window, and then contact that administrator and ask them to change 

the access to View only (which releases the lock). 

To lock a window for your own use, follow these steps: 

1 Log into the CPM Server. 

2 Open any one of these lockable windows: 

- Configuration Editor window 

- System Configuration dialog box (on a per-appliance basis) 

- Alarm Definition dialog box (the Alarm Console is not lockable) 

- Administrative Accounts window 

3 Click the "View Only" icon at the bottom of the window to change it to 

the “writable” icon. 

4 To make this window "writable" for another’s use, if requested by 

another administrator, click the "Writable" icon to return it to "View 

Only". 

At this point, you are (potentially) prevented from working in this 

window by any other super administrator who chooses to make it 

"Writable". 


If you can’t reserve a window 


Another administrator may have reserved the window. If this occurs, 

you’ll see this dialog box when you try to change "View Only" to 

"Writable". 

This dialog box notes the user name and the IP address of the 

administrative workstation so that you can contact that user and request a 

release of the window. 

NOTE 

If you reserve a window as "Writable" for your exclusive use, remember 

that your CPM Client will NOT release that window after a certain 

amount of idle time has elapsed. You must manually return the window to 

“View only”. 




CHAPTER 5 

Discovering and Deploying 

Appliances 

WatchGuard CPM discovers unconfigured security appliances and then 

assigns a temporary IP address that is used while a new profile is 

deployed. This profile includes system configurations, settings, and 

security policies. 

This process involves: 

• Creating an appliance record (in CPM Configuration Editor) 

• Completing the system configuration of the appliance 

• Entering all the necessary settings and policies 

• Discovering the appliance, assigning a temporary IP address, and 

deploying the profile 

• Powering down and disconnecting the appliance 

• Shipping it to the service location, connecting it, and powering it up 

• Connecting to it with CPM, and beginning system monitoring 

If you using Vcontroller (or the CLI) to set up and install security 

appliances, the complete profile– configurations and policies–must be 

ready to load into the appliance before the discovery process begins. 


CHAPTER 5: Discovering and Deploying Appliances 

Before You Begin 

Before using CPM to discover an uninstalled or factory default appliance 

and then deploy a profile to it, you must have this information ready: 

• A temporary IP address, for use in discovery and the initial 

deployment 

• A unique password that CPM uses to gain access to the appliance 

• A basic profile, ready for deployment 

• (Optional) A file containing the text of any required x.509 certificates 

used in VPN authentication 

• (Optional) A file containing extended-feature licensing 

NOTE 

You cannot discover and deploy a profile to any factory-default appliance 

mounted on a network outside the firewall. Instead, you must temporarily 

install the appliance inside your local network in the subnet, discover and 

preliminarily configure it, set it up for remote CPM access, and then 

transport it to the remote site and reinstall it. 

Discovering A New Appliance 

1 Open the Configuration Editor. Click the Profiles tab. 

2 Click Discover (in the tab toolbar.) 

The first Discovery dialog box appears on screen. 

3 Click Find. 


Deploying Profiles to New Appliances 

A status dialog box appears during the discovery process. Next, one 

of two dialog boxes appear: 

- If no devices are found on the network, a Devices Not Found 

dialog box appears. Click Find Again, or click Close to close this 

dialog box. If the discovery process is unsuccessful, check the 

status (on or off) of the appliance and the network connections. 

- If locally networked WatchGuard appliances are discovered, the 

appliance Discovery window appears. 

This window enables you to match up profiles and appliances for deployment. 


1 Select an appliance from the list. 

2 Click the To Do cell. From the now-active menu, select Set IP. 

"Set IP" appears in this cell. 



3 Click the Temp IP cell. When it becomes a text entry field, type in the 

IP address for use in the deployment process. 

4 Click the Mask cell. When it becomes a text entry field, type in the 

subnet mask. 

5 Click the Associated Appliance cell. From the menu, select the 

relevant profile. 

6 Click to select the checkbox marked CPM Password. 


7 In both Password fields, type the text of the password that CPM will 

use to establish a connection with the appliance. (This is for CPM use; 



administrative use passwords serve a separate function and are not 

related to this password.) 

8 Click OK to save the password. 

9 When you have completed the profile entries, click Apply (at the 

bottom of the window). 



A "Processing" message appears in the Processing Status column. If the application 

is successful, an "Up-to-date" message appears in the Processing Status column. 

11 Close the appliance Discovery window. 

The Profiles tab now lists this appliance’s profile. The Status column displays 

"Needs Deployment.” 

12 Select the new appliance/profile record. 

13 With this profile still selected, click the Deploy button. (Or, right-click 

the appliance record and select Deploy from the shortcut menu.) 

A confirmation dialog box appears, to alert you that the primary management IP 

address will be changed—and contact lost with this appliance—after deployment is 

complete. 


CPM now proceeds to deploy the new profile to this appliance, where 

it will be immediately put into effect. 

- The Status column notes "Deployment started.” 

- The Details column notes "Deployment in progress..." 

These status messages remain until replaced by the following 

combination of messages: 



No Contact 

Noted in the Status column. 

Successful 

Noted in the Last Deployed column, along with the date and time 

this profile was deployed. This is the key message. 

Unable to connect... 

Noted in the Details column. 


CHAPTER 6 

Mapping your Network in 

CPM 

Before you start setting up and configuring your appliances, your first 

step is to create a folder hierarchy that represents your current security 

appliance distribution and allows you to prioritize appliances. 

Map Out Your Network on Paper 

Make a list of the following: 

• The separate (geographic) sites where appliances are in use–by 

country, state, city, or even building or floor 

• The network locations in each site where an appliance is in use, 

whether as a gateway or for internal traffic management 

• The types of security appliances, on a per-manufacturer basis 

For example, you might have a top-level set of folders for each city, a 

second level of folders for offices in each city, and a third level of folders 

for types of appliances at use in those offices. 


CHAPTER 6: Mapping your Network in CPM 

About the Appliance Manager Window 

You use the Appliance Manager window to create your folder hierarchy. 

The Appliance Manager is your real-time window into the status of your 

Firebox Vclass and RapidStream appliances and the dynamic state of all 

network traffic being managed by those appliances. 

The Appliance 

Manager menus 

The Appliance 

Groups tool bar 

The current collection 

of group folders 

(and appliance 

entries) 

A set of buttons that open other CPM windows. 

The left side of the Appliance Manager incorporates these features: 

Menus 

Provides access to related sets of Appliance Manager features. 

Appliance Groups tool bar 

Allows you to create, edit, or delete group folders or appliance 

entries. 

Appliance Groups list area 

Provides a listing of groups and appliances in this area. 

CPM window buttons 

Allows you to open other CPM windows. 

The right side of the Appliance Manager incorporates these features: 


Transcribing the Map Into CPM 

The complete set of 

Appliance Manager 

tools 

A table listing the 

appliances in the 

selected folder. 

Note that all the appliance rows listed in this table use 

color and status messages to highlight the current condition 

of the appliance and all traffic involving the 

appliance. 


Using Appliance Manager, you can now transcribe this network 

information into CPM. This produces a hierarchy that sorts appliances by 

site and location or by usage. Be sure to make an entry for every type of 

device that exchanges traffic with one of your Firebox Vclass, 

RapidStream, or RapidStream Check Point devices: 

1 Log into CPM as an MIS admin user. 

2 Open Appliance Manager. 



3 Right-click the parent folder in the list and select Add Appliance 

Group. 

A new folder appears, labelled "Group0". The "(0)" next to the folder name is a 

dynamic counter that summarizes how many appliances are stored in each folder 

(or in the subfolders inside a parent folder). 

4 Right-click this new folder and select Appliance Group Properties. 

The Appliance Group Properties dialog box appears. 

5 Delete the "group0" text in the Name field and type a name for this 

group folder that indicates its purpose. 

For example, type a location name, a department, network, or function name, or 

the model or type of appliances to be grouped in this folder. 

6 (Optional) In the Comments field, type a description of the folder. 



7 Click OK. 

The folder reappears, displaying a new name. 

8 Repeat this process to create a complete set of first-level, site-specific 

folders in the Appliance Groups column, as suggested in this 

illustration. 

9 Create additional levels of new folders inside the site folders (as 

suggested below), to represent finer details of your appliance 

distribution. 



You can make this hierarchy as shallow or as deep as required to help 

you visualize your network’s distribution of appliances. 

Factors to consider: 

- Which appliances are site gateways? 

- Which appliances are internal-asset gateways? 

- Which appliances are used as VPN clients for remote user 

connections? (and should you group them in one folder?) 

Your completed hierarchy might resemble the following illustration. 

Geographic location 

Specific office/department/group 

of users 

Actual appliances 

Geographic location 

Specific office/department/group 

of users 


CHAPTER 7 

Creating Appliance Records 

You can now create new records for each type in the Configuration Editor 

(or Appliance Manager, depending upon your purposes), and sort them 

into the proper folders. 

This includes the following categories of appliances: 

• RapidStream legacy appliances 

• WatchGuard Firebox Vclass appliances 

• RapidStream "Secured by Check Point" appliances 

• Other models of WatchGuard appliances 

• Security appliances from other manufacturers 

• Security devices such as OEM devices running third-party firewall/ 

VPN software 


CHAPTER 7: Creating Appliance Records 

Creating CPM-Managed Appliance Records 

You use the Configuration Editor window to create new records for 

all the equipment you are managing with CPM. The Configuration 

Editor offers these features, organized into tabs. 

IKE Proposals listed in this tab. 

Schedules listed in this tab. 

QoS actions listed in this tab. 

IPSec actions listed in this tab. 

Services listed in this tab. 

Menu bar (varies per open tab) 

Appliances and addresses 

listed in this tab. 

Click a button to open a window 


Creating Non-CPM–Managed Appliance Records 

Policy tab assists in creation of 

complex security policies 

IKE Pairs tab assists in configuration of 

IKE authentication of VPN pairs 

Remote Access tab assists in RAS 

client connection configuration 

Profiles tab assists in deploying 

profiles to appliances 

Using this window, configure and assemble a complete profile 

(configurations, settings, and policies) for each device. To get started, click 

New (in Appliance/Addresses tab toolbar), and select New Appliance. 

Fill in the appropriate information in the dialog boxes provided. 


You might have RapidStream or Firebox V-series appliances that you will 

not be managing with CPM but which are integral parts of your network. 

You need to enter the appliances in the Appliance Manager for the 

following reasons: 

• To have them in CPM as network addresses that can be applied to 

security policies for traffic between them and your Vclass or 

RapidStream appliances. 

• To monitor them, to a limited extent, depending upon the SNMP 

setup. 

Consider entering any appliance that exchanges data traffic with a 

RapidStream, RapidStream Check Point, or Firebox Vclass appliance. 



To enter all such appliances into CPM’s Appliance Manager, follow these 

steps: 

1 Select the appropriate group folder. 

2 Click the New Appliance button (in the Appliance Groups toolbar). 

A Choose Appliance Type dialog box appears. 

3 For an appliance or security device manufactured by WatchGuard or 

RapidStream, select Firebox V series or RSSA. For a RapidStream 

appliance running Check Point software, select Check Point security 

software. 



4 Click OK. 

Depending upon your choice, one of these dialog boxes appears. 

Do not use these dialog boxes to enter records for appliances you are configuring 

and managing with CPM. 

5 Click to select the checkbox marked Open Mgmt Settings. Click OK. 



The Mgmt Setting and Password dialog box appears. 

6 Review the text in the dialog box, especially the Management Settings 

entries: 

Management IP 

If a number is present, it should represent the IP address of the 

interface used by CPM to connect to and manage the appliance. 

Serial Number 

If this appliance is a Firebox V10 or other security appliance with 

a dynamically assigned IP address, the number noted in this area 

should be the actual serial number assigned to this appliance (and 

"burned into" the appliance firmware). 



7 If both are empty, or if the relevant setting is incorrect, click Change 

Management Settings. 

The [NAME] Mgmt Settings dialog box appears. 

8 Click the button by IP Address (usually the default selection). In the 

empty text field to the right, type the IP address by which CPM can 

have access to this appliance. Or, if an IP address is present, delete it 

and type the correct administrative access interface. 

For appliances inside your local firewall, the address will be a data interface for 

trusted traffic. For appliances outside the firewall, the address will be the public/ 

untrusted interface. 

9 If this appliance record represents an appliance to which the ISP 

assigns a network identity by PPPoE or DHCP, click the button by 

Serial Number. In the empty text field, type the exact serial number 

of the appliance. 

10 Click OK to save this entry and close the dialog box. 

11 When the Management Settings dialog box reappears, click Change 

Password. 

The Change Password dialog box appears. 



12 In both New Password and Confirm Password fields, type the CPM 

access password that was recorded in this appliance when you 

inserted the "cpm_access" security policy. 

NOTE 

If you plan to switch to the Configuration Editor and want to complete the 

configuration/profile using those features, note that you can use the 

System Configuration window to change these settings at that time. 

13 Click OK to save the password and close this dialog box. 

14 When the main Management Settings and Password dialog box 

reappears, click Close to save your entries and close this dialog box. 

A new appliance record (represented by the icons shown below) 

appears in the Groups list. You can drag this icon into the proper 

folder if it’s not already in the folder you want. 

A WatchGuard Firebox Vclass appliance 

A RapidStream appliance 

A RapidStream Check Point appliance 


CHAPTER 8 

Configuring Appliances for 

Network Use 

The chapter describes how to use CPM to initialize, configure, and 

prepare new security appliances for your network. 

Getting Started 

To start the process of entering a new appliance record in CPM, follow 

these steps: 

1 Connect your factory default security appliances (either a new 

WatchGuard Firebox Vclass appliance or a legacy RapidStream) to the 

subnet shared by the CPM Server. 

2 Power up the new appliance. (The process takes about three minutes 

maximum.) 

3 Log into the CPM Server, using a "super admin" account with full 

appliance-creation and management privileges. 

4 When the CPM Console appears, you can open either the Appliance 

Manager window or the Configuration Editor window, which are 

used in the tasks in this chapter. 


CHAPTER 8: Configuring Appliances for Network Use 

Importing Licenses and Certificates 

If a factory-default security appliance needs an x.509 certificate (for use in 

IKE authentication), you must import the certificate contents before 

performing the full setup and configuration. Additionally, if you have 

certain extended-feature licenses that you’ve purchased for use in this 

appliance, you should import those licenses at this time. 

To import licenses and certificates into a factory default security 

appliance: 

1 Open the Appliance Manager window. 

2 Click Discover (in the Appliance Manager toolbar.) 

When the first Discovery dialog box appears on screen, click Find. 

If locally networked WatchGuard Firebox Vclass devices were discovered, the 

Device Discovery window appears. 

This window lists any factory default appliances found on your local subnet. 

3 Make your selection from the list. 



4 Click the To Do cell. From the drop list, select Set IP. 

Set IP appears in this cell. 

5 Click the Temp IP cell. When it becomes a text entry field, enter a 

unique local-subnet IP address for use in the deployment process. 

6 Click the Mask cell. When it becomes a text entry field, enter the 

subnet mask. 

7 Click the Associated Appliance cell to activate the menu. From the 

menu, select Create New. 

CPM creates a basic WG appliance profile, with a basic configuration. 

8 Click to select the CPM Password checkbox. 




9 In both Password fields, enter the CPM password. (This is for CPM 

use; administrative use passwords serve a separate function and are 

not related to this password.) 


11 When you complete the profile entries, click Apply (at the bottom of 

the Profiles tab). 

A confirmation dialog box appears, asking if you intend to apply all the settings 

made in this window. 


A "Processing" message appears in the Processing Status column of this window. 

If the apply action is successful, a lengthy summary of what was applied appears in 

the Processing Status column. 

13 Close the Device Discovery window. 

The Appliance Manager lists this device and notes its status as up-to-date. 

You can now import the x.509 certificate, along with any extended-feature 

licenses. 

Obtaining the x.509 certificate 

1 Right-click the new appliance record and select Certificate from the 

shortcut menu. 

When the Certificates dialog box appears, the Certificates tab should be visible. 

2 Click Create Request and use the resulting four-stage wizard dialog 

box to prepare the x.509 request for the preferred Certificate 

Authority (CA). 



3 When you are finished with the request (and have copied the text to 

the Clipboard), open a Web browser window and connect to the Web 

site of the preferred CA. 

4 Open the CA site certificate request form and paste this text into the 

relevant field. 

5 Fill in the other fields. 

6 Provide the required payment information. 

7 Submit the request, and then close the browser window. 

You now wait for the certificate (in the form of a text file sent to you by the cosigning 

authority). When you receive it, import it into the Firebox. 

Importing the new x.509 certificate 

To import the newly received x.509 certificate: 

1 Log into the CPM Server. 


3 Right-click the row that represents the appliance that uses this new 

certificate. Select Certificate from the shortcut menu. 

4 Click Import Certificate/CRL. 

5 When the Import dialog box appears, you have two options: 

- Use a text editor to open the certificate data file, and then copyand-paste 

the text contents into the text field in this dialog box. 

- Click Load the certificate from a file and use the resulting 

dialog box to locate and import the certificate data file. 

If the process is successful, the certificate data appears in the Import 

Certificate/CRL dialog box’s text field. 

6 When the certificate text is present in the dialog box’s text field, click 

Import Certificate. 



To import licenses for extended features 

1 Right-click the record of the appliance that will use this feature and 

select Show License. 

The [Appliance Name] License window appears. 

2 Click Add. 

The Import New License dialog box appears. 


Restoring the Appliance to a Factory-Default State 

3 You have several options: 

- Open the license file in a text editor, copy the text onto the 

Clipboard, and then paste it into the text area in this dialog box. 

- Open a Select License File dialog box. Use this dialog box to 

find and open the license file, which places the license text in the 

text area of this dialog box. 

- Manually transcribe the license text from some open source. 

4 Click OK to complete the import. 

The newly applied license is listed in the License window. 

5 Click OK to close the License window. 

The extended-feature license has now been incorporated in the appliance. 

Restoring the Appliance to a Factory-Default State 

Now that you’ve imported the certificate and licenses into the appliance, 

you must restore the appliance to a factory-default state so that you can 

proceed with the full CPM profile setup and deployment process. 

Because x.509 certificates and licenses are loaded into the appliance at a 

level lower than can be administered by the CPM Server, restoring an 



appliance to factory-default state will not delete the certificate or license 

information. 

1 Right-click the appliance record and select Operations => Restore 

Default. 


2 Click Yes to proceed. 

After a short interval, the status of this appliance will be “out of contact.” 

The restored-but-licensed/certified appliance (and the initial CPM 

record) is now ready for the full profile deployment process. See 

“Configuring the Appliance Hardware” on page 78 to proceed. You can 

reuse the existing appliance record, even though the appliance has been 

reverted to a blank state. 

Creating the New Appliance Record 

If you don’t need to import certificates or any extended-feature licenses, 

create a new appliance record in the Configuration Editor prior to starting 

the configuration process: 

1 Open the Configuration Editor. 

2 Open the Addresses/Appliances tab (left side), if it is not already 

visible. 


Creating the New Appliance Record 

3 Click New (in Appliance/Addresses tab toolbar), and select New 

Appliance from the drop list. 

The Add [NAME] Appliance dialog box appears. 

4 Delete the placeholder text in the Name field and type a name for this 

appliance. 

5 Click Blank if this is a new "factory default" appliance. 

A new set of appliance-entry menu options appear below. 



6 From the Model menu, select the (global) model number of this 

appliance. 

This menu includes both Firebox Vclass and older RapidStream models. 

7 From the Version menu, select the version of WatchGuard or 

RapidStream operating software installed on the appliance. 

Additional operating system options appear if you select a RapidStream model. 

8 Click to select the checkbox marked Open System Configuration. 


The System Configuration dialog box now appears. For information on completing 

this dialog box, see Chapter 10, “Completing the System Configuration.” 

Configuring the Appliance Hardware 

As an automatic extension of the new appliance entry process, the System 

Configuration window allows you to complete the hardware 

configurations required by this appliance. 

If you are beginning this procedure after restoring an appliance to a 

factory-default state, you should first open the Configuration Editor 

window before proceeding. Locate the new appliance record in the 


Configuring the Appliance Hardware 

Appliances/Addresses tab and right-click it. Select Edit/View, and the 

System Configuration window opens. 

1 After the System Configuration window appears, fill in the General 

tab text fields with appliance-specific information. 

2 Open the Timezone menu and select the geographic setting for this 

appliance. 

3 You can now work through all of the remaining System Configuration 

tabs and make the necessary entries. The tabs include the following, 

depending upon the security appliance model number. 

All appliance models 

General (information), Interfaces, Routing, DNS, SNMP, Log 

Settings, Hacker Prevention 

V80/V100 models 

Tunnel Switching, High Availability, VLAN Forwarding 

For more information on the tabs and their contents, see Chapter 10, 

“Completing the System Configuration.” 



Running the CPM Default Policy Wizard 

After you’ve completed the initial appliance entry (including 

configuration), you should run (or update) the Default Policy Wizard, 

which establishes policies for secure administrative communications 

between the newly recorded appliance and the CPM Server. For more 

information, see “Running the CPM Default Policy Wizard” on page 93. 

Entering the Security Policies 

The Configuration Editor assists you in the creation of security policies by 

organizing many policy “building blocks” into convenient tabs or dialog 

boxes. 

The tabs to the left in the Configuration Editor are Appliances/Addresses, 

Services, IPSec actions, QoS actions, Schedules, and IKE proposals. 


Creating the Network Addresses Required 

The Configuration Editor shortcut menu (which you open by rightclicking 

the Action cell in a policy row) provides access to other policy 

action options, as shown here. 

The tabs to the left of this window comprise catalogs of components that 

you can add to or customize before starting on the policy-creation 

process. (Each tab contains a default selection of basic items, which you 

might find adequate for your use.) 

Creating the Network Addresses Required 

Note that this appliance has been automatically registered in the 

Configuration Editor window as new address entries for the appliance 

itself and for each of the data interfaces. You now need to create address 

entries associated with this appliance that represent all network entities 

behind each of the interfaces. To view the automatic entries: 

1 Open the Configuration Editor window. 

2 Look in the Appliances/Addresses tab for this new appliance record. 



3 Click the toggle to the left of this entry, as shown here. 

The record expands to show the automatically generated interface address entries. 

Note: These addresses represent the data interface, not the networks behind them. 

4 Right-click the appliance entry to open the shortcut menu, and select 

New Address. 

The Add Address dialog box appears, which you can use to enter the first of any 

required network-entity address records for later use in policies. THis process is 

fully described in the “Cataloging Your Network Addresses” chapter in the CPM 

Policy and Administration Guide. 

Assembling the CPM Policy Components 

After entering the network addresses associated with this appliance, you 

should enter the following before compiling policies: 

• Any additional, custom services or combined service groups 

• Any custom IPSec actions including transforms and proposals 

• Any additional, custom QoS actions 

• Any pertinent custom schedules 

For more information, see Chapter 10, “Completing the Appliance 

Configuration.” 


Defining the Required Alarms 

Defining the Required Alarms 

At this time you can open the CPM Alarm Console and review the default 

alarm definitions, and if needed, customize and add new definitions for 

use in this appliance. For more information on the alarm definition 

process, see the CPM Policy and Administration Guide. 

Deploying the Profile 

After you have completed all of the relevant tasks outlined in this chapter, 

you are ready to deploy the resulting profiles to the newly recorded 

appliances. This makes the appliances active and enables the monitoring 

and maintenance of these appliances. 

The deployment process involves this sequence of tasks: 

• Using the Profiles tab to discover the appliance 

• Assigning the discovered appliance a temporary IP address 

• Generating an up-to-date profile (including system configurations, 

settings, and security policies) 

• Deploying a profile. 

Before using CPM to discover an uninstalled ("factory default") appliance 

and then deploying a profile to it, you must have the following: 

• A temporary IP address, for use in discovery and the initial 

deployment 

• A unique password that CPM will use to gain access to this appliance 

• A basic appliance profile, ready for deployment 

Compiling the profiles 

NOTE 

If the Compile or Deploy buttons (as noted in the following) are not active, 

the most likely cause is a missing or erroneous IP address in one of the 

listed appliance records. Review the System Configuration window 



Interface tab entries for each appliance until you find and change the 

error—at which time you will be able to compile and deploy the profiles. 

1 Open the Configuration Editor. Click the Profiles tab. 

2 Select any (or all) appliance entries. 

3 Click the Compile button (in the tab’s top toolbar). 

The profile-compilation process begins, and a status message appears in the Status 

column. 

After the profiles have been compiled from the database, the Status 

column reports one of the following states for each profile entry: 

No Contact 

The appliance is not in communication with CPM. Use the 

Appliance Manager to assess the situation. 

Needs Deployment 

This profile has been changed since the last deployment, and you 

should redeploy the contents to the relevant appliance. 

Up to date 

The appliance profile has not been changed since the last 

deployment and you do not need to redeploy the contents. 

If the profile for your new appliance displays "Needs Deployment,” 

you can proceed with the discovery/deployment process. 

Discovering the profile-ready appliances 

1 Click the Profiles tab. 

2 Click Discover (in the tab toolbar.) 

The first Discovery dialog box appears on screen. 



3 Click Find. 

If locally networked WatchGuard devices were discovered, the Device Discovery 

window appears. 

This window enables you to match up profiles and appliances for deployment. 

Deploying profiles to new appliances 

1 Select an appliance from the list. 

2 Click the To Do cell. From the now-active menu, select Set IP. 

"Set IP" appears in this cell. 



3 Click the Temp IP. When it becomes a text entry field, type in the IP 

address for use in the deployment process. 

4 Click the Mask cell. When it becomes a text entry field, type in the 

subnet mask. 

5 Click the Associated Appliance cell. From the menu, select the 

relevant profile. 

NOTE 

If you have not yet created a basic profile including the network identity of 

this appliance, you can do so at this time by selecting Create New from 

this menu. It opens the Add New Appliance dialog box, which you can use 

to create the profile. When finished, make the Profile tab active, select the 

profile from this menu, and proceed. 



6 Click to select the checkbox marked CPM Password. 


7 In both Password fields, type the text of the password that CPM will 

use to establish a connection with the appliance. (This is for CPM use; 

administrative use passwords serve a separate function and are not 

related to this password.) 


9 When you have completed the profile entries, click Apply (at the 

bottom of the window). 



A "Processing" message appears in the Processing Status column. If the application 

is successful, an "Up-to-date" message appears in the Processing Status column. 

11 Close the Device Discovery window. 

The Profiles tab now lists this appliance’s profile. The Status column displays 

"Needs Deployment,” and the Details column displays “Never Deployed.” 

Deploying the profiles 

1 Select the new appliance/profile record. 

2 If you want to verify the profile’s readiness, click the now-active 

Compile button in the tab’s top toolbar. 

The Status column now displays "Compiling" (while the Details column displays 

"Profile compilation in progress..."). When profile generation is complete, the 

Status column displays "Compilation done". 



3 With this compiled profile still selected, click the Deploy button. (Or, 

right-click the appliance record and select Deploy.) 

NOTE 

If the Deploy button is not active, the most likely cause is a missing or 

erroneous IP address in an appliance record. Review the System 

Configuration window Interface tab entries for each appliance until you 

find and change the error—at which time you can deploy the profiles. 

A confirmation dialog box appears, to alert you that the primary management IP 

address will be changed—and contact lost with this appliance—after deployment is 

complete. 


CPM now proceeds to deploy the new profile to this appliance, where 

it will be immediately put into effect. 

- The Status column notes “Deployment started.” 

- The Details column notes "Deployment in progress..." 

These status messages remain until replaced by the following 

combination of messages: 

No Contact 

As noted in the Status column. 

Successful 

As noted in the Last Deployed column, along with the date and 

time this profile was deployed. This is the key message. 

Unable to connect... 

As noted in the Details column. 


Relocating the Appliance 

Relocating the Appliance 

At this time, you can power down the appliance and disconnect it, prior 

to shipping it to its service location. 

After it is delivered to its location, the appliance should be connected to 

the appropriate networks and then powered up. 

A few minutes after power-up is complete and the Ready LED on the 

appliance is lit solidly (not blinking), you can use CPM to remotely 

establish contact with the device, for all future monitoring and 

maintenance. To do so, follow these steps: 

1 After logging into CPM (if you’ve not already done so), open the 

Appliance Manager window. 

2 Locate the appliance record in the group folder and select it. 

The appliance entry appears in the table to the right, shaded Green (for "in contact 

with CPM"). The Status column should read "Normal". 

NOTE 

In certain circumstances, a minor alarm will be triggered and the 

appliance row will be Yellow. You can simply open the Appliance Detail 

dialog box to get an accurate reading of the appliance’s status, as noted in 

the remainder of this section. 

3 Double-click the appliance row. 

The Appliance Detail dialog box appears. 



4 Review the Availability indicator, highlighted above. It should be 

green, and should display “Contacted.” The Interface/Port indicators 

should list the proper IP addresses and be green. 

5 If the row is yellow, you can now open the Alarm Console window 

and review or clear any minor alarms that were triggered during the 

initial contact phase. This restores the row to green and changes the 

Status message to “In contact.” 

You’ve successfully configured and deployed a working appliance. 

Copying a Configuration to New Appliance 

Among the time-saving techniques in CPM, you may find this setup 

technique to be most helpful. This configuration shortcut allows you to 

create new appliance records, bypass the manual entries, and copy the 

configuration from a matching model of appliance. You can then quickly 

fine-tune this new configuration for the new appliance. 

1 Create and deploy a complete profile for a factory default appliance; 

for example, a V80. 

2 When you need to create a profile for a second V80, open the Add 

[NAME] Appliance dialog box. 

3 Delete the placeholder text in the Name field and type the name 

assigned to this appliance. 


Copying a Configuration to New Appliance 

4 Click Copy From (as highlighted above). (Do not click Blank.) 

An Appliance menu appears below, listing all the current appliances. 

5 From this Appliance menu, select the original V80 appliance entry. 

6 Click OK. 

The System Configuration window now appears, containing all the copied settings. 

7 You can make any changes necessary to the General and Interfaces 

tab contents, relevant to this new appliance. 

8 Make any necessary changes to the other tabs that apply to this 

appliance. 

9 Click OK when you are finished. 

The new appliance record appears in the Appliances/Addresses tab of the 

Configuration Editor (and a new record automatically appears in the Appliance 

Manager window—including address entries for the principal data interfaces. 




CHAPTER 9 

Completing the Appliance 

Configuration 

After you’ve completed the initial appliance entry (including 

configuration), you should run (or update) the Default Policy Wizard. 

This process establishes policies for secure administrative 

communications between the newly recorded appliance and the CPM 

Server. 


1 Open the Configuration Editor window, if it has not already been 

opened. 


CHAPTER 9: Completing the Appliance Configuration 

2 From the Policy menu, select Wizards => Create CPM Default 

Policies. 

The Policy Wizard appears. 

This initial wizard displays two topology drawings: 

- The one on the left shows an extended network with the CPM 

system connected to a gateway appliance, through which it is 

connected to other appliances through the Internet (outside the 

local firewall.) 

- The one on the right shows a local network with the CPM 

system connected to a collection of appliances, all inside the local 

firewall. 

3 Click either drawing, depending upon which topology your network 

matches. Click Next. 



If you can chose the extended network 

If you clicked the extended network drawing, the following screen 

appears. 

1 From the Appliance menu, select the appliance acting as your local 

firewall gateway. 

2 In the IP Address field, type the IP address of your CPM Server. 

NOTE 

If the host computer for the CPM Server software has more than one 

interface (usually when several NICs are in use,) you should enter the IP 

address configured previously for the CPM Server, which is recorded in 

the cpm_server.conf file in the installation directory. 

3 If your external connection does not use dynamic NAT, and your host 

computer has its own IP address, click the DNAT option No button. 

(Otherwise, the default connection state is that DNAT is active and 

does apply to your CPM host computer’s external connections.) 


The next screen appears, summarizing what is about to be accomplished. 

5 Review the information, and then click Next to finish the process. 

When the policy wizard is finished, the wizard will have closed and 

the Policy window will now list two “global” policies: 



- An "Allow CPM" policy that permits outgoing CPM HTTPS 

traffic, for use in contacting all remote appliances. 

- A "Heartbeat Tunnels" policy, for incoming IPSec traffic that 

directs the remote appliance’s heartbeats to the CPM Server. 

If you chose the local network 

If you clicked the right-hand local network drawing, the following screen 

appears. 

1 Delete any text that might appear in the IP Address field, and type the 

IP address of the CPM Server. 

NOTE 

If the host computer for the CPM Server software has more than one 

interface (usually when several NICs are in use,) you should enter the IP 

address configured previously for the CPM Server, which is recorded in 

the cpm_server.conf file in the installation directory. 




The final screen appears. 

3 Click Next to finish. 

When the wizard is finished, it closes and the Policy tab in the 

Configuration Editor lists a single new policy that permits SSL traffic 

exchanged between all sources, including the management port IP 

addresses of the local security appliances. 

The Configuration Editor also adds a new "address" entry (named 

"Mgmt Ports"), representing all management interfaces for all 

appliances. 




After entering the network addresses associated with this appliance, you 

should enter the following before compiling policies out of the CPM 

building blocks: 

• Any additional, custom Services or combined service groups (along 

with the large number of default options) 

• Any custom IPSec Actions (including transforms, proposals) (along 

with the default options) 

• Any additional, custom QoS actions (along with the default options) 

• Any pertinent custom Schedules (along with the default options) 

Assembling a policy from available components 

1 Create a new policy row in the Policies tab. 

2 Double-click the Name cell and type a name representing the policy. 

3 Drag and drop (or click and select) the Traffic Specification 

components: 

Source 

Drag one or more entries from the Appliance/Addresses tab 

Destination 

Drag one or more entries from the Appliance/Addresses tab 

Service 

Drag one or more entries from the Services tab 



4 Drag and drop (or click and select) the required Action components: 

- Pass, Block, or Reject (the firewall options) 

- IPSec (manual key or automatic key VPN actions) 

- Bidirectional IPSec/VPN (set after completing a new policy) 

- Dynamic NAT (activates DNAT) 

- Static NAT (with a menu for directional options) 

- Load Balancing 

- QoS 

- TOS Marking 

5 Repeat this process to create policies for other devices 




CHAPTER 10 

Completing the System 

Configuration 

The System Configuration dialog box assists in the recording of a 

spectrum of appliance-specific options that optimize your appliance for 

your specific network environment. You can also use the System 

Configuration dialog box to revise existing system settings in operational 

appliances, as needed. 

Although appliance configurations are immediately stored in the CPM 

Server database, they are not put into effect until you deploy a complete 

appliance profile to the actual device. Do this after completing the profile, 

adding policies, alarm definitions, and log file settings to the profile. 

Configuring a New WatchGuard Appliance 

1 After starting CPM, open the Configuration Editor window. 

2 Right-click an appliance record (in the Appliances/Addresses list) 

and select Edit/View. 

The System Configuration dialog box appears, displaying the General tab. 


CHAPTER 10: Completing the System Configuration 

Completing the General Entries 

You can use the General tab to enter a basic set of appliance-informational 

entries. To do so, follow these steps: 

1 If you accepted the default appliance name in the Add New 

Appliance dialog box, you can delete it from the Appliance Name 

field, type a more appropriate name at this time. 

2 In the Location field, type the location (current or intended) of this 

appliance. 

The entry can be a city, state, or country name, a building and floor 

number, any combinations of these, or a simple identifier such as 

“my_office.” 

3 In the Contact field, type the name of the person who will be locally 

responsible for administration of this appliance–if anyone has been 

assigned that responsibility. 

4 Click Local Admin if you want to assign a password for use by any 

local administrator. 

NOTE 

This local password will supersede the existing “admin” or "rsadmin" 

access password after the initial deployment of CPM-generated 

configurations. If anyone needs to use the WatchGuard Vcontroller, 

RapidStream Manager, or CLI to administer that appliance, he or she 

must use this new password. Otherwise, all local access will be obtained 

through the CPM Client, as described in an earlier chapter. 

The Local Admin Account dialog box appears. 

5 In the Local Admin Password text field, type the new password text, 

using between 6—16 alphanumeric characters. 

6 Click OK to save the new settings and close this dialog box. 


Completing the Interfaces Entries 

7 From the Timezone menu, select the time zone for the geographical 

location where the appliance will be used. 


When the Interfaces tab appears, you must enter the IP addresses and 

network (or subnet) masks for all of the accelerated data interfaces 

incorporated into this appliance. 

1 Click the Interfaces tab. 

The Interfaces tab displays a set of features corresponding to the 

specifications of the appliance model number. In every case, you will 

see a different set of interface options. 

NOTE: The contents of this 

tab will vary, according to 

the model number of Firebox 

Vclass appliance. For 

example, configuring a v10 

will require different entries 

from those of a v80—as 

shown here. 

This illustration shows the Interface options for a v80 model. 

2 In each pair of interface-specific text fields, enter the IP Address and 

Network Mask assigned to that data interface. 



3 From the Use [NAME] IP address... menu, select the preferred CPM 

management access interface, depending upon the following: 

- Select the 0 (private) interface if this appliance is located inside 

your current site’s firewall. 

- Select the 1 (public) interface if this appliance is or will be 

located outside your current site’s firewall. 

This option determines which interface will be used by the CPM 

Server for connecting to and managing this appliance. 

NOTE 

If you don’t specify an interface management port for CPM Server 

(depending on the one selected), Invalid Mgmt IP will appear in the status 

column of the appliance record when you are finished. 

If you need to change the IP address information for any of these 

interfaces at a later time, you can do so by reopening this dialog box 

tab and making the changes. 

4 Click to select the Enable Port-Shaping checkbox if you want to 

activate system-wide port shaping for the available port interfaces. 

A Detail button appears in the Interfaces tab. 

5 Click Detail to open the Specify Port Bandwidth dialog box. 

This dialog box allows you to precisely adjust the output/throughput of the 

available accelerated data interfaces and can be recorded in either Kbps or Mbps. 

6 In each interface-specific field (as needed), type the appropriate 

number, according to your selections from the Increment menus. 



In most cases, you will want to set bandwidth for the Public port only, 

as that network connection will probably be the slowest. 

7 From the Use [PORT NAME] menu, select the interface to be used for 

CPM management connections (after this appliance has been 

relocated). 

8 If you want to use CPM to change the management settings for this 

appliance according to these interface entries (after the configuration 

is deployed), leave the checkbox selected. This ensures that CPM can 

do the following: 

- Use a new IP address to contact the appliance if the management 

interface IP address changes 

- Use the appliance’s serial number (embedded in the heartbeat) 

to manage the appliance if the designated management interface 

of the appliance is dynamically assigned by the ISP 

NOTE 

If you initially created this appliance record in the Appliance Manager, 

and if you opened and used the Management Settings dialog boxes to 

enter the CPM access settings, any changes or additions you make at this 

time in this dialog box will overwrite the original entries if there is a 

conflict. This will not pose a problem to CPM or the appliance. 

9 If you don’t want to use these settings, click to clear the checkbox. 

10 Click OK to save your entries. 

11 Click Apply to save the changes in the Interfaces tab. 



Completing the Routing Entries 

You use the Routing tab to set up static or dynamic routes. If you select 

dynamic routing, the options include RIP, RIP version 2, and OSPF. All 

routing configurations depend upon the following qualifications: 

• The appliance listens on the Private interface, not the Public or DMZ 

interfaces 

• RIP and RIPv2 run in silent mode, and do not advertise the routes 

• OSPF runs in host mode and cannot act as a designated router 

• Authentication is only supported for OSPF 

To enter the preferred routes, follow these steps: 

1 Click the Routing tab. 



2 To catalog the first of any static routes that will be used by network 

traffic passing through this appliance, click Add. 

The Add Route dialog box appears. 

3 In the Destination, Network Mask, and Gateway fields, enter the 

information necessary for a route. 

4 From the Interface/Port menu, select the port used for this route. 

5 In the Metric field, type the number of hops in this route. 

6 Click OK to close the dialog box and add this route to the tab 

contents. 

7 Repeat this process to catalog all other static routes. 

8 To configure dynamic routing for this appliance, from the Protocol 

menu, select a protocol. 

The dynamic routing protocol selections include the following: 

None 

This is the default setting, which remains in effect if you do not 

activate dynamic routing. 

RIP 

This option, an acronym for “Routing Information Protocol,” 

permits the Firebox Vclass appliance to record routes advertised 

by other routers using the RIP protocol. 



RIPv2 

This option permits the appliance to record routes advertised by 

other routers also using the RIPv2 protocol. 

OSPF 

This option, an acronym for “Open Shortest Path First,” activates 

additional routing options, which you must customize according 

to your preferences. 

If you select RIP or RIPv2, no additional features appear. You can 

click Apply and then proceed to the DNS tab, as described in 

“Completing the DNS Entries” on page 111. 

If you select the OSPF protocol, the Area ID and Authentication 

Type options become active, as shown here. 

9 In the Area ID field, type the appropriate IP address. 

10 From the Auth Type menu, select an authentication option from the 

following: 

None 

Requires no authentication. 

Simple 

Requires a key for authentication. 

MD5 

Requires both a key identity and the key text for authentication. 



11 If you selected Simple as the Auth Type, the Auth. Key 

(Authentication Key) text field appears, as shown here. In the Auth. 

Key field, type the assigned text of the key. 

If you selected MD5 as the Auth Type, the Authentication Key and 

Key ID fields appear, as shown here. In the Auth Key field, type the 

assigned text of the key. In the Key ID field, type the assigned 

number (between 1 and 255) that will identify this key. 

12 When you have finished making changes to the Routing tab, click 

Apply to save all the new entries. 

Verifying the routes 

You cannot use CPM to verify static route entries until the appliance has 

been relocated to its assigned spot and put in service. At that time you can 

verify the routing entries by doing the following: 

1 Use CPM to verify that the appliance is in contact. 

2 Right-click the appliance (in the Configuration Editor), and select 

Edit/View. 

3 When the System Configuration window appears, click the Routing 

tab. 


5 Right-click the same appliance record and select Appliance Details. 



6 When the Appliance Details window appears, click the Routing 

Table tab. 

7 Align the System Configuration and Appliance Details windows so 

that you can visually verify that both lists of routes fully match one 

another. 

If a route is missing in the Appliance Details window, the 

corresponding entry in the Routing tab in the System Configuration 

window needs to be corrected. 

8 Make all the changes necessary in the Routing tab of the System 

Configuration dialog box. 

9 Regenerate and redeploy that appliance’s profile. 

10 Repeat the two-window verification process. After both tabs are the 

same, you’ll know the routing tables are identical and in effect. 


Completing the DNS Entries 

Completing the DNS Entries 

The Domain Name Server (DNS) tab allows you to catalog all local DNS 

servers that might be used by this security appliance. 

1 Click the DNS tab. 

2 In the Domain Name field, type the domain name used for this 

security appliance. 

3 To start cataloging the DNS servers, click Insert. 

The DNS Server dialog box appears, as shown here. 

4 In the blank numeric text field, type the IP address of a DNS server. 

5 Click the Add button to save this entry in the DNS Servers list. 



6 Repeat this process to record the IP addresses of other DNS servers. 

7 If more than one server is listed in this tab, you can shuffle the search 

order by choosing a server entry and then clicking the Up or Down 

buttons until each server appears in the proper order. 

8 When you are finished with the DNS tasks, click Apply to save your 

new entries. 

Completing the SNMP Entries 

The CPM software allows you to assign this security appliance to an 

SNMP community, so it can be monitored through SNMP management 

stations. You can also configure this appliance so that an SNMP trap will 

be sent to management stations when certain alarms are triggered. This 

tab assists you in the following: 

• Adding needed IP addresses of management stations 

• Recording the SNMP community string 

• Activating the SNMP trap 


Completing the SNMP Entries 

NOTE 

For a complete list of supported MIBs in the CPM software, open and 

review the MIB files that are stored on the CPM CD. 

1 Click the SNMP tab. 

The Management Stations area (currently empty) lists the IP addresses (one or 

more) of all the network management stations that will receive SNMP traps when 

generated by this WatchGuard appliance. 

2 To add a specific management station to this list, click Add. 

The SNMP Management Station dialog box appears. 

3 Type the station’s IP address in the blank numeric text field. 



4 Click the Add button to catalog this management station in the SNMP 

tab. 

5 If necessary, repeat the SNMP Management Station dialog box 

process to record the IP addresses of all other management stations 

that will be monitoring this security appliance. 

6 If you are going to enable the SNMP trap, in the Community String 

field, type the password text that will identify the appliance to the 

management station. 

7 If you want this security appliance to send any alarm-triggered traps 

to the listed management stations, click to select the Enable SNMP 

Trap checkbox. 

Although no traps will be sent if you deactivate this option, any triggered alarms 

will still be logged in the appliance or emailed to the appropriate WatchGuard 

appliance administrator. 

8 When you are finished with the SNMP tab, click Apply to save your 

new entries. 


Completing the Log Settings Entries 

Completing the Log Settings Entries 

1 Click the Log Settings tab. 

2 The Settings workspace provides two sets of options pertaining to the 

two separate log types–Traffic and Event: 

- Click to select the Enable Traffic Logging checkbox to activate 

the WatchGuard logging function for all data traffic passed 

through this WatchGuard appliance. 

- Click to select the Enable Event Logging with Log Level 

checkbox, and then click the slider below this checkbox and 

move it until it is level with the desired logging level. 

The slider allows you to include fewer events or more events in your 

event log file–depending upon which selection you make. The 

“Critical Events only” selection creates a basic log file including only 

major events, while the remaining selections below add increasing 

amounts of information and detail to the log file. 



NOTE 

Because the system will purge the contents of the log files when a certain 

size is reached (usually a maximum of 200 Kb), the more events you 

include the more often the logs will be purged. See the CPM Policy and 

Administration Guide for more information about appliance logging. 

3 When you have finished with the Log Settings tab, click Apply to 

save your new entries. 

For more information about configuring a syslog server to accurately 

store all log files from a range of Firebox Vclass appliances, review the 

tech notes available in the WatchGuard support Web site. 

Completing the Hacker Prevention Entries 

1 Click the Hacker Prevention tab. 


Completing the Hacker Prevention Entries 

The Hacker Prevention tab appears, displaying the default values. 

2 Select and configure the Denial-of-Service Prevention options. 

The following anti-hacker attack options safeguard your servers from 

denial-of-service attacks. All such attacks flood your network with 

“requests” for information, clogging your servers and possibly 

shutting down your site. After you activate these options and set 

threshold numbers for this Firebox Vclass appliance, it will prevent 

such attacks. If there are more than the specified number of requests 

(per second), the security appliance will drop the excess number of 

requests within the same second while permitting the acceptable 

number of requests to pass through. This will protect your servers 

from becoming overwhelmed by too many requests within a short 

period of time. 

ICMP Flood Attack 

Allows you to safeguard your network from a sustained flood of 

ICMP pings. You can change the threshold number in the 

accompanying text field to a value that will trigger the denial-ofservice 

protection. 

SYN Flood Attack 


TCP syn requests without the corresponding attack response. You 

can change the threshold number in the accompanying text field 

to a value that will trigger the denial-of-service protection. 

UDP Flood Attack 


UDP packets. You can change the threshold number in the 

accompanying text field to a value that will trigger the denial-ofservice 

protection. 

Ping of Death 

Safeguards your network from user-defined large data-packet 

pings. 

IP Source Route 

Safeguards your network from a flood of false client IP addresses, 

designed to bypass firewall security. 

3 Select the Distributed Denial-of-Service Prevention options. 



As a subset of denial-of-service attacks, distributed DoS attacks occur 

when hackers coordinate a number of “borrowed” computers for 

malicious purposes and program them to simultaneously assault a 

network with information requests. If allowed to pass through, they 

can overwhelm and crash your Web servers. 

Per Server Quota 

Allows you to safeguard your servers from coordinated denial-ofservice 

attacks against any single server. You can change the 

threshold number in the accompanying text field to a value that 

represents the maximum request capacity (per second) of that 

server. If there are more than the specified number of connection 

requests within a second, the Firebox Vclass appliance will drop 

the excess requests within that same second. This will protect 

your server from being overwhelmed by too many connection 

requests in a short period of time. 

Per Client Quota 

Restricts the number of connection requests from a single client 

within a second. You can change the threshold number in the 

accompanying text field to a value that represents the maximum 

number of requests (per second) from a single client. If there are 

more than the specified number of connection requests within a 

second, the Firebox Vclass appliance will drop the excess requests 

within that same second. 

4 When you have finished with the Hacker Prevention tab, click Apply 

to save your new entries. 

About the High Availability Tab 

The High Availability tab appears only if the model of Firebox Vclass 

appliance being configured incorporates one or more HA interfaces. High 

Availability (HA) allows you to set up a system that activates an almost 

instantaneous replacement of a primary appliance with a secondary 

appliance in the event of system failure. This identically profiled 

secondary appliance will take over all traffic control in place of the failed 

primary appliance. 

You can also use this feature to establish an Active-Standby HA pairing. 


About the VLAN Forwarding Tab 

WatchGuard recommends bypassing this tab for now and undertaking 

this process at a more convenient time. To learn how to set up an HA 

system with this appliance, see the CPM Policy and Administration Guide. 

About the VLAN Forwarding Tab 

Your network may include a number of VLANs (either classic VLAN or 

multi-tenant domains). As a result, you may need to create security 

policies to route traffic between two separate domains that use the same 

VLAN switch. In such a situation, which is known as "VLAN 

forwarding,” you can enter such inter-VLAN policies in CPM, but you 

must activate the related hardware functionality beforehand, as described 

in this section. 

VLAN forwarding is a feature built into certain Firebox Vclass models. 

This function is inactive by default. As the example in the following 

illustration shows, VLAN forwarding enables you to use a CPM Client 

workstation in VLAN 1 to connect through the local gateway appliance 



and to manage another security appliance assigned to VLAN 3–which 

entails inter-VLAN connections. 

To activate the VLAN forwarding components of a Firebox appliance, 

follow these steps: 

1 Open the System Configuration window for the designated appliance. 

2 Click the VLAN Forwarding tab. 

If this tab is not visible, the selected Firebox model does not incorporate VLANforwarding 

capabilities. 

3 Click to select the checkbox marked Enable inter-VLAN forwarding. 


Completing the Tunnel Switch Entries 

4 Click Apply. Click OK to close the window. 

After you deploy this revised profile, the appliance will be ready for inter-VLAN 

communications. 

Completing the Tunnel Switch Entries 

If this model of security appliance incorporates Tunnel Switch hardware 

functionality, the Tunnel Switch tab appears in the System 

Configuration dialog box. You can use this tab to enable the hardware 

features. After that, you must then set up the policies required to enact 

tunnel switching with qualifying data streams. 

1 Click the Tunnel Switch tab. 

2 Click to select the checkbox marked Enable Tunnel Switch if you 

want to enable these features. 



3 Click Apply to save this change to the configuration. 

You can now save all your new configuration entries and close the 

System Configuration dialog box. For more information about tunnel 

switching configuration and setup, see the CPM Policy and 

Administration Guide. 

Saving the System Configuration Entries 

After you have completed the settings in the System Configuration 

dialog box for this appliance, click OK. This will save all the entries and 

close the dialog box. 

Importing a New License 

You can import the text of extended-feature licenses into CPM. You must 

first purchase and obtain the license text. With the text on-hand (or stored 

temporarily on the Clipboard), you can use the CPM License window to 

import the text into the relevant appliance. For more information about 

licensing additional features and capacity in your Firebox Vclass 

appliance, visit the WatchGuard Web site. 




2 Right-click the appropriate appliance record, and select Show 

License. 

The [Appliance Name] License window appears. 

3 Click Add. 

The Import License dialog box appears. 

4 You have several options: 



- Open the license file in a text editor, copy the text onto the 

Clipboard, and then paste it into the text area in this dialog box. 

- Open a Select License File dialog box and use it to find and 

open the license file, which places the license text in the text area 

of this dialog box. 

- Manually transcribe the text of the license into this dialog box 

from an open source. 

5 Click OK. 

The license is listed in the Licenses window. 

6 Click OK to close the License window. 

The extended-feature license has now been incorporated in the appliance. 

Reviewing the current licenses 

If you have already configured an active appliance and want to review 

the extended-feature licenses previously imported into the appliance, 

follow these steps: 

1 Right-click an appliance record in the Appliance Manager window 

and select Show Licenses. 

The [Appliance Name] Licenses window appears, listing any licenses present in this 

appliance. 



2 To review the complete set of active features, click Show Active 

Features. 

The Active Features dialog box appears. 

This dialog box shows the feature names, the capacity (dictated by the current 

license) and the expiration date. 

3 When you are finished reviewing the contents, click Close to close the 

dialog box. 

4 To review the actual text of a license, double-click the license entry in 

the License window. 

The License Detail dialog box appears, displaying the license text. 

This text cannot be copied and applied to any other appliances, 

because it is linked to the serial number hard-coded into the 

appliance. 



Deleting an out-of-date license 

You can remove old or out-of-date licenses from this appliance by 

following these steps: 

1 Open the License window. 

2 Select an expired license and click Delete. 


3 Click OK to confirm. 

The license entry is erased from the window. 


Index 

A 

Active Features dialog box 125 

Add Address dialog box 82 

Add Appliance dialog box 77, 90 

Add Group dialog box 43 

Add Route dialog box 107 

addresses, creating required 81 

Admin Account Properties dialog box 42 

Admin Role Properties dialog box 40 

Administrative Access dialog box 41 

administrator accounts 

creating new 41 

described 37 

Administrator Accounts dialog box 39 

administrators, seeing which are online 44 

alarms 83 

All Session Info dialog box 45 

Appliance Detail dialog box 89 

Appliance Group Properties dialog box 58 

Appliance Manager 

described 56 

features of 56 

using to create folder hierarchy 57 

using to create non-CPM managed records 63 

appliances 

activating tunnel switching hardware 121 

configuring for network use 69–91 

configuring hardware for 78 

configuring interfaces 104 

configuring local DNS server connections 111 

configuring local SNMP workstation 

connections 113 

configuring routes 106 

copying configurations to 90 

creating records for 61–68, 76 

deploying profiles to 51 

deploying profiles to new 85 

discovering 84 

discovering new 50 

enabling logging for 115 

entering records for 69 

installing 5 

not managed by CPM 63 

relocating 89 

requirements for discovering 50 

restoring to factory-default state 75 

C 

specifying location 102 

specifying name 102 

specifying time zone 103 

types managed by CPM 2 

certificates 

importing 70, 73 

obtaining 72 

Change Password dialog box 67 

Choose Appliance Type dialog box 64 

Configuration Editor 

described 62 

using to create CPM-managed records 62 

configurations, copying to new appliances 90 

CPM 

appliances managed by 2 

described 1 

hardware and software requirements 7–10 

network scope of 2 

obtaining site license for 10 

system requirements 7–10 

upgrading from previous versions 21 

CPM Client 

changing your CPM Client login password 27 

described 2 

installing 18–21 

installing on a server 6 

installing on a workstation 6 

starting 23–35 

uninstalling 22 

CPM Server 

described 1 

installing 11–17 

installing on a server 6 

installing on a workstation 6 

installing on Solaris host 16 

installing on Windows NT 16 

restarting the CPM Server 35 

starting 23–35 

Stopping the server 32 

uninstalling 22 

upgrading the license 30 

CPM Server Information dialog box 31 

CPM windows, locking 45 

D 

Default Policy Wizard 


described 93 

running 80, 93–97 

Denial-of-Service Prevention options 117 

dialog boxes 

Active Features 125 

Add Address 82 

Add Appliance 77, 90 

Add Group 43 

Add Route 107 

Admin Account Properties 42 

Admin Role Properties 40 

Administrative Access 41 

Administrator Accounts 39 

All Session Info 45 

Appliance Detail 89 

Appliance Group Properties 58 

Change Password 67 

Choose Appliance Type 64 

CPM login 24 

CPM Server Information 31 

CPM Server Information (General tab) 29, 34 

CPM Server shutdown confirmation 34 

Devices Found 51, 85 

Discovery 50, 70, 84 

DNS Server 111 

Import 73 

Import Certificate/CRL 73 

Import License 123 

Import New License 74 

Information (CPM Server shut down) 34 

License Details 125 

Local Admin Password 102 

Mgmt Setting and Password 66 

My Session Info 44 

Password Change Confirmation 28, 30 

Select the CRL file 73 

Service Control status 33 

Set Password 28, 29, 43, 52, 71, 87 

SNMP Management Station 113 

Specify Port Bandwidth 104 

System Configuration 101–126 

Upgrade License 31 

Discovery dialog box 50, 70, 84 

Distributed Denial-of-Service Prevention 

options 117 

DNS Server dialog box 111 

DNS servers 

cataloging 111 

configuring local network connections 111 

DNS tab, System Configuration dialog box 111 

F 

folders, creating hierarchy of 55 

G 

General tab, System Configuration dialog 

box 102 

H 

Hacker Prevention tab, System Configuration 

dialog box 116 

hardware configuration 78 

High Availability 118 

High Availability tab, System Configuration 


I 

ICMP Flood Attacks 117 

Import Certificate/CRL dialog box 73 

Import dialog box 73 

Import License dialog box 123 

Import New License dialog box 74 

Interfaces tab, System Configuration dialog 

box 103 

IP Source Routes 117 

J 

Java 2, version required for CPM 10 

L 

License Detail dialog box 125 

licenses 

deleting 126 

for CPM 10 

importing 70, 74, 122 

reviewing current 124 

upgrading the CPM Server license 30 

Local Admin Password dialog box 102 


Log Settings tab, System Configuration dialog 

box 115 

logging, enabling 115 

M 

Mgmt Setting and Password dialog box 66 

My Session Info dialog box 44 

N 

network, mapping using Appliance Manager 55 

O 

OSPF 108 

P 

passwords 

changing the Client login password 27 

local admin 102 

Per Client Quota 118 

Per Server Quota 118 

Ping of Death 117 

policy components, assembling 98 

port shaping, enabling 104 

profiles 

compiling 83 

deploying 83–88 

deploying to new appliances 85 

described 2 

R 

RIP 107 

RIPv2 108 

roles 

creating new 38 

default 37 

routes 

setting up 106 

verifying 109 

Routing tab, System Configuration dialog 

box 106 

S 

security policies, creating 80 

Set Password dialog box 43, 52, 71, 87 

SNMP Management Station dialog box 113 

SNMP tab, System Configuration dialog 

box 113 

SNMP traps 112 

Specify Port Bandwidth dialog box 104 

SSL connection 8 

Sun Solaris 

installing CPM Server on 16 

version required for CPM Server 7 

SYN Flood Attacks 117 

System Configuration dialog box 101–126 

system requirements 7–10 

T 

time zones 103 

Tunnel Switch tab, System Configuration dialog 

box 121 

U 

UDP Flood Attacks 117 

upgrading CPM 21 

V 

VLAN forwarding 119 

VLAN Forwarding tab, System Configuration 


W 

Windows 

versions required for CPM Client 7 

versions required for CPM Server 7 

Windows NT, installing CPM Server on 16

User Guide - WatchGuard Technologies

Create successful ePaper yourself

Delete template?

Save as template?