User Guide - WatchGuard Technologies
Central Policy Manager<br />
Guide<br />
Central Policy Manager 4.0
Notice to Users<br />
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are<br />
fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means,<br />
electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.<br />
Copyright, Trademark, and Patent Information<br />
Copyright© 1998 - 2002 WatchGuard Technologies, Inc. All rights reserved.<br />
Firebox, Firebox 1000, Firebox 2500, Firebox 4500, Firebox II, Firebox II Plus, Firebox II FastVPN, Firebox III,<br />
Firebox SOHO, Firebox SOHO|tc, Firebox V100, Firebox V80, Firebox V60, Firebox V10, LiveSecurity,<br />
RapidStream, RapidCore, WatchGuard, WatchGuard Technologies, Inc., AppLock, AppLock/Web, Designing peace of<br />
mind, DVCP technology, Enforcer/MUVPN, FireChip, HackAdmin, HostWatch, LockSolid, RapidCare, SchoolMate,<br />
ServerLock, ServiceWatch, Smart Security. Simply Done., SpamScreen, Vcontroller are either registered trademarks<br />
or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries.<br />
© Hi/fn, Inc. 1993, including one or more U.S. Patents: 4701745, 5016009, 5126739, and 5146221 and other<br />
patents pending.<br />
Microsoft®, Internet Explorer®, Windows® 95, Windows® 98, Windows NT® and Windows® 2000 are either<br />
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.<br />
Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corporation in the United<br />
States and other countries.<br />
RC2 Symmetric Block Cipher, RC4 Symmetric Stream Cipher, RC5 Symmetric Block Cipher, BSAFE, TIPEM, RSA<br />
Public Key Cryptosystem, MD, MD2, MD4, and MD5 are either trademarks or registered trademarks of RSA Data<br />
Security, Inc. Certain materials herein are Copyright © 1992-1999 RSA Data Security, Inc. All rights reserved.<br />
RealNetworks, RealAudio, and RealVideo are either a registered trademark or trademark of RealNetworks, Inc. in the<br />
United States and/or other countries.<br />
Java and all Java-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. in the United<br />
States and other countries. All rights reserved.<br />
© 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.<br />
© 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or<br />
without modification, are permitted provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following<br />
disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following<br />
disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:<br />
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"<br />
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from<br />
this software without prior written permission. For written permission, please contact openssl-core@openssl.org.<br />
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without<br />
prior written permission of the OpenSSL Project.<br />
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software<br />
developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"<br />
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED<br />
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY<br />
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL<br />
PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,<br />
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF<br />
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)<br />
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR<br />
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS<br />
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br />
This product includes cryptographic software written by Eric Young<br />
(eay@cryptsoft.com). This product includes software written by Tim<br />
Hudson (tjh@cryptsoft.com).<br />
ii Central Policy Manager 4.0
© 1995-1998 Eric Young (eay@cryptsoft.com)<br />
All rights reserved.<br />
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).<br />
The implementation was written so as to conform with Netscapes SSL.<br />
This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The<br />
following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the<br />
SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that<br />
the holder is Tim Hudson (tjh@cryptsoft.com).<br />
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is<br />
used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in<br />
the form of a textual message at program startup or in documentation (online or textual) provided with the package.<br />
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the<br />
following conditions are met:<br />
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following<br />
disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:<br />
"This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic'<br />
can be left out if the routines from the library being used are not cryptographic related :-).<br />
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you<br />
must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"<br />
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,<br />
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS<br />
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS<br />
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL<br />
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;<br />
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY<br />
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE<br />
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE<br />
POSSIBILITY OF SUCH DAMAGE.<br />
The licence and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e.<br />
this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]<br />
The mod_ssl package falls under the Open-Source Software label because it's distributed under a BSD-style license. The<br />
detailed license information follows.<br />
Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.<br />
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the<br />
following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following<br />
disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following<br />
disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:<br />
"This product includes software developed by Ralf S. Engelschall for use in the mod_ssl<br />
project (http://www.modssl.org/)."<br />
4. The names "mod_ssl" must not be used to endorse or promote products derived from this software without prior<br />
written permission. For written permission, please contact rse@engelschall.com.<br />
5. Products derived from this software may not be called "mod_ssl" nor may "mod_ssl" appear in their names without<br />
prior written permission of Ralf S. Engelschall.<br />
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software<br />
developed by Ralf S. Engelschall for use in the mod_ssl project (http://www.modssl.org/)."<br />
THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY EXPRESSED OR IMPLIED<br />
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY<br />
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S.<br />
ENGELSCHALL OR HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,<br />
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF<br />
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)<br />
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR<br />
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS<br />
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br />
The Apache Software License, Version 1.1<br />
Copyright (c) 2000 The Apache Software Foundation. All rights reserved.<br />
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the<br />
following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following<br />
disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following<br />
disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment:<br />
"This product includes software developed by the Apache Software Foundation (http://www.apache.org/)." Alternately,<br />
this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally<br />
appear.<br />
4. The names "Apache" and "Apache Software Foundation" must not be used to endorse or promote products derived<br />
from this software without prior written permission. For written permission, please contact apache@apache.org.<br />
5. Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without<br />
prior written permission of the Apache Software Foundation.<br />
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING,<br />
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A<br />
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION<br />
OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,<br />
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE<br />
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER<br />
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT<br />
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,<br />
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br />
This software consists of voluntary contributions made by many individuals on behalf of the Apache Software<br />
Foundation. For more information on the Apache Software Foundation, please see .<br />
Portions of this software are based upon public domain software originally written at the National Center for<br />
Supercomputing Applications, University of Illinois, Urbana-Champaign.<br />
All other trademarks or trade names mentioned herein, if any, are the property of their respective owners.<br />
Part No: 0833-003<br />
Contents<br />
CHAPTER 1 About WatchGuard CPM .......................... 1<br />
About the CPM Server ................................................... 1<br />
About the CPM Client ................................................... 2<br />
Network Scope of CPM .................................................... 2<br />
Types of Appliances Administered with CPM ..................... 2<br />
CPM and WatchGuard/RapidStream security appliances ....... 3<br />
CPM and RapidStream "Secured by Check Point" security appliances ........ 3<br />
CPM and foreign security appliances ................................ 3<br />
CHAPTER 2 Installing or Upgrading CPM Software .... 5<br />
Installing and Setting Up a Firebox Vclass Appliance .......... 5<br />
Where You Can Install CPM Server and Client .................... 6<br />
Requirements for CPM Installation .................................... 7<br />
Server specifics ............................................................ 7<br />
Client specifics ............................................................. 7<br />
Hardware and software specifics ...................................... 8<br />
Java 2 runtime environment .......................................... 10<br />
Obtaining the Site License for CPM ................................ 10<br />
Installing the CPM Server Software ................................. 11<br />
Installing CPM Server on a Windows NT platform .............. 16<br />
Installing CPM Server on a Solaris host ............................ 16<br />
Installing the CPM Client Software .................................. 18<br />
Upgrading from Previous Versions of CPM ....................... 21<br />
Uninstalling the CPM Server or Client .............................. 22<br />
CHAPTER 3 Starting the CPM Client and Server ....... 23<br />
Starting the CPM Client for the First Time ........................ 23<br />
Starting the CPM Client After Initial Log In ....................... 27<br />
Changing Your CPM Client Login Password ..................... 27<br />
If CPM prompts a password change ................................ 28<br />
If you want to replace an existing password ..................... 29<br />
Upgrading your CPM Server License ............................... 30<br />
Stopping the CPM Server ............................................... 32<br />
Stopping CPM Server at the host computer ...................... 32<br />
Shutting down CPM Server at the CPM Client workstation ... 33<br />
Starting or Restarting the CPM Server ............................. 35<br />
CHAPTER 4 Creating CPM Administrator Accounts .. 37<br />
CPM Default Roles ......................................................... 37<br />
Setting Up New Roles (Optional) ..................................... 38<br />
Creating Administrator Accounts ..................................... 41<br />
Completing the Access Setup ......................................... 44<br />
Determining Which Other Administrators Are Online ....... 44<br />
Reserving a CPM Window .............................................. 45<br />
If you can’t reserve a window ......................................... 47<br />
CHAPTER 5 Discovering and Deploying Appliances .49<br />
Before You Begin ........................................................... 50<br />
Discovering A New Appliance ......................................... 50<br />
Deploying Profiles to New Appliances ............................. 51<br />
CHAPTER 6 Mapping your Network in CPM .............. 55<br />
Map Out Your Network on Paper .................................... 55<br />
About the Appliance Manager Window ........................... 56<br />
Transcribing the Map Into CPM ....................................... 57<br />
CHAPTER 7 Creating Appliance Records ................... 61<br />
Creating CPM-Managed Appliance Records .................... 62<br />
Creating Non-CPM–Managed Appliance Records ............ 63<br />
CHAPTER 8 Configuring Appliances for Network Use 69<br />
Getting Started ............................................................. 69<br />
Importing Licenses and Certificates ................................ 70<br />
Obtaining the x.509 certificate ...................................... 72<br />
Importing the new x.509 certificate ................................ 73<br />
To import licenses for extended features ......................... 74<br />
Restoring the Appliance to a Factory-Default State .......... 75<br />
Creating the New Appliance Record ............................... 76<br />
Configuring the Appliance Hardware .............................. 78<br />
Running the CPM Default Policy Wizard .......................... 80<br />
Entering the Security Policies ......................................... 80<br />
Creating the Network Addresses Required ...................... 81<br />
Assembling the CPM Policy Components ........................ 82<br />
Defining the Required Alarms ......................................... 83<br />
Deploying the Profile ..................................................... 83<br />
Compiling the profiles ................................................. 83<br />
Discovering the profile-ready appliances ......................... 84<br />
Deploying profiles to new appliances ............................. 85<br />
Deploying the profiles ................................................. 87<br />
Relocating the Appliance ............................................... 89<br />
Copying a Configuration to New Appliance .................... 90<br />
CHAPTER 9 Completing the Appliance Configuration 93<br />
Running the CPM Default Policy Wizard .......................... 93<br />
If you chose the extended network ................................ 95<br />
If you chose the local network ....................................... 96<br />
Assembling the CPM Policy Components ........................ 98<br />
Assembling a policy from available components ............... 98<br />
CHAPTER 10 Completing the System Configuration 101<br />
Configuring a New WatchGuard Appliance ................... 101<br />
Completing the General Entries ................................... 102<br />
Completing the Interfaces Entries ................................. 103<br />
Completing the Routing Entries .................................... 106<br />
Verifying the routes ................................................... 109<br />
Completing the DNS Entries ......................................... 111<br />
Completing the SNMP Entries ...................................... 112<br />
Completing the Log Settings Entries ............................. 115<br />
Completing the Hacker Prevention Entries ..................... 116<br />
About the High Availability Tab ..................................... 118<br />
About the VLAN Forwarding Tab ................................... 119<br />
Completing the Tunnel Switch Entries ........................... 121<br />
Saving the System Configuration Entries ........................ 122<br />
Importing a New License .............................................. 122<br />
Reviewing the current licenses ..................................... 124<br />
Deleting an out-of-date license .................................... 126<br />
Index .......................................................................... 127<br />
CHAPTER 1<br />
About WatchGuard CPM<br />
Congratulations on your purchase of the WatchGuard Central Policy<br />
Manager (CPM). Using this product, you can simplify policy analysis and<br />
deployment with a central console that lets you manage multiple Firebox<br />
Vclass installations across an entire enterprise infrastructure. This<br />
powerful and highly scalable network management platform offers global<br />
management for large enterprises, data centers, and service providers.<br />
About the CPM Server<br />
The CPM Server software includes a database that stores the<br />
configurations and policies for all appliances while it actively monitors<br />
the status of each appliance, alerting you if problems arise. You can assign<br />
more than one administrator (who would use the CPM Client) to manage<br />
various aspects of the overall task load. WatchGuard recommends that<br />
you install the CPM Server component onto a separate, high-capacity host<br />
computer. You can install both Client and Server onto a single<br />
workstation if your network environment is small and you do not plan to<br />
expand it.<br />
Your authorized client administrative users do not have to be “local” to<br />
participate in the CPM system. If you load VPN policies into the relevant<br />
appliances that permit secure communications between a client<br />
workstation and the server host, remote administrators can carry out<br />
their duties from their own locations.<br />
About the CPM Client<br />
The stand-alone CPM Client application provides the primary access to<br />
the CPM Server. You can install and run the Client on any number of<br />
administrative workstations. After an administrator uses the Client to log<br />
into the CPM Server, he or she can record appliance-specific profiles,<br />
including policies, system configurations, log files, alarms, and activity<br />
monitors. If the administrator has fewer privileges, he or she might only<br />
be able to review the active alarms and clear them.<br />
A large amount of RapidStream or Firebox Vclass appliance-specific<br />
information can be stored in the CPM Server database as appliance-specific<br />
profiles. When needed, you can prompt the database to use its<br />
secure connections to all your appliances to deploy new or updated<br />
profiles.<br />
Network Scope of CPM<br />
You can use CPM to maintain and monitor any number of Firebox Vclass<br />
and RapidStream security appliances both within your local firewall and<br />
outside the firewall. The key requirement is an SSL/HTTPS policy on<br />
each appliance that permits CPM to gain complete access to that<br />
appliance through whatever firewalls may exist between the Server and<br />
that appliance. This includes full-strength gateway security appliances,<br />
internal-use appliances that guard private network assets, and VPN client<br />
appliances, distributed throughout the Internet and serviced by ISPs.<br />
Types of Appliances Administered with CPM<br />
You can administer, monitor, and coordinate network communications<br />
between a number of devices in CPM:<br />
• WatchGuard Firebox Vclass security appliances<br />
• RapidStream appliances<br />
• RapidStream "Secured by Check Point" appliances<br />
• Third-Party security appliances<br />
• "Virtual appliances" that represent VLAN or user domain tenants<br />
associated with an operational appliance<br />
CPM and WatchGuard/RapidStream security appliances<br />
You can use CPM to install and configure the operational profile for any<br />
“factory default” Firebox Vclass appliances from WatchGuard or legacy<br />
appliances manufactured by RapidStream. After the appliances are<br />
deployed and operational, you can monitor and troubleshoot them.<br />
CPM and RapidStream "Secured by Check Point" security appliances<br />
If you are using RapidStream appliances running pre-installed Check<br />
Point software, you can continue to use RapidStream Navigator to<br />
administer the appliances, while using CPM to identify the location of<br />
these appliances for policy-making purposes. (CPM can also be used to<br />
monitor certain SNMP status-indicating communications.)<br />
Because CPM includes a link to RapidStream Navigator, you can integrate<br />
CPM system monitoring with the maintenance of Check Point-preinstalled<br />
security appliances through RapidStream Navigator.<br />
Recording the Check Point appliances in CPM as network assets allows<br />
you to record security policies that govern traffic between the Check<br />
Point devices and Firebox Vclass or RapidStream devices.<br />
CPM and foreign security appliances<br />
You can record all third-party appliances, which include third-party<br />
security appliances or older-model Firebox appliances, as assets in your<br />
extended network. You can then use CPM to configure security policies<br />
for communications between Firebox Vclass appliances and these<br />
third-party appliances.<br />
The following table summarizes all of the CPM management options, by<br />
appliance type:<br />
[Table not reproduced in this copy: CPM management options by appliance type. Legend: (symbol) = via link to RapidStream Navigator]<br />
CHAPTER 2<br />
Installing or Upgrading CPM<br />
Software<br />
This chapter describes how to install or upgrade the two components of<br />
the CPM system: the CPM Server software and the CPM Client<br />
application. Each software installation relies on the use of an<br />
InstallShield Wizard stored on the CD-ROM enclosed with your<br />
manual and software registration. This chapter also covers software<br />
shutdown and removal of CPM software.<br />
Installing and Setting Up a Firebox Vclass Appliance<br />
If you plan to use the WatchGuard CPM system to configure “factory<br />
default” appliances, you must mount, connect, and power up the<br />
appliance before any initial configuration can occur. Use the WatchGuard<br />
Vcontroller Installation Guide that came with your appliances to guide you<br />
through these tasks:<br />
• Mounting the appliance in a network setting<br />
• Connecting the network cabling to the appropriate data interfaces<br />
• Powering up the security appliance<br />
Be sure to mount any new Firebox Vclass appliance in the same subnet as<br />
the CPM Server host computer, so that you can proceed with the full CPM<br />
profile creation and deployment process.<br />
Where You Can Install CPM Server and Client<br />
You can install both CPM Server and CPM Client onto any qualifying<br />
computer, workstation, or host/server. Or you can install the components<br />
onto separate machines; the choice depends upon the following<br />
requirements:<br />
Workstation only<br />
If your workstation CPU processor speed is sufficient, you can<br />
install both server and client software onto a workstation/<br />
desktop computer. WatchGuard recommends installing the CPM<br />
Server onto an auxiliary drive with at least fifty (50) megabytes of<br />
free space.<br />
You can install the CPM Client onto the main drive of the<br />
workstation. It will not increase in size during use.<br />
Workstation/Server<br />
WatchGuard recommends this mode of installation, in which you<br />
install the CPM Server software separately onto a server with an<br />
auxiliary drive or a separate partition that has at least 50 MB in<br />
free space.<br />
You can install the CPM Client onto the main drive of any locally<br />
networked workstation. It will not increase in size during use.<br />
Requirements for CPM Installation<br />
Server specifics<br />
• The computer hosting the CPM Server must be running one of the<br />
following operating systems:<br />
- Sun Solaris, v2.8 (Sparc)<br />
- Microsoft Windows NT, Windows 2000 Professional, or<br />
Windows XP Professional. Do not install Server software onto<br />
any non-NT computers such as Windows 98.<br />
• The computer that will host the CPM Server software should be<br />
located inside a corporate network/firewall.<br />
• The CPM Server software cannot be installed onto more than one host<br />
computer.<br />
• The CPM Server software must have been installed on the host<br />
computer and be currently active before any CPM Client can be<br />
installed and started.<br />
Client specifics<br />
• The workstation (or computer) onto which you’ll be installing the<br />
initial CPM Client must be inside the same corporate network/<br />
firewall as the CPM Server. Any subsequent Client installations (for<br />
other administrators) can be on workstations located either inside or<br />
outside the corporate network/firewall.<br />
• The workstation designated for CPM Client use can be running the<br />
Windows 98/2000/Me/XP operating system.<br />
• You can install the CPM Client application onto multiple<br />
workstations, giving access to as many administrative users as you<br />
want. Although the CPM Server permits multiple logins, a lock-out<br />
feature prevents data manipulation conflicts within appliance<br />
profiles.<br />
• To manage more than one security appliance with CPM, you must<br />
have the appropriate WatchGuard CPM license. This license<br />
determines the number of appliances that you can administer. After<br />
the requisite license is entered during installation (or later, if needed)<br />
the CPM Server can contact and administer the maximum number of<br />
licensed appliances. (If you add more appliances to your network,<br />
you can easily obtain and install an expanded-capacity license.)<br />
• All CPM Clients communicate with the CPM Server database through<br />
a Secure Socket Layer (SSL) connection, whether the client workstation<br />
is located inside or outside the firewall of the corporate network.<br />
If any client applications are intended for use outside the firewall, a<br />
specific SSL connection must be opened through the<br />
firewall. The SSL port can be customized by opening and editing the<br />
cpm_server.conf and cpm_client.conf files.<br />
• If you’ve installed several separate CPM Server software packages,<br />
you can connect to any number of them with the same CPM Client<br />
application. However, you must have an access account for each<br />
server.<br />
• To log into a CPM Server on a separate host computer, you<br />
must have the IP address of that host. Once you have initially logged<br />
in, the CPM Client stores the IP address of this CPM Server host (and<br />
all other subsequent host connections) in its configuration file. This<br />
makes reconnection much more efficient.<br />
NOTE<br />
You can review “About the CPM Configuration Files” in the CPM Policy<br />
and Administration <strong>Guide</strong> for complete details of both the cpm_server.conf<br />
and cpm_client.conf files.<br />
Hardware and software specifics<br />
The following lists provide the current system requirements for both CPM<br />
Server and Client.<br />
CPM Server<br />
Host computer<br />
Any PC-compatible workstation or server with sufficient hard<br />
drive capacity. A standalone server is recommended.<br />
Operating System<br />
Sun Solaris, v2.8 (Sparc)<br />
Windows NT 4.0 Server / NT Workstation (Service Pack 6a),<br />
Windows 2000 Server / 2000 Professional, or Windows XP<br />
Professional.<br />
Processor Type<br />
Pentium II or later version of Pentium CPU<br />
Processor Speed<br />
700 MHz minimum<br />
Memory<br />
256 MB minimum<br />
Hard Disk Space<br />
50 MB minimum (for CPM Server database software)<br />
20 MB minimum (for CPM Client software)<br />
Input Device<br />
CD-ROM or DVD<br />
Network Interface<br />
NICs or embedded network connections<br />
CPM Client<br />
Host Computer<br />
Any desktop computer matching the following qualifications<br />
Operating System<br />
MS Windows 98/ME/XP or NT/2000/XP<br />
Processor Type<br />
Pentium II or later version of Pentium CPU<br />
Processor Speed<br />
500 MHz or faster<br />
Memory<br />
128 MB minimum<br />
Input Device<br />
CD-ROM or DVD<br />
Hard Disk Space<br />
10 MB minimum (for CPM software)<br />
Network Interface<br />
NICs or embedded network connections<br />
Java 2 runtime environment<br />
Both CPM Server and Client require JRE Standard Edition v1.3.1 on their<br />
Microsoft Windows host computers. JRE v1.3.1 will run on most recent<br />
versions of Windows, including Windows 98, NT 4.0, and later. If it is not<br />
present, or if an older version is present, the Installer will detect this state<br />
and alert you. You can then choose to install JRE 1.3.1 at this time, or (if an<br />
older version of JRE is present) retain that older version. However,<br />
<strong>WatchGuard</strong> does not recommend using the older version with CPM.<br />
Obtaining the Site License for CPM<br />
Before you proceed with installation, you must obtain the license for<br />
CPM. To do so, follow these steps:<br />
1 Find the license key certificate that was included with your CPM<br />
package. This item contains the text of a code you must enter at a<br />
particular <strong>WatchGuard</strong> Web site.<br />
2 Use a Web browser to connect to the URL printed on the same card.<br />
3 Make all the relevant entries in that Web page, including your<br />
company’s name and the host name of the computer on which the<br />
CPM Server will be installed.<br />
After you successfully submit the entries:<br />
- You will be automatically sent an email with the license key text.<br />
- The license text will also be displayed in the browser; copy and paste it<br />
into a text file stored on your workstation.<br />
4 After you have obtained the license text and stored it safely on your<br />
workstation, you can proceed with the CPM installations. You won’t<br />
need the license text until you first start the CPM Client and attempt<br />
to log into the CPM Server.<br />
Installing the CPM Server Software<br />
You must install the CPM Server software directly onto the host, whether<br />
it is your administrative workstation or a network-accessible host server.<br />
You cannot perform this installation over a network connection from<br />
another computer.<br />
To install the CPM Server software onto the target host computer, follow<br />
these steps:<br />
1 Take the <strong>WatchGuard</strong> CPM Software CD-ROM out of the package<br />
and insert it into the CD-ROM drive of either the administrative<br />
workstation or the host server.<br />
2 Locate and double-click the CD-ROM drive icon.<br />
NOTE<br />
The CD-ROM may not start automatically on some computers. If this is<br />
the case, open the Run dialog box and enter the CD-ROM drive letter and<br />
setup.exe to start the process.<br />
3 Open the CPM Server folder (inside the Windows folder).<br />
4 Double-click the Server installer icon (Setup.exe).<br />
The CPM Server Setup wizard appears, displaying the initial Welcome screen.<br />
5 Click Next.<br />
The Wizard now displays the text of the <strong>WatchGuard</strong> CPM Server Software<br />
License.<br />
6 Read the complete agreement before proceeding. Click Yes to accept<br />
the terms of the agreement.<br />
7 If you clicked Yes, the Wizard prompts you for a destination<br />
directory, listing a default destination folder and its directory<br />
pathway. <strong>WatchGuard</strong> recommends that you use the default folder.<br />
If you are unsure of the drive location, click Browse to open the Choose Folder<br />
dialog box (shown below) which you can use to locate the computer, drive, and<br />
directory.<br />
8 Click Next to accept the selected drive, path, and directory.<br />
9 The InstallShield Wizard prompts you for a default Program Folder to<br />
install the program icons. <strong>WatchGuard</strong> recommends that you accept<br />
the default location noted in the wizard. Click Next.<br />
NOTE<br />
The CPM Server software (a database) is treated as a service by Microsoft<br />
Windows, and as a result does not have a program folder listed under<br />
Programs in the Start menu. It will be set to start automatically in the<br />
Services dialog box of Control Panel during the installation process.<br />
10 The wizard now loads the archived installer files from the CD-ROM<br />
into the designated drive and directory. All of the CPM Server files<br />
will be stored in the CPM Server directory. Click Next.<br />
11 The Wizard now displays a confirmation message. Click Finish.<br />
A dialog box appears, asking whether you want to start the CPM Server at this<br />
time.<br />
12 Click Yes to proceed.<br />
Installing CPM Server on a Windows NT platform<br />
If you are installing the CPM Server software onto a Windows NT 4.x<br />
computer, the following dialog box appears when you click Finish,<br />
prompting you to restart the CPM Server host.<br />
If you are installing the CPM Server onto a Windows 2000 computer, the<br />
installer will ask you if you want to start the CPM Server. Click OK to do<br />
so. (You do not have to restart the host computer.)<br />
If this is a convenient time to do so, click the button by Yes, and then click<br />
OK to close this dialog box and restart the host server. (If this is not a<br />
convenient time, you can wait until later to restart the host computer.)<br />
This will also start the CPM Server, which, from now on, will be restarted<br />
automatically each time the host server is rebooted.<br />
You can now proceed to install the CPM Client application on a<br />
designated client workstation inside the firewall.<br />
Installing CPM Server on a Solaris host<br />
The following section describes the process of installing the CPM Server<br />
on a Solaris host computer. You must use Solaris v2.8.<br />
To install the CPM Server, follow these steps:<br />
1 Insert the <strong>WatchGuard</strong> CD into the CD-ROM drive. (Under Solaris, the CD<br />
should automatically mount at /cdrom.)<br />
2 Run this command:<br />
cd /cdrom/<br />
3 Now run this command:<br />
./setup.sh<br />
4 During the resulting software installation process, the installer will<br />
ask if you have already installed the latest versions of the Java Runtime<br />
Environment and JDK. If you have done so, you must type “Y”<br />
and then type the pathway to the JRE/JDK directory.<br />
If this is an older version of JDK, the installer will alert you and ask if you prefer to<br />
use it instead of a more recent version. <strong>WatchGuard</strong> recommends you use the most<br />
recent version.<br />
5 If you haven’t installed JRE/JDK, type “N”. The installer will quit, but<br />
when it does, it will provide information on the Sun Web site to<br />
obtain the proper version of JRE/JDK software. (The default JDK<br />
install location is the current user’s home directory; however, you can<br />
type another directory at this time.)<br />
6 When the JDK software has been installed (and any needed Solaris<br />
updates are completed), run this command:<br />
cd /cdrom/watchguard<br />
Then run this command:<br />
./setup.sh<br />
This will restart the installation process.<br />
7 When asked by the installation script to indicate where the JDK is,<br />
type the pathway to that directory.<br />
The installation can now proceed to completion. When installation is complete, you<br />
can launch the CPM Server and start the installation of the CPM Client on a<br />
Microsoft Windows workstation, as detailed in the following section.<br />
If you want others to have access to this new appliance for administrative<br />
or monitoring purposes, you can allow them to install the Vcontroller<br />
software onto their workstations. Prior to their using the Vcontroller, you,<br />
as the System Administrator, should first configure the appliance, and<br />
then use the Vcontroller Account Manager window to set up access<br />
privileges and accounts for each additional user. These configuration and<br />
access management processes are fully detailed in the Vcontroller user<br />
documentation.<br />
NOTE<br />
A script named wgcpmsvr is generated during installation to facilitate starting<br />
CPM Server at boot time. This script can be copied into the /etc/init.d<br />
directory and linked to the various rcX.d directories so that the CPM Server<br />
is started at boot time.<br />
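The boot-time integration described in the NOTE above, as an added example that is not part of the <strong>WatchGuard</strong> guide: a POSIX shell function that copies the generated wgcpmsvr script into /etc/init.d and creates the rcX.d start and kill links, plus a check that every link resolves and that the master copy cannot be modified by other users. The run levels, S/K sequence numbers and the optional root prefix are this example's own assumptions.<br />

```shell
#!/bin/sh
# Added example, not part of the WatchGuard guide: install the wgcpmsvr
# start script that the Solaris installer generates into the System V rc
# directories, so the CPM Server starts at boot and is stopped on shutdown.
# Assumptions (this example's choices, not from the guide): run levels 2/3
# for start, 0/1/S for stop, sequence numbers S99/K10, and an optional
# ROOT prefix so the function can be exercised against a scratch directory.

# install_rc_links SCRIPT [ROOT]
#   SCRIPT  path to the generated wgcpmsvr script
#   ROOT    filesystem root to install under (default: the live system)
install_rc_links() {
    script=$1
    root=${2:-}
    name=$(basename "$script")

    [ -f "$script" ] || { echo "install_rc_links: no such script: $script" >&2; return 1; }

    # Master copy lives in init.d: readable by all, writable only by its
    # owner, so a boot-time service cannot be altered by other local users.
    mkdir -p "$root/etc/init.d" || return 1
    cp "$script" "$root/etc/init.d/$name" || return 1
    chmod 0755 "$root/etc/init.d/$name" || return 1

    # Start links: late in the multi-user run levels (after networking).
    for lvl in 2 3; do
        mkdir -p "$root/etc/rc$lvl.d" || return 1
        ln -sf "../init.d/$name" "$root/etc/rc$lvl.d/S99$name" || return 1
    done
    # Kill links: early when dropping to halt, single-user or firmware level.
    for lvl in 0 1 S; do
        mkdir -p "$root/etc/rc$lvl.d" || return 1
        ln -sf "../init.d/$name" "$root/etc/rc$lvl.d/K10$name" || return 1
    done
}

# rc_links_ok NAME [ROOT]
#   Post-install check: every expected link exists and resolves to an
#   executable script, and the master copy is not group/world writable.
#   Returns 1 on the first problem found.
rc_links_ok() {
    name=$1
    root=${2:-}
    master="$root/etc/init.d/$name"
    [ -x "$master" ] || { echo "missing or non-executable: $master" >&2; return 1; }
    # Permission string from ls -ld: position 6 is group write, 9 is other write.
    case $(ls -ld "$master" | cut -c1-10) in
        ?????w????|????????w?) echo "writable by group/other: $master" >&2; return 1 ;;
    esac
    for link in rc2.d/S99$name rc3.d/S99$name rc0.d/K10$name rc1.d/K10$name rcS.d/K10$name; do
        p="$root/etc/$link"
        [ -L "$p" ] && [ -x "$p" ] || { echo "bad rc link: $p" >&2; return 1; }
    done
    return 0
}
```

Run as root against the live system (`install_rc_links /path/to/wgcpmsvr`), then `rc_links_ok wgcpmsvr` to confirm the links before the next reboot.<br />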
Installing the CPM Client Software<br />
To install the <strong>WatchGuard</strong> CPM Client application on a computer<br />
running Microsoft Windows, follow these steps:<br />
1 Remove the <strong>WatchGuard</strong> CPM Software CD-ROM from the package<br />
and insert it into the CD-ROM drive of your administrative<br />
workstation.<br />
2 Locate and double-click the CD-ROM drive icon.<br />
3 Open the Client folder on the CD (inside the Windows folder).<br />
4 Double-click the CPM Client installer icon (Setup.exe).<br />
After startup is complete, the InstallShield Wizard appears, displaying the<br />
Welcome screen.<br />
5 Click Next to proceed.<br />
The Wizard displays the <strong>WatchGuard</strong> CPM Client Software License Agreement, as<br />
shown below, which you must accept to continue with the installation.<br />
6 Read the complete agreement before proceeding. Click Yes to accept<br />
the terms of the agreement.<br />
7 The Wizard suggests a default destination folder. WatchGuard<br />
recommends using CPM Client as the installation directory. If you<br />
prefer, you can click Browse and enter a new folder. Click Next after<br />
you have selected a location.<br />
8 The Wizard now prompts you for a default Program Folder in which<br />
to install the program icon. <strong>WatchGuard</strong> recommends you use the<br />
default location. Click Next.<br />
After the Wizard completes the installation, it displays a confirmation message.<br />
9 Click Finish.<br />
10 A Question dialog box appears, asking if you would like to start the<br />
CPM Client. Click Yes if you are ready to proceed.<br />
Upgrading from Previous Versions of CPM<br />
If you are already using an earlier version of CPM (version 3.1 or 3.1.1),<br />
you can upgrade to version 4.0 by following the series of steps outlined in<br />
this section.<br />
You must have obtained a new version 4.0 site license (from the<br />
<strong>WatchGuard</strong> Web site) before you proceed with this upgrade, because<br />
CPM Server cannot inherit the previous license. For more information, see<br />
“Obtaining the Site License for CPM” on page 10.<br />
NOTE<br />
If you installed the Server onto a separate computer and have one or more<br />
Clients on other computers/workstations, you should first upgrade the<br />
Server on that machine before upgrading all other installations of the<br />
Client.<br />
To complete the upgrade, follow these steps:<br />
1 Log into the CPM Server (from the root admin workstation).<br />
2 Open the Backup/Restore window and back up your current<br />
database.<br />
3 (Optional) When the backup is complete, stop the "RapidStream CPM<br />
Server" service.<br />
4 Use the Windows Add/Remove Programs dialog box to remove the<br />
CPM Server, and then the CPM Client from your computer.<br />
5 Install the current version of CPM Server, as described in “Installing<br />
the CPM Server Software” on page 11.<br />
6 When asked whether you want to start the CPM Server, click Yes.<br />
7 Start the CPM Client Installer and complete that installation on your<br />
root admin workstation. (For more information, see “Installing the<br />
CPM Client Software” on page 18.)<br />
8 When asked whether you want to start the CPM Client and log into<br />
the Server, click Yes.<br />
9 Use the Login dialog box to connect to the CPM Server.<br />
A dialog box appears, informing you that a valid license is needed.<br />
10 Use the CPM Server Info window that appears automatically to<br />
import the license.<br />
11 When this is complete, you can log into CPM Server and restore the<br />
archived CPM database.<br />
For more information on restoring the archived database, see the CPM Policy and<br />
Administration <strong>Guide</strong>.<br />
Uninstalling the CPM Server or Client<br />
If problems arise and you need to make a clean reinstallation of the CPM<br />
software or remove corrupted files, you must first uninstall the CPM<br />
Client or CPM Server software. To uninstall the software, use the<br />
Windows Add/Remove Program utility.<br />
Before uninstalling, you may want to preserve your existing database<br />
contents, such as appliance configurations and policies. To do so, you<br />
should back up the CPM database files (as described in the CPM Policy<br />
and Administration <strong>Guide</strong>) before proceeding. Removal of the CPM Server<br />
database will delete all of your appliance logs, configurations, and<br />
policies.<br />
CHAPTER 3<br />
Starting the CPM Client and Server<br />
This chapter describes how to start the <strong>WatchGuard</strong> CPM Client and log<br />
into the CPM Server. At this point, the CPM Server should be running, so<br />
you can simply log in with the CPM Client.<br />
Starting the CPM Client for the First Time<br />
If the CPM Server has been installed on a host server with multiple<br />
network interface cards (NICs), you must use the IP address of the NIC<br />
used for the CPM Server as the Server IP address. The CPM Server IP<br />
address is stored in cpm_server.conf, which you can review in “About the<br />
CPM Configuration Files” in the System Administration <strong>Guide</strong>.<br />
The "cpmadmin" username and password give the user full root admin<br />
account access. <strong>WatchGuard</strong> recommends logging in as root<br />
("cpmadmin"), and then immediately using the Account Manager<br />
window to set up a range of other administrator access accounts. This is<br />
described in the next chapter.<br />
To log into the CPM Server, follow these steps:<br />
1 Click Start => Programs => <strong>WatchGuard</strong> CPM Client, or double-click<br />
the <strong>WatchGuard</strong> CPM Client shortcut icon if one was placed on the<br />
Windows desktop.<br />
The CPM login dialog box appears.<br />
2 In the Server IP Name field, type the IP address of the host computer.<br />
(This may also be the IP address of a specific NIC that grants access to<br />
the server partition hosting the CPM Server.)<br />
If the CPM Server is on the same workstation as your Client, you can leave the<br />
default "127.0.0.1" in place and simply fill in your name and password to log in. If<br />
the workstation has multiple NICs and the default address causes problems, use the<br />
IP address of the appropriate NIC instead.<br />
3 In the Name field, type cpmadmin.<br />
4 In the Password field, type cpmadmin.<br />
5 Click Log In to submit the access entries.<br />
If this is your first log-in attempt, an alert dialog box may appear to tell you that<br />
you need to import the basic <strong>WatchGuard</strong> license that allows you to use CPM for<br />
appliance management.<br />
6 Click OK to proceed.<br />
The CPM Server Information window appears (in front of the CPM Console<br />
window), displaying the General Info tab.<br />
7 Locate the license file (a text file that you obtained and saved earlier)<br />
and open it.<br />
8 Copy the contents onto the Clipboard.<br />
9 Close the file.<br />
10 Click Upgrade License in the General Info tab (as indicated in the<br />
previous illustration).<br />
The Upgrade License dialog box appears.<br />
11 Click in the empty text entry area and paste in the license text. Click<br />
OK.<br />
A confirmation dialog box appears, indicating the number of appliances this<br />
license will allow you to manage with CPM.<br />
12 Click OK to close this dialog box.<br />
The dialog box closes and the General Info tab now displays information about the<br />
license.<br />
13 Close this window.<br />
The CPM Console window appears, ready for use.<br />
Starting the CPM Client After Initial Log In<br />
1 Select Start => Programs => <strong>WatchGuard</strong> => CPM.<br />
2 When the Login dialog box appears, enter your account user name<br />
and password and click OK. (Note that CPM will "remember" the IP<br />
address of the Server.)<br />
The Console window appears, ready for use.<br />
Changing Your CPM Client Login Password<br />
You need to change the password used for access to the CPM Server on<br />
two occasions:<br />
• If you have not yet changed the default password since you<br />
completed the original installation. In this case, CPM will prompt you<br />
to make the change.<br />
• If you want to periodically change the password to maintain system<br />
security.<br />
If CPM prompts a password change<br />
If you have never replaced the default password, a dialog box will<br />
eventually recommend that you change the original default “cpmadmin”<br />
password. You must change it by following these steps:<br />
1 When the following dialog box appears, click OK to close it.<br />
The Set Password dialog box appears.<br />
2 Type a new password into both New Password and Confirm<br />
Password text fields.<br />
The password must be between 6 and 16 characters long and use only alphanumeric characters.<br />
NOTE<br />
If you are replacing the main CPM “root admin” password, be sure to<br />
write your new password down and store the note in a safe, accessible<br />
place. If the password is forgotten and lost, all root admin access will be<br />
lost and you will have to uninstall and reinstall the CPM Server, losing all<br />
your settings and entries.<br />
3 Click OK to submit the new password.<br />
A confirmation dialog box appears.<br />
4 Click OK to close this dialog box. Your new password is in effect.<br />
You can continue using CPM during this login session without having to log out<br />
and log back in using the new password.<br />
If you want to replace an existing password<br />
After changing the original password, you should periodically replace the<br />
current password to maintain system security:<br />
1 With the CPM Console active, click CPM Server.<br />
The CPM Server Information dialog box appears.<br />
2 Click Change Password (in the lower-right corner of the General Info<br />
tab).<br />
The Set Password dialog box appears.<br />
3 Type a new password into both New Password and Confirm<br />
Password text fields.<br />
The password must be between 6 and 16 characters long and use only alphanumeric characters.<br />
NOTE<br />
If you are replacing the main CPM “root admin” password, be sure to<br />
write your new password down and store the note in a safe, accessible<br />
place. If the password is forgotten and lost, all root admin access will be<br />
lost and you will have to uninstall and reinstall the CPM Server, losing all<br />
your settings and entries.<br />
4 Click OK to submit the new password.<br />
A confirmation dialog box appears.<br />
5 Click OK to close this dialog box. Your new password is in effect.<br />
You may continue using CPM during this login session without having to log out<br />
and log back in using the new password.<br />
Upgrading your CPM Server License<br />
Two distinct types of licenses are required for full use of CPM:<br />
• The basic CPM Server license (a site license), which controls how<br />
many appliances you can manage with this software<br />
• Separate extended-feature licenses for additional software features<br />
that might be used by the individual appliances, such as high<br />
availability, increased SA capacity, 3DES, or a greater number of<br />
concurrent VPN tunnels<br />
You need the CPM license simply to log into the Server, before you can<br />
license additional features for each appliance.<br />
This section describes how to upgrade your CPM Server license after the<br />
original has expired.<br />
After you obtain the upgrade license (as a text file), follow these steps:<br />
1 Open the file containing the license text.<br />
2 Select and copy all of the text onto the Clipboard.<br />
3 After logging into the CPM Server, click CPM Server in the CPM<br />
Console.<br />
4 When the CPM Server Information dialog box appears, click<br />
Upgrade License.<br />
5 When the Upgrade License dialog box appears, click in the text entry<br />
fields and paste the license text from the Clipboard.<br />
6 Click OK to load this information into the CPM Server database.<br />
If the upgrade is successful, a confirmation dialog box appears. The CPM Server<br />
Information dialog box should now indicate the new number of manageable<br />
appliances.<br />
Stopping the CPM Server<br />
You may want to shut down the CPM Server (an optional step) before<br />
upgrading the Server software. You can shut down the CPM Server in<br />
two ways:<br />
• Using the Services control panel on the host server where the CPM<br />
Server application is installed.<br />
• Using the CPM Client at the CPM Client workstation. You must first<br />
log into the CPM Server as the Root Admin user (using the<br />
“cpmadmin” login name).<br />
Stopping CPM Server at the host computer<br />
This section describes the process for the Microsoft Windows 2000 and XP<br />
operating systems. It is slightly different for Windows NT 4.<br />
1 Select Start => Settings => Control Panel.<br />
2 When the Control Panel opens on the desktop, double-click the<br />
Services icon.<br />
3 When the Services control panel appears, scroll down the list and<br />
select <strong>WatchGuard</strong> CPM Server.<br />
4 Click the square Stop button in the control panel toolbar.<br />
A status dialog box appears.<br />
This dialog box will automatically close after the Service control panel<br />
has completed the shutdown of the <strong>WatchGuard</strong> CPM Server service.<br />
The control panel Status column will be blank, indicating that the<br />
service has stopped.<br />
5 You can now close the Services control panel.<br />
The CPM Server application can now be upgraded or removed from the server.<br />
Shutting down CPM Server at the CPM Client workstation<br />
1 If you have not already done so, start the CPM Client.<br />
2 Log into the CPM Server as the Root Admin user.<br />
3 When the CPM Console appears, click CPM Server.<br />
The CPM Server Information dialog box appears.<br />
4 Click Shutdown (in the lower-right corner of the General Info tab.)<br />
A confirmation dialog box appears.<br />
5 Click Yes to proceed with shutdown.<br />
After an interval, the following information dialog box appears.<br />
6 Click OK.<br />
7 You can now quit (exit) the CPM Client.<br />
Starting or Restarting the CPM Server<br />
This section explains how to start the <strong>WatchGuard</strong> CPM Server<br />
application. This is necessary only during unusual circumstances.<br />
1 Select Start => Settings => Control Panel.<br />
2 When the Control Panel opens on the desktop, double-click the<br />
Services icon.<br />
3 When the Services dialog box opens, scroll down the list until you<br />
locate the <strong>WatchGuard</strong> CPM Server listing.<br />
The Status message should read “Started”. If for some reason the CPM Server has<br />
been shut down, the Status message will read “Stopped”.<br />
4 Select the CPM Server entry and click Start.<br />
Microsoft Windows attempts to start the <strong>WatchGuard</strong> CPM Server. When the<br />
startup is complete, “Started” should appear in the Status column for CPM<br />
Server.<br />
5 You can now close the Control Panel.<br />
The CPM Server is now operational. You can now start the <strong>WatchGuard</strong> CPM<br />
Client and log into the CPM Server as described in a preceding section.<br />
NOTE<br />
If the host server ever needs to be rebooted, the CPM Server will<br />
automatically restart.<br />
CHAPTER 4<br />
Creating CPM Administrator Accounts<br />
Administrative accounts enable users to connect to the CPM Server so<br />
that they can monitor and manage the system to the extent of the group<br />
privileges assigned to them. You have the ability to allow one account<br />
user a wide range of controls over the appliance and policies, while other<br />
account users can be restricted to basic status checks and alarm<br />
monitoring.<br />
To set up the system for multi-user access (with multiple levels of role<br />
privileges), you will do the following:<br />
• Assess the existing default roles, to see if more are needed. (The<br />
default roles should cover most, if not all of your network<br />
management options.)<br />
• (Optional) Create as many additional roles as are needed to establish<br />
precise levels of CPM access.<br />
• Create separate Administrator accounts, for individual users.<br />
CPM Default Roles<br />
CPM is installed with five basic access-privilege roles. Starting with the<br />
lowest role, and proceeding to the highest level, the default roles are:<br />
“Help Desk Staffs”<br />
<strong>User</strong>s have read-only access to all features of CPM.<br />
“MIS Staffs”<br />
<strong>User</strong>s can configure and resolve all alarms, but all other features<br />
are read-only.<br />
“Network Operator”<br />
<strong>User</strong>s can set up and manage appliances and customize new<br />
alarm definitions.<br />
“Network Administrator”<br />
<strong>User</strong>s can create and manage appliance entries, configure new<br />
alarm definitions, and create and deploy policies.<br />
“MIS Admins”<br />
<strong>User</strong>s have the full range of access privileges, including appliance<br />
record entry/configuration and policy creation/deployment.<br />
They can also create new admin accounts.<br />
If these role definitions do not cover all your needs, you can use CPM to<br />
add more roles to the list, or delete any default roles and replace them<br />
with your own combinations of responsibilities.<br />
Setting Up New Roles (Optional)<br />
If you decide that more roles need to be customized for your network<br />
administrative users, you can do so at this time. This section describes the<br />
creation of any additional access-privilege roles.<br />
To start this process, log into the CPM Server and open the CPM<br />
Console, if it is not visible.<br />
1 Click Account.<br />
A shortcut menu appears with three options.<br />
Appliance Configuration (App Cfg)<br />
Can enter new appliance records and then configure and deploy<br />
the needed profile.<br />
Alarm Configuration (Alm Cfg)<br />
Can create any needed custom alarm definitions, whether<br />
individual or global.<br />
Appliance Control (App Clt)<br />
Can monitor and shut down or reboot problematic appliances.<br />
Admin Account Configuration (Adm Cfg)<br />
Can create or change administrative access accounts, including<br />
assignment of privileges.<br />
Policy Configuration (Pcy Cfg)<br />
Has full access to the insertion and deployment of<br />
security policies.<br />
4 To add a new role (if needed), click New (to the right of the Roles list).<br />
The Admin Role Properties dialog box appears, displaying the General tab.<br />
5 Delete the placeholder text in the Role Name text field and type a<br />
name for the role.<br />
A role name should consist of numbers and letters, up to 24 characters in length.<br />
Use hyphens (-), underscores (_), or spaces as separators.<br />
6 (Optional) Type a brief description of this group in the Description<br />
text field.<br />
7 Select the checkbox (one or more) by each privilege you want to<br />
assign to this group. You can combine any of the listed privileges. For<br />
information on each privilege, see the definitions above.<br />
NOTE<br />
You can create a group for each separate level of access privileges, or<br />
create groups that incorporate varying combinations of privileges,<br />
according to your preferences. Give each group only the privileges its<br />
members need for their tasks.<br />
8 Click OK to save your selections.<br />
The Admin Role Properties dialog box closes. When the Administrator Accounts<br />
dialog box becomes visible, it lists your first group entry below the default entries.<br />
9 Repeat the previous process to create any other groups to incorporate<br />
the levels of access privilege you want to assign to your network<br />
administrators.<br />
Creating Administrator Accounts<br />
This section describes how to create an administrator account (which you<br />
can include in one or more of the existing groups). To do so, you should<br />
first determine the following:<br />
• Which people can administer the security appliances<br />
• A login name for each administrator<br />
• The full name of each administrator<br />
• A password for each administrator account<br />
• What role each administrator should undertake<br />
To create a new administrator account, follow these steps:<br />
1 If you have not already opened the Administrator Accounts dialog<br />
box, click Account in the CPM Console.<br />
The Administrator Accounts dialog box appears, listing the groups that have been<br />
previously created.<br />
2 Click New (to the right of the Administrators list).<br />
The Admin Account Properties dialog box appears.<br />
3 In the Login Name text field, type a login name for the administrator.<br />
An administrator name should consist of numbers and letters, up to 24 characters<br />
in length. Use hyphens (-), underscores (_), or spaces as separators.<br />
4 In the Full Name text field, type the full name of the<br />
administrator.<br />
Use only numbers and letters up to 24 characters in length, and use the space bar<br />
for spaces between names.<br />
5 In the Contact Info field, type any relevant contact information<br />
(phone number or email address).<br />
6 To add the group access privileges that you want this administrator to<br />
have, click Add Role.<br />
The Add Group dialog box appears.<br />
7 Make a selection from the listed privilege groups and click OK.<br />
8 Repeat this process to add other groups, if needed. Assign only the<br />
groups the administrator's tasks require.<br />
9 Click Set Password.<br />
The Set Password dialog box appears, displaying the login name for this account in<br />
the title bar.<br />
10 In the New Password text field, type a password for this user account.<br />
Use only alphanumeric characters, between 6 and 16 characters in length.<br />
Because the character set is limited to letters and digits, use the full 16<br />
characters and generate the password randomly; a six-character alphanumeric<br />
password offers little resistance to guessing. Do not reuse an administrator's<br />
password as the CPM-to-appliance password described in Chapter 5.<br />
11 In the Confirm Password text field, reenter the same password.<br />
12 Click OK.<br />
The Set Password dialog box closes and the Admin Account Properties dialog box<br />
reappears.<br />
13 Click OK to close the Admin Account Properties dialog box.<br />
14 Repeat this process to enter all of the anticipated admin access<br />
accounts and to assign them the appropriate group privileges.<br />
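The two procedures above (defining roles, then creating accounts) are modeled in the<br />
following Python, an added example that is not CPM code and not from this guide. It<br />
takes the five privilege names, the four default role names, the name rule (letters and<br />
digits, at most 24 characters, with hyphens, underscores or spaces as separators) and<br />
the password rule (alphanumeric, 6 to 16 characters) from the text. Three things are<br />
assumptions made here: the privilege flags behind each default role, that an<br />
administrator in several groups holds the union of their privileges, and the sample<br />
account list.<br />

```python
"""Checks for the CPM administrator-account rules described in this chapter.

Added example, not part of CPM or of this guide. Privilege names, default
role names and the name/password rules come from the text; the privilege
set behind each default role and the union rule for multi-group accounts
are assumptions.
"""
from __future__ import annotations

import re
import secrets
import string
from dataclasses import dataclass, field

APP_CFG = "App Cfg"  # enter appliance records, configure and deploy profiles
ALM_CFG = "Alm Cfg"  # create custom alarm definitions
APP_CLT = "App Clt"  # monitor, shut down or reboot appliances
ADM_CFG = "Adm Cfg"  # create or change admin accounts and their privileges
PCY_CFG = "Pcy Cfg"  # create and deploy security policies

# Assumed mapping of the default roles to privilege flags (inferred from prose).
DEFAULT_ROLES: dict[str, frozenset[str]] = {
    "MIS Staffs": frozenset({ALM_CFG}),
    "Network Operator": frozenset({APP_CFG, ALM_CFG, APP_CLT}),
    "Network Administrator": frozenset({APP_CFG, ALM_CFG, PCY_CFG}),
    "MIS Admins": frozenset({APP_CFG, ALM_CFG, APP_CLT, ADM_CFG, PCY_CFG}),
}

# Login names, full names and role names: letters and digits, at most 24
# characters, with a single hyphen, underscore or space as a separator.
_NAME_RE = re.compile(r"[A-Za-z0-9]+(?:[-_ ][A-Za-z0-9]+)*")
# Passwords: alphanumeric only, 6 to 16 characters.
_PASSWORD_RE = re.compile(r"[A-Za-z0-9]{6,16}")


def valid_name(name: str) -> bool:
    return len(name) <= 24 and _NAME_RE.fullmatch(name) is not None


def valid_password(password: str) -> bool:
    return _PASSWORD_RE.fullmatch(password) is not None


def generate_password(length: int = 16) -> str:
    """Random password from the allowed alphabet, defaulting to the longest
    length CPM accepts (62**16 is about 95 bits; 62**6 is under 36 bits)."""
    if not 6 <= length <= 16:
        raise ValueError("CPM passwords must be 6 to 16 characters")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class Account:
    login: str
    full_name: str
    groups: list[str] = field(default_factory=list)


def effective_privileges(account: Account,
                         roles: dict[str, frozenset[str]] = DEFAULT_ROLES) -> frozenset[str]:
    """Union of the privileges of every group the account belongs to (assumed rule)."""
    privileges: set[str] = set()
    for group in account.groups:
        privileges |= roles[group]  # KeyError: the group was never defined in CPM
    return frozenset(privileges)


def review(accounts: list[Account],
           roles: dict[str, frozenset[str]] = DEFAULT_ROLES) -> dict[str, list[str]]:
    """Least-privilege review of a planned account list: which logins could
    create further admin accounts, which could deploy policy, and which
    names CPM will reject."""
    report: dict[str, list[str]] = {
        "can_create_admins": [], "can_deploy_policy": [], "invalid_names": []}
    for account in accounts:
        if not (valid_name(account.login) and valid_name(account.full_name)):
            report["invalid_names"].append(account.login)
        privileges = effective_privileges(account, roles)
        if ADM_CFG in privileges:
            report["can_create_admins"].append(account.login)
        if PCY_CFG in privileges:
            report["can_deploy_policy"].append(account.login)
    return report


# Constructed sample accounts (not real users).
SAMPLE_ACCOUNTS = [
    Account("jdoe", "Jane Doe", ["MIS Admins"]),
    Account("ops-night 2", "Night Shift", ["MIS Staffs", "Network Operator"]),
    Account("too_long_login_name_for_cpm", "Some One", ["Network Administrator"]),
]

if __name__ == "__main__":
    for account in SAMPLE_ACCOUNTS:
        print(account.login, sorted(effective_privileges(account)))
    print(review(SAMPLE_ACCOUNTS))
    print("example password:", generate_password())
```

Run the review before you enter accounts: the logins listed under can_create_admins are<br />
the ones that can mint further administrators, which is the privilege to keep rarest.<br />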
Completing the Access Setup<br />
Now that you have defined the access privileges and the administrator<br />
accounts, you can do the following:<br />
• Contact each potential administrator<br />
• Verify that they have installed the CPM Client onto their workstations<br />
• Deliver to each of them an account login name and password (send the<br />
password by a different channel from the login name)<br />
• Define their responsibilities and provide instructions for the<br />
performance of their tasks. (You can distribute the Acrobat file<br />
containing this user guide as a teaching aid to all network<br />
administrators or support staff.)<br />
Determining Which Other Administrators Are Online<br />
CPM provides a way to see which other administrators are online in<br />
active sessions, who has been locked out of particular windows, or who<br />
has locked a particular window. You can also use CPM to view a snapshot<br />
of your current session.<br />
1 Click Account.<br />
A shortcut menu appears.<br />
2 To view a summary of your current CPM administrative session,<br />
select Show My Session.<br />
The My Session Info dialog box appears.<br />
This dialog box summarizes your login information, along with your administrative<br />
group privileges.<br />
3 Click OK to close this dialog box when you are finished.<br />
4 To view a summary of the other administrators actively using CPM,<br />
from the Account shortcut menu, select Show All Sessions.<br />
The All Session Info dialog box appears.<br />
This window lists the following:<br />
- All currently active administrative sessions<br />
- The initial session login time<br />
- The current time<br />
- Whether any active administrator has locked a particular CPM<br />
window (naming the window if it has been locked)<br />
For more information on locking windows, see the next section.<br />
5 If you need to use a locked window and you have the proper<br />
privileges, contact the locking administrator and confer with<br />
them on access to that window.<br />
Reserving a CPM Window<br />
You can reserve the following CPM windows for your exclusive use:<br />
• The Configuration Editor window<br />
• The System Configuration dialog box (on a per-appliance basis)<br />
• The Alarm Definition dialog box (the Alarm Console is not lockable)<br />
• The main Administrative Accounts window<br />
If more than one CPM administrator logs into the CPM Server, the Server<br />
allows the first one who opens one of these four windows to make it<br />
Writable, and to reserve it for his or her own use for as long as is needed.<br />
Other administrators can open these windows with View Only access.<br />
The status of a window is indicated by an icon at the bottom of the window,<br />
either "View Only" or "Writable". Click the icon to toggle the status; the<br />
icon changes accordingly.<br />
If a second administrator needs to have full access, he or she can use the<br />
All Session Info window (from the Account menu) to determine who locked<br />
that window, and then contact that administrator and ask them to change<br />
the access to View Only (which releases the lock).<br />
To lock a window for your own use, follow these steps:<br />
1 Log into the CPM Server.<br />
2 Open any one of these lockable windows:<br />
- Configuration Editor window<br />
- System Configuration dialog box (on a per-appliance basis)<br />
- Alarm Definition dialog box (the Alarm Console is not lockable)<br />
- Administrative Accounts window<br />
3 Click the "View Only" icon at the bottom of the window to change it to<br />
the "Writable" icon.<br />
4 To release the window for another administrator's use, when they<br />
request it, click the "Writable" icon to return it to "View Only".<br />
Once you do, any other administrator with the proper privileges can make<br />
the window "Writable", and you are then prevented from editing in it until<br />
they release it.<br />
If you can't reserve a window<br />
Another administrator may have reserved the window. If this occurs,<br />
a dialog box appears when you try to change "View Only" to<br />
"Writable".<br />
This dialog box notes the user name and the IP address of the<br />
administrative workstation so that you can contact that user and request a<br />
release of the window.<br />
NOTE<br />
If you reserve a window as "Writable" for your exclusive use, remember<br />
that your CPM Client will NOT release that window after a certain<br />
amount of idle time has elapsed. You must manually return the window to<br />
"View Only" before leaving your workstation; otherwise the window stays<br />
locked for every other administrator until you return.<br />
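The reservation rules in this section, as an added Python model that is not CPM code<br />
and not from this guide: four lockable windows, System Configuration reserved per<br />
appliance, the first administrator to make a window Writable holds it, a collision<br />
shows the holder's user name and workstation IP, only the holder releases, and no<br />
idle timeout. The stale-lock report is an operator's check added here, not a CPM<br />
feature, and it assumes you record when each lock was taken; the two administrators<br />
and their addresses are constructed.<br />

```python
"""Model of the CPM window reservation ("View Only" / "Writable") rules.

Added example, not part of CPM or of this guide. Encodes the rules the
section states; the stale-lock report and the lock timestamps it relies on
are assumptions added here.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

LOCKABLE = {"Configuration Editor", "System Configuration",
            "Alarm Definition", "Administrative Accounts"}


@dataclass(frozen=True)
class Holder:
    user: str
    ip: str        # the administrative workstation, as CPM's dialog shows it
    since: datetime


class WindowLocks:
    def __init__(self) -> None:
        self._locks: dict[tuple[str, str | None], Holder] = {}

    @staticmethod
    def _key(window: str, appliance: str | None) -> tuple[str, str | None]:
        if window not in LOCKABLE:
            raise ValueError(f"{window!r} cannot be reserved")
        if window == "System Configuration":
            if appliance is None:
                raise ValueError("System Configuration is reserved per appliance")
            return (window, appliance)
        return (window, None)

    def make_writable(self, window: str, user: str, ip: str, now: datetime,
                      appliance: str | None = None) -> Holder | None:
        """Try to reserve the window. Returns None on success, or the Holder
        that already has it (the user name and IP CPM would display)."""
        key = self._key(window, appliance)
        holder = self._locks.get(key)
        if holder is None:
            self._locks[key] = Holder(user, ip, now)
            return None
        if (holder.user, holder.ip) == (user, ip):
            return None  # already ours
        return holder

    def make_view_only(self, window: str, user: str,
                       appliance: str | None = None) -> bool:
        """Release the window. Only the holder can; nobody else, and no timer."""
        key = self._key(window, appliance)
        holder = self._locks.get(key)
        if holder is None or holder.user != user:
            return False
        del self._locks[key]
        return True

    def all_sessions(self) -> dict[tuple[str, str | None], tuple[str, str]]:
        """What Show All Sessions reports: who has locked which window."""
        return {key: (h.user, h.ip) for key, h in self._locks.items()}

    def stale(self, now: datetime, max_age: timedelta) -> list[tuple[tuple[str, str | None], Holder]]:
        """Locks held longer than max_age. CPM will not expire them; the
        holder must be asked to return the window to View Only."""
        return [(key, h) for key, h in self._locks.items() if now - h.since > max_age]


def scenario() -> dict[str, object]:
    """Constructed walk-through of two administrators sharing one CPM Server."""
    t0 = datetime(2002, 6, 1, 9, 0)
    locks = WindowLocks()
    out: dict[str, object] = {}
    out["first"] = locks.make_writable("Configuration Editor", "jdoe", "10.0.0.5", t0)
    clash = locks.make_writable("Configuration Editor", "asmith", "10.0.0.7",
                                t0 + timedelta(minutes=5))
    out["clash"] = (clash.user, clash.ip) if clash else None
    out["sea"] = locks.make_writable("System Configuration", "jdoe", "10.0.0.5", t0,
                                     appliance="fw-sea-1")
    out["pdx"] = locks.make_writable("System Configuration", "asmith", "10.0.0.7", t0,
                                     appliance="fw-pdx-1")
    sea_clash = locks.make_writable("System Configuration", "asmith", "10.0.0.7", t0,
                                    appliance="fw-sea-1")
    out["sea_clash"] = sea_clash.user if sea_clash else None
    out["release_by_other"] = locks.make_view_only("Configuration Editor", "asmith")
    out["stale_after_8h"] = sorted(key[0] for key, _ in
                                   locks.stale(t0 + timedelta(hours=8), timedelta(hours=1)))
    out["release_by_holder"] = locks.make_view_only("Configuration Editor", "jdoe")
    out["after_release"] = locks.make_writable("Configuration Editor", "asmith", "10.0.0.7",
                                               t0 + timedelta(hours=8))
    return out


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The scenario shows the two points that matter operationally: per-appliance<br />
System Configuration locks on different appliances do not collide, and a lock taken<br />
at 09:00 is still held at 17:00 unless its owner released it.<br />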
CHAPTER 5<br />
Discovering and Deploying Appliances<br />
WatchGuard CPM discovers unconfigured security appliances and then<br />
assigns a temporary IP address that is used while a new profile is<br />
deployed. This profile includes system configurations, settings, and<br />
security policies.<br />
This process involves:<br />
• Creating an appliance record (in CPM Configuration Editor)<br />
• Completing the system configuration of the appliance<br />
• Entering all the necessary settings and policies<br />
• Discovering the appliance, assigning a temporary IP address, and<br />
deploying the profile<br />
• Powering down and disconnecting the appliance<br />
• Shipping it to the service location, connecting it, and powering it up<br />
• Connecting to it with CPM, and beginning system monitoring<br />
If you use Vcontroller (or the CLI) to set up and install security<br />
appliances, the complete profile (configurations and policies) must be<br />
ready to load into the appliance before the discovery process begins.<br />
Before You Begin<br />
Before using CPM to discover an uninstalled or factory default appliance<br />
and then deploy a profile to it, you must have this information ready:<br />
• A temporary IP address, for use in discovery and the initial<br />
deployment<br />
• A unique password that CPM uses to gain access to the appliance<br />
• A basic profile, ready for deployment<br />
• (Optional) A file containing the text of any required X.509 certificates<br />
used in VPN authentication<br />
• (Optional) A file containing extended-feature licensing<br />
NOTE<br />
You cannot discover and deploy a profile to any factory-default appliance<br />
mounted on a network outside the firewall. Instead, you must temporarily<br />
install the appliance inside your local network in the subnet, discover and<br />
preliminarily configure it, set it up for remote CPM access, and then<br />
transport it to the remote site and reinstall it.<br />
Discovering A New Appliance<br />
1 Open the Configuration Editor. Click the Profiles tab.<br />
2 Click Discover (in the tab toolbar.)<br />
The first Discovery dialog box appears on screen.<br />
3 Click Find.<br />
A status dialog box appears during the discovery process. Next, one<br />
of two dialog boxes appears:<br />
- If no devices are found on the network, a Devices Not Found<br />
dialog box appears. Click Find Again, or click Close to close this<br />
dialog box. If the discovery process is unsuccessful, check the<br />
status (on or off) of the appliance and the network connections, and<br />
confirm that the appliance is on the CPM Server's local subnet.<br />
- If locally networked WatchGuard appliances are discovered, the<br />
appliance Discovery window appears.<br />
This window enables you to match up profiles and appliances for deployment.<br />
Deploying Profiles to New Appliances<br />
1 Select an appliance from the list.<br />
2 Click the To Do cell. From the now-active menu, select Set IP.<br />
"Set IP" appears in this cell.<br />
3 Click the Temp IP cell. When it becomes a text entry field, type in the<br />
IP address for use in the deployment process.<br />
4 Click the Mask cell. When it becomes a text entry field, type in the<br />
subnet mask.<br />
5 Click the Associated Appliance cell. From the menu, select the<br />
relevant profile.<br />
6 Click to select the checkbox marked CPM Password.<br />
The Set Password dialog box appears.<br />
7 In both Password fields, type the text of the password that CPM will<br />
use to establish a connection with the appliance. (This is for CPM use;<br />
administrative access passwords serve a separate function and are not<br />
related to this password.)<br />
8 Click OK to save the password.<br />
9 When you have completed the profile entries, click Apply (at the<br />
bottom of the window).<br />
A confirmation dialog box appears.<br />
10 Click OK to proceed.<br />
A "Processing" message appears in the Processing Status column. If the application<br />
is successful, an "Up-to-date" message appears in the Processing Status column.<br />
11 Close the appliance Discovery window.<br />
The Profiles tab now lists this appliance’s profile. The Status column displays<br />
"Needs Deployment.”<br />
12 Select the new appliance/profile record.<br />
13 With this profile still selected, click the Deploy button. (Or, right-click<br />
the appliance record and select Deploy from the shortcut menu.)<br />
A confirmation dialog box appears, to alert you that the primary management IP<br />
address will be changed—and contact lost with this appliance—after deployment is<br />
complete.<br />
14 Click OK to proceed.<br />
CPM now proceeds to deploy the new profile to this appliance, where<br />
it will be immediately put into effect.<br />
- The Status column notes "Deployment started.”<br />
- The Details column notes "Deployment in progress..."<br />
These status messages remain until replaced by the following<br />
combination of messages:<br />
No Contact<br />
Noted in the Status column. This is expected: the appliance is now<br />
using the management address from the deployed profile rather than<br />
the temporary one.<br />
Successful<br />
Noted in the Last Deployed column, along with the date and time<br />
this profile was deployed. This is the key message.<br />
Unable to connect...<br />
Noted in the Details column.<br />
CHAPTER 6<br />
Mapping your Network in CPM<br />
Before you start setting up and configuring your appliances, your first<br />
step is to create a folder hierarchy that represents your current security<br />
appliance distribution and allows you to prioritize appliances.<br />
Map Out Your Network on Paper<br />
Make a list of the following:<br />
• The separate (geographic) sites where appliances are in use–by<br />
country, state, city, or even building or floor<br />
• The network locations in each site where an appliance is in use,<br />
whether as a gateway or for internal traffic management<br />
• The types of security appliances, on a per-manufacturer basis<br />
For example, you might have a top-level set of folders for each city, a<br />
second level of folders for offices in each city, and a third level of folders<br />
for types of appliances at use in those offices.<br />
About the Appliance Manager Window<br />
You use the Appliance Manager window to create your folder hierarchy.<br />
The Appliance Manager is your real-time window into the status of your<br />
Firebox Vclass and RapidStream appliances and the dynamic state of all<br />
network traffic being managed by those appliances.<br />
[Figure: the Appliance Manager window. Callouts mark the Appliance Manager<br />
menus, the Appliance Groups tool bar, the current collection of group folders<br />
(and appliance entries), and a set of buttons that open other CPM windows.]<br />
The left side of the Appliance Manager incorporates these features:<br />
Menus<br />
Provides access to related sets of Appliance Manager features.<br />
Appliance Groups tool bar<br />
Allows you to create, edit, or delete group folders or appliance<br />
entries.<br />
Appliance Groups list area<br />
Provides a listing of groups and appliances in this area.<br />
CPM window buttons<br />
Allows you to open other CPM windows.<br />
The right side of the Appliance Manager incorporates these features:<br />
[Figure: the right side of the Appliance Manager window. Callouts mark the<br />
complete set of Appliance Manager tools and a table listing the appliances in<br />
the selected folder.]<br />
Note that all the appliance rows listed in this table use color and status<br />
messages to highlight the current condition of the appliance and all traffic<br />
involving the appliance.<br />
Transcribing the Map Into CPM<br />
Using Appliance Manager, you can now transcribe this network<br />
information into CPM. This produces a hierarchy that sorts appliances by<br />
site and location or by usage. Be sure to make an entry for every type of<br />
device that exchanges traffic with one of your Firebox Vclass,<br />
RapidStream, or RapidStream Check Point devices:<br />
1 Log into CPM as an MIS Admins user.<br />
2 Open Appliance Manager.<br />
3 Right-click the parent folder in the list and select Add Appliance<br />
Group.<br />
A new folder appears, labelled "Group0". The "(0)" next to the folder name is a<br />
dynamic counter that summarizes how many appliances are stored in each folder<br />
(or in the subfolders inside a parent folder).<br />
4 Right-click this new folder and select Appliance Group Properties.<br />
The Appliance Group Properties dialog box appears.<br />
5 Delete the "group0" text in the Name field and type a name for this<br />
group folder that indicates its purpose.<br />
For example, type a location name, a department, network, or function name, or<br />
the model or type of appliances to be grouped in this folder.<br />
6 (Optional) In the Comments field, type a description of the folder.<br />
7 Click OK.<br />
The folder reappears, displaying a new name.<br />
8 Repeat this process to create a complete set of first-level, site-specific<br />
folders in the Appliance Groups column, as suggested in this<br />
illustration.<br />
9 Create additional levels of new folders inside the site folders (as<br />
suggested below), to represent finer details of your appliance<br />
distribution.<br />
You can make this hierarchy as shallow or as deep as required to help<br />
you visualize your network’s distribution of appliances.<br />
Factors to consider:<br />
- Which appliances are site gateways?<br />
- Which appliances are internal-asset gateways?<br />
- Which appliances are used as VPN clients for remote user<br />
connections? (and should you group them in one folder?)<br />
Your completed hierarchy might resemble the following illustration.<br />
[Figure: a sample hierarchy. Top level: geographic location. Second level:<br />
specific office, department, or group of users. Third level: the actual<br />
appliances.]<br />
CHAPTER 7<br />
Creating Appliance Records<br />
You can now create new records for each type in the Configuration Editor<br />
(or Appliance Manager, depending upon your purposes), and sort them<br />
into the proper folders.<br />
This includes the following categories of appliances:<br />
• RapidStream legacy appliances<br />
• WatchGuard Firebox Vclass appliances<br />
• RapidStream "Secured by Check Point" appliances<br />
• Other models of WatchGuard appliances<br />
• Security appliances from other manufacturers<br />
• Security devices such as OEM devices running third-party firewall/<br />
VPN software<br />
Creating CPM-Managed Appliance Records<br />
You use the Configuration Editor window to create new records for<br />
all the equipment you are managing with CPM. The Configuration<br />
Editor offers these features, organized into tabs.<br />
[Figure: the Configuration Editor window.] The window is organized into these tabs:<br />
• Appliances/Addresses: appliances and addresses<br />
• Services<br />
• IPSec Actions<br />
• QoS Actions<br />
• Schedules<br />
• IKE Proposals<br />
• Policy: assists in creation of complex security policies<br />
• IKE Pairs: assists in configuration of IKE authentication of VPN pairs<br />
• Remote Access: assists in RAS client connection configuration<br />
• Profiles: assists in deploying profiles to appliances<br />
The menu bar varies with the open tab, and a row of buttons opens the other<br />
CPM windows.<br />
Using this window, configure and assemble a complete profile<br />
(configurations, settings, and policies) for each device. To get started, click<br />
New (in the Appliances/Addresses tab toolbar), and select New Appliance.<br />
Fill in the appropriate information in the dialog boxes provided.<br />
Creating Non-CPM–Managed Appliance Records<br />
You might have RapidStream or Firebox V-series appliances that you will<br />
not be managing with CPM but which are integral parts of your network.<br />
You need to enter the appliances in the Appliance Manager for the<br />
following reasons:<br />
• To have them in CPM as network addresses that can be applied to<br />
security policies for traffic between them and your Vclass or<br />
RapidStream appliances.<br />
• To monitor them, to a limited extent, depending upon the SNMP<br />
setup.<br />
Consider entering any appliance that exchanges data traffic with a<br />
RapidStream, RapidStream Check Point, or Firebox Vclass appliance.<br />
To enter all such appliances into CPM’s Appliance Manager, follow these<br />
steps:<br />
1 Select the appropriate group folder.<br />
2 Click the New Appliance button (in the Appliance Groups toolbar).<br />
A Choose Appliance Type dialog box appears.<br />
3 For an appliance or security device manufactured by WatchGuard or<br />
RapidStream, select Firebox V series or RSSA. For a RapidStream<br />
appliance running Check Point software, select Check Point security<br />
software.<br />
4 Click OK.<br />
Depending upon your choice, one of these dialog boxes appears.<br />
Do not use these dialog boxes to enter records for appliances you are configuring<br />
and managing with CPM.<br />
5 Click to select the checkbox marked Open Mgmt Settings. Click OK.<br />
The Mgmt Setting and Password dialog box appears.<br />
6 Review the text in the dialog box, especially the Management Settings<br />
entries:<br />
Management IP<br />
If a number is present, it should represent the IP address of the<br />
interface used by CPM to connect to and manage the appliance.<br />
Serial Number<br />
If this appliance is a Firebox V10 or other security appliance with<br />
a dynamically assigned IP address, the number noted in this area<br />
should be the actual serial number assigned to this appliance (and<br />
"burned into" the appliance firmware).<br />
7 If both are empty, or if the relevant setting is incorrect, click Change<br />
Management Settings.<br />
The [NAME] Mgmt Settings dialog box appears.<br />
8 Click the button by IP Address (usually the default selection). In the<br />
empty text field to the right, type the IP address by which CPM can<br />
have access to this appliance. Or, if an IP address is present, delete it<br />
and type the correct administrative access interface.<br />
For appliances inside your local firewall, the address will be a data interface for<br />
trusted traffic. For appliances outside the firewall, the address will be the public/<br />
untrusted interface.<br />
9 If this appliance record represents an appliance to which the ISP<br />
assigns a network identity by PPPoE or DHCP, click the button by<br />
Serial Number. In the empty text field, type the exact serial number<br />
of the appliance.<br />
10 Click OK to save this entry and close the dialog box.<br />
11 When the Management Settings dialog box reappears, click Change<br />
Password.<br />
The Change Password dialog box appears.<br />
12 In both New Password and Confirm Password fields, type the CPM<br />
access password that was recorded in this appliance when you<br />
inserted the "cpm_access" security policy.<br />
NOTE<br />
If you plan to switch to the Configuration Editor and want to complete the<br />
configuration/profile using those features, note that you can use the<br />
System Configuration window to change these settings at that time.<br />
13 Click OK to save the password and close this dialog box.<br />
14 When the main Management Settings and Password dialog box<br />
reappears, click Close to save your entries and close this dialog box.<br />
A new appliance record appears in the Groups list, with an icon that<br />
identifies it as a WatchGuard Firebox Vclass appliance, a RapidStream<br />
appliance, or a RapidStream Check Point appliance. You can drag this icon<br />
into the proper folder if it's not already in the folder you want.<br />
CHAPTER 8<br />
Configuring Appliances for Network Use<br />
This chapter describes how to use CPM to initialize, configure, and<br />
prepare new security appliances for your network.<br />
Getting Started<br />
To start the process of entering a new appliance record in CPM, follow<br />
these steps:<br />
1 Connect your factory default security appliances (either a new<br />
WatchGuard Firebox Vclass appliance or a legacy RapidStream) to the<br />
subnet shared by the CPM Server.<br />
2 Power up the new appliance. (Start-up takes up to about three<br />
minutes.)<br />
3 Log into the CPM Server, using an account with full appliance-creation<br />
and management privileges (the default MIS Admins role, for example).<br />
4 When the CPM Console appears, you can open either the Appliance<br />
Manager window or the Configuration Editor window, which are<br />
used in the tasks in this chapter.<br />
Importing Licenses and Certificates<br />
If a factory-default security appliance needs an X.509 certificate (for use in<br />
IKE authentication), you must import the certificate contents before<br />
performing the full setup and configuration. Additionally, if you have<br />
certain extended-feature licenses that you've purchased for use in this<br />
appliance, you should import those licenses at this time.<br />
To import licenses and certificates into a factory default security<br />
appliance:<br />
1 Open the Appliance Manager window.<br />
2 Click Discover (in the Appliance Manager toolbar.)<br />
When the first Discovery dialog box appears on screen, click Find.<br />
If locally networked WatchGuard Firebox Vclass devices were discovered, the<br />
Device Discovery window appears.<br />
This window lists any factory default appliances found on your local subnet.<br />
3 Make your selection from the list.<br />
4 Click the To Do cell. From the drop list, select Set IP.<br />
Set IP appears in this cell.<br />
5 Click the Temp IP cell. When it becomes a text entry field, enter a<br />
unique local-subnet IP address for use in the deployment process.<br />
6 Click the Mask cell. When it becomes a text entry field, enter the<br />
subnet mask.<br />
7 Click the Associated Appliance cell to activate the menu. From the<br />
menu, select Create New.<br />
CPM creates a basic WG appliance profile, with a basic configuration.<br />
8 Click to select the CPM Password checkbox.<br />
The Set Password dialog box appears.<br />
9 In both Password fields, enter the CPM password. (This is for CPM<br />
use; administrative use passwords serve a separate function and are<br />
not related to this password.)<br />
10 Click OK to save the password.<br />
11 When you complete the profile entries, click Apply (at the bottom of<br />
the Profiles tab).<br />
A confirmation dialog box appears, asking if you intend to apply all the settings<br />
made in this window.<br />
12 Click OK to proceed.<br />
A "Processing" message appears in the Processing Status column of this window.<br />
If the apply action is successful, a lengthy summary of what was applied appears in<br />
the Processing Status column.<br />
13 Close the Device Discovery window.<br />
The Appliance Manager lists this device and notes its status as up-to-date.<br />
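Before typing into the Temp IP and Mask cells in steps 5 and 6 above (the same<br />
cells as steps 3 and 4 of Deploying Profiles to New Appliances in Chapter 5), it is<br />
worth checking the address with something like the following Python. It is an added<br />
example, not CPM code and not from this guide; CPM does not perform this check<br />
before Apply. The subnet, server address and in-use list are constructed (TEST-NET-1),<br />
and the in-use list stands in for whatever inventory or ARP data you have.<br />

```python
"""Pre-flight check for the Temp IP and Mask cells in the Discovery window.

Added example, not part of CPM or of this guide. The guide requires a
temporary address on the CPM Server's local subnet; this checks that the
address is on that subnet, is not the network or broadcast address, is not
the CPM Server's own address and is not already known to be in use.
"""
from __future__ import annotations

import ipaddress


def check_temp_ip(temp_ip: str, mask: str, cpm_server_ip: str,
                  in_use: tuple[str, ...] | list[str] = ()) -> list[str]:
    """Return the problems with a proposed temporary address; [] means it
    is safe to enter in the Discovery window."""
    try:
        subnet = ipaddress.ip_network(f"{cpm_server_ip}/{mask}", strict=False)
        server = ipaddress.ip_address(cpm_server_ip)
        known = {ipaddress.ip_address(address) for address in in_use}
    except ValueError as exc:
        return [f"bad CPM Server address, mask or in-use list: {exc}"]
    try:
        candidate = ipaddress.ip_address(temp_ip)
    except ValueError as exc:
        return [f"bad temporary IP: {exc}"]

    problems: list[str] = []
    if candidate not in subnet:
        problems.append(f"{candidate} is not on the CPM Server's subnet {subnet}")
    elif candidate in (subnet.network_address, subnet.broadcast_address):
        problems.append(f"{candidate} is the network or broadcast address of {subnet}")
    if candidate == server:
        problems.append(f"{candidate} is the CPM Server's own address")
    if candidate in known:
        problems.append(f"{candidate} is already assigned on this subnet")
    return problems


def suggest_temp_ip(cpm_server_ip: str, mask: str,
                    in_use: tuple[str, ...] | list[str] = ()) -> str | None:
    """First host address on the CPM Server's subnet that passes check_temp_ip."""
    subnet = ipaddress.ip_network(f"{cpm_server_ip}/{mask}", strict=False)
    for host in subnet.hosts():
        if not check_temp_ip(str(host), mask, cpm_server_ip, in_use):
            return str(host)
    return None


# Constructed sample: CPM Server on 192.0.2.10/24, a few addresses in use.
CPM_SERVER = "192.0.2.10"
MASK = "255.255.255.0"
IN_USE = ["192.0.2.1", "192.0.2.2", "192.0.2.10", "192.0.2.77"]

if __name__ == "__main__":
    for candidate in ("192.0.2.50", "192.0.2.77", "192.0.2.255", "10.1.1.5"):
        print(candidate, check_temp_ip(candidate, MASK, CPM_SERVER, IN_USE) or "ok")
    print("suggested:", suggest_temp_ip(CPM_SERVER, MASK, IN_USE))
```

A temporary address that duplicates a live host, or that sits off the CPM Server's<br />
subnet, is the usual reason the Apply step reports anything other than "Up-to-date".<br />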
You can now import the X.509 certificate, along with any extended-feature<br />
licenses.<br />
Obtaining the X.509 certificate<br />
1 Right-click the new appliance record and select Certificate from the<br />
shortcut menu.<br />
When the Certificates dialog box appears, the Certificates tab should be visible.<br />
2 Click Create Request and use the resulting four-stage wizard dialog<br />
box to prepare the X.509 certificate request for the preferred Certificate<br />
Authority (CA).<br />
3 When you are finished with the request (and have copied the text to<br />
the Clipboard), open a Web browser window and connect to the Web<br />
site of the preferred CA.<br />
4 Open the CA site certificate request form and paste this text into the<br />
relevant field.<br />
5 Fill in the other fields.<br />
6 Provide the required payment information.<br />
7 Submit the request, and then close the browser window.<br />
You now wait for the certificate, which the CA returns to you as a text file. When<br />
you receive it, import it into the appliance as described next.<br />
Importing the new X.509 certificate<br />
To import the newly received X.509 certificate:<br />
1 Log into the CPM Server.<br />
2 Open the Appliance Manager window.<br />
3 Right-click the row that represents the appliance that uses this new<br />
certificate. Select Certificate from the shortcut menu.<br />
4 Click Import Certificate/CRL.<br />
5 When the Import dialog box appears, you have two options:<br />
- Use a text editor to open the certificate data file, and then copy and paste<br />
the text contents into the text field in this dialog box.<br />
- Click Load the certificate from a file and use the resulting<br />
dialog box to locate and import the certificate data file.<br />
If the process is successful, the certificate data appears in the Import<br />
Certificate/CRL dialog box’s text field.<br />
6 When the certificate text is present in the dialog box’s text field, click<br />
Import Certificate.<br />
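Certificates and CRLs that arrive from a CA by e-mail come wrapped in headers,<br />
signatures and reflowed lines, and the Import dialog takes pasted text. The following<br />
Python, an added example that is not CPM code and not from this guide, pulls out<br />
each PEM block, rejects bodies that are not clean base64, and checks that the outer<br />
DER SEQUENCE length matches the bytes present, which catches a block truncated or<br />
padded during copy-and-paste. The sample text is constructed; its DER bodies are<br />
minimal SEQUENCEs, not real certificates.<br />

```python
"""Vet certificate or CRL text before pasting it into Import Certificate/CRL.

Added example, not part of CPM or of this guide. Paste hygiene only: it
does not validate signatures, chains or expiry. The sample text below is
constructed and its DER bodies are minimal SEQUENCEs, not certificates.
"""
from __future__ import annotations

import base64
import binascii
import re

_PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_length_ok(der: bytes) -> bool:
    """True if der is one complete DER SEQUENCE: tag 0x30 and a length
    (short or long form) equal to the number of bytes that follow."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def vet_pasted_text(text: str) -> list[tuple[str, str]]:
    """(label, verdict) for each PEM block found: 'ok', 'bad base64' or
    'length mismatch'. Text outside the BEGIN/END lines is ignored."""
    results = []
    for label, body in _PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            results.append((label, "bad base64"))
            continue
        results.append((label, "ok" if der_length_ok(der) else "length mismatch"))
    return results


# Constructed sample: a CA's reply with one good block, one truncated CRL
# (last byte lost) and one block corrupted by a stray character.
_GOOD = base64.b64encode(bytes.fromhex("3006020105020107")).decode()   # SEQUENCE{5,7}
_TRUNCATED = base64.b64encode(bytes.fromhex("30060201050201")).decode()
SAMPLE_TEXT = f"""From: support@ca.example
Subject: Your certificate

-----BEGIN CERTIFICATE-----
{_GOOD}
-----END CERTIFICATE-----

-----BEGIN X509 CRL-----
{_TRUNCATED}
-----END X509 CRL-----

-----BEGIN CERTIFICATE-----
MAYC!QUCAQc=
-----END CERTIFICATE-----
--
Example CA support
"""

if __name__ == "__main__":
    for label, verdict in vet_pasted_text(SAMPLE_TEXT):
        print(f"{label}: {verdict}")
```

This does not confirm that the certificate carries the public key from your request.<br />
Check that before importing, for example by comparing the public key extracted from<br />
the request and from the certificate with the OpenSSL command line.<br />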
CHAPTER 8: Configuring Appliances for Network Use<br />
To import licenses for extended features<br />
1 Right-click the record of the appliance that will use this feature and<br />
select Show License.<br />
The [Appliance Name] License window appears.<br />
2 Click Add.<br />
The Import New License dialog box appears.<br />
3 You have several options:<br />
- Open the license file in a text editor, copy the text onto the<br />
Clipboard, and then paste it into the text area in this dialog box.<br />
- Open a Select License File dialog box. Use this dialog box to<br />
find and open the license file, which places the license text in the<br />
text area of this dialog box.<br />
- Manually transcribe the license text from some open source.<br />
4 Click OK to complete the import.<br />
The newly applied license is listed in the License window.<br />
5 Click OK to close the License window.<br />
The extended-feature license has now been incorporated in the appliance.<br />
Restoring the Appliance to a Factory-Default State<br />
Now that you’ve imported the certificate and licenses into the appliance,<br />
you must restore the appliance to a factory-default state so that you can<br />
proceed with the full CPM profile setup and deployment process.<br />
Because x.509 certificates and licenses are loaded into the appliance at a<br />
level lower than can be administered by the CPM Server, restoring an<br />
appliance to factory-default state will not delete the certificate or license<br />
information.<br />
1 Right-click the appliance record and select Operations => Restore<br />
Default.<br />
A confirmation dialog box appears.<br />
2 Click Yes to proceed.<br />
After a short interval, the status of this appliance will be “out of contact.”<br />
The restored-but-licensed/certified appliance (and the initial CPM<br />
record) is now ready for the full profile deployment process. See<br />
“Configuring the Appliance Hardware” on page 78 to proceed. You can<br />
reuse the existing appliance record, even though the appliance has been<br />
reverted to a blank state.<br />
Creating the New Appliance Record<br />
If you don’t need to import certificates or any extended-feature licenses,<br />
create a new appliance record in the Configuration Editor prior to starting<br />
the configuration process:<br />
1 Open the Configuration Editor.<br />
2 Open the Addresses/Appliances tab (left side), if it is not already<br />
visible.<br />
3 Click New (in Appliance/Addresses tab toolbar), and select New<br />
Appliance from the drop list.<br />
The Add [NAME] Appliance dialog box appears.<br />
4 Delete the placeholder text in the Name field and type a name for this<br />
appliance.<br />
5 Click Blank if this is a new "factory default" appliance.<br />
A new set of appliance-entry menu options appears below.<br />
6 From the Model menu, select the (global) model number of this<br />
appliance.<br />
This menu includes both Firebox Vclass and older RapidStream models.<br />
7 From the Version menu, select the version of <strong>WatchGuard</strong> or<br />
RapidStream operating software installed on the appliance.<br />
Additional operating system options appear if you select a RapidStream model.<br />
8 Click to select the checkbox marked Open System Configuration.<br />
9 Click OK to proceed.<br />
The System Configuration dialog box now appears. For information on completing<br />
this dialog box, see Chapter 10, “Completing the System Configuration.”<br />
Configuring the Appliance Hardware<br />
As an automatic extension of the new appliance entry process, the System<br />
Configuration window allows you to complete the hardware<br />
configurations required by this appliance.<br />
If you are beginning this procedure after restoring an appliance to a<br />
factory-default state, you should first open the Configuration Editor<br />
window before proceeding. Locate the new appliance record in the<br />
Appliances/Addresses tab and right-click it. Select Edit/View, and the<br />
System Configuration window opens.<br />
1 After the System Configuration window appears, fill in the General<br />
tab text fields with appliance-specific information.<br />
2 Open the Timezone menu and select the geographic setting for this<br />
appliance.<br />
3 You can now work through all of the remaining System Configuration<br />
tabs and make the necessary entries. The tabs include the following,<br />
depending upon the security appliance model number.<br />
All appliance models<br />
General (information), Interfaces, Routing, DNS, SNMP, Log<br />
Settings, Hacker Prevention<br />
V80/V100 models<br />
Tunnel Switching, High Availability, VLAN Forwarding<br />
For more information on the tabs and their contents, see Chapter 10,<br />
“Completing the System Configuration.”<br />
Running the CPM Default Policy Wizard<br />
After you’ve completed the initial appliance entry (including<br />
configuration), you should run (or update) the Default Policy Wizard,<br />
which establishes policies for secure administrative communications<br />
between the newly recorded appliance and the CPM Server. For more<br />
information, see “Running the CPM Default Policy Wizard” on page 93.<br />
Entering the Security Policies<br />
The Configuration Editor assists you in the creation of security policies by<br />
organizing many policy “building blocks” into convenient tabs or dialog<br />
boxes.<br />
The tabs to the left in the Configuration Editor are Appliances/Addresses,<br />
Services, IPSec actions, QoS actions, Schedules, and IKE proposals.<br />
The Configuration Editor shortcut menu (which you open by right-clicking<br />
the Action cell in a policy row) provides access to other policy<br />
action options, as shown here.<br />
The tabs to the left of this window comprise catalogs of components that<br />
you can add to or customize before starting on the policy-creation<br />
process. (Each tab contains a default selection of basic items, which you<br />
might find adequate for your use.)<br />
Creating the Network Addresses Required<br />
Note that this appliance has been automatically registered in the<br />
Configuration Editor window as new address entries for the appliance<br />
itself and for each of the data interfaces. You now need to create address<br />
entries associated with this appliance that represent all network entities<br />
behind each of the interfaces. To view the automatic entries:<br />
1 Open the Configuration Editor window.<br />
2 Look in the Appliances/Addresses tab for this new appliance record.<br />
3 Click the toggle to the left of this entry, as shown here.<br />
The record expands to show the automatically generated interface address entries.<br />
Note: These addresses represent the data interface, not the networks behind them.<br />
4 Right-click the appliance entry to open the shortcut menu, and select<br />
New Address.<br />
The Add Address dialog box appears, which you can use to enter the first of any<br />
required network-entity address records for later use in policies. This process is<br />
fully described in the “Cataloging Your Network Addresses” chapter in the CPM<br />
Policy and Administration Guide.<br />
Assembling the CPM Policy Components<br />
After entering the network addresses associated with this appliance, you<br />
should enter the following before compiling policies:<br />
• Any additional, custom services or combined service groups<br />
• Any custom IPSec actions including transforms and proposals<br />
• Any additional, custom QoS actions<br />
• Any pertinent custom schedules<br />
For more information, see Chapter 10, “Completing the Appliance<br />
Configuration.”<br />
Defining the Required Alarms<br />
At this time you can open the CPM Alarm Console and review the default<br />
alarm definitions, and if needed, customize and add new definitions for<br />
use in this appliance. For more information on the alarm definition<br />
process, see the CPM Policy and Administration <strong>Guide</strong>.<br />
Deploying the Profile<br />
After you have completed all of the relevant tasks outlined in this chapter,<br />
you are ready to deploy the resulting profiles to the newly recorded<br />
appliances. This makes the appliances active and enables the monitoring<br />
and maintenance of these appliances.<br />
The deployment process involves this sequence of tasks:<br />
• Using the Profiles tab to discover the appliance<br />
• Assigning the discovered appliance a temporary IP address<br />
• Generating an up-to-date profile (including system configurations,<br />
settings, and security policies)<br />
• Deploying a profile.<br />
Before using CPM to discover an uninstalled ("factory default") appliance<br />
and then deploying a profile to it, you must have the following:<br />
• A temporary IP address, for use in discovery and the initial<br />
deployment<br />
• A unique password that CPM will use to gain access to this appliance<br />
• A basic appliance profile, ready for deployment<br />
Compiling the profiles<br />
NOTE<br />
If the Compile or Deploy buttons (as noted in the following) are not active,<br />
the most likely cause is a missing or erroneous IP address in one of the<br />
listed appliance records. Review the System Configuration window<br />
Interface tab entries for each appliance until you find and correct the<br />
error, at which time you will be able to compile and deploy the profiles.<br />
1 Open the Configuration Editor. Click the Profiles tab.<br />
2 Select any (or all) appliance entries.<br />
3 Click the Compile button (in the tab’s top toolbar).<br />
The profile-compilation process begins, and a status message appears in the Status<br />
column.<br />
After the profiles have been compiled from the database, the Status<br />
column reports one of the following states for each profile entry:<br />
No Contact<br />
The appliance is not in communication with CPM. Use the<br />
Appliance Manager to assess the situation.<br />
Needs Deployment<br />
This profile has been changed since the last deployment, and you<br />
should redeploy the contents to the relevant appliance.<br />
Up to date<br />
The appliance profile has not been changed since the last<br />
deployment and you do not need to redeploy the contents.<br />
If the profile for your new appliance displays "Needs Deployment,"<br />
you can proceed with the discovery/deployment process.<br />
Discovering the profile-ready appliances<br />
1 Click the Profiles tab.<br />
2 Click Discover (in the tab toolbar).<br />
The first Discovery dialog box appears on screen.<br />
3 Click Find.<br />
If locally networked <strong>WatchGuard</strong> devices were discovered, the Device Discovery<br />
window appears.<br />
This window enables you to match up profiles and appliances for deployment.<br />
Deploying profiles to new appliances<br />
1 Select an appliance from the list.<br />
2 Click the To Do cell. From the now-active menu, select Set IP.<br />
"Set IP" appears in this cell.<br />
3 Click the Temp IP cell. When it becomes a text entry field, type in the IP<br />
address for use in the deployment process.<br />
4 Click the Mask cell. When it becomes a text entry field, type in the<br />
subnet mask.<br />
5 Click the Associated Appliance cell. From the menu, select the<br />
relevant profile.<br />
NOTE<br />
If you have not yet created a basic profile including the network identity of<br />
this appliance, you can do so at this time by selecting Create New from<br />
this menu. It opens the Add New Appliance dialog box, which you can use<br />
to create the profile. When finished, make the Profile tab active, select the<br />
profile from this menu, and proceed.<br />
6 Click to select the checkbox marked CPM Password.<br />
The Set Password dialog box appears.<br />
7 In both Password fields, type the text of the password that CPM will<br />
use to establish a connection with the appliance. (This is for CPM use;<br />
administrative use passwords serve a separate function and are not<br />
related to this password.)<br />
8 Click OK to save the password.<br />
9 When you have completed the profile entries, click Apply (at the<br />
bottom of the window).<br />
A confirmation dialog box appears.<br />
10 Click OK to proceed.<br />
A "Processing" message appears in the Processing Status column. If the application<br />
is successful, an "Up-to-date" message appears in the Processing Status column.<br />
11 Close the Device Discovery window.<br />
The Profiles tab now lists this appliance’s profile. The Status column displays<br />
"Needs Deployment," and the Details column displays "Never Deployed."<br />
Deploying the profiles<br />
1 Select the new appliance/profile record.<br />
2 If you want to verify the profile’s readiness, click the now-active<br />
Compile button in the tab’s top toolbar.<br />
The Status column now displays "Compiling" (while the Details column displays<br />
"Profile compilation in progress..."). When profile generation is complete, the<br />
Status column displays "Compilation done".<br />
3 With this compiled profile still selected, click the Deploy button. (Or,<br />
right-click the appliance record and select Deploy.)<br />
NOTE<br />
If the Deploy button is not active, the most likely cause is a missing or<br />
erroneous IP address in an appliance record. Review the System<br />
Configuration window Interface tab entries for each appliance until you<br />
find and correct the error, at which time you can deploy the profiles.<br />
A confirmation dialog box appears, to alert you that the primary management IP<br />
address will be changed—and contact lost with this appliance—after deployment is<br />
complete.<br />
4 Click OK to proceed.<br />
CPM now proceeds to deploy the new profile to this appliance, where<br />
it will be immediately put into effect.<br />
- The Status column notes “Deployment started.”<br />
- The Details column notes "Deployment in progress..."<br />
These status messages remain until replaced by the following<br />
combination of messages:<br />
No Contact<br />
As noted in the Status column.<br />
Successful<br />
As noted in the Last Deployed column, along with the date and<br />
time this profile was deployed. This is the key message.<br />
Unable to connect...<br />
As noted in the Details column.<br />
Relocating the Appliance<br />
At this time, you can power down the appliance and disconnect it, prior<br />
to shipping it to its service location.<br />
After it is delivered to its location, the appliance should be connected to<br />
the appropriate networks and then powered up.<br />
A few minutes after power-up is complete and the Ready LED on the<br />
appliance is lit solidly (not blinking), you can use CPM to remotely<br />
establish contact with the device, for all future monitoring and<br />
maintenance. To do so, follow these steps:<br />
1 After logging into CPM (if you’ve not already done so), open the<br />
Appliance Manager window.<br />
2 Locate the appliance record in the group folder and select it.<br />
The appliance entry appears in the table to the right, shaded Green (for "in contact<br />
with CPM"). The Status column should read "Normal".<br />
NOTE<br />
In certain circumstances, a minor alarm will be triggered and the<br />
appliance row will be Yellow. You can simply open the Appliance Detail<br />
dialog box to get an accurate reading of the appliance’s status, as noted in<br />
the remainder of this section.<br />
3 Double-click the appliance row.<br />
The Appliance Detail dialog box appears.<br />
4 Review the Availability indicator, highlighted above. It should be<br />
green, and should display “Contacted.” The Interface/Port indicators<br />
should list the proper IP addresses and be green.<br />
5 If the row is yellow, you can now open the Alarm Console window<br />
and review or clear any minor alarms that were triggered during the<br />
initial contact phase. This restores the row to green and changes the<br />
Status message to “In contact.”<br />
You’ve successfully configured and deployed a working appliance.<br />
Copying a Configuration to New Appliance<br />
Among the time-saving techniques in CPM, you may find this setup<br />
technique to be most helpful. This configuration shortcut allows you to<br />
create new appliance records, bypass the manual entries, and copy the<br />
configuration from a matching model of appliance. You can then quickly<br />
fine-tune this new configuration for the new appliance.<br />
1 Create and deploy a complete profile for a factory default appliance;<br />
for example, a V80.<br />
2 When you need to create a profile for a second V80, open the Add<br />
[NAME] Appliance dialog box.<br />
3 Delete the placeholder text in the Name field and type the name<br />
assigned to this appliance.<br />
4 Click Copy From (as highlighted above). (Do not click Blank.)<br />
An Appliance menu appears below, listing all the current appliances.<br />
5 From this Appliance menu, select the original V80 appliance entry.<br />
6 Click OK.<br />
The System Configuration window now appears, containing all the copied settings.<br />
7 You can make any changes necessary to the General and Interfaces<br />
tab contents, relevant to this new appliance.<br />
8 Make any necessary changes to the other tabs that apply to this<br />
appliance.<br />
9 Click OK when you are finished.<br />
The new appliance record appears in the Appliances/Addresses tab of the<br />
Configuration Editor (and a new record automatically appears in the Appliance<br />
Manager window, including address entries for the principal data interfaces).<br />
CHAPTER 9<br />
Completing the Appliance Configuration<br />
After you’ve completed the initial appliance entry (including<br />
configuration), you should run (or update) the Default Policy Wizard.<br />
This process establishes policies for secure administrative<br />
communications between the newly recorded appliance and the CPM<br />
Server.<br />
Running the CPM Default Policy Wizard<br />
1 Open the Configuration Editor window, if it has not already been<br />
opened.<br />
2 From the Policy menu, select Wizards => Create CPM Default<br />
Policies.<br />
The Policy Wizard appears.<br />
This initial wizard displays two topology drawings:<br />
- The one on the left shows an extended network with the CPM<br />
system connected to a gateway appliance, through which it is<br />
connected to other appliances through the Internet (outside the<br />
local firewall).<br />
- The one on the right shows a local network with the CPM<br />
system connected to a collection of appliances, all inside the local<br />
firewall.<br />
3 Click either drawing, depending upon which topology your network<br />
matches. Click Next.<br />
If you chose the extended network<br />
If you clicked the extended network drawing, the following screen<br />
appears.<br />
1 From the Appliance menu, select the appliance acting as your local<br />
firewall gateway.<br />
2 In the IP Address field, type the IP address of your CPM Server.<br />
NOTE<br />
If the host computer for the CPM Server software has more than one<br />
interface (usually when several NICs are in use), you should enter the IP<br />
address configured previously for the CPM Server, which is recorded in<br />
the cpm_server.conf file in the installation directory.<br />
3 If your external connection does not use dynamic NAT, and your host<br />
computer has its own IP address, click the DNAT option No button.<br />
(Otherwise, the default connection state is that DNAT is active and<br />
does apply to your CPM host computer’s external connections.)<br />
4 Click Next to proceed.<br />
The next screen appears, summarizing what is about to be accomplished.<br />
5 Review the information, and then click Next to finish the process.<br />
When the policy wizard is finished, the wizard will have closed and<br />
the Policy window will now list two “global” policies:<br />
- An "Allow CPM" policy that permits outgoing CPM HTTPS<br />
traffic, for use in contacting all remote appliances.<br />
- A "Heartbeat Tunnels" policy, for incoming IPSec traffic that<br />
directs the remote appliance’s heartbeats to the CPM Server.<br />
If you chose the local network<br />
If you clicked the right-hand local network drawing, the following screen<br />
appears.<br />
1 Delete any text that might appear in the IP Address field, and type the<br />
IP address of the CPM Server.<br />
NOTE<br />
If the host computer for the CPM Server software has more than one<br />
interface (usually when several NICs are in use), you should enter the IP<br />
address configured previously for the CPM Server, which is recorded in<br />
the cpm_server.conf file in the installation directory.<br />
2 Click Next to proceed.<br />
The final screen appears.<br />
3 Click Next to finish.<br />
When the wizard is finished, it closes and the Policy tab in the<br />
Configuration Editor lists a single new policy that permits SSL traffic<br />
exchanged between all sources, including the management port IP<br />
addresses of the local security appliances.<br />
The Configuration Editor also adds a new "address" entry (named<br />
"Mgmt Ports"), representing all management interfaces for all<br />
appliances.<br />
Assembling the CPM Policy Components<br />
After entering the network addresses associated with this appliance, you<br />
should enter the following before compiling policies out of the CPM<br />
building blocks:<br />
• Any additional, custom Services or combined service groups (along<br />
with the large number of default options)<br />
• Any custom IPSec Actions (including transforms, proposals) (along<br />
with the default options)<br />
• Any additional, custom QoS actions (along with the default options)<br />
• Any pertinent custom Schedules (along with the default options)<br />
Assembling a policy from available components<br />
1 Create a new policy row in the Policies tab.<br />
2 Double-click the Name cell and type a name representing the policy.<br />
3 Drag and drop (or click and select) the Traffic Specification<br />
components:<br />
Source<br />
Drag one or more entries from the Appliance/Addresses tab<br />
Destination<br />
Drag one or more entries from the Appliance/Addresses tab<br />
Service<br />
Drag one or more entries from the Services tab<br />
4 Drag and drop (or click and select) the required Action components:<br />
- Pass, Block, or Reject (the firewall options)<br />
- IPSec (manual key or automatic key VPN actions)<br />
- Bidirectional IPSec/VPN (set after completing a new policy)<br />
- Dynamic NAT (activates DNAT)<br />
- Static NAT (with a menu for directional options)<br />
- Load Balancing<br />
- QoS<br />
- TOS Marking<br />
5 Repeat this process to create policies for other devices.<br />
CHAPTER 10<br />
Completing the System Configuration<br />
The System Configuration dialog box assists in the recording of a<br />
spectrum of appliance-specific options that optimize your appliance for<br />
your specific network environment. You can also use the System<br />
Configuration dialog box to revise existing system settings in operational<br />
appliances, as needed.<br />
Although appliance configurations are immediately stored in the CPM<br />
Server database, they are not put into effect until you deploy a complete<br />
appliance profile to the actual device. Do this after completing the profile,<br />
adding policies, alarm definitions, and log file settings to the profile.<br />
Configuring a New <strong>WatchGuard</strong> Appliance<br />
1 After starting CPM, open the Configuration Editor window.<br />
2 Right-click an appliance record (in the Appliances/Addresses list)<br />
and select Edit/View.<br />
The System Configuration dialog box appears, displaying the General tab.<br />
Completing the General Entries<br />
You can use the General tab to enter a basic set of appliance-informational<br />
entries. To do so, follow these steps:<br />
1 If you accepted the default appliance name in the Add New<br />
Appliance dialog box, you can delete it from the Appliance Name<br />
field and type a more appropriate name at this time.<br />
2 In the Location field, type the location (current or intended) of this<br />
appliance.<br />
The entry can be a city, state, or country name, a building and floor<br />
number, any combinations of these, or a simple identifier such as<br />
“my_office.”<br />
3 In the Contact field, type the name of the person who will be locally<br />
responsible for administration of this appliance, if anyone has been<br />
assigned that responsibility.<br />
4 Click Local Admin if you want to assign a password for use by any<br />
local administrator.<br />
NOTE<br />
This local password will supersede the existing “admin” or "rsadmin"<br />
access password after the initial deployment of CPM-generated<br />
configurations. If anyone needs to use the <strong>WatchGuard</strong> Vcontroller,<br />
RapidStream Manager, or CLI to administer that appliance, he or she<br />
must use this new password. Otherwise, all local access will be obtained<br />
through the CPM Client, as described in an earlier chapter.<br />
The Local Admin Account dialog box appears.<br />
5 In the Local Admin Password text field, type the new password text,<br />
using between 6 and 16 alphanumeric characters.<br />
6 Click OK to save the new settings and close this dialog box.<br />
7 From the Timezone menu, select the time zone for the geographical<br />
location where the appliance will be used.<br />
Completing the Interfaces Entries<br />
When the Interfaces tab appears, you must enter the IP addresses and<br />
network (or subnet) masks for all of the accelerated data interfaces<br />
incorporated into this appliance.<br />
1 Click the Interfaces tab.<br />
The Interfaces tab displays a set of features corresponding to the<br />
specifications of the appliance model number; each model presents a<br />
different set of interface options.<br />
NOTE<br />
The contents of this tab vary according to the model number of the Firebox<br />
Vclass appliance. For example, configuring a V10 requires different entries<br />
from those of a V80, as shown here.<br />
This illustration shows the Interface options for a V80 model.<br />
2 In each pair of interface-specific text fields, enter the IP Address and<br />
Network Mask assigned to that data interface.<br />
3 From the Use [NAME] IP address... menu, select the preferred CPM<br />
management access interface, depending upon the following:<br />
- Select the 0 (private) interface if this appliance is located inside<br />
your current site’s firewall.<br />
- Select the 1 (public) interface if this appliance is or will be<br />
located outside your current site’s firewall.<br />
This option determines which interface will be used by the CPM<br />
Server for connecting to and managing this appliance.<br />
NOTE<br />
If you do not specify a management interface for the CPM Server here,<br />
Invalid Mgmt IP will appear in the status column of the appliance record<br />
when you are finished.<br />
If you need to change the IP address information for any of these<br />
interfaces at a later time, you can do so by reopening this dialog box<br />
tab and making the changes.<br />
4 Click to select the Enable Port-Shaping checkbox if you want to<br />
activate system-wide port shaping for the available port interfaces.<br />
A Detail button appears in the Interfaces tab.<br />
5 Click Detail to open the Specify Port Bandwidth dialog box.<br />
This dialog box allows you to precisely adjust the output/throughput of the<br />
available accelerated data interfaces; values can be entered in either Kbps or Mbps.<br />
6 In each interface-specific field (as needed), type the appropriate<br />
number, according to your selections from the Increment menus.<br />
In most cases, you will want to set bandwidth for the Public port only,<br />
as that network connection will probably be the slowest.<br />
7 From the Use [PORT NAME] menu, select the interface to be used for<br />
CPM management connections (after this appliance has been<br />
relocated).<br />
8 If you want to use CPM to change the management settings for this<br />
appliance according to these interface entries (after the configuration<br />
is deployed), leave the checkbox selected. This ensures that CPM can<br />
do the following:<br />
- Use a new IP address to contact the appliance if the management<br />
interface IP address changes<br />
- Use the appliance’s serial number (embedded in the heartbeat)<br />
to manage the appliance if the designated management interface<br />
of the appliance is dynamically assigned by the ISP<br />
NOTE<br />
If you initially created this appliance record in the Appliance Manager,<br />
and if you opened and used the Management Settings dialog boxes to<br />
enter the CPM access settings, any changes or additions you make at this<br />
time in this dialog box will overwrite the original entries if there is a<br />
conflict. This will not pose a problem to CPM or the appliance.<br />
9 If you don’t want to use these settings, click to clear the checkbox.<br />
10 Click OK to save your entries.<br />
11 Click Apply to save the changes in the Interfaces tab.<br />
Central Policy Manager <strong>Guide</strong> 105
CHAPTER 10: Completing the System Configuration<br />
Completing the Routing Entries<br />
You use the Routing tab to set up static or dynamic routes. If you select<br />
dynamic routing, the options include RIP, RIP version 2, and OSPF. All<br />
routing configurations depend upon the following qualifications:<br />
• The appliance listens on the Private interface, not the Public or DMZ<br />
interfaces<br />
• RIP and RIPv2 run in silent mode, and do not advertise the routes<br />
• OSPF runs in host mode and cannot act as a designated router<br />
• Authentication is only supported for OSPF<br />
To enter the preferred routes, follow these steps:<br />
1 Click the Routing tab.<br />
2 To catalog the first of any static routes that will be used by network<br />
traffic passing through this appliance, click Add.<br />
The Add Route dialog box appears.<br />
3 In the Destination, Network Mask, and Gateway fields, enter the<br />
information necessary for a route.<br />
4 From the Interface/Port menu, select the port used for this route.<br />
5 In the Metric field, type the number of hops in this route.<br />
6 Click OK to close the dialog box and add this route to the tab<br />
contents.<br />
7 Repeat this process to catalog all other static routes.<br />
8 To configure dynamic routing for this appliance, from the Protocol<br />
menu, select a protocol.<br />
The dynamic routing protocol selections include the following:<br />
None<br />
This is the default setting, which remains in effect if you do not<br />
activate dynamic routing.<br />
RIP<br />
This option (Routing Information Protocol)<br />
permits the Firebox Vclass appliance to record routes advertised<br />
by other routers using the RIP protocol.<br />
RIPv2<br />
This option permits the appliance to record routes advertised by<br />
other routers also using the RIPv2 protocol.<br />
OSPF<br />
This option (Open Shortest Path First) activates<br />
additional routing options, which you must customize according<br />
to your preferences.<br />
If you select RIP or RIPv2, no additional features appear. You can<br />
click Apply and then proceed to the DNS tab, as described in<br />
“Completing the DNS Entries” on page 111.<br />
If you select the OSPF protocol, the Area ID and Authentication<br />
Type options become active, as shown here.<br />
9 In the Area ID field, type the appropriate IP address.<br />
10 From the Auth Type menu, select an authentication option from the<br />
following:<br />
None<br />
Requires no authentication.<br />
Simple<br />
Requires a key for authentication.<br />
MD5<br />
Requires both a key identity and the key text for authentication.<br />
11 If you selected Simple as the Auth Type, the Auth. Key<br />
(Authentication Key) text field appears, as shown here. In the Auth.<br />
Key field, type the assigned text of the key.<br />
If you selected MD5 as the Auth Type, the Authentication Key and<br />
Key ID fields appear, as shown here. In the Auth Key field, type the<br />
assigned text of the key. In the Key ID field, type the assigned<br />
number (between 1 and 255) that will identify this key.<br />
12 When you have finished making changes to the Routing tab, click<br />
Apply to save all the new entries.<br />
Verifying the routes<br />
You cannot use CPM to verify static route entries until the appliance has<br />
been relocated to its assigned spot and put in service. At that time you can<br />
verify the routing entries by doing the following:<br />
1 Use CPM to verify that the appliance is in contact.<br />
2 Right-click the appliance (in the Configuration Editor), and select<br />
Edit/View.<br />
3 When the System Configuration window appears, click the Routing<br />
tab.<br />
4 Open the Appliance Manager window.<br />
5 Right-click the same appliance record and select Appliance Details.<br />
6 When the Appliance Details window appears, click the Routing<br />
Table tab.<br />
7 Align the System Configuration and Appliance Details windows so<br />
that you can visually verify that both lists of routes fully match one<br />
another.<br />
If a route is missing in the Appliance Details window, the<br />
corresponding entry in the Routing tab in the System Configuration<br />
window needs to be corrected.<br />
8 Make all the changes necessary in the Routing tab of the System<br />
Configuration dialog box.<br />
9 Regenerate and redeploy that appliance’s profile.<br />
10 Repeat the two-window verification process. After both tabs are the<br />
same, you’ll know the routing tables are identical and in effect.<br />
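The two-window comparison above is done by eye. As an added example (not code from the WatchGuard guide or from CPM), the following Python models the static routes typed into the Routing tab, sanity-checks each entry before the profile is deployed, and then compares the configured set against the route table the appliance reports, listing any configured route the appliance did not install. The appliance's text format parsed by `parse_appliance_table`, the sample routes and the port name `Private` are all constructed for this example.<br />

```python
"""Added example, not code from the WatchGuard guide or the CPM product: model
the Routing-tab static routes, validate each entry, and compare the set against
the route table reported by the appliance (the two-window verification step).
The appliance text format parsed below is an assumption made for this example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    destination: str  # Destination field
    netmask: str      # Network Mask field
    gateway: str      # Gateway field
    interface: str    # Interface/Port menu selection
    metric: int       # Metric field: number of hops


def validate_route(r: StaticRoute) -> list:
    """Return the problems found in one Routing-tab entry; an empty list means OK."""
    problems = []
    try:
        net = ipaddress.ip_network(f"{r.destination}/{r.netmask}", strict=False)
    except ValueError as exc:
        return [f"unparseable destination/mask: {exc}"]
    if str(net.network_address) != r.destination:
        # Host bits are set: the entry will not match the route the appliance installs.
        problems.append(f"destination {r.destination} is not the network address of {net}")
    try:
        ipaddress.ip_address(r.gateway)
    except ValueError:
        problems.append(f"gateway {r.gateway!r} is not an IP address")
    if not r.interface:
        problems.append("no interface/port selected")
    if r.metric < 1:
        problems.append(f"metric {r.metric} is not a positive hop count")
    return problems


def route_key(r: StaticRoute) -> tuple:
    """Normalised identity of a route: (network in CIDR form, gateway)."""
    net = ipaddress.ip_network(f"{r.destination}/{r.netmask}", strict=False)
    return (str(net), str(ipaddress.ip_address(r.gateway)))


def parse_appliance_table(text: str) -> list:
    """Parse constructed lines of the assumed form
    '<network/prefix> via <gateway> dev <port> metric <n>'."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        net = ipaddress.ip_network(fields[0])
        routes.append(StaticRoute(str(net.network_address), str(net.netmask),
                                  fields[2], fields[4], int(fields[6])))
    return routes


def compare_routes(configured: list, live: list) -> dict:
    """Configured routes the appliance did not install, and live routes that
    are not in the configuration."""
    conf_keys = {route_key(r) for r in configured}
    live_keys = {route_key(r) for r in live}
    return {
        "missing_on_appliance": sorted(conf_keys - live_keys),
        "not_in_configuration": sorted(live_keys - conf_keys),
    }


# Constructed sample data: three entries typed into the Routing tab ...
CONFIGURED = [
    StaticRoute("10.20.0.0", "255.255.0.0", "192.168.1.254", "Private", 2),
    StaticRoute("172.16.5.0", "255.255.255.0", "192.168.1.253", "Private", 1),
    StaticRoute("10.30.1.7", "255.255.255.0", "192.168.1.254", "Private", 1),  # host bits set
]
# ... and the table the appliance reports after deployment (constructed).
APPLIANCE_TABLE = """
10.20.0.0/16 via 192.168.1.254 dev Private metric 2
10.30.1.0/24 via 192.168.1.254 dev Private metric 1
"""


def check_deployment():
    """Validate every configured entry and diff the set against the live table."""
    problems = {r.destination: validate_route(r) for r in CONFIGURED}
    diff = compare_routes(CONFIGURED, parse_appliance_table(APPLIANCE_TABLE))
    return problems, diff


if __name__ == "__main__":
    problems, diff = check_deployment()
    for dest, issues in problems.items():
        print(dest, "OK" if not issues else issues)
    print(diff)
```

With the constructed data the 172.16.5.0/24 route is reported as missing on the appliance, which is the case the procedure says must be corrected in the Routing tab and redeployed, while the 10.30.1.7 entry is flagged by the validator even though it normalises to a route the appliance does have.<br />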
Completing the DNS Entries<br />
The Domain Name Server (DNS) tab allows you to catalog all local DNS<br />
servers that might be used by this security appliance.<br />
1 Click the DNS tab.<br />
2 In the Domain Name field, type the domain name used for this<br />
security appliance.<br />
3 To start cataloging the DNS servers, click Insert.<br />
The DNS Server dialog box appears, as shown here.<br />
4 In the blank numeric text field, type the IP address of a DNS server.<br />
5 Click the Add button to save this entry in the DNS Servers list.<br />
6 Repeat this process to record the IP addresses of other DNS servers.<br />
7 If more than one server is listed in this tab, you can shuffle the search<br />
order by choosing a server entry and then clicking the Up or Down<br />
buttons until each server appears in the proper order.<br />
8 When you are finished with the DNS tasks, click Apply to save your<br />
new entries.<br />
Completing the SNMP Entries<br />
The CPM software allows you to assign this security appliance to an<br />
SNMP community, so it can be monitored through SNMP management<br />
stations. You can also configure this appliance so that an SNMP trap will<br />
be sent to management stations when certain alarms are triggered. This<br />
tab assists you in the following:<br />
• Adding needed IP addresses of management stations<br />
• Recording the SNMP community string<br />
• Activating the SNMP trap<br />
NOTE<br />
For a complete list of supported MIBs in the CPM software, open and<br />
review the MIB files that are stored on the CPM CD.<br />
1 Click the SNMP tab.<br />
The Management Stations area (currently empty) lists the IP addresses (one or<br />
more) of all the network management stations that will receive SNMP traps when<br />
generated by this <strong>WatchGuard</strong> appliance.<br />
2 To add a specific management station to this list, click Add.<br />
The SNMP Management Station dialog box appears.<br />
3 Type the station’s IP address in the blank numeric text field.<br />
4 Click the Add button to catalog this management station in the SNMP<br />
tab.<br />
5 If necessary, repeat the SNMP Management Station dialog box<br />
process to record the IP addresses of all other management stations<br />
that will be monitoring this security appliance.<br />
6 If you are going to enable the SNMP trap, in the Community String<br />
field, type the password text that will identify the appliance to the<br />
management station.<br />
7 If you want this security appliance to send any alarm-triggered traps<br />
to the listed management stations, click to select the Enable SNMP<br />
Trap checkbox.<br />
Although no traps will be sent if you deactivate this option, any triggered alarms<br />
will still be logged in the appliance or emailed to the appropriate <strong>WatchGuard</strong><br />
appliance administrator.<br />
8 When you are finished with the SNMP tab, click Apply to save your<br />
new entries.<br />
Completing the Log Settings Entries<br />
1 Click the Log Settings tab.<br />
2 The Settings workspace provides two sets of options, one for each of the<br />
two log types, Traffic and Event:<br />
- Click to select the Enable Traffic Logging checkbox to activate<br />
the <strong>WatchGuard</strong> logging function for all data traffic passed<br />
through this <strong>WatchGuard</strong> appliance.<br />
- Click to select the Enable Event Logging with Log Level<br />
checkbox, and then click the slider below this checkbox and<br />
move it until it is level with the desired logging level.<br />
The slider allows you to include fewer events or more events in your<br />
event log file, depending upon which selection you make. The<br />
“Critical Events only” selection creates a basic log file including only<br />
major events, while the remaining selections below add increasing<br />
amounts of information and detail to the log file.<br />
NOTE<br />
Because the system will purge the contents of the log files when a certain<br />
size is reached (usually a maximum of 200 Kb), the more events you<br />
include the more often the logs will be purged. See the CPM Policy and<br />
Administration <strong>Guide</strong> for more information about appliance logging.<br />
3 When you have finished with the Log Settings tab, click Apply to<br />
save your new entries.<br />
For more information about configuring a syslog server to accurately<br />
store all log files from a range of Firebox Vclass appliances, review the<br />
tech notes available in the <strong>WatchGuard</strong> support Web site.<br />
Completing the Hacker Prevention Entries<br />
1 Click the Hacker Prevention tab.<br />
The Hacker Prevention tab appears, displaying the default values.<br />
2 Select and configure the Denial-of-Service Prevention options.<br />
The following anti-hacker attack options safeguard your servers from<br />
denial-of-service attacks. All such attacks flood your network with<br />
“requests” for information, clogging your servers and possibly<br />
shutting down your site. After you activate these options and set<br />
threshold numbers for this Firebox Vclass appliance, it will prevent<br />
such attacks. If there are more than the specified number of requests<br />
(per second), the security appliance will drop the excess number of<br />
requests within the same second while permitting the acceptable<br />
number of requests to pass through. This will protect your servers<br />
from becoming overwhelmed by too many requests within a short<br />
period of time.<br />
ICMP Flood Attack<br />
Allows you to safeguard your network from a sustained flood of<br />
ICMP pings. You can change the threshold number in the<br />
accompanying text field to a value that will trigger the denial-of-service<br />
protection.<br />
SYN Flood Attack<br />
Allows you to safeguard your network from a sustained flood of<br />
TCP SYN requests without the corresponding ACK response. You<br />
can change the threshold number in the accompanying text field<br />
to a value that will trigger the denial-of-service protection.<br />
UDP Flood Attack<br />
Allows you to safeguard your network from a sustained flood of<br />
UDP packets. You can change the threshold number in the<br />
accompanying text field to a value that will trigger the denial-of-service<br />
protection.<br />
Ping of Death<br />
Safeguards your network from user-defined large data-packet<br />
pings.<br />
IP Source Route<br />
Safeguards your network from a flood of false client IP addresses,<br />
designed to bypass firewall security.<br />
3 Select the Distributed Denial-of-Service Prevention options.<br />
As a subset of denial-of-service attacks, distributed DoS attacks occur<br />
when hackers coordinate a number of “borrowed” computers for<br />
malicious purposes and program them to simultaneously assault a<br />
network with information requests. If allowed to pass through, they<br />
can overwhelm and crash your Web servers.<br />
Per Server Quota<br />
Allows you to safeguard your servers from coordinated denial-of-service<br />
attacks against any single server. You can change the<br />
threshold number in the accompanying text field to a value that<br />
represents the maximum request capacity (per second) of that<br />
server. If there are more than the specified number of connection<br />
requests within a second, the Firebox Vclass appliance will drop<br />
the excess requests within that same second. This will protect<br />
your server from being overwhelmed by too many connection<br />
requests in a short period of time.<br />
Per Client Quota<br />
Restricts the number of connection requests from a single client<br />
within a second. You can change the threshold number in the<br />
accompanying text field to a value that represents the maximum<br />
number of requests (per second) from a single client. If there are<br />
more than the specified number of connection requests within a<br />
second, the Firebox Vclass appliance will drop the excess requests<br />
within that same second.<br />
4 When you have finished with the Hacker Prevention tab, click Apply<br />
to save your new entries.<br />
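The flood thresholds and the Per Server and Per Client quotas described above all work the same way: count requests per second and drop the excess within that same second. As an added example (not code from the WatchGuard guide or from CPM, and not a description of how the appliance implements this internally), the following Python models that logic so you can see how a chosen threshold divides a burst of traffic into passed and dropped packets. The thresholds, addresses and traffic are constructed; the order in which the three counters are consulted, and the choice that packets dropped by a flood threshold are not charged against the quotas, are assumptions of this model.<br />

```python
"""Added example, not code from the WatchGuard guide or the CPM product: a model
of the per-second threshold logic the Hacker Prevention tab describes.  Packets
are counted per wall-clock second; once a counter exceeds its threshold, the rest
of that second's packets are dropped and the counter starts again in the next
second.  Three counters mirror the tab: a flood threshold per protocol (ICMP,
SYN, UDP), the Per Server Quota and the Per Client Quota.  Thresholds and
traffic below are constructed; the counter order is an assumption of the model."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float    # arrival time in seconds
    proto: str  # "icmp", "syn" or "udp"
    src: str    # client address
    dst: str    # server address


@dataclass
class Thresholds:
    flood: dict          # packets per second allowed per protocol, e.g. {"syn": 100}
    per_server: int = 0  # Per Server Quota (requests per second per server), 0 = off
    per_client: int = 0  # Per Client Quota (requests per second per client), 0 = off


class FloodGuard:
    """Stateful per-second counters; decide() returns 'pass' or a drop reason."""

    def __init__(self, th: Thresholds):
        self.th = th
        self.counts = defaultdict(int)  # (counter kind, key, second) -> packets seen

    def _exceeds(self, kind: str, key: str, limit: int, second: int) -> bool:
        if limit <= 0:  # option not enabled: never drop on this counter
            return False
        slot = (kind, key, second)
        self.counts[slot] += 1
        return self.counts[slot] > limit

    def decide(self, p: Packet) -> str:
        sec = int(p.t)
        # Protocol flood check first; packets dropped here are not charged
        # to the server or client quotas (assumed ordering).
        if self._exceeds("flood", p.proto, self.th.flood.get(p.proto, 0), sec):
            return f"drop:{p.proto}-flood"
        if self._exceeds("server", p.dst, self.th.per_server, sec):
            return "drop:per-server-quota"
        if self._exceeds("client", p.src, self.th.per_client, sec):
            return "drop:per-client-quota"
        return "pass"


def run(packets, th: Thresholds) -> dict:
    """Apply the guard to a packet sequence and tally the decisions."""
    guard = FloodGuard(th)
    return dict(Counter(guard.decide(p) for p in packets))


def sample_traffic():
    """Constructed traffic: a SYN burst from one client in second 0, thirty
    distinct clients against one server in second 1, a short ICMP burst in second 2."""
    server = "192.0.2.10"
    pkts = [Packet(0 + i / 1000, "syn", "10.9.9.9", server) for i in range(150)]
    pkts += [Packet(1 + i / 1000, "syn", f"10.0.0.{i + 1}", server) for i in range(30)]
    pkts += [Packet(2 + i / 1000, "icmp", "10.1.1.1", server) for i in range(5)]
    return pkts


SAMPLE_THRESHOLDS = Thresholds(flood={"syn": 100, "icmp": 3, "udp": 500},
                               per_server=20, per_client=10)


if __name__ == "__main__":
    for decision, n in sorted(run(sample_traffic(), SAMPLE_THRESHOLDS).items()):
        print(f"{decision:24s} {n}")
```

Running the sample shows the trade-off the tab asks you to make when picking thresholds: in second 1 the thirty distinct clients stay under the Per Client Quota, yet ten of them are still dropped by the Per Server Quota of 20, so a quota set below a server's real capacity drops legitimate requests as readily as hostile ones.<br />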
About the High Availability Tab<br />
The High Availability tab appears only if the model of Firebox Vclass<br />
appliance being configured incorporates one or more HA interfaces. High<br />
Availability (HA) allows you to set up a system that activates an almost<br />
instantaneous replacement of a primary appliance with a secondary<br />
appliance in the event of system failure. This identically profiled<br />
secondary appliance will take over all traffic control in place of the failed<br />
primary appliance.<br />
You can also use this feature to establish an Active-Standby HA pairing.<br />
<strong>WatchGuard</strong> recommends bypassing this tab for now and undertaking<br />
this process at a more convenient time. To learn how to set up an HA<br />
system with this appliance, see the CPM Policy and Administration <strong>Guide</strong>.<br />
About the VLAN Forwarding Tab<br />
Your network may include a number of VLANs (either classic VLAN or<br />
multi-tenant domains). As a result, you may need to create security<br />
policies to route traffic between two separate domains that use the same<br />
VLAN switch. In such a situation, which is known as “VLAN<br />
forwarding,” you can enter such inter-VLAN policies in CPM, but you<br />
must activate the related hardware functionality beforehand, as described<br />
in this section.<br />
VLAN forwarding is a feature built into certain Firebox Vclass models.<br />
This function is inactive by default. As the example in the following<br />
illustration shows, VLAN forwarding enables you to use a CPM Client<br />
workstation in VLAN 1 to connect through the local gateway appliance<br />
and to manage another security appliance assigned to VLAN 3, which<br />
entails inter-VLAN connections.<br />
To activate the VLAN forwarding components of a Firebox appliance,<br />
follow these steps:<br />
1 Open the System Configuration window for the designated appliance.<br />
2 Click the VLAN Forwarding tab.<br />
If this tab is not visible, the selected Firebox model does not incorporate VLAN-forwarding<br />
capabilities.<br />
3 Click to select the checkbox marked Enable inter-VLAN forwarding.<br />
4 Click Apply. Click OK to close the window.<br />
After you deploy this revised profile, the appliance will be ready for inter-VLAN<br />
communications.<br />
Completing the Tunnel Switch Entries<br />
If this model of security appliance incorporates Tunnel Switch hardware<br />
functionality, the Tunnel Switch tab appears in the System<br />
Configuration dialog box. You can use this tab to enable the hardware<br />
features. After that, you must set up the policies required to enact<br />
tunnel switching with qualifying data streams.<br />
1 Click the Tunnel Switch tab.<br />
2 Click to select the checkbox marked Enable Tunnel Switch if you<br />
want to enable these features.<br />
3 Click Apply to save this change to the configuration.<br />
You can now save all your new configuration entries and close the<br />
System Configuration dialog box. For more information about tunnel<br />
switching configuration and setup, see the CPM Policy and<br />
Administration <strong>Guide</strong>.<br />
Saving the System Configuration Entries<br />
After you have completed the settings in the System Configuration<br />
dialog box for this appliance, click OK. This will save all the entries and<br />
close the dialog box.<br />
Importing a New License<br />
You can import the text of extended-feature licenses into CPM. You must<br />
first purchase and obtain the license text. With the text on-hand (or stored<br />
temporarily on the Clipboard), you can use the CPM License window to<br />
import the text into the relevant appliance. For more information about<br />
licensing additional features and capacity in your Firebox Vclass<br />
appliance, visit the <strong>WatchGuard</strong> Web site.<br />
1 Open the Appliance Manager window.<br />
2 Right-click the appropriate appliance record, and select Show<br />
License.<br />
The [Appliance Name] License window appears.<br />
3 Click Add.<br />
The Import License dialog box appears.<br />
4 You have several options:<br />
- Open the license file in a text editor, copy the text onto the<br />
Clipboard, and then paste it into the text area in this dialog box.<br />
- Open a Select License File dialog box and use it to find and<br />
open the license file, which places the license text in the text area<br />
of this dialog box.<br />
- Manually transcribe the text of the license into this dialog box<br />
from an open source.<br />
5 Click OK.<br />
The license is listed in the Licenses window.<br />
6 Click OK to close the License window.<br />
The extended-feature license has now been incorporated in the appliance.<br />
Reviewing the current licenses<br />
If you have already configured an active appliance and want to review<br />
the extended-feature licenses previously imported into the appliance,<br />
follow these steps:<br />
1 Right-click an appliance record in the Appliance Manager window<br />
and select Show Licenses.<br />
The [Appliance Name] Licenses window appears, listing any licenses present in this<br />
appliance.<br />
2 To review the complete set of active features, click Show Active<br />
Features.<br />
The Active Features dialog box appears.<br />
This dialog box shows the feature names, the capacity (dictated by the current<br />
license) and the expiration date.<br />
3 When you are finished reviewing the contents, click Close to close the<br />
dialog box.<br />
4 To review the actual text of a license, double-click the license entry in<br />
the License window.<br />
The License Detail dialog box appears, displaying the license text.<br />
This text cannot be copied and applied to any other appliances,<br />
because it is linked to the serial number hard-coded into the<br />
appliance.<br />
Deleting an out-of-date license<br />
You can remove old or out-of-date licenses from this appliance by<br />
following these steps:<br />
1 Open the License window.<br />
2 Select an expired license and click Delete.<br />
A confirmation dialog box appears.<br />
3 Click OK to confirm.<br />
The license entry is erased from the window.<br />
Index<br />
A<br />
Active Features dialog box 125<br />
Add Address dialog box 82<br />
Add Appliance dialog box 77, 90<br />
Add Group dialog box 43<br />
Add Route dialog box 107<br />
addresses, creating required 81<br />
Admin Account Properties dialog box 42<br />
Admin Role Properties dialog box 40<br />
Administrative Access dialog box 41<br />
administrator accounts<br />
creating new 41<br />
described 37<br />
Administrator Accounts dialog box 39<br />
administrators, seeing which are online 44<br />
alarms 83<br />
All Session Info dialog box 45<br />
Appliance Detail dialog box 89<br />
Appliance Group Properties dialog box 58<br />
Appliance Manager<br />
described 56<br />
features of 56<br />
using to create folder hierarchy 57<br />
using to create non-CPM managed records 63<br />
appliances<br />
activating tunnel switching hardware 121<br />
configuring for network use 69–91<br />
configuring hardware for 78<br />
configuring interfaces 104<br />
configuring local DNS server connections 111<br />
configuring local SNMP workstation connections 113<br />
configuring routes 106<br />
copying configurations to 90<br />
creating records for 61–68, 76<br />
deploying profiles to 51<br />
deploying profiles to new 85<br />
discovering 84<br />
discovering new 50<br />
enabling logging for 115<br />
entering records for 69<br />
installing 5<br />
not managed by CPM 63<br />
relocating 89<br />
requirements for discovering 50<br />
restoring to factory-default state 75<br />
specifying location 102<br />
specifying name 102<br />
specifying time zone 103<br />
types managed by CPM 2<br />
C<br />
certificates<br />
importing 70, 73<br />
obtaining 72<br />
Change Password dialog box 67<br />
Choose Appliance Type dialog box 64<br />
Configuration Editor<br />
described 62<br />
using to create CPM-managed records 62<br />
configurations, copying to new appliances 90<br />
CPM<br />
appliances managed by 2<br />
described 1<br />
hardware and software requirements 7–10<br />
network scope of 2<br />
obtaining site license for 10<br />
system requirements 7–10<br />
upgrading from previous versions 21<br />
CPM Client<br />
changing your CPM Client login password 27<br />
described 2<br />
installing 18–21<br />
installing on a server 6<br />
installing on a workstation 6<br />
starting 23–35<br />
uninstalling 22<br />
CPM Server<br />
described 1<br />
installing 11–17<br />
installing on a server 6<br />
installing on a workstation 6<br />
installing on Solaris host 16<br />
installing on Windows NT 16<br />
restarting the CPM Server 35<br />
starting 23–35<br />
Stopping the server 32<br />
uninstalling 22<br />
upgrading the license 30<br />
CPM Server Information dialog box 31<br />
CPM windows, locking 45<br />
D<br />
Default Policy Wizard<br />
described 93<br />
running 80, 93–97<br />
Denial-of-Service Prevention options 117<br />
dialog boxes<br />
Active Features 125<br />
Add Address 82<br />
Add Appliance 77, 90<br />
Add Group 43<br />
Add Route 107<br />
Admin Account Properties 42<br />
Admin Role Properties 40<br />
Administrative Access 41<br />
Administrator Accounts 39<br />
All Session Info 45<br />
Appliance Detail 89<br />
Appliance Group Properties 58<br />
Change Password 67<br />
Choose Appliance Type 64<br />
CPM login 24<br />
CPM Server Information 31<br />
CPM Server Information (General tab) 29, 34<br />
CPM Server shutdown confirmation 34<br />
Devices Found 51, 85<br />
Discovery 50, 70, 84<br />
DNS Server 111<br />
Import 73<br />
Import Certificate/CRL 73<br />
Import License 123<br />
Import New License 74<br />
Information (CPM Server shut down) 34<br />
License Details 125<br />
Local Admin Password 102<br />
Mgmt Setting and Password 66<br />
My Session Info 44<br />
Password Change Confirmation 28, 30<br />
Select the CRL file 73<br />
Service Control status 33<br />
Set Password 28, 29, 43, 52, 71, 87<br />
SNMP Management Station 113<br />
Specify Port Bandwidth 104<br />
System Configuration 101–126<br />
Upgrade License 31<br />
Discovery dialog box 50, 70, 84<br />
Distributed Denial-of-Service Prevention options 117<br />
DNS Server dialog box 111<br />
DNS servers<br />
cataloging 111<br />
configuring local network connections 111<br />
DNS tab, System Configuration dialog box 111<br />
F<br />
folders, creating hierarchy of 55<br />
G<br />
General tab, System Configuration dialog box 102<br />
H<br />
Hacker Prevention tab, System Configuration dialog box 116<br />
hardware configuration 78<br />
High Availability 118<br />
High Availability tab, System Configuration dialog box 118<br />
I<br />
ICMP Flood Attacks 117<br />
Import Certificate/CRL dialog box 73<br />
Import dialog box 73<br />
Import License dialog box 123<br />
Import New License dialog box 74<br />
Interfaces tab, System Configuration dialog box 103<br />
IP Source Routes 117<br />
J<br />
Java 2, version required for CPM 10<br />
L<br />
License Detail dialog box 125<br />
licenses<br />
deleting 126<br />
for CPM 10<br />
importing 70, 74, 122<br />
reviewing current 124<br />
upgrading the CPM Server license 30<br />
Local Admin Password dialog box 102<br />
Log Settings tab, System Configuration dialog box 115<br />
logging, enabling 115<br />
M<br />
Mgmt Setting and Password dialog box 66<br />
My Session Info dialog box 44<br />
N<br />
network, mapping using Appliance Manager 55<br />
O<br />
OSPF 108<br />
P<br />
passwords<br />
changing the Client login password 27<br />
local admin 102<br />
Per Client Quota 118<br />
Per Server Quota 118<br />
Ping of Death 117<br />
policy components, assembling 98<br />
port shaping, enabling 104<br />
profiles<br />
compiling 83<br />
deploying 83–88<br />
deploying to new appliances 85<br />
described 2<br />
R<br />
RIP 107<br />
RIPv2 108<br />
roles<br />
creating new 38<br />
default 37<br />
routes<br />
setting up 106<br />
verifying 109<br />
Routing tab, System Configuration dialog box 106<br />
S<br />
security policies, creating 80<br />
Set Password dialog box 43, 52, 71, 87<br />
SNMP Management Station dialog box 113<br />
SNMP tab, System Configuration dialog box 113<br />
SNMP traps 112<br />
Specify Port Bandwidth dialog box 104<br />
SSL connection 8<br />
Sun Solaris<br />
installing CPM Server on 16<br />
version required for CPM Server 7<br />
SYN Flood Attacks 117<br />
System Configuration dialog box 101–126<br />
system requirements 7–10<br />
T<br />
time zones 103<br />
Tunnel Switch tab, System Configuration dialog box 121<br />
U<br />
UDP Flood Attacks 117<br />
upgrading CPM 21<br />
V<br />
VLAN forwarding 119<br />
VLAN Forwarding tab, System Configuration dialog box 120<br />
W<br />
Windows<br />
versions required for CPM Client 7<br />
versions required for CPM Server 7<br />
Windows NT, installing CPM Server on 16<br />