WatchGuard Firebox Vclass v5.1 User Guide
WatchGuard® Central Policy Manager User Guide
Central Policy Manager 5.1
Copyright
Copyright © 1998-2003 WatchGuard Technologies, Inc.
All rights reserved.
Notice to Users
Information in this document is subject to change and revision without notice. This documentation and the software described herein is subject to and may only be used and copied as outlined in the Firebox System software end-user license agreement. No part of this manual may be reproduced by any means, electronic or mechanical, for any purpose other than the purchaser’s personal use, without prior written permission from WatchGuard Technologies, Inc.
TRADEMARK NOTES
WatchGuard and LiveSecurity are either trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries. Firebox, ServerLock, DVCP, and Designing peace of mind are trademarks of WatchGuard Technologies, Inc. All other trademarks or trade names mentioned herein, if any, are the property of their respective owners.
Part No: 1200016
WatchGuard Technologies, Inc.
Firebox System Software End-User License Agreement
WatchGuard Central Policy Manager (CPM) End-User License Agreement
IMPORTANT - READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE:
This Central Policy Manager End-User License Agreement ('AGREEMENT') is a legal agreement between you (either an individual or a single entity) and WatchGuard Technologies, Inc. ('WATCHGUARD') for the WATCHGUARD optional software product for the WatchGuard Firebox product you have purchased, which includes computer software components (whether installed separately on a computer workstation or on the WATCHGUARD hardware product) and may include associated media, printed materials, and online or electronic documentation, and any updates or modifications thereto, including those received through the WatchGuard LiveSecurity Service (or its equivalent), (the 'OPTIONAL SOFTWARE PRODUCT'). WATCHGUARD is willing to license the OPTIONAL SOFTWARE PRODUCT to you only on the condition that you accept all of the terms contained in this Agreement. Please read this Agreement carefully. By installing, activating or using the OPTIONAL SOFTWARE PRODUCT you agree to be bound by the terms of this Agreement. If you do not agree to the terms of this AGREEMENT, WATCHGUARD will not license the OPTIONAL SOFTWARE PRODUCT to you, and you will not have any rights in the OPTIONAL SOFTWARE PRODUCT. In that case, promptly return the OPTIONAL SOFTWARE PRODUCT/license key certificate, along with proof of payment, to the authorized dealer from whom you obtained the OPTIONAL SOFTWARE PRODUCT/license key certificate for a full refund of the price you paid.
1. Ownership and License. The OPTIONAL SOFTWARE PRODUCT is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. This is a license agreement and NOT an agreement for sale. All title and copyrights in and to the OPTIONAL SOFTWARE PRODUCT (including but not limited to any images, photographs, animations, video, audio, music, text, and applets incorporated into the OPTIONAL SOFTWARE PRODUCT), the accompanying printed materials, and any copies of the OPTIONAL SOFTWARE PRODUCT are owned by WATCHGUARD or its licensors. Your rights to use the OPTIONAL SOFTWARE PRODUCT are as specified in this AGREEMENT, and WATCHGUARD retains all rights not expressly granted to you in this AGREEMENT. Nothing in this AGREEMENT constitutes a waiver of our rights under U.S. copyright law or any other law or treaty.
2. Permitted Uses. You are granted the following rights to the OPTIONAL SOFTWARE PRODUCT:
(A) You may install and use the OPTIONAL SOFTWARE PRODUCT on that number of WATCHGUARD hardware products (or manage that number of WATCHGUARD hardware products) at any one time as permitted in the license key certificate that you have purchased and may install and use the OPTIONAL SOFTWARE PRODUCT on multiple workstation computers. You must also maintain a current subscription to the WatchGuard LiveSecurity Service (or its equivalent) for each additional WATCHGUARD hardware product on which you will use a copy of an updated or modified version of the OPTIONAL SOFTWARE PRODUCT received through the WatchGuard LiveSecurity Service (or its equivalent).
(B) To use the OPTIONAL SOFTWARE PRODUCT on more WATCHGUARD hardware products than provided for in Section 2(A), you must license additional copies of the OPTIONAL SOFTWARE PRODUCT as required.
(C) In addition to the copies described in Section 2(A), you may make a single copy of the OPTIONAL SOFTWARE PRODUCT for backup or archival purposes only.
3. Prohibited Uses. You may not, without express written permission from WATCHGUARD:
(A) Use, copy, modify, merge or transfer copies of the OPTIONAL SOFTWARE PRODUCT or printed materials except as provided in this AGREEMENT;
(B) Use any backup or archival copy of the OPTIONAL SOFTWARE PRODUCT (or allow someone else to use such a copy) for any purpose other than to replace the original copy in the event it is destroyed or becomes defective;
(C) Sublicense, lend, lease or rent the OPTIONAL SOFTWARE PRODUCT;
(D) Transfer this license to another party unless (i) the transfer is permanent, (ii) the third party recipient agrees to the terms of this AGREEMENT, and (iii) you do not retain any copies of the OPTIONAL SOFTWARE PRODUCT; or
(E) Reverse engineer, disassemble or decompile the OPTIONAL SOFTWARE PRODUCT.
4. Limited Warranty. WATCHGUARD makes the following limited warranties for a period of ninety (90) days from the date you obtained the OPTIONAL SOFTWARE PRODUCT from WATCHGUARD or an authorized dealer:
(A) Media. The disks and documentation will be free from defects in materials and workmanship under normal use. If the disks or documentation fail to conform to this warranty, you may, as your sole and exclusive remedy, obtain a replacement free of charge if you return the defective disk or documentation to us with a dated proof of purchase.
(B) OPTIONAL SOFTWARE PRODUCT. The OPTIONAL SOFTWARE PRODUCT will materially conform to the documentation that accompanies it or its license key certificate. If the OPTIONAL SOFTWARE PRODUCT fails to operate in accordance with this warranty, you may, as your sole and exclusive remedy, return all of the OPTIONAL SOFTWARE PRODUCT and the documentation to the authorized dealer from whom you obtained it, along with a dated proof of purchase, specifying the problems, and they will provide you with a new version of the OPTIONAL SOFTWARE PRODUCT or a full refund, at their election.
Disclaimer and Release. THE WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD, AND YOUR REMEDIES, SET FORTH IN PARAGRAPHS 4, 4(A) AND 4(B) ABOVE ARE EXCLUSIVE AND IN SUBSTITUTION FOR, AND YOU HEREBY WAIVE, DISCLAIM AND RELEASE ANY AND ALL OTHER WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD AND ITS LICENSORS AND ALL OTHER RIGHTS, CLAIMS AND REMEDIES YOU MAY HAVE AGAINST WATCHGUARD AND ITS LICENSORS, EXPRESS OR IMPLIED, ARISING BY LAW OR OTHERWISE, WITH RESPECT TO ANY NONCONFORMANCE OR DEFECT IN THE OPTIONAL SOFTWARE PRODUCT (INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ANY IMPLIED WARRANTY ARISING FROM COURSE OF PERFORMANCE, COURSE OF DEALING, OR USAGE OF TRADE, ANY WARRANTY OF NONINFRINGEMENT, ANY WARRANTY THAT THE OPTIONAL SOFTWARE PRODUCT WILL MEET YOUR REQUIREMENTS, ANY WARRANTY OF UNINTERRUPTED OR ERROR-FREE OPERATION, ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY IN TORT, WHETHER OR NOT ARISING FROM THE NEGLIGENCE (WHETHER ACTIVE, PASSIVE OR IMPUTED) OR FAULT OF WATCHGUARD AND ITS LICENSORS AND ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY FOR LOSS OR DAMAGE TO, OR CAUSED BY OR CONTRIBUTED TO BY, THE OPTIONAL SOFTWARE PRODUCT).
Limitation of Liability. WATCHGUARD'S LIABILITY (WHETHER IN CONTRACT, TORT, OR OTHERWISE; AND NOTWITHSTANDING ANY FAULT, NEGLIGENCE, STRICT LIABILITY OR PRODUCT LIABILITY) WITH REGARD TO THE OPTIONAL SOFTWARE PRODUCT WILL IN NO EVENT EXCEED THE PURCHASE PRICE PAID BY YOU FOR SUCH PRODUCT. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY. IN NO EVENT WILL WATCHGUARD BE LIABLE TO YOU OR ANY THIRD PARTY, WHETHER ARISING IN CONTRACT (INCLUDING WARRANTY), TORT (INCLUDING ACTIVE, PASSIVE OR IMPUTED NEGLIGENCE AND STRICT LIABILITY AND FAULT), FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION) ARISING OUT OF OR IN CONNECTION WITH THIS WARRANTY OR THE USE OF OR INABILITY TO USE THE OPTIONAL SOFTWARE PRODUCT, EVEN IF WATCHGUARD HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY.
5. United States Government Restricted Rights. The OPTIONAL SOFTWARE PRODUCT is provided with Restricted Rights. Use, duplication or disclosure by the U.S. Government or any agency or instrumentality thereof is subject to restrictions as set forth in subdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013, or in subdivision (c)(1) and (2) of the Commercial Computer Software -- Restricted Rights Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer is WatchGuard Technologies, Inc., 505 5th Ave. South, Suite 500, Seattle, WA 98104.
6. Export Controls. You agree not to directly or indirectly transfer the OPTIONAL SOFTWARE PRODUCT or documentation to any country to which such transfer would be prohibited by the U.S. Export Administration Act and the regulations issued thereunder.
7. Termination. This license and your right to use the SOFTWARE PRODUCT will automatically terminate if you fail to comply with any provisions of this AGREEMENT, destroy all copies of the OPTIONAL SOFTWARE PRODUCT in your possession, or voluntarily return the OPTIONAL SOFTWARE PRODUCT to WATCHGUARD. Upon termination you will destroy all copies of the OPTIONAL SOFTWARE PRODUCT and documentation remaining in your control or possession.
8. Miscellaneous Provisions. This AGREEMENT will be governed by and construed in accordance with the substantive laws of Washington excluding the 1980 United Nations Convention on Contracts for the International Sale of Goods, as amended. This is the entire AGREEMENT between us relating to the OPTIONAL SOFTWARE PRODUCT, and supersedes any prior purchase order, communications, advertising or representations concerning the OPTIONAL SOFTWARE PRODUCT AND BY USING THE OPTIONAL SOFTWARE PRODUCT YOU AGREE TO THESE TERMS. IF THE SOFTWARE PRODUCT IS BEING USED BY AN ENTITY, THE INDIVIDUAL INDICATING AGREEMENT TO THESE TERMS REPRESENTS AND WARRANTS THAT (A) SUCH INDIVIDUAL IS DULY AUTHORIZED TO ACCEPT THIS AGREEMENT ON BEHALF OF THE ENTITY AND TO BIND THE ENTITY TO THE TERMS OF THIS AGREEMENT; (B) THE ENTITY HAS THE FULL POWER, CORPORATE OR OTHERWISE, TO ENTER INTO THIS AGREEMENT AND PERFORM ITS OBLIGATIONS UNDER THIS AGREEMENT AND; (C) THIS AGREEMENT AND THE PERFORMANCE OF THE ENTITY'S OBLIGATIONS UNDER THIS AGREEMENT DO NOT VIOLATE ANY THIRD-PARTY AGREEMENT TO WHICH THE ENTITY IS A PARTY. No change or modification of this AGREEMENT will be valid unless it is in writing and is signed by WATCHGUARD.
Contents

CHAPTER 1 About WatchGuard CPM ... 1
CPM Client ... 3
Network Security Basics ... 3
Offline and Online Configuration ... 4
Address Objects in CPM Security Policies ... 6
CPM and Network Configuration ... 10
Types of Appliances Administered with CPM ... 12
CPM and WatchGuard Vclass/RapidStream security appliances ... 12
CPM and RapidStream "Secured by Check Point" security appliances ... 12
Remote appliances running MUVPN ... 13
CPM and third-party security appliances ... 13
About Router Mode and Transparent Mode ... 14
Transparent Mode ... 16
More information ... 17

CHAPTER 2 Installing or Upgrading CPM Software ... 19
Where You Can Install CPM Server and Client ... 19
Installation requirements ... 20
System Requirements for CPM Server
Obtaining the Site License for CPM
System Requirements for CPM Client
Java 2 runtime environment (JRE)
Installing the CPM Server Software
Installing the CPM Client Software
Uninstalling CPM Server or Client
Upgrading from a Previous Version of CPM

CHAPTER 3 Starting the CPM Client and Server ... 37
Starting the CPM Client for the First Time ... 37
Changing Your CPM Client Login Password
If CPM prompts a password change
If you want to replace an existing password ... 42
Starting the CPM Client After Initial Log In ... 44
Stopping the CPM Server ... 46
Stopping CPM Server at the host computer ... 46
Shutting down CPM Server at the CPM Client workstation ... 48
Starting or Restarting CPM Server ... 49

CHAPTER 4 Creating CPM Administrator Accounts ... 51
CPM Default Roles ... 52
Creating Administrator Accounts
Completing the Access Setup ... 58
Reviewing the Current CPM Session ... 58
Determining Which Other Administrators Are Online ... 59
Reserving a CPM Window ... 60
If you can’t reserve a window ... 62

CHAPTER 5 Configuring Appliances for Network Use ... 63
Getting Started ... 64
Installing and Setting Up a Firebox Vclass Appliance ... 64
Adding a new appliance record ... 68
Importing Licenses and Certificates (Optional)
Obtaining the x.509 certificate ... 70
Importing the new x.509 certificate ... 71
Importing licenses for extended features ... 72
Reviewing the current licenses
Deleting an out-of-date license
Restoring the Appliance to a Factory-Default State ... 78
Configuring the Appliance Hardware ... 78
Running the CPM Default Policy Wizard
If you chose the extended network ... 81
If you chose the local network ... 83
Entering the Security Policies
Assembling the CPM Policy Components ... 87
Assembling a policy from available components ... 88
Defining the Required Alarms ... 90
Deploying the profiles ... 91
Relocating the Appliance ... 92

CHAPTER 6 Completing the Appliance Configuration ... 95
Configuring a New WatchGuard Appliance ... 95
Completing the General Entries ... 96
Completing the Interfaces Entries ... 98
Completing the Routing Entries ... 109
Completing the DNS Entries ... 111
Completing the SNMP Entries ... 113
Completing the Log Settings Entries ... 114
Completing the Hacker Prevention Entries ... 117
Completing the High Availability Tab ... 120
Configuration comparison between Active/Standby and Active/ ... 122
Completing the Tunnel Switch Entries ... 125
Completing the VLAN Forwarding Tab ... 127
Completing the NTP Tab ... 129
Completing the Blocked Sites tab
Completing the Advanced tab ... 134
Completing the System Configuration Setup
Reviewing the current licenses

CHAPTER 7 Defining Security Policies in CPM ... 139
Security Policy Components ... 139
Addresses and address groups ... 141
Cataloging Addresses for Use in Policies ... 145
Entering a new RAS address ... 146
Creating a New Policy ... 147
Cataloging Services for Use in Policies
Adding a new protocol ... 151
Combining services in a group ... 153
Applying an existing schedule to a policy ... 155

CHAPTER 8 Using Policy Actions ... 157
Combining Policy Actions ... 157
Blocking and Rejecting Traffic ... 158
About Network Address Translation (NAT) ... 159
Activating Static NAT ... 160
About Load Balancing ... 161
About QoS Actions ... 164
Activating port shaping ... 166
Activating TOS marking ... 167

CHAPTER 9 Defining Proxies in CPM ... 169
In This Chapter ... 170
SMTP proxy ... 171
Rules and rulesets ... 171
General Proxy Configuration ... 173
Using a proxy action in the configuration editor ... 173
Creating a proxy action ... 173
Editing an existing proxy action ... 175
Configuring proxy rules ... 177
Ordering listed rules in a proxy action ... 180
SMTP Proxy ... 203
Reference Sources ... 219

CHAPTER 10 About Virtual Private Networks ... 221
About VPN Policies ... 222
VPN Policies and IPSec Actions
Overview of Creating a VPN ... 225

CHAPTER 11 Creating an Automatic Key IPSec Action ... 229
An Overview of VPN Policies ... 229
Creating a New Automatic Key VPN Policy ... 230
Making a VPN Policy Bi-directional
Customizing an IPSec Action ... 235
Customizing an IPSec proposal using a single transform ... 236
Customizing an IPSec proposal with more than one transform ... 237
Customizing multiple IPSec proposals with one or more transforms ... 240

CHAPTER 12 Creating Remote Access VPN Policies ... 243
Creating a Policy for a Firebox V10 ... 243
Creating the Addresses entries ... 243
Creating the RAS security policy
Generating and deploying profiles ... 245
Creating a Policy for MUVPN Client Software
Creating the RAS address group
Creating the security policy ... 246
Confirming the IKE pair settings ... 246
Confirming the authentication method ... 246

CHAPTER 13 Establishing Tunnel Switching ... 251
About Tunnel Switching ... 251
Activating Tunnel Switching on the Central Appliance
Activating Tunnel Switching Between Sites

CHAPTER 14 Monitoring Appliances ... 255
How CPM Monitors Appliances ... 255
Reorganizing Appliance Manager Window Columns ... 259
Working with Appliance Groups Folders ... 261
Reorganizing the Appliance Manager window ... 261
Filtering Appliance Manager Window Entries
Color-Coding in the Appliance Manager
Changing Appliance Manager Row Colors ... 263
Ignoring an Appliance’s Status Reports ... 265
Ignoring an entire appliance ... 265
Using the Appliance Detail Dialog Box ... 266
Using the Performance Graph ... 267
Opening the Performance Graph ... 268
Setting up the Performance Graph ... 268
Viewing several counters at once ... 272

CHAPTER 15 Responding to Alarms ... 275
Viewing new alarms ... 275
Using the Alarm Console window
Acknowledging alarms ... 277
Reopening acknowledged alarms ... 277
Clearing alarms ... 278
Reopening cleared alarms ... 278
Purging cleared alarms ... 278
Reorganizing the list of alarms ... 279
Filtering alarms ... 279
Disabling alarm filtering ... 280

Index ... 281
CHAPTER 1
About WatchGuard CPM
Congratulations on your purchase of the WatchGuard Central Policy Manager (CPM). Using this product, you can simplify security policy deployment with a central console that lets you manage multiple Firebox Vclass installations across an entire enterprise infrastructure. This powerful and highly scalable network management platform offers global management for large enterprises, data centers, and service providers.
Why Use WatchGuard CPM?
With WatchGuard CPM, you can configure and monitor hundreds of Firebox Vclass appliances. It is the ideal global management solution for distributed enterprises, data centers, and service providers who depend on Firebox Vclass appliances for their high-speed security.
Components of CPM
CPM consists of two main components, CPM Server and CPM Client. CPM can be used to manage many different types of appliances, as shown in the following figure.
CPM Server
The CPM Server software includes a database that stores the configurations and policies for all appliances while it actively monitors the status of each appliance, alerting you if problems arise. WatchGuard recommends that you install the CPM Server component onto a separate, high-capacity host computer. You can install both Client and Server onto a single workstation if your network environment is small and you do not plan to expand it.
A large amount of appliance-specific information can be stored in CPM Server as appliance-specific profiles. When needed, you can prompt CPM Server to use its secure connections to all your appliances to deploy new or updated profiles.
CPM Client
The CPM Client application gives administrative workstations access to CPM Server. You can install and run the Client on any number of administrative workstations. After an administrator uses the Client to log into CPM Server, he or she can set up global policies and record appliance-specific profiles, including policies, system configurations, log files, alarms, and activity monitors. If the administrator has fewer privileges, he or she might only be able to review the active alarms and clear them.
You can assign more than one administrator to manage various aspects of the overall task load. Your authorized client administrative users do not have to be “local” to participate in the CPM system. If you load VPN policies into the relevant appliances that would permit secure communications between a client workstation and the server host, other remote administrators can assume their duties from their locations.
Network Security Basics
You begin your assessment of how to secure a site or network with a security stance. Simply put, a security stance is a statement of how an organization protects its assets. An effective organization-wide security stance considers:
• Implementation and maintenance of the stance, and how the stance fits in with the organization’s goals and objectives
• The level of access provided to the various users and groups within the organization
• Whether the organization allows recreational use of facilities and systems
• What level of remote access communication is allowed
The stance generally accepted by the Internet security community is to discard all packets not explicitly allowed; stated simply, “that which is not explicitly allowed is denied.” WatchGuard Firebox Vclass appliances, like most commercial firewalls, adopt this as the default stance. Discarding all data packets not explicitly allowed through the firewall protects against attacks based upon new, unfamiliar, or obscure IP services. It also provides a safety net regarding unknown services and configuration errors that can threaten network security.
This means that for the Firebox to pass any traffic, it must be configured to pass the traffic your customer wants to allow through the firewall. The network administrator must actively select the services and protocols you or your customers want, configure each one to define which hosts can send and receive them, and set other individual properties for the service.
Offline and Online Configuration
Unlike WatchGuard Vcontroller and other single-appliance management tools, CPM performs most configuration tasks offline. During offline configuration, CPM does not need a connection to an appliance. All configuration for an appliance is completed on the CPM server, compiled into a profile for the appliance, and deployed to the appliance at a later time. Depending on the changes initiated by the new profile, the appliance may or may not be rebooted.
Address Objects in CPM Security Policies
In the CPM Policy Editor, a security network includes one Internet object at the center, and multiple surrounding private networks and hosts, connecting to the internet through appliances.
Each address object is located either at the Internet or at a Private or DMZ port on the appliance. Address objects are created either under the Internet object, or under appliances with private or DMZ ports. Internet addresses by definition apply to all Public ports.
Address objects can be defined as:
• any IP address behind an interface
• a single IP address behind an interface
• a range of IP addresses behind an interface
• an IP address subnet behind an interface
• the IP address of the interface
In addition, address groups can contain any of the previous types of address objects.
Address objects and address groups simplify the configuration of multiple appliances. A new security policy can be defined once, compiled once, and deployed once. However, depending on its definition, the policy might apply to a single IP address, an entire corporate network, a collection of networks, or the entire Internet. And a single CPM policy can create one policy on one appliance, or multiple policies on multiple appliances, and other objects related to those policies.
Central Policy Manager User Guide 5
CHAPTER 1: About WatchGuard CPM
CPM Policy Examples
The following examples illustrate various network topologies and their related CPM policies.
Internet traffic to a Web server
In this example, a policy is created that allows HTTP and HTTPS traffic from any IP address on the Internet to reach a Web server. The Web server is a single IP address object called “WebServer,” located behind the Vclass appliance named “V80.” The Web server is located on Port 3 (DMZ2).
[Figure: the Internet (any IP address) connects to port 1 of the Vclass "V80"; the Web server, address object WebServer@V80, sits behind port 3]
The policy configuration is shown as Policy 1:
[Screenshot: Policy 1 in the CPM Policy Editor]
After the policy is compiled and deployed, the resulting policy on the Vclass “V80” is:
Source   Destination   In port      Service       Action
Any      WebServer     1 (Public)   HTTP, HTTPS   Allow
Branch office to an FTP server
In this example, a policy is created that allows FTP traffic from a range of addresses behind one appliance to reach an FTP server behind a different appliance. The appliances are in different physical locations, and communication occurs over the internet, using single-direction IPSec. The “BranchFTPUsers” address is an IP address range located behind Port 0 (Private) of the Vclass appliance called “BranchOffice.” The “FTPServer” address is located behind Port 2 (DMZ1) of the Vclass appliance “V80.”
[Figure: the FTP users, address object BranchFTPUsers@BranchOffice, sit behind port 0 of the Vclass "BranchOffice", whose port 1 connects to the Internet; the Vclass "V80" connects to the Internet on port 1, with the FTP server, address object FTPServer@V80, behind port 2]
The policy configuration is shown as Policy 2:
[Screenshot: Policy 2 in the CPM Policy Editor]
After the policy is compiled and deployed, the resulting policy on the Vclass “BranchOffice” is:
Source           Destination   In port   Service   Action
BranchFTPUsers   FTPServer     Private   FTP       IPSec
A policy is also created on the Vclass appliance “V80.”
Source           Destination   In port   Service   Action
BranchFTPUsers   FTPServer     Public    FTP       IPSec
In addition, an IKE policy is created for this connection. In the IKE Pairs tab in CPM, the following policy appears.
Pair                 IKE Proposals   Authentication   Status
BranchOffice - V80   Default         Pre-Shared Key   Ready
Branch office to a corporate network
In this example, all users at the branch office are allowed access to all services on the private network of the main corporate office. The appliances are in different physical locations, and communication occurs over the internet, using bi-directional IPSec. The “BranchNetwork” address is an IP subnet located behind Port 0 (Private) of the Vclass appliance “BranchOffice.” The main corporate network is a subnet located behind Port 0 (Private) of the Vclass appliance “V80.”
[Figure: the branch office IP subnet, address object BranchNetwork@BranchOffice, sits behind port 0 of the Vclass "BranchOffice", whose port 1 connects to the Internet; the Vclass "V80" connects to the Internet on port 1, with the corporate network, address object CorporateNetwork@V80, behind port 0]
The policy configuration is shown in Policy 3:
[Screenshot: Policy 3 in the CPM Policy Editor]
After the policy is compiled and deployed, the resulting policy on the Vclass “BranchOffice” is:
Source          Destination        In port   Service   Action
BranchNetwork   CorporateNetwork   Private   ANY       IPSec (bidirectional)
A policy is also created on the Vclass appliance “V80.”
Source             Destination     In port   Service   Action
CorporateNetwork   BranchNetwork   Private   ANY       IPSec (bidirectional)
In this example, the same IKE pair is used as in the previous example.
Pair                 IKE Proposals   Authentication   Status
BranchOffice - V80   Default         Pre-Shared Key   Ready
Multiple addresses
Policies can include multiple addresses. For example, you can create a single policy that includes separate subnets under “BranchOffice,” and even other appliances at other offices, as sources. You can also combine destination addresses; for example, combining different subnets at the corporate office, or IP address ranges behind the Private interface.
You can use any combination of services and actions you want, as long as the actions are compatible. CPM creates the correct policies for each appliance, including all required IPSec actions and policies.
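The three policy examples above, and the address-object kinds listed earlier in this section, can be modelled in code. The following Python is an added illustration and is not the guide's or WatchGuard's code: it assumes a simplified compilation rule in which the near appliance gets a policy whose in-port is the source object's own port, the far appliance gets one on its Public port (mirrored onto the destination's own port for bidirectional IPSec), and an IKE pair is created whenever the two endpoints sit behind different appliances; all IP addresses and port assignments are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Appliance:
    name: str
    ports: Dict[int, str]  # port number -> role, e.g. {0: "Private", 1: "Public", 2: "DMZ1"}


@dataclass
class AddressObject:
    """One of the five address-object kinds; appliance=None means 'under the Internet object'."""
    name: str
    kind: str  # "any" | "host" | "range" | "subnet" | "interface"
    appliance: Optional[Appliance] = None
    port: Optional[int] = None
    spec: Tuple[str, ...] = ()  # host/interface: (ip,); range: (first, last); subnet: (cidr,)

    def contains(self, ip: str) -> bool:
        addr = ip_address(ip)
        if self.kind == "any":
            return True
        if self.kind in ("host", "interface"):
            return addr == ip_address(self.spec[0])
        if self.kind == "range":
            return ip_address(self.spec[0]) <= addr <= ip_address(self.spec[1])
        if self.kind == "subnet":
            return addr in ip_network(self.spec[0], strict=False)
        raise ValueError(f"unknown address kind {self.kind!r}")


@dataclass
class CPMPolicy:
    source: AddressObject
    destination: AddressObject
    services: Tuple[str, ...]
    action: str  # "Allow", "Deny", "IPSec" or "IPSec (bidirectional)"


@dataclass(frozen=True)
class AppliancePolicy:
    appliance: str
    source: str
    destination: str
    in_port: str
    services: Tuple[str, ...]
    action: str


def compile_policy(p: CPMPolicy) -> Tuple[List[AppliancePolicy], Set[Tuple[str, str]]]:
    """Expand one CPM policy into per-appliance rows plus the IKE pair it needs, if any."""
    src, dst = p.source, p.destination
    src_app = src.appliance.name if src.appliance else None
    dst_app = dst.appliance.name if dst.appliance else None
    rows: List[AppliancePolicy] = []
    pairs: Set[Tuple[str, str]] = set()
    if src_app is not None:
        # On the near appliance, traffic enters on the port the source object sits behind.
        rows.append(AppliancePolicy(src_app, src.name, dst.name,
                                    src.appliance.ports[src.port], p.services, p.action))
    if dst_app is not None and dst_app != src_app:
        if p.action.endswith("(bidirectional)"):
            # Bidirectional IPSec: the far appliance gets the mirrored policy on its own port.
            rows.append(AppliancePolicy(dst_app, dst.name, src.name,
                                        dst.appliance.ports[dst.port], p.services, p.action))
        else:
            # Internet addresses apply to all Public ports, and traffic from another
            # appliance also arrives over the Internet, so it enters on Public.
            rows.append(AppliancePolicy(dst_app, src.name, dst.name, "Public", p.services, p.action))
    if src_app and dst_app and src_app != dst_app:
        pairs.add(tuple(sorted((src_app, dst_app))))
    return rows, pairs


def compile_policies(policies: List[CPMPolicy]):
    """Compile several CPM policies; an IKE pair is shared by every policy between two appliances."""
    rows: List[AppliancePolicy] = []
    pairs: Set[Tuple[str, str]] = set()
    for p in policies:
        r, k = compile_policy(p)
        rows.extend(r)
        pairs |= k
    ike_tab = [(f"{a} - {b}", "Default", "Pre-Shared Key") for a, b in sorted(pairs)]
    return rows, ike_tab


# Constructed sample topology: the guide names these objects but gives no IP values.
V80 = Appliance("V80", {0: "Private", 1: "Public", 2: "DMZ1", 3: "DMZ2"})
BRANCH = Appliance("BranchOffice", {0: "Private", 1: "Public"})
INTERNET_ANY = AddressObject("Any", "any")
WEB = AddressObject("WebServer", "host", V80, 3, ("203.0.113.10",))
FTP_USERS = AddressObject("BranchFTPUsers", "range", BRANCH, 0, ("10.1.0.10", "10.1.0.20"))
FTP_SERVER = AddressObject("FTPServer", "host", V80, 2, ("203.0.113.21",))
BRANCH_NET = AddressObject("BranchNetwork", "subnet", BRANCH, 0, ("10.1.0.0/24",))
CORP_NET = AddressObject("CorporateNetwork", "subnet", V80, 0, ("10.0.0.0/16",))
EXAMPLE_POLICIES = [
    CPMPolicy(INTERNET_ANY, WEB, ("HTTP", "HTTPS"), "Allow"),            # Policy 1
    CPMPolicy(FTP_USERS, FTP_SERVER, ("FTP",), "IPSec"),                  # Policy 2
    CPMPolicy(BRANCH_NET, CORP_NET, ("ANY",), "IPSec (bidirectional)"),   # Policy 3
]
```

Calling compile_policies(EXAMPLE_POLICIES) yields the five appliance rows and the single BranchOffice - V80 IKE pair shown in the tables above.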
CPM and Network Configuration
You can use CPM to maintain and monitor any number of Firebox Vclass and RapidStream security appliances both within your local firewall and outside the firewall. The key requirement is an SSL/HTTPS policy on each appliance that permits CPM to gain complete access to that appliance through whatever firewalls may exist between the Server and that appliance. This includes full-strength gateway security appliances, internal-use appliances that guard private network assets, and VPN client appliances, distributed throughout the Internet and serviced by ISPs.
Most networks using CPM have one of the two following configurations:
• An extended network has CPM connected to a gateway appliance, through which it is connected to other appliances outside the local firewall.
• A local network has CPM connected to a collection of appliances, all inside the local firewall.
Types of Appliances Administered with CPM
You can administer, monitor, and coordinate network communications between a number of devices in CPM:
• WatchGuard Firebox Vclass security appliances
• RapidStream appliances
• RapidStream “Secured by Check Point” appliances
• Third-party security appliances
• “Virtual appliances” that represent VLAN or user domain tenants associated with an operational appliance
• Remote appliances running MUVPN
CPM and WatchGuard Vclass/RapidStream security appliances
You can use CPM to install and configure the operational profile for any “factory default” Firebox Vclass appliances from WatchGuard or legacy appliances manufactured by RapidStream. After the appliances are deployed and operational, you can monitor and troubleshoot them.
CPM and RapidStream "Secured by Check Point" security appliances
If you are using RapidStream appliances running preinstalled Check Point software, you can continue to use RapidStream Navigator to administer the appliances, while using CPM to identify the location of these appliances for policy-making purposes. CPM can also be used to monitor appliance status using SNMP.
Because CPM includes a link to RapidStream Navigator, you can integrate CPM system monitoring with the maintenance of “Secured by Check Point” security appliances through RapidStream Navigator.
Recording the Check Point appliances in CPM as network assets allows you to record security policies that establish traffic between the Check Point devices and Firebox Vclass or RapidStream devices.
Remote appliances running MUVPN
Telecommuters working from home and traveling employees who need corporate network access are common fixtures in today’s business environment. Mobile User VPN (MUVPN) creates an IPSec tunnel between an unsecured remote host and your trusted and optional networks using a standard Internet dial-up or broadband connection without compromising security. This type of VPN requires only one Firebox for the private network and the Mobile User VPN software module.
Maintaining and managing VPN tunnels established between a main corporate office and one or more branch offices can become an overwhelming task. CPM centralizes all intersite communication, which preserves network performance and simplifies maintenance.
Appliances running MUVPN are recorded as “RAS user” in CPM.
CPM and third-party security appliances
You can record all third-party appliances, which include third-party security appliances or older-model Firebox appliances, as assets in your extended network. You can then use CPM to configure security policies for communications between Firebox Vclass appliances and these third-party appliances.
The following table summarizes all of the CPM management options, by appliance type:
[Table: rows are WatchGuard Firebox Vclass appliances, WatchGuard Firebox appliances, RapidStream appliances, RapidStream Check Point appliances, and Third-party appliances; columns are Use CPM to configure, Use CPM to monitor, and Use as addresses in CPM policies]
About Router Mode and Transparent Mode
Vclass appliances can operate in two distinctly different modes: Router Mode and Transparent Mode. Descriptions of these modes are included in this section.
Router Mode
Router Mode is the default mode for Vclass appliances.
Vclass appliances running in Router Mode integrate firewall, VPN, and routing functions in a single appliance. In this mode, the Vclass appliance functions as a security gateway, as shown in Figure 2, “Vclass Router Mode operation,” on page 15.
Depending on the Vclass model, up to four network interfaces are provided, which you can use to route traffic between a private network, the public network or Internet, and DMZ networks. Private and DMZ networks are considered to be trusted, and the public network is not trusted.
Networks are on different subnets.
In Router Mode, all interfaces are routable. Each individual interface is assigned an IP address on the subnet it is connected to. Packets crossing the Vclass appliance are managed by configured policies and proxies. Allowed packets are routed to their destinations. In this mode, the Vclass appliance only receives the packets that are addressed to it. Packets sent out from the Vclass are marked with the Vclass interface MAC as their source.
Figure 2: Vclass Router Mode operation
[Figure: the Vclass sits between the untrusted Internet and the trusted Private Network and DMZ Network]
No special configuration is required to set an appliance to Router Mode. Vclass appliances are set to Router Mode by default. Use the instructions provided throughout this guide to configure your Router Mode appliance.
You can switch an appliance to Router Mode at any time, using Device Discovery, the Installation Wizard, the System Configuration window on the Interfaces page, or by importing a Router Mode XML configuration.
Transparent Mode
Figure 3: Vclass Transparent Mode operation
[Figure: Existing Network. Before: Internet (not trusted), Router, Existing Network (not trusted). After, with a Transparent Mode Vclass appliance: Internet (not trusted), Router, Vclass, Existing Network (trusted)]
Vclass Transparent Mode is designed to allow simple “drop-in” integration of the Vclass appliance in an existing network topology. Figure 3, “Vclass Transparent Mode operation,” on page 16, depicts a typical Transparent Mode scenario. In this scenario, the Vclass is placed between an existing router gateway and an internal network. Routing functions are handled by the router, and the Vclass provides firewall and VPN functions.
The main differences between Transparent and Router modes are:
• Transparent Mode interfaces are promiscuous. A promiscuous interface receives not only the packets addressed to it (as in Router Mode), but also packets addressed to other hosts on the network. However, the Vclass appliance passes packets without taking any action, if both the packet source and target are connected and reachable on the same interface.
• In Transparent Mode, the Vclass appliance uses one IP address and one Subnet Mask for all interfaces. These addresses are called the System IP and the System Mask. All interfaces on the Vclass appliance use these addresses.
• The System IP is used as the IPSec tunnel peer address.
• In contrast to Router Mode operation, in Transparent Mode the Vclass switches a packet to its destination, if the packet is allowed. Like a typical network switch, the packet’s source MAC address is preserved.
Unsupported features in Transparent Mode
Not all features available in Router Mode are feasible or usable in Transparent Mode. Unsupported features are:
• Backup WAN connection (WAN Failover)
• DHCP Client and Server
• Proxies
• Dynamic Routing
• High Availability (Active/Standby or Active/Active)
• VLAN and Tenants
• NAT, including SNAT, DNAT, VIP
• PPPoE
• Secondary IP
• Spanning Tree Protocol
• Tunnel Switching
More information
Information on Router Mode and Transparent Mode configuration options is included in the relevant material throughout this User Guide.
CHAPTER 2
Installing or Upgrading CPM Software
This chapter describes how to install or upgrade the two components of the CPM system: the CPM Server software and the CPM Client application. Each software installation relies on the use of an InstallShield™ Wizard stored on the CD-ROM enclosed with your manual and software registration. This chapter also covers backing up and removing CPM software.
For information on installing CPM Server on a Solaris host, see the CPM Applications Guide.
Where You Can Install CPM Server and Client
You can install both CPM Server and CPM Client onto any qualifying computer, workstation, or host/server.
Or you can install the components onto separate machines; the choice depends upon the following requirements:
Workstation only
If your workstation CPU processor speed is sufficient, you can install both server and client software onto a workstation/desktop computer.
WatchGuard recommends installing CPM Server onto an auxiliary drive with at least 50 megabytes of free space.
You can install CPM Client onto the main drive of the workstation. It does not increase in size during use.
Workstation/Server
WatchGuard recommends this mode of installation, in which you install the CPM Server software separately onto a server with an auxiliary drive or a separate partition that has at least 50 MB in free space.
You can install CPM Client onto the main drive of any locally networked workstation. It does not increase in size during use.
Installation requirements
To manage more than one security appliance with CPM, you must have the appropriate WatchGuard CPM license. This license determines the number of appliances that you can administer. After the required license is entered, CPM Server can contact and administer the maximum number of licensed appliances. (If you add more appliances to your network, you can easily obtain and install an expanded-capacity license.) For information about obtaining a site license for CPM, see “Obtaining the Site License for CPM” on page 24.
All CPM Clients communicate with CPM Server through a Secure Socket Layer (SSL) connection, whether the client workstation is located inside or outside the firewall of the corporate network.
If any client applications are intended for use outside the firewall, you must open a specific SSL connection through the firewall. The SSL port can be customized by opening and editing the cpm_server.conf and cpm_client.conf files.
• If you’ve installed several separate CPM Server software packages, you can connect to any of them with the same CPM Client application assuming that you have an access account for that server.
• When logging into a CPM Server on a separate host computer, you must have the IP address of that host. After you have initially logged in, CPM Client stores the IP address of this CPM Server host in its configuration file and uses it as the default host next time you bring up CPM Client.
NOTE
You can review “About the CPM Configuration Files” in the CPM Applications Guide for complete details on both cpm_server.conf and cpm_client.conf files.
System Requirements for CPM Server
Host computer
Any workstation or server with sufficient hard drive capacity located inside the corporate network/firewall. A standalone server is recommended. The CPM Server software cannot be installed on more than one host computer.
Operating System
Windows NT 4.0 Server, Windows NT 4.0 Workstation (Service Pack 6a), Windows 2000 Server, Windows 2000 Professional, or Windows XP Professional. Do not install the CPM Server software onto non-NT computers such as Windows 98.
Sun Solaris, v2.8 (Sparc)
Processor Type
Pentium II or later version of Pentium CPU
Processor Speed
700 MHz minimum
Memory
256 MB minimum
Hard Disk Space
50 MB minimum (for CPM Server database software)
20 MB minimum (for CPM Client software)
Input Device
CD-ROM or DVD
Network Interface
NICs or embedded network connections
System Requirements for CPM Client
Host Computer
Any desktop computer. The CPM Server software must be installed on a host computer and be currently active before you install any CPM Client.
For the initial CPM Client, the computer must be inside the same corporate network/firewall as CPM Server. You can install subsequent Client installations on any computers located either inside or outside the network.
Operating System
MS Windows 98/ME/XP or NT/2000/XP
Processor Type
Pentium II or later version of Pentium CPU
Processor Speed
500 MHz or faster
Memory
128 MB minimum
Hard Disk Space
10 MB minimum (for CPM software)
Input Device
CD-ROM or DVD
Network Interface
NICs or embedded network connections
Java 2 runtime environment (JRE)
When CPM is installed on a Windows system, a local copy of the Java Runtime Environment is installed in the CPM installation directory. CPM ignores other installed versions of JRE on the computer, to prevent conflicts with other Java-based applications and guarantee the correct version of JRE for all CPM functions.
CPM for Solaris requires that you install JRE version 1.4.1_01 before you install CPM.
Obtaining the Site License for CPM
Before you proceed with installation, you must obtain the license for CPM.
1 Find the license key certificate that was included with your CPM package. This item contains a code you must enter at the WatchGuard Web site.
2 Use a Web browser to connect to the URL printed on the same card.
3 Make all the relevant entries in that Web page, including your company’s name and the host name of the computer on which CPM Server will be installed.
To find the host name, on a Windows computer, right-click My Computer and then select the Property menu to bring up the System Properties dialog box. Select the Network Information tab to view the full computer name. The name may be followed by the domain name, which you should not include in the license request. For example, if abc.mydomain.com is listed as the full computer name, enter only abc as the host name.
On a Solaris computer, enter “uname -n” to find the host name.
After you successfully submit the entries, the feature key text is printed in the browser, which you should cut and paste into a text file stored on your workstation.
After you have obtained the feature key and stored it safely on your workstation, you can proceed with the CPM installations. You don’t need the feature key text until you first start CPM Client and attempt to log into CPM Server.
Installing the CPM Server Software
To install the CPM Server software onto the target host computer running the Windows operating system:
1 If you have a WatchGuard CPM CD-ROM, remove the CD-ROM from the package and insert it into the CD-ROM drive of either the administrative workstation or the host server.
If you do not have a CD-ROM, but have downloaded the installation package, go to step 5.
2 Locate and double-click the CD-ROM drive icon.
NOTE
The CD-ROM may not start automatically on some computers. If this is the case, open the Run dialog box and enter the CD-ROM drive letter followed by setup.exe to start the installer.
3 Open the CPM Server folder (inside the Windows folder).
4 Double-click the Server installer icon (Setup.exe).
The CPM Server Setup Wizard appears, displaying the initial Welcome screen.
5 If you do not have a CD-ROM, but have downloaded the installation files from LiveSecurity, locate the files you have downloaded, and double-click the file WGCPMServer50.exe.
6 Click Next .
The Wizard displays the WatchGuard CPM Server Software License Agreement, as shown below, which you must accept to continue with the installation.
7 Read the complete agreement before proceeding. Click Yes to accept the terms of the agreement.
8 Assuming you clicked Yes , the wizard prompts you for a destination directory, and lists a default destination folder and its directory pathway. WatchGuard recommends that you use the default folder.
If you would like to change the installation folder, click Browse to open the Choose Folder dialog box (shown below) which you can use to locate the computer, drive, and directory. However, you cannot choose a folder on a network drive.
9 Click Next to accept the selected drive, path, and directory.
10 The wizard now loads the archived installer files from the CD-ROM into the designated drive and directory. All of the CPM Server files are stored in the CPM Server directory. Click Next.
NOTE
The CPM Server software is installed as a service by Microsoft Windows, and as a result does not have a program folder listed under Programs in the Start menu. It is set to start automatically in the Services dialog box of Control Panel during the installation process.
11 The wizard now displays a confirmation message. Click Finish.
12 Click the checkbox to select whether you want to start the CPM Server, then click Finish to close the dialog box. If you start CPM Server, it runs as a service. If you do not click the checkbox to start CPM Server, you can start it later manually. CPM Server also starts each time the host computer is rebooted.
Installing the CPM Client Software
You can install multiple CPM clients onto the same computer. Each CPM client is represented by a separate icon.
You are not required to uninstall previous CPM clients, but each CPM client can log in only to a CPM Server that is the same version. You can only install one version of CPM Server per computer.
To install the WatchGuard CPM Client application on a computer running Microsoft Windows, follow these steps:
1 Remove the WatchGuard CPM CD-ROM from the package and insert it into the CD-ROM drive of your administrative workstation.
2 Locate and double-click the CD-ROM drive icon.
3 Open the Client folder on the CD (inside the Windows folder).
4 Double-click the CPM Client installer icon (Setup.exe).
After startup is complete, the InstallShield Wizard appears, displaying the Welcome screen.
5 Click Next to proceed.
The Wizard displays the WatchGuard CPM Client Software License Agreement, as shown below, which you must accept to continue with the installation.
6 Read the complete agreement before proceeding. Click Yes to accept the terms of the agreement.
7 Assuming you clicked Yes , the wizard prompts you for a destination directory, and lists a default destination folder and its directory pathway. WatchGuard recommends that you use the default folder.
If you are unsure of the drive location, click Browse to open the Choose Folder dialog box (shown below) which you can use to locate the computer, drive, and directory.
8 Click Next to accept the selected drive, path, and directory.
9 The wizard now prompts you for a default Program Folder in which to install the program icon. WatchGuard recommends you use the default location. Click Next.
After the wizard completes the installation, it displays a confirmation message.
10 Click the checkbox to select whether you want to start the CPM Client, then click Finish .
Upgrading from a Previous Version of CPM
CPM 5.0 does not accept the CPM 4.x or 3.x database. If you are using CPM 4.x and want to use the database in CPM 5.0, you must first convert it to a CPM 5.x database.
To convert a database, you must first back up the database while running the old version of CPM, uninstall the old version, install and run the new version, and then copy the backed-up database into the new version.
If you want to convert a CPM 3.x database, you must first convert it to a CPM 4.x database, then convert that to a CPM 5.x database.
NOTE
If you installed the Server onto a separate computer and have one or more Clients on other computers/workstations, you should first upgrade the Server on that machine before upgrading all other installations of the Client.
To complete the upgrade, follow these steps:
1 Log into CPM Client (from the root admin workstation).
2 Open the Backup/Restore window and back up your current CPM database. For more information on how to back up a CPM database, see “Backing Up CPM Server” on page 35.
3 Use the Windows Add/Remove Programs dialog box to remove CPM Server, and then CPM Client from your computer.
4 Install the current version of CPM Server, as described in “Installing the CPM Server Software” on page 25.
5 When asked whether you want to start CPM Server, click the checkbox.
6 Start the CPM Client Installer and complete that installation on your root admin workstation. (For more information, see “Installing the CPM Client Software” on page 29.)
7 When asked whether you want to start CPM Client and log into the Server, click the checkbox.
8 Use the Login dialog box to connect to CPM Server.
A dialog box appears, informing you that a valid license is needed.
9 Use the CPM Server Info window that appears automatically to import the license.
10 When this is complete, you can log into CPM Server and restore the archived CPM database.
For more information on restoring the archived database, see the CPM Applications Guide.
Backing Up CPM Server
Before uninstalling, you may want to preserve your existing database contents, such as appliance configurations and policies. To do so, you should back up the CPM database files before proceeding. Removal of the CPM Server database deletes all of your appliance logs, configurations, and policies.
To back up the CPM database, follow these steps:
1 Log into CPM Client (from the root admin workstation).
2 Click Backup/Restore .
The Backup/Restore dialog box appears.
3 Enter the directory path and file name of where you want to save the backup image.
4 Click Backup .
When the backup image is complete, a message dialog box appears.
5 Click OK .
6 Click Close .
Uninstalling CPM Server or Client
If problems arise and you need to make a clean reinstallation of the CPM software or remove corrupted files, you must first uninstall the CPM Client or CPM Server software. To uninstall the software, use the Windows Add/Remove Programs dialog box.
CHAPTER 3
Starting the CPM Client and Server
Prior to starting CPM Client, make sure CPM Server is running. For information on starting CPM Server, see “Starting or Restarting CPM Server” on page 49.
NOTE
If the CPM Server has been installed on a host server with multiple network interface cards (NICs), you must use the IP address of the NIC used for the CPM Server as the server IP address. The CPM Server IP address is stored in cpm_server.conf, which you can review in “About the CPM Configuration Files” in the CPM Applications Guide.
Starting the CPM Client for the First Time
The “cpmadmin” username and password give the user full admin account access. WatchGuard recommends logging in as “cpmadmin”, then using the Account Manager window to set up a range of other administrator access accounts. This is described in the next chapter.
To log into the CPM Client, follow these steps:
1 Click Start => Programs => WatchGuard CPM Client , or double-click the WatchGuard CPM Client shortcut icon if one was placed on the Windows desktop.
The CPM login dialog box appears.
2 In the Server IP Name field, type the IP address or hostname of the server computer.
If multiple NICs in the server computer could cause problems, use the IP address of the appropriate NIC.
3 In the Password field, type cpmadmin .
4 Click Log In to submit the access entries.
If this is your first login attempt, an alert dialog box may appear to tell you that you need to import the basic WatchGuard license that allows you to use CPM for appliance management.
5 Click OK to proceed.
The CPM Server Information window appears (in front of the CPM Console window), displaying the General Info tab.
6 Open the license file (a text file that you obtained and saved earlier) and copy the contents onto the Clipboard. For information on how to access a license file, see “Obtaining the Site License for CPM” on page 24.
7 Close the license file.
8 Click Upgrade License in the General Info tab (as indicated in the previous illustration).
The Upgrade License dialog box appears.
9 Click Paste to insert the license text. Click OK .
A confirmation dialog box appears, indicating the number of appliances this license will allow you to manage with CPM.
10 Click OK to close this dialog box.
The dialog box closes and the General Info tab now displays information about the license.
11 Close this window.
The CPM Console window appears, ready for use.
Changing Your CPM Client Login Password
You must change the password used for access to the CPM Server on two occasions:
• If you have not yet changed the default password since you completed the original installation. In this case, CPM prompts you to make the change.
• If you want to periodically change the password to maintain system security.
If CPM prompts a password change
If you have never replaced the default password, a dialog box recommends that you change the original default “cpmadmin” password. You must change it by following these steps:
1 When the following dialog box appears, click OK to close it.
The Set Password dialog box appears.
2 Type the new password into both the New Password and Confirm Password text fields.
Use only alphanumeric characters between 6 and 16 characters for the password.
NOTE
After replacing the password for “cpmadmin”, be sure to write down your new password and store it in a safe, accessible place. If the password is forgotten and lost, all root admin access is lost and you must uninstall and reinstall the CPM Server, losing all your policies and configurations.
3 Click OK to submit the new password.
A confirmation dialog box appears.
4 Click OK to close this dialog box. Your new password is in effect.
You can continue using CPM during this login session without having to log out and log back in using the new password.
If you want to replace an existing password
After changing the original password, you should periodically replace the current password to maintain system security:
1 With the CPM Console active, click CPM Server.
The CPM Server Information dialog box appears.
2 Click Change Password (in the lower-right corner of the General Info. tab).
The Set Password dialog box appears.
3 Type a new password into both New Password and Confirm Password text fields.
Use only alphanumeric characters between 6 and 16 characters for the password.
NOTE
After replacing the password for “cpmadmin”, be sure to write down your new password and store it in a safe, accessible place. If the password is forgotten and lost, all root admin access is lost and you must uninstall and reinstall CPM Server, losing all your settings and entries.
4 Click OK to submit the new password.
A confirmation dialog box appears.
5 Click OK to close this dialog box. Your new password is in effect.
You can continue using CPM during this login session without having to log out and log back in using the new password.
Starting the CPM Client After Initial Log In
1 Select Start => Programs => WatchGuard => CPM.
2 When the Login dialog box appears, enter your account user name and password. Click OK. (Note that CPM “remembers” the IP address of the Server.)
3 The Console window appears, ready for use.
Upgrading your CPM License
You need a new CPM license if you want to:
• Increase the number of appliances your CPM can manage
• Change the hostname of the computer running CPM Server
describes how to upgrade your CPM Server license after the original has expired.
After you obtain the upgrade license (as a text file), follow these steps:
1 Open the file containing the license text and copy the text to the Clipboard.
2 After logging into CPM Client, click CPM Server in the CPM Console.
3 When the CPM Server Information dialog box appears, click Upgrade License.
4 When the Upgrade License dialog box appears, click Paste to insert the license text from the Clipboard.
5 Click OK to load this information into the CPM Server database.
If the upgrade is successful, a confirmation dialog box appears.
The CPM Server Information dialog box should now indicate the new number of manageable appliances.
Stopping the CPM Server
You may want to shut down CPM Server (an optional step) before upgrading the Server software. You can shut down CPM Server in two ways:
• Using the Services control panel on the actual host server location where the CPM Server application is installed.
• Using the CPM Client on the host computer logged in as the Root Admin.
Stopping CPM Server at the host computer
This section describes the process for the Microsoft Windows 2000 and XP operating systems. It is slightly different for Windows NT 4.
1 Select Start => Settings => Control Panel.
2 When the Control Panel opens on the desktop, click Administrative Tools => Services.
3 When the Services control panel appears, scroll down the list and select WatchGuard CPM Server.
4 Click the Stop button in the control panel toolbar.
A status dialog box appears.
This dialog box automatically closes after the Service control panel has completed the shutdown of the WatchGuard CPM Server service.
The control panel Status column will be blank, indicating that the service has stopped.
5 You can now close the Services control panel.
The CPM Server application can now be upgraded or removed from the server.
Shutting down CPM Server at the CPM Client workstation
1 If you have not already done so, start the CPM Client.
2 Log into the CPM Server as “cpmadmin”.
3 When the CPM Console appears, click CPM Server.
The CPM Server Information dialog box appears.
4 Click Shutdown.
A confirmation dialog box appears.
5 Click Yes to proceed with shutdown.
After an interval, the following information dialog box appears.
6 Click OK.
7 You can now quit (exit) CPM Client.
Starting or Restarting CPM Server
The WatchGuard CPM Server application runs as a system-level service, which you can manually start or restart. This section explains how to start CPM Server. This is necessary only during unusual circumstances.
1 Select Start => Settings => Control Panel.
2 When the Control Panel opens on the desktop, click Administrative Tools => Services.
3 When the Services dialog box opens, scroll down the list until you locate the WatchGuard CPM Server listing.
The Status message should read “Started”. If for some reason the CPM Server has been shut down, the Status message will read “Stopped”.
4 Select the CPM Server entry and click Start.
Microsoft Windows attempts to start the WatchGuard CPM Server. When the startup is complete, “Started” should appear in the Status column for CPM Server.
5 You can now close the Control Panel.
The CPM Server is now operational. You can now start the WatchGuard CPM Client and log into the CPM Server as described in a preceding section.
NOTE
If the host server ever needs to be rebooted, the CPM Server will automatically restart.
CHAPTER 4
Creating CPM Administrator Accounts
Administrative accounts enable users to connect to CPM Server so that they can monitor and manage the system to the extent of the group privileges assigned to them. You can give one account user a wide range of controls over the appliance and policies, while you can restrict other account users to basic status checks and alarm monitoring.
To set up the system for multi-user access (with multiple levels of role privileges), you must do the following:
• Assess the existing default roles, to see whether more are needed. (The default roles should cover most, if not all of your network management options.)
• (Optional) Create as many additional roles as are needed to establish precise levels of CPM access.
• Create separate administrator accounts, for individual users.
CPM Default Roles
CPM is installed with five basic access-privilege roles.
Starting with the lowest role, and proceeding to the highest role, the default roles are:
“Help Desk Staff”
Users have read-only access to all features of CPM.
“MIS Staff”
Users can configure and resolve all alarms, but all other features are read-only.
“Network Operator”
Users can set up and manage appliances and customize new alarm definitions.
“Network Administrator”
Users can create and manage appliance entries, configure new alarm definitions, and create and deploy policies.
“MIS Admins”
Users have the full range of access privileges, including appliance record entry/configuration and policy creation/deployment. They can also create new admin accounts.
If you find these role definitions not fully inclusive, you can use CPM to add more roles to the list, or delete any default roles and replace them with your own combinations of responsibilities.
Creating New Roles (Optional)
If you decide that more roles need to be customized for your network administrative users, you can do so at this time. This section describes the creation of any additional access-privilege roles.
1 Log onto CPM Client.
2 Click Account.
A shortcut menu appears with three options.
3 Select Setup Admin Users.
The Administrator Accounts dialog box appears.
4 If the icon at the bottom of the window is set to View Only, as shown below to the left, click it so that it changes to Writable, as shown on the right.
You can use this dialog box to set up and coordinate both administrative role privileges and individual user accounts. The Privileges column includes the following:
CPM Control (CPM Ctl)
Can shut down and restart CPM Server.
Alarm Clearance (Alm Clr)
Can review and clear any alarms that are triggered in CPM-managed appliances.
Appliance Configuration (App Cfg)
Can enter new appliance records and then configure and deploy the required profile.
Alarm Configuration (Alm Cfg)
Can create any needed custom alarm definitions, whether individual or global.
Appliance Control (App Clt)
Can monitor and shut down or reboot problematic appliances.
Admin Account Configuration (Adm Cfg)
Can create or change administrative access accounts, including assignment of privileges.
Policy Configuration (Pcy Cfg)
Is allowed full access to the insertion and deployment of security policies.
5 If you want to add a new role, click New Role (to the right of the Roles list).
The Admin Role Properties dialog box appears, displaying the General tab.
6 In the Role Name text field, type a name for the role.
A role name should consist of numbers and letters, up to 24 characters in length. Use hyphens (-), underscores (_), or spaces as separators.
7 (Optional) Type a brief description of the role in the Description text field.
8 Select one or more checkboxes corresponding to the access privileges you want to assign to the role. You can select any of the listed access privileges. For information on access privilege options, see the definitions in Step 4.
9 Click OK to save your selections.
The Admin Role Properties dialog box closes. When the Administrator Accounts dialog box becomes visible, it lists your new role entry below the default entries.
10 Repeat the previous process to create any other roles to incorporate the levels of access privilege you want to assign to your network administrators.
Creating Administrator Accounts
This section describes how to create an administrator account (which you can include in one or more of the existing roles). To do so, you should first determine the following:
• Which people can administer the security appliances
• A login name for each administrator
• The full name of each administrator
• A password for each administrator account
• What role each administrator should undertake
To create a new administrator account, follow these steps:
1 If you have not already opened the Administrative Access dialog box, click Account in the CPM Console.
The Administrator Accounts dialog box appears, listing the groups that have been previously created.
2 Click New User.
The Admin Account Properties dialog box appears.
3 In the Login Name text field, type a login name for the administrator.
An administrator name should consist of numbers and letters, up to 24 characters in length. Use hyphens (-), underscores (_), or spaces as separators.
4 In the Full Name text field, type the full name of the first administrator.
Use only numbers and letters up to 24 characters in length, and use the space bar for spaces between names.
5 In the Contact Info field, type any relevant contact information (phone number or email address).
6 To add the role privileges that you want this administrator to have, click Add Role.
The Add Group dialog box appears displaying the login name for this account in the title bar.
7 Select the role privilege groups and click OK.
8 Repeat this process to add other groups, if needed.
9 Click Set Password.
The Set Password dialog box appears, displaying the login name for this account in the title bar.
10 In the New Password text field, type a password for this user account.
Use only alphanumeric characters, between 6 and 16 characters in length.
11 In the Confirm Password text field, reenter the same password.
12 Click OK.
The Set Password dialog box closes and the Admin Account Properties dialog box reappears.
13 Click OK to close the Admin Account Properties dialog box.
14 Repeat this process to enter all of the administrator access accounts and to assign them the appropriate role privileges.
Completing the Access Setup
Now that you have defined the access privileges and the administrator accounts, you can do the following:
• Contact each potential administrator
• Verify that they have installed the CPM Client onto their workstations
• Deliver to them an account login name and password
• Define their responsibilities and provide instructions for the performance of their tasks. (You can distribute the Acrobat file containing this user guide as a teaching aid to all network administrators or support staff.)
Reviewing the Current CPM Session
You can use CPM to view a snapshot of your current session:
1 Log onto CPM Client.
2 Click Account.
A shortcut menu appears, as shown here.
3 Select Show My Session.
The My Session Info dialog box appears.
This dialog box summarizes your login information, along with your administrative group privileges.
4 Click OK to close this dialog box when you are finished.
Determining Which Other Administrators Are Online
CPM provides a way to see which other administrators are online in active sessions, who has been locked out of particular windows, or who has locked a particular window.
1 Log onto the CPM Client.
2 Click Account.
A shortcut menu appears, as shown here.
3 Select Show All Sessions.
The All Session Info dialog box appears.
This window lists the following:
- All currently active administrative sessions
- The initial session login time (From)
- The current time (Time)
- Whether any active administrator has locked a particular CPM window and naming the window if it has been locked
4 If you need to use a locked window and you have the proper privileges, you can contact the locking administrator and discuss access to that window.
Reserving a CPM Window
You can reserve the following CPM windows for your exclusive use:
• The Configuration Editor window
• The System Configuration dialog box (on a per-appliance basis)
• The Alarm Definition dialog box (the Alarm Console is not lockable)
• The main Administrative Accounts window
If more than one CPM administrator logs into CPM Server, the Server allows the first one who opens one of these four windows to make it writable, and to reserve it for his or her own use for as long as needed. Other administrators can open these windows with view-only access.
The status of a window is indicated by the two icons below:
Click the icon to toggle the status and change the icon accordingly.
If the second administrator needs to have full access, he or she can use the All Session Info window to determine who locked that window, and then contact that administrator and ask him or her to change the access to view-only (which releases the lock).
To lock a window for your own use, follow these steps:
1 Log into the CPM Server.
2 Open any one of these lockable windows:
- Configuration Editor window
- System Configuration dialog box (on a per-appliance basis)
- Alarm Definition dialog box (the Alarm Console is not lockable)
- Administrative Accounts window
3 Click the View Only icon at the bottom of the window to change it to the “Writable” icon.
4 To make this window writable for another’s use, if requested by another administrator, click the “Writable” icon to return it to “View Only”.
At this point, you are (potentially) prevented from working in this window by any other administrator who chooses to make it writable.
If you can’t reserve a window
Another administrator may have reserved the window. If this occurs, you’ll see this dialog box when you try to change “View Only” to “Writable”.
This dialog box notes the user name and the IP address of the administrative workstation so that you can contact that user and request a release of the window.
NOTE
If you reserve a window as writable for your exclusive use, remember that CPM Client does not release that window until you manually return the window to “View only” or close the window.
CHAPTER 5
Configuring Appliances for Network Use
The chapter describes how to use CPM to initialize, configure, and prepare new security appliances for your network. You complete the following steps when you configure a new appliance with CPM:
• Add appliances to CPM Client
• (Optional) Add certificates and licenses
• Configure system and policies
- Configure appliance hardware
- Run the Default Policy Wizard
- Create network addresses
- Create security policies
- Assemble policy components
• (Optional) Define alarms
• Compile and deploy appliance profile
• Relocate the appliance
Getting Started
To start the process of entering a new appliance record in CPM, follow these steps:
1 Connect your factory default security appliances (either a new WatchGuard Firebox Vclass appliance or a legacy RapidStream) to the subnet shared by CPM Server.
2 Power up the new appliance. The process should take no longer than three minutes.
3 Log in to the CPM Client, using an account with full appliance-creation and management privileges.
For more information on administrator accounts, see “Creating CPM Administrator Accounts” on page 51.
Installing and Setting Up a Firebox Vclass Appliance
If you plan to use the WatchGuard CPM system to configure “factory default” appliances, you must mount, connect, and power up the appliance before any initial configuration can occur. Use the WatchGuard Vclass Hardware Guide that came with your appliances to guide you through these tasks:
• Mounting the appliance in a network setting
• Connecting the network cabling to the appropriate data interfaces
• Powering up the security appliance
Be sure to mount any new Firebox Vclass appliance in the same subnet as the CPM Server host computer, so that you can proceed with the full CPM profile creation and deployment process.
Adding Appliances to CPM
The first step to managing the security appliance with CPM is to add the appliance to CPM. You can do this in two ways:
• Discover the device
• Add appliance records
You can configure and deploy policies using CPM Client after the security appliance is added.
Discovering devices
CPM Client can find security appliances connected to the same subnet shared by CPM Server using device discovery. Before using CPM to discover an uninstalled (“factory default”) appliance, you must have the following:
• A temporary IP address, for use in discovery and the initial deployment.
• Whether the appliance will be deployed in transparent or router mode. You can change this later.
• A unique password that CPM will use to gain access to this appliance. If a unique password is not specified, the default password is used.
• A basic appliance profile, ready for deployment.
To discover a device:
1 Log on to CPM Client.
2 Click Appliance Manager.
3 Click Discover in the Configuration Editor toolbar.
The Device Discovery dialog box appears.
4 Click Find.
If locally networked appliances were discovered, the Device Discovery window appears.
This window lists any factory default appliances found on your local subnet.
5 If you want to deploy the appliance in Transparent Mode, click the Transparent Mode checkbox.
6 Click the To Do cell. From the drop list, select Set IP.
Set IP appears in this cell.
7 Click the Temp IP cell, and then type a unique local-subnet IP address.
This IP address is used in the deployment process.
8 Click the Mask cell, and then type the subnet mask.
9 Click the Associated Appliance cell and then select Create New from the menu.
10 Click the CPM Password checkbox.
The Set Password dialog box appears.
11 In both Password fields, enter the CPM password.
This is for CPM appliance communication use; administrative use passwords serve a separate function and are not related to this password. For more information on CPM Administrator Accounts, see “Creating CPM Administrator Accounts” on page 51.
12 Click OK to save the password.
13 Click Apply located at the bottom of the Device Discovery window.
A confirmation dialog box appears, asking if you intend to apply all the settings made in this window.
14 Click OK to proceed.
A processing message appears in the Processing Status cell on the Device Discovery window.
15 When Device Discovery is complete, the string Temp IP set to [IP specified] appears in the Processing Status cell on the Device Discovery window.
16 Click Cancel to close the Device Discover window.
The Profiles tab now lists the appliance profile. The Configuration Status column displays Incomplete, the Last Compiled column displays Never Compiled, and the Last Deployed column displays Never Deployed. You need to configure the appliance hardware using the System Configuration tabs and create policies using the Policy tab before you can compile and deploy policies to this appliance. For more information on System Configuration, see “Configuring the Appliance Hardware” on page 78. For more information on creating policies, see “Running the CPM Default Policy Wizard” on page 80 and “Assembling the CPM Policy Components” on page 87.
Adding a new appliance record
If you do not want to discover a device, you can add a new appliance record in the Configuration Editor.
1 Log on to CPM Client.
2 Click Configuration Editor.
The Configuration Editor window appears.
3 Right-click in the Appliance/Addresses tab, and select New => New [type] Appliance from the drop list, where [type] is one of the following:
- WatchGuard Vclass or RapidStream RSSA
- RapidStream Secured by CheckPoint
The Add [type] Appliance dialog box appears.
4 Type a Name for the appliance in the Name field.
5 Select one of the three options Blank, Copy From, or On-line.
A new set of menu options appear below.
Blank
Use when you want to set up the system configuration from scratch or if this is a new “factory default” appliance.
Copy From
Use when you want to copy the system configuration from an existing appliance record.
On-Line
Use when you want to copy the system configuration from an appliance that is currently running on-line.
6 If you selected Blank, select the model number and version of the WatchGuard operating software installed on the appliance from the drop list.
7 If you selected Copy From, select the appliance record you want to copy from the drop list.
8 If you selected On-line, enter the IP address of the appliance you want to contact on-line.
9 Click Open “System Configuration” after appliance is created if you want the System Configuration dialog box to open after the appliance is added.
For more information on the System Configuration dialog box, see “Creating Network Addresses” on page 85.
10 Click OK to proceed.
Importing Licenses and Certificates (Optional)
If a factory-default security appliance needs an x.509 certificate (for use in IKE authentication), you must import the certificate contents before performing the full setup and configuration. Additionally, if you have certain extended-feature licenses that you’ve purchased for use in this appliance, you should import the licenses at this time.
To import licenses and certificates into a factory default security appliance, you need to obtain x.509 certificates or licenses and then import them.
If you do not need to import an x.509 certificate or license, proceed to “Configuring the Appliance Hardware” on page 78.
Obtaining the x.509 certificate
1 Log on to CPM Client.
2 Click Appliance Manager.
The Appliance Manager window appears.
3 Right-click the new appliance record and select Certificate from the shortcut menu.
The Certificates dialog box appears with the Certificates tab visible.
4 Click Create Request.
The Certificate Request Wizard appears.
5 Use the resulting four-stage wizard to prepare the x.509 request for the preferred Certificate Authority (CA).
6 When you are finished with the request (and have copied the text to the Clipboard), open a Web browser window and connect to the Web site of the preferred CA.
7 Open the CA site certificate request form and paste this text into the relevant field.
8 Fill in the other fields.
9 Provide the required payment information.
10 Submit the request, and then close the browser window.
You now wait for the certificate (in the form of a text file sent to you by the co-signing authority). When you receive it, import it into the Firebox.
Importing the new x.509 certificate
To import the newly received x.509 certificate:
1 Log into the CPM Client.
2 Click Appliance Manager.
The Appliance Manager window appears.
3 Right-click the row that represents the appliance that uses this new certificate. Select Certificate from the shortcut menu.
4 Click Import Certificate/CRL.
5 When the Import Certificate/CRL dialog box appears, you have two options:
- Use a text editor to open and copy the certificate data file, and then click Paste to insert the text contents into the text field in this dialog box.
- Click Load the certificate from a file and use the resulting dialog box to locate and import the certificate data file.
If the process is successful, the certificate data appears in the Import Certificate/CRL dialog box’s text field.
6 When the certificate text is present in the dialog box’s text field, click Import Certificate.
7 Click Cancel.
Importing licenses for extended features
1 Log into the CPM Client.
2 Click Appliance Manager.
The Appliance Manager window appears.
3 Right-click the record of the appliance that will use this feature and select Show License .
The [Appliance Name] License window appears.
4 Click Add.
The Import New License dialog box appears.
5 You have several options:
- Open the license file in a text editor, copy the text onto the Clipboard, and then click Paste to insert the contents into the text area in this dialog box.
- Click Load the license from a file and use the resulting dialog box to locate and import the certificate data file.
- Manually transcribe the license text from some open source.
6 Click Import License to complete the import.
The newly applied license is listed in the License window.
7 Click OK to close the License window.
The extended-feature license has now been incorporated in the appliance.
Reviewing the current licenses
If you have already configured an active appliance and want to review the extended-feature licenses previously imported into the appliance, follow these steps:
1 Right-click an appliance record in the Appliance Manager window and select Show Licenses.
The [Appliance Name] Licenses window appears, listing any licenses present in this appliance.
2 To review the complete set of active features, click Show Active Features.
The Active Features dialog box appears.
This dialog box shows the feature names, the capacity (dictated by the current license), and the expiration date.
3 When you are finished reviewing the contents, click Close to close the dialog box.
4 To review the actual text of a license, double-click the license entry in the License window.
The License Detail dialog box appears, displaying the license text.
This text cannot be copied and applied to any other appliances, because it is linked to the serial number hard-coded into the appliance.
Deleting an out-of-date license
You can remove old or out-of-date licenses from this appliance by following these steps:
1 Open the License window.
2 Select an expired license and click Delete.
A confirmation dialog box appears.
3 Click OK to confirm.
The license entry is erased from the window.
NOTE
You are not required to delete expired licenses, and they will not cause any problems.
Installing multiple licenses
When you purchase licenses for multiple Vclass appliances, they are delivered in a License Package file. This is a gzipped tar (*.tgz) format file. Internally, the file includes license and serial number information, so when you install licenses from a License Package file, only the licenses that apply to the current appliance (determined by the serial number) are applied. You must install the License Package separately to each appliance to apply or update all of your licenses.
To install a License Package:
1 Open the Appliance Manager.
2 From the Appliance menu, select Install Bulk Licenses.
3 Select the License Package file and click Open.
The Bulk License window appears.
4 Select the licenses you want to install by clicking the checkboxes in the Install column. Click Select All to select all licenses. Click Clear All to clear all licenses.
5 Click Install to install the licenses you have selected.
The applicable licenses are applied to the appliances, based on the appliance serial numbers.
Restoring the Appliance to a Factory-Default State
If you are configuring an appliance to be used as a backup or secondary appliance in a High Availability configuration, you must restore the appliance back to factory default settings after setting up the license and certificate. Note that the license and certificate are not removed during this restoration.
1 Log into the CPM Client.
2 Click Appliance Manager.
The Appliance Manager window appears.
3 Right-click the appliance record and select Operations => Restore Default.
A confirmation dialog box appears.
4 Click Yes to proceed.
After a short interval, the status of this appliance will be “out of contact.”
The appliance (and the initial CPM record) is now ready
existing appliance record, even though the appliance has been reverted to a blank state.
Configuring the Appliance Hardware
As an automatic extension of the new appliance entry process, the System Configuration window allows you to complete the hardware configurations required by this appliance.
1 Open the Configuration Editor window.
2 Locate the new appliance record in the Appliance/Address tab and right-click it.
3 Select Edit/View.
The System Configuration window opens.
4 Fill in the General tab text fields with appliance-specific information.
5 Open the Timezone menu and select the geographic setting for this appliance.
6 Click Apply.
You can now work through all of the remaining System Configuration tabs and make the necessary entries. The tabs include the following, depending upon the security appliance model number.
All appliance models
General, Interfaces, Routing, DNS, SNMP, Log Settings, Hacker Prevention, Blocked Sites
V60/V80/V100 models
High Availability, Tunnel Switch, VLAN Forward,
NTP, Advanced
For more information on completing the System Configuration tabs, see Chapter 6, “Completing the Appliance Configuration.”
Running the CPM Default Policy Wizard
After you’ve completed the initial appliance entry and configuration, you should run (or update) the Default Policy Wizard, which establishes policies for secure administrative communications between the newly recorded appliance and CPM Server.
1 Open the Configuration Editor window.
2 Select the Policies tab.
3 From the Wizards menu, select Create CPM Default Policies.
The CPM Default Policy Wizard appears.
This initial wizard displays two topology drawings:
- The configuration on the left shows an extended network with the CPM system connected to a gateway appliance, through which it is connected to other appliances over the Internet ( outside the local firewall.)
- The configuration on the right shows a local network with the CPM system connected to a collection of appliances, all inside the local firewall.
4 Click either drawing, depending upon which topology your network matches. Click Next .
If you chose the extended network
If you clicked the extended network drawing, the following screen appears.
1 From the Appliance menu, select the appliance acting as your local firewall gateway.
2 In the IP Address field, type the IP address of your CPM Server.
NOTE
If the host computer for the CPM Server software has more than one interface (usually when several NICs are in use), you should enter the IP address configured previously for the CPM Server, which is recorded in the cpm_server.conf file in the installation directory.
3 If your external connection does not use dynamic NAT and your host computer has its own IP address, click the DNAT option No button. (Otherwise, the default connection state is that DNAT is active and does apply to your CPM host computer’s external connections.)
4 Click Next to proceed.
The next screen appears, summarizing what is about to be accomplished.
5 Review the information, and then click Next to finish the process.
When the policy wizard is finished, the wizard closes and the Policy window lists two global policies:
- A “Heartbeat Tunnels” policy, for incoming IPSec traffic that directs the remote appliance’s heartbeats to the CPM Server.
- An “Allow CPM” policy that permits outgoing CPM HTTPS traffic, for use in contacting all remote appliances.
If you chose the local network
If you clicked the network drawing on the right, the following screen appears.
1 Delete any text that might appear in the IP Address field, and type the IP address of CPM Server.
NOTE
If the host computer for the CPM Server software has more than one interface (usually when several NICs are in use), you should enter the IP address configured previously for the CPM Server, which is recorded in the cpm_server.conf file in the installation directory.
2 Click Next to proceed.
The final screen appears.
3 Click Next to finish.
When the wizard is finished, it closes and the Policy tab in the Configuration Editor lists a single new policy that permits SSL traffic exchanged between all sources, including the management port IP addresses of the local security appliances.
The Configuration Editor also adds a new address entry (named “Mgmt Ports,” shown below), representing all management interfaces for all appliances.
Creating Network Addresses
Note that this appliance has been automatically registered in the Configuration Editor window as new address entries for the appliance itself and for each of the data interfaces.
You now need to create address entries associated with this appliance that represent all network entities behind each of the interfaces.
To view the automatic entries:
1 Open the Configuration Editor window.
2 Look in the Appliances/Addresses tab for this new appliance record.
3 Click the toggle to the left of this entry, as shown here.
The record expands to show the automatically generated interface address entries.
NOTE
These addresses represent the data interface, not the networks behind them.
4 Right-click the appliance entry to open the shortcut menu, and select New Address .
The Add Address dialog box appears, which you can use to enter the first of any required network-entity address records for later use in policies. For more information on adding addresses and groups, see “Cataloging Addresses for Use in Policies” on page 144.
Entering the Security Policies
The Configuration Editor assists you in the creation of security policies by organizing many policy “building blocks” into convenient tabs or dialog boxes.
The tabs to the left in the Configuration Editor are Appliances/Addresses, Services, IPSec actions, Proxy Actions, QoS actions, Schedules, and IKE proposals.
The Configuration Editor shortcut menu (which you open by right-clicking the Action cell in a policy row) provides access to other policy action options, as shown here.
The tabs to the left of this window are catalogs of components that you can add to or customize before starting on the policy-creation process. Each tab contains a default selection of basic items, which you might find adequate for your use.
Assembling the CPM Policy Components
After entering the network addresses associated with this appliance, you should enter the following before compiling policies:
• Any additional, custom services or combined service groups. Note that when using the HTTP or SMTP proxies, you should remove the “Any” service and replace it with the correct service–HTTP or SMTP.
• Any custom IPSec actions including transforms and proposals
• Any additional, custom QoS actions
• Any pertinent custom schedules
NOTE
For detailed information on defining security policies, see Chapter 7, “Defining Security Policies in CPM.”
Assembling a policy from available components
1 Open the Configuration Editor window.
2 Select the Policies tab.
3 To create a new policy row in the Policies tab, click the Add a Policy icon, shown at right.
4 Double-click the Name cell and type a policy name.
5 Drag and drop (or click and select) the Traffic Specification components:
- Source: drag one or more entries from the Appliance/Address tab
- Destination: drag one or more entries from the Appliance/Address tab
- Service: drag one or more entries from the Services tab
6 Drag and drop (or click and select) the required Action components:
- Pass, Block, Reject, or Do Proxy (the firewall options)
- IPSec (manual key or automatic key VPN actions)
- Bidirectional IPSec/VPN (set after completing a new policy)
- Dynamic NAT (activates DNAT)
- Static NAT (with a menu for directional options)
- Load Balancing
- QoS
- TOS Marking
7 Repeat this process to create policies for other devices.
Defining the Required Alarms
At this time you can open the CPM Alarm Console and review the default alarm definitions, and if needed, customize and add new definitions for use in this appliance.
For more information on the alarm definition process, see the CPM Applications Guide .
Deploying the Profile
After you have completed the tasks outlined in this chapter, you are ready to deploy the profiles to the newly recorded appliances. This makes the appliances active and enables the monitoring and maintenance of these appliances.
Compiling the profiles
1 Open the Configuration Editor. Click the Profiles tab.
2 Select any (or all) appliance entries.
3 Click the Compile button (in the tab’s top toolbar).
The profile-compilation process begins, and a status message appears in the Status column.
NOTE
If the Compile or Deploy buttons are not active, the most likely cause is a missing or wrong IP address in an appliance record. Review the System Configuration window Interface tab entries for each appliance until you find and change the error—at which time you will be able to compile and deploy the profiles.
After the profiles have been compiled from the database, the Status column reports one of the following states for each profile entry:
- No Contact: The appliance is not in communication with CPM. Use the Appliance Manager to assess the situation.
- Needs Deployment: This profile has been changed since the last deployment, and you should redeploy the contents to the relevant appliance.
- Up to date: The appliance profile has not been changed since the last deployment and you do not need to redeploy the contents.
If the profile for your new appliance displays “Needs Deployment,” you can proceed with the deployment process.
Deploying the profiles
1 Select the new appliance/profile record.
2 If you want to verify the profile’s readiness, click the now-active Compile button in the tab’s top toolbar.
The Status column now displays “Compiling” (while the Details column displays “Profile compilation in progress...”). When profile generation is complete, the Status column displays “Compilation done”.
3 With this compiled profile still selected, click the Deploy button. (Or, right-click the appliance record and select Deploy.)
NOTE
If the Deploy button is not active, the most likely cause is a missing or erroneous IP address in an appliance record.
Review the System Configuration window Interface tab entries for each appliance until you find and change the error—at which time you can deploy the profiles.
A confirmation dialog box appears, to alert you that the primary management IP address will be changed—and contact lost with this appliance—after deployment is complete.
4 Click OK to proceed.
CPM now deploys the new profile to this appliance, where it is immediately put into effect.
- The Status column notes “Deployment started.”
- The Details column notes "Deployment in progress..."
These status messages remain until replaced by the following combination of messages:
- No Contact, as noted in the Status column.
- Successful, as noted in the Last Deployed column, along with the date and time this profile was deployed. This is the key message.
- Unable to connect..., as noted in the Details column.
Relocating the Appliance
At this time, you can power down the appliance and disconnect it, prior to shipping it to its service location.
After it is delivered to its location, the appliance should be connected to the appropriate networks and then powered up.
A few minutes after power-up is complete and the Ready LED on the appliance is lit solidly (not blinking), you can use CPM to remotely establish contact with the device, for all future monitoring and maintenance. To do so, follow these steps:
1 After logging into CPM (if you’ve not already done so), open the Appliance Manager window.
2 Locate the appliance record in the group folder and select it.
The appliance entry appears in the table to the right, shaded green (for “in contact with CPM”). The Status column should read “Normal”.
NOTE
In certain circumstances, a minor alarm is triggered and the appliance row appears in yellow. You can open the Appliance Detail dialog box to get an accurate reading of the appliance’s status, as noted in the remainder of this section.
3 Double-click the appliance row.
The Appliance Detail dialog box appears.
4 Review the Availability indicator, highlighted above. It should be green, and should display “Contacted.” The Interface/Port indicators should list the proper IP addresses and be green.
You’ve successfully configured and deployed a working appliance.
CHAPTER 6
Completing the Appliance Configuration
The System Configuration dialog box assists in the recording of a variety of appliance-specific options that optimize your appliance for your specific network environment. You can also use the System Configuration dialog box to revise existing system settings in operational appliances, as needed.
Although appliance configurations are immediately stored in the CPM Server database, they are not put into effect until you deploy a complete appliance profile to the actual device. Do this after completing the profile and adding policies, alarm definitions, and log file settings to the profile.
Configuring a New WatchGuard Appliance
1 Log on to CPM Client.
2 Click Configuration Editor .
The Configuration Editor window appears.
3 Right-click an appliance record (in the Appliances/Addresses list) and select Edit/View.
The System Configuration dialog box appears, displaying the General tab.
Completing the General Entries
You can use the General tab to enter a basic set of appliance-informational entries. To do so, follow these steps:
1 In the Appliance Name field, type the name of the appliance.
2 In the Location field, type the location (current or intended) of this appliance.
The entry can be a city, state, or country name, a building and floor number, any combinations of these, or a simple identifier such as “my_office.”
3 In the Contact field, type the name of the person who will be locally responsible for administration of this appliance–if anyone has been assigned that responsibility.
4 Click Local Admin if you want to assign a password for use when logging in as admin (Vclass) or rsadmin (RSSA) with CLI or Vcontroller.
NOTE
This local password supersedes the existing “admin” or “rsadmin” access password after the initial deployment of CPM-generated configurations. If an administrator needs to use the WatchGuard Vcontroller, RapidStream Manager, or CLI to administer that appliance, the new password applies.
The Local Admin Account dialog box appears.
5 In the Local Admin Password text field, type the new password, using 6 to 16 alphanumeric characters.
6 Click OK to save the new settings and close this dialog box.
7 Review the Configured Model and Configured Version information. If you need to change this information, click Migrate, and enter the correct model number and version of the appliance operating system.
The generic model is used for appliances that are already online. It is replaced with the correct model/ version after CPM contacts it.
8 Click Apply .
Completing the Interfaces Entries
In Router Mode , you must configure the IP addresses and network (or subnet) masks for all of the accelerated data interfaces incorporated into this appliance before you can compile and deploy the configuration.
In Transparent Mode , you must enter a single IP address and network mask, called the System IP and the System Mask .
In Transparent Mode, all of the appliance interfaces use the same IP address and network mask.
The choice of IP address for Interface 1 (Public) determines how the appliance should obtain the IP address for this interface, how CPM should compile IKE policies for this appliance, and how CPM should contact this appliance after the appliance uses this configuration.
If you choose static IP:
• The appliance does not perform DHCP or PPPoE when the interface is initialized. The IP address specified is used as the IP address of this interface.
• CPM creates IKE policies with this appliance as the peer when IKE with this appliance is required.
• If this interface is selected as the interface for CPM management, CPM will use its IP address to contact the appliance.
If you choose DHCP or PPPoE:
• The appliance performs DHCP or PPPoE to obtain the IP address for this interface.
• Because CPM assumes that this IP address may change from time to time, it does not create IKE policies with this appliance as the IKE peer. Instead, it creates IKE policies that initiate IKE from this appliance and creates IKE policies for its peer to accept IKE from ANY.
• If this interface is the interface for CPM management, CPM relies on the heartbeat message from the appliance for the IP address to contact.
Users must make sure the IP address is specified correctly. If the appliance obtains a different address, the policies that use this IP address will not work. This can also cause CPM to use an incorrect IP address to contact this appliance. If this happens, you must correct the IP address in this tab and recompile to fix the profile. You must also correct the IP address in the management setting of this appliance so CPM can contact the appliance.
1 Click the Interfaces tab.
The Interfaces tab displays a set of interfaces with different options corresponding to the specifications of the appliance model number. In every case, you will see a different set of interface options.
2 For a Vclass appliance at software version 5.0 or higher, select Router Mode or Transparent Mode. For more information on this choice, see “About Router Mode and Transparent Mode” on page 14.
Figure 1: Interfaces window in Router Mode
Figure 2: Interfaces window in Transparent Mode
In Transparent mode
• Type the IP address for the System IP and the System Mask. This is the only configuration information required for interfaces in Transparent Mode.
In Router Mode
• In each pair of interface-specific text fields, enter the IP Address and Network Mask assigned to that data interface.
3 Click Enable DHCP Server/DHCP Relay if you want to enable DHCP on Interface 0 (Private).
DHCP Server allows the Firebox Vclass to act as a DHCP server, leasing addresses to DHCP clients.
DHCP Relay allows the Vclass appliance to operate as a DHCP agent, relaying addresses from a separate DHCP server to DHCP clients.
NOTE
You can enable DHCP only on the following appliances: Firebox V10, V60, V80, V100, V200 and RSSA 500, 2000, 4000, 6000, 8000. For RSSA 500, the maximum number of DHCP client IP addresses is 20. For all other models, it is 253 (subject to license).
4 If you enabled DHCP Server or DHCP Relay, click Detail.
The DHCP Server dialog box appears.
- To set up the appliance as a DHCP server, click DHCP Server, and type the number of clients and leasing time.
- To set up the appliance to relay DHCP addresses from a separate DHCP server, click DHCP Relay , and type the IP address of the DHCP server.
Click OK to save these settings, or click Cancel to return to the Interfaces page.
5 If you want to use WAN Interface Failover, click Backup Connection. WAN Interface Failover allows you to specify a backup ISP to provide Internet service to Interface 1, in the event of an ISP network outage.
6 Select the Enable WAN Interface Failover checkbox to enable failover to another ISP. Configure the interface as previously described, by clicking Static, DHCP, or PPPoE and entering the required values.
NOTE
If PPPoE is selected for the backup WAN, it must be configured as Always On.
7 Establish Connection Failure Detection criteria.
This section of the window allows you to type up to three different IP addresses that the appliance should be able to ping, to determine whether the WAN is up or down, and timing values to determine when the ISP has failed.
8 Type up to three IP addresses for public, well-known and robust internet sites that allow ping . Examples include Yahoo, Google, and local government sites. Do a DNS lookup for IP addresses for these sites, and remember that pingable addresses might change frequently for large sites.
9 In the Polling Interval field, type the polling interval in seconds to determine a failure. This value determines the amount of time between ping sessions to test the servers listed in the previous step. The default is 30 seconds.
10 In the Polling Timeout field, type the polling timeout in seconds to determine a failure. The default is 5 seconds. If none of the listed servers respond to a ping request within the specified interval, the connection is considered failed, and a failover occurs.
11 In the last field on this dialog, type the number of minutes you want to elapse between successive failovers. The default is 10 minutes.
Since each failover requires a system restart, processing is interrupted for a brief period during failover. If both your
Primary and Backup WAN connections are subject to frequent failure, this can lead to a lot of processing interruptions. This setting allows you to minimize downtime for the Firebox, with the tradeoff that the WAN or internet might not be available for longer periods of time.
12 Click OK to return to the Interfaces configuration window.
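The Connection Failure Detection settings above (up to three ping targets, Polling Interval, Polling Timeout, and the minutes between successive failovers) combine into one decision rule. The following Python simulation is an added example and not WatchGuard code; it applies that rule to constructed ping results and assumes that a reply from any one configured target within the timeout counts as the WAN being up, and that the minutes-between-failovers value acts as a hold-down that suppresses a further failover until it has elapsed. The target addresses are RFC 5737 documentation addresses, not real servers.

```python
"""Hypothetical simulation of the WAN Interface Failover detection rules.

Added example code, not WatchGuard's implementation. It models the settings
from the Backup Connection dialog: up to three ping targets, a polling
interval, a polling timeout, and a minimum number of minutes between
successive failovers. Ping replies are constructed data, not real probes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FailoverConfig:
    targets: List[str]               # up to three public addresses that answer ping
    polling_interval_s: int = 30     # seconds between ping sessions (manual default: 30)
    polling_timeout_s: int = 5       # seconds to wait for a reply (manual default: 5)
    min_minutes_between: int = 10    # minimum minutes between failovers (manual default: 10)

    def __post_init__(self) -> None:
        if not 1 <= len(self.targets) <= 3:
            raise ValueError("specify one to three ping targets")


def wan_is_up(cfg: FailoverConfig, rtt_by_target: Dict[str, Optional[float]]) -> bool:
    """The WAN counts as up if at least one configured target answered within the timeout.

    rtt_by_target maps a target to its round-trip time in seconds, or None for no reply.
    Replies from hosts that are not configured targets are ignored (assumption).
    """
    return any(
        rtt is not None and rtt <= cfg.polling_timeout_s
        for target, rtt in rtt_by_target.items()
        if target in cfg.targets
    )


@dataclass
class FailoverDetector:
    cfg: FailoverConfig
    last_failover_at: Optional[float] = None
    events: List[str] = field(default_factory=list)

    def poll(self, now: float, rtt_by_target: Dict[str, Optional[float]]) -> bool:
        """One ping session at time `now` (seconds). Returns True when a failover is triggered."""
        if wan_is_up(self.cfg, rtt_by_target):
            return False
        hold_down = self.cfg.min_minutes_between * 60
        if self.last_failover_at is not None and now - self.last_failover_at < hold_down:
            # The manual notes every failover restarts the system, so repeated
            # failovers are throttled by the configured number of minutes.
            self.events.append(f"t={now:.0f}s: WAN down, failover suppressed by hold-down")
            return False
        self.last_failover_at = now
        self.events.append(f"t={now:.0f}s: WAN down, failover to backup connection")
        return True


def run_scenario() -> List[str]:
    """Constructed scenario using RFC 5737 documentation addresses as ping targets."""
    cfg = FailoverConfig(targets=["198.51.100.1", "198.51.100.2", "198.51.100.3"])
    det = FailoverDetector(cfg)
    silent = {t: None for t in cfg.targets}
    # t=0: two targets silent, one slow but inside the 5 s timeout -> still up.
    det.poll(0.0, {"198.51.100.1": None, "198.51.100.2": 4.9, "198.51.100.3": None})
    # t=30: next session, every target silent -> failover.
    det.poll(30.0, silent)
    # t=60: still silent, but inside the 10 minute hold-down -> suppressed.
    det.poll(60.0, silent)
    # t=630: hold-down has elapsed -> a second failover is allowed.
    det.poll(630.0, silent)
    return det.events


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

Running the scenario shows why the manual's note about frequent failures matters: with both ISPs flapping, the hold-down value is the only thing that limits how often the appliance restarts.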
13 Click one of the checkboxes to define how the IP address will be assigned for Interface 1 (Public). The choices are Static IP, DHCP, or PPPoE. The text entry fields change based on the checkbox you select. For example, IP Address and Netmask appear if you select Static IP.
NOTE
Only Static is supported for RSSA 1000, 2000, 4000, 6000, and 8000.
14 If the Public interface is not Internet routable, click the If the Public IP is not Internet routable check box.
A Detail button appears.
The Routable IP dialog box allows you to specify a static IP address to use to contact the appliance, if it is behind a NAT device or if the public port address is using DHCP or PPPoE. You can also specify that a dynamic IP address be used, if the appliance is connected to the internet through an ISP, and the IP address is unknown. In these cases, the address is not internet routable, and must be contacted through an alternate method.
15 Click the Detail button.
The Routable IP dialog is displayed.
16 Select Dynamic or Static to select the Routable IP routing method.
- Dynamic: The appliance is connected to the internet through an ISP, and the IP address is unknown.
- Static: The appliance is behind a NAT device, or the public port address uses DHCP or PPPoE. Type the IP address of the NAT device, or the IP address of the external network.
If HA/Active-Active is enabled, you must specify a routable IP address for the secondary appliance.
17 Click to select the Enable Port-Shaping checkbox if you want to activate system-wide port shaping for the available port interfaces.
A Detail button appears in the Interfaces tab.
18 Click Detail to open the Specify Port Bandwidth dialog box.
This dialog box allows you to precisely adjust the output/ throughput of the available accelerated data interfaces. Values can be recorded in either Kbps or Mbps.
19 In each interface-specific field (as needed), type the appropriate number, according to your selections from the Increment menus.
In most cases, you will want to set bandwidth for the Public port only, because that network connection will probably be the slowest.
20 From the Use port name drop-down list, select the interface to be used for CPM management connections (after the new configuration is deployed to this appliance).
NOTE
By specifying this port, you are providing the necessary topology information for CPM to determine the policy needed for CPM traffic and how CPM should contact this appliance.
- CPM adds the port to the “Mgmt Ports” address object that is created by CPM Default Policy Wizard (see “Running the CPM Default Policy Wizard” on page 80). This creates the required policy during policy compilation.
- If the port has a static IP address (including static routable IP) and the Change Management Setting after Deployment checkbox is selected, CPM automatically uses that IP address to contact the appliance after deploying the profile to the appliance. If the port has dynamic IP, CPM relies on the heartbeat.
21 If you want CPM to automatically change the management settings for this appliance according to these interface entries after the configuration is deployed, click the Change Management Setting after deployment checkbox. This ensures that CPM can:
- Use a new IP address to contact the appliance if the management interface IP address changes
- Use the appliance’s serial number (embedded in the heartbeat) to manage the appliance if the designated management interface of the appliance is dynamically assigned by the ISP
NOTE
You can change the management setting manually from Appliance Manager at any time.
22 If you want to specify the MTU and link speed for each interface, click Advanced.
The Advanced dialog box appears.
23 Enter the MTU and link speed, and select the Specification and Duplex settings from the drop list. Click OK to save and close the Advanced dialog box.
24 Click Apply to save the changes in the Interfaces tab.
If you need to change the IP address information for any of these interfaces at a later time, you can do so by reopening this dialog box tab and making the changes.
Completing the Routing Entries
You use the Routing tab to set up static or dynamic routes.
Firebox Vclass supports 3 dynamic routing protocols, which are built on the GNU Zebra (http://www.zebra.org) routing software:
• Routing Information Protocol (RIP) version 1 and 2
• Open Shortest Path First (OSPF)
• Border Gateway Protocol (BGP)
NOTE
Dynamic routing currently does not support MIBs, SNMP, multicast, or IPv6 routing protocols.
NOTE
Dynamic Routing is not supported in Transparent Mode.
All routing configurations depend upon the following qualifications:
• The appliance listens on the Private interface, not the Public or DMZ interface
To enter the preferred routes, follow these steps:
1 Click the Routing tab.
2 To catalog the first of any static routes that will be used by network traffic passing through this appliance, click Add.
The Add Route dialog box appears.
3 In the Destination , Network Mask , and Gateway fields, enter the information necessary for a route.
4 From the Interface/Port menu, select the port used for this route.
5 In the Metric field, type the number of hops in this route.
6 Click OK to close the dialog box and add this route to the tab contents.
7 Repeat this process to catalog all other static routes.
8 If you want to use the Dynamic Routing, click the Enable Dynamic Routing checkbox.
9 Select the type of Dynamic Routing you want to use (RIP, OSPF, or BGP), and click Enable protocol.
After you enable the protocol, you can type your configuration file contents into the text box, or click Copy from file to paste in the contents of an existing configuration file.
10 When you have finished making changes to the Routing tab, click Apply to save all the new entries.
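The route fields entered in the Add Route dialog (Destination, Network Mask, Gateway, Interface/Port, Metric) are what the appliance consults to pick a next hop for each packet. The following Python example is added here and is not WatchGuard code; it shows a longest-prefix lookup over a constructed static route table built from those fields, using the standard rule that the most specific route wins and, among equal prefixes, the lowest metric wins. The manual does not describe the appliance's own selection order, so the metric tie-break, the route table and the test addresses are all assumptions for illustration.

```python
"""Added example (not WatchGuard code): longest-prefix lookup over a static
route table made of the fields entered in the Add Route dialog. Routes and
addresses are constructed from RFC 1918 and RFC 5737 ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StaticRoute:
    destination: str
    network_mask: str
    gateway: str
    interface: str      # Private, Public, or DMZ, as offered by the Interface/Port menu
    metric: int         # hop count, as typed in the Metric field

    @property
    def network(self) -> ipaddress.IPv4Network:
        # strict=False tolerates a host bit left set in the Destination field
        return ipaddress.IPv4Network(f"{self.destination}/{self.network_mask}", strict=False)


def lookup(routes: List[StaticRoute], dst: str) -> Optional[StaticRoute]:
    """Pick the most specific matching route; among equal prefixes, the lowest metric wins."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


# Constructed route table, as it might look in the Routing tab after step 7.
ROUTES = [
    StaticRoute("0.0.0.0", "0.0.0.0", "203.0.113.1", "Public", 1),           # default route
    StaticRoute("10.0.0.0", "255.0.0.0", "192.168.1.254", "Private", 2),
    StaticRoute("10.20.0.0", "255.255.0.0", "192.168.1.253", "Private", 1),
    StaticRoute("10.20.0.0", "255.255.0.0", "192.168.1.252", "Private", 3),  # backup path, higher metric
    StaticRoute("172.16.5.0", "255.255.255.0", "172.16.0.1", "DMZ", 1),
]


if __name__ == "__main__":
    for dst in ("10.20.7.7", "10.99.1.1", "172.16.5.40", "198.51.100.9"):
        r = lookup(ROUTES, dst)
        print(dst, "->", r.gateway, "via", r.interface)
```

A lookup that returns None means the packet has no route at all, which is why the table above carries a default route; without one, only destinations inside the listed networks would be reachable.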
Completing the DNS Entries
The Domain Name Server (DNS) tab allows you to catalog all local DNS servers that might be used by this security appliance.
1 Click the DNS tab.
2 In the Domain Name field, type the domain name used for this security appliance.
3 To start cataloging the DNS servers, click Insert .
The DNS Server dialog box appears, as shown here.
4 In the blank numeric text field, type the IP address of a DNS server.
5 Click the Add button to save this entry in the DNS Servers list.
6 Repeat this process to record the IP addresses of other DNS servers.
7 If more than one server is listed in this tab, you can shuffle the search order by choosing a server entry and then clicking the Up or Down buttons until each server appears in the proper order.
8 When you are finished with the DNS tasks, click Apply to save your new entries.
Completing the SNMP Entries
The CPM software allows you to assign this security appliance to an SNMP community, so it can be monitored through SNMP management stations. You can also configure this appliance so that an SNMP trap is sent to management stations when certain alarms are triggered. This tab assists you in the following tasks:
• Adding required IP addresses of management stations
• Recording the SNMP community string
• Activating the SNMP trap
NOTE
For a complete list of supported MIBs in the CPM software, open and review the MIB files that are stored on the CPM CD.
1 Click the SNMP tab.
The SNMP Management Stations area (currently empty) lists the IP addresses (one or more) of all the network management stations that will receive SNMP traps when generated by this WatchGuard appliance.
2 To add a specific management station to this list, click Add.
The SNMP Management Station dialog box appears.
3 Type the station’s IP address in the blank numeric text field.
4 Click the Add button to catalog this management station in the SNMP tab.
5 If necessary, repeat the SNMP Management Station dialog box process to record the IP addresses of all other management stations that will be monitoring this security appliance.
6 If you are going to enable the SNMP management, in the Community String field, type the password text that will identify the appliance to the management station.
7 If you want this security appliance to send any alarm-triggered traps to the listed management stations, click to select the Enable SNMP Trap checkbox.
Although no traps will be sent if you deactivate this option, any triggered alarms will still be logged in the appliance or emailed to the appropriate WatchGuard appliance administrator.
8 When you are finished with the SNMP tab, click Apply to save your new entries.
Completing the Log Settings Entries
1 Click the Log Settings tab.
2 The Log Settings workspace provides two sets of options pertaining to the two separate log types, Traffic and Event:
- Click to select the Enable Traffic Logging checkbox to activate the WatchGuard logging function for all data traffic passed through this WatchGuard appliance.
- Click to select the Enable Event Logging with Log Level checkbox, and then click the slider below this checkbox and move it until it is level with the desired logging level.
The slider allows you to include fewer events or more events in your event log file–depending upon which selection you make. The “Critical Events only” selection creates a basic log file including only major events, while the remaining selections below add increasing amounts of information and detail to the log file.
NOTE
Because the system purges the contents of the log files when a certain size is reached (usually a maximum of 200 Kb), the more events you include, the more often the logs are purged. See the CPM Applications Guide for more information about appliance logging.
3 If you want to enable remote logging, select the Remote Logging to checkbox, and type the IP address of the syslog server where you want the remote logs saved.
The Detail button is enabled.
4 Click Detail if you want to define the facility and priority settings of remote logs.
The Remote Log Detail dialog box appears.
NOTE
The Remote Log Detail dialog box is supported only on the following appliances: Firebox V10, V60, V80, V100, V200 and RSSA 500, 2000, 4000, 6000, 8000.
5 Use the drop list to define Facility and Priority of Alarms, Events, Traffic, P1Sa, and Ras for remote logs.
Click OK to save and close the dialog box.
6 When you have finished with the Log Settings tab, click Apply to save your new entries.
For more information about configuring a syslog server to accurately store all log files from a range of Firebox Vclass appliances, review the tech notes available in the WatchGuard support Web site.
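The facility and priority you choose in the Remote Log Detail dialog box end up in the syslog PRI field of every message the appliance sends, and a syslog server that collects from several Firebox Vclass appliances can use them to separate the log classes into different files. The following Python script is an added example, not WatchGuard code or output: it encodes and decodes the PRI value, builds messages for a constructed facility assignment (local0 for Alarms, local1 for Events, local2 for Traffic; the values you pick in the dialog may differ), and routes a constructed sample stream by hostname and facility.

```python
"""Syslog facility/priority handling for the Remote Log Detail settings.

Added example, not WatchGuard code.  The Remote Log Detail dialog gives each
log class (Alarms, Events, Traffic, ...) its own syslog facility and priority.
A BSD syslog (RFC 3164) line carries both in its leading <PRI> field as
facility * 8 + severity, so a collector receiving one stream from several
appliances can split it back into per-appliance, per-class files.  The
facility assignments and the sample lines below are constructed.
"""
import re
from collections import defaultdict

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, "ntp": 12, "logaudit": 13,
              "logalert": 14, "clock": 15, "local0": 16, "local1": 17,
              "local2": 18, "local3": 19, "local4": 20, "local5": 21,
              "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

# Constructed assignment: a distinct local facility per Firebox log class.
LOG_CLASS_SETTINGS = {
    "Alarms": ("local0", "alert"),
    "Events": ("local1", "notice"),
    "Traffic": ("local2", "info"),
}


def encode_pri(facility: str, severity: str) -> int:
    """PRI value written between the angle brackets of a syslog line."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri: int):
    """Split a PRI value back into (facility name, severity name)."""
    if not 0 <= pri <= 191:                 # 24 facilities * 8 severities
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITY_NAMES[pri // 8], SEVERITY_NAMES[pri % 8]


def format_message(log_class, hostname, text, timestamp="Mar  9 12:00:00"):
    """Build the RFC 3164 line an appliance would send for one log class."""
    facility, severity = LOG_CLASS_SETTINGS[log_class]
    return f"<{encode_pri(facility, severity)}>{timestamp} {hostname} firebox: {text}"


# <PRI>TIMESTAMP HOSTNAME MSG; \s+ keeps the BSD double space before a one-digit day.
_LINE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")


def route_by_facility(lines):
    """Group lines by (hostname, log class); unknown facilities go to 'other'."""
    class_by_facility = {FACILITIES[f]: cls
                         for cls, (f, _) in LOG_CLASS_SETTINGS.items()}
    routed = defaultdict(list)
    for line in lines:
        m = _LINE.match(line)
        if not m:
            routed[("unparsed", None)].append(line)
            continue
        try:
            facility, severity = decode_pri(int(m.group(1)))
        except ValueError:
            routed[("unparsed", None)].append(line)
            continue
        log_class = class_by_facility.get(FACILITIES[facility], "other")
        routed[(m.group(3), log_class)].append((severity, m.group(4)))
    return dict(routed)


# Constructed sample stream: two appliances, an unrelated host, and a bad line.
SAMPLE_LINES = [
    format_message("Alarms", "fbx-hq", "SYN flood threshold exceeded on interface 1"),
    format_message("Traffic", "fbx-hq", "pass tcp 10.10.1.5:51234 -> 198.51.100.5:443"),
    format_message("Events", "fbx-branch", "configuration profile deployed"),
    "<13>Mar  9 12:00:01 other-host sshd: Accepted publickey",
    "garbage line without PRI",
]

if __name__ == "__main__":
    for key, entries in sorted(route_by_facility(SAMPLE_LINES).items(), key=str):
        print(key, entries)
```

Giving each log class its own facility is what makes the split possible: a collector that only sees the severity cannot tell an Alarms line from a Traffic line once several appliances share one stream.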
Completing the Hacker Prevention Entries
1 Click the Hacker Prevention tab.
The Hacker Prevention tab appears, displaying the default values.
2 Select and configure the Denial-of-Service Prevention options.
The following options safeguard your servers from denial-of-service attacks. Such attacks flood your network with "requests" for information, clogging your servers and possibly shutting down your site. After you activate these options and set threshold numbers for this Firebox Vclass appliance, it rate-limits such attacks: if more than the specified number of requests arrive within one second, the security appliance drops the excess requests within that same second while permitting the acceptable number of requests to pass through. This protects your servers from becoming overwhelmed by too many requests within a short period of time. The thresholds count packets without distinguishing attack traffic from legitimate traffic, so set them above the peak rate your servers normally see.
ICMP Flood Attack
Allows you to safeguard your network from a sustained flood of ICMP pings. You can change the threshold number in the accompanying text field to a value that will trigger the denial-of-service protection.
SYN Flood Attack
Allows you to safeguard your network from a sustained flood of TCP SYN requests without the corresponding ACK response. You can change the threshold number in the accompanying text field to a value that will trigger the denial-of-service protection.
UDP Flood Attack
Allows you to safeguard your network from a sustained flood of UDP packets. You can change the threshold number in the accompanying text field to a value that will trigger the denial-of-service protection.
Ping of Death
Safeguards your network from user-defined large data-packet pings.
IP Source Route
Safeguards your network from packets that carry IP source-routing options, which attackers pair with spoofed (false) client IP addresses to steer traffic around firewall security.
3 Select the Distributed Denial-of-Service Prevention options.
As a subset of denial-of-service attacks, distributed DoS attacks occur when hackers coordinate a number of "borrowed" computers for malicious purposes and program them to simultaneously assault a network with information requests. If allowed to pass through, they can overwhelm and crash your Web servers.
Per Server Quota
Allows you to safeguard your servers from coordinated denial-of-service attacks against any single server. You can change the threshold number in the accompanying text field to a value that represents the maximum request capacity (per second) of that server. If there are more than the specified number of connection requests within a second, the Firebox Vclass appliance drops the excess requests within that same second. This protects your server from being overwhelmed by too many connection requests in a short period of time.
Per Client Quota
Restricts the number of connection requests from a single client within a second. You can change the threshold number in the accompanying text field to a value that represents the maximum number of requests (per second) from a single client. If there are more than the specified number of connection requests within a second, the Firebox Vclass appliance drops the excess requests within that same second.
4 When you have finished with the Hacker Prevention tab, click Apply to save your new entries.
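The following Python model is an added example, not WatchGuard code, that shows how the per-second thresholds described in steps 2 and 3 behave on a packet trace: the ICMP, SYN and UDP flood thresholds count all matching packets on the appliance, Per Server Quota counts connection requests per destination, Per Client Quota counts them per source, and anything above a limit within one second is dropped while the first N pass. The evaluation order, the threshold values and the traffic trace are assumptions chosen for the illustration; the guide does not state in which order the appliance applies these checks.

```python
"""Per-second thresholds from the Hacker Prevention tab, modelled in code.

Added example, not WatchGuard code.  Every counter on the tab works the same
way: count matching packets per second, pass the first N, drop the excess for
the rest of that second.  Flood thresholds (ICMP, SYN, UDP) count all matching
packets; Per Server Quota counts connection requests per destination; Per
Client Quota counts them per source.  The guide does not give an evaluation
order; here the per-client check runs before the per-server one so a single
abusive client exhausts its own quota, not the server's.  Thresholds,
addresses and the trace are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, Hashable, List, Tuple


@dataclass
class Packet:
    ts: float           # arrival time in seconds
    src: str
    dst: str
    proto: str          # "icmp", "udp" or "tcp"
    syn: bool = False   # TCP SYN without ACK, i.e. a connection request


@dataclass
class Threshold:
    name: str
    limit: int                               # matching packets allowed per second
    match: Callable[[Packet], bool]
    key: Callable[[Packet], Hashable]        # None key = one counter for the appliance
    counts: Dict[Tuple[int, Hashable], int] = field(default_factory=dict)

    def admit(self, pkt: Packet) -> bool:
        """Count the packet in its one-second bucket; False once over the limit."""
        if not self.match(pkt):
            return True
        bucket = (int(pkt.ts), self.key(pkt))
        self.counts[bucket] = self.counts.get(bucket, 0) + 1
        return self.counts[bucket] <= self.limit


def is_conn_request(p: Packet) -> bool:
    return p.proto == "tcp" and p.syn


def build_thresholds(icmp=2, syn=10, udp=5, per_client=2, per_server=3) -> List[Threshold]:
    """Thresholds in evaluation order; the values are constructed for the sample."""
    return [
        Threshold("ICMP Flood Attack", icmp, lambda p: p.proto == "icmp", lambda p: None),
        Threshold("SYN Flood Attack", syn, is_conn_request, lambda p: None),
        Threshold("UDP Flood Attack", udp, lambda p: p.proto == "udp", lambda p: None),
        Threshold("Per Client Quota", per_client, is_conn_request, lambda p: p.src),
        Threshold("Per Server Quota", per_server, is_conn_request, lambda p: p.dst),
    ]


def filter_traffic(packets, thresholds):
    """Return (passed packets, {threshold name: dropped count}).

    A packet rejected by one threshold is not offered to the later ones, so it
    does not consume their budget; the earlier thresholds have already counted it.
    """
    passed, dropped = [], defaultdict(int)
    for pkt in sorted(packets, key=lambda p: p.ts):
        for th in thresholds:
            if not th.admit(pkt):
                dropped[th.name] += 1
                break
        else:
            passed.append(pkt)
    return passed, dict(dropped)


def sample_trace() -> List[Packet]:
    """Constructed: one client SYN-floods a server, pings arrive, a second client connects."""
    server = "198.51.100.5"
    pkts = [Packet(10.0 + i / 10, "203.0.113.9", server, "tcp", syn=True) for i in range(6)]
    pkts += [Packet(10.01 + i / 100, "192.0.2.200", server, "icmp") for i in range(4)]
    pkts.append(Packet(10.55, "192.0.2.77", server, "tcp", syn=True))   # legitimate client
    pkts.append(Packet(11.0, "203.0.113.9", server, "tcp", syn=True))   # next second: counters reset
    return pkts


def run_sample():
    return filter_traffic(sample_trace(), build_thresholds())


if __name__ == "__main__":
    passed, dropped = run_sample()
    print(f"{len(passed)} passed, dropped: {dropped}")
```

Running the sample, the flooding client gets its first two SYNs through and loses the rest of that second to Per Client Quota, the ICMP flood loses everything past the second ping, the legitimate client still reaches the server, and the flooder's first SYN of the next second passes again because every bucket is keyed on the whole second.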
Completing the High Availability Tab
The High Availability tab appears only if the model of Firebox Vclass appliance being configured incorporates one or more HA interfaces. High Availability (HA) allows you to set up a system that activates an almost instantaneous replacement of a primary appliance with a secondary appliance in the event of system failure. This identically profiled secondary appliance takes over all traffic control in place of the failed primary appliance.
There are two High Availability modes: Active/Standby and Active/Active. Active/Standby is available for all models that have an HA interface. Active/Active is available for V80 and V100 models, and requires the purchase of a software upgrade license. Please refer to the WatchGuard Web site for information on purchasing software upgrade licenses: https://www.watchguard.com/upgrade
Active/Standby
In Active/Standby mode, when a primary appliance fails, the passive appliance comes online with a full copy of the state table and VPN tunnels, to provide maximum uptime and network availability. Active/Standby is available for all models that have an HA interface. In this mode, both appliances are configured with the same system name, IP address, and configuration information.
Active/Active
In Active/Active mode, the paired appliances process traffic in parallel, and use transparent state failover. In the case of a failure, all processing and traffic transitions seamlessly to the appliance that is still working. System configuration, security policies, active connections, and VPN tunnels are shared between the two active appliances. Both appliances are sending and receiving packets, so processing throughput is potentially doubled. If one appliance fails, the other is fully aware of the state of all connections and can continue carrying the load without dropping any packets. Active/Active mode requires the purchase of an upgraded software license.
Configuration comparison between Active/Standby and Active/Active mode
Host Name
Active/Standby: Same for primary and secondary appliances.
Active/Active: Different for primary and secondary appliances.
IP addresses
Active/Standby: Same for primary and secondary appliances.
Active/Active: Different for primary and secondary appliances.
MAC address
Active/Standby: Same for primary and secondary appliances. Uses VRRP-defined MAC addresses.
Active/Active: Different for primary and secondary appliances. Uses the devices' factory MAC addresses.
Sending/Receiving Packets
Active/Standby: Only the Active appliance can send and receive packets.
Active/Active: Both Active appliances can send and receive packets, potentially doubling system throughput.
To learn how to set up an HA Active/Active connection, see the High Availability Guide .
To set up CPM Client to manage an HA Active/Standby connection:
Before you begin, connect the two Firebox Vclass appliances through the HA port:
- Connect the Private interface (0) of the Active (primary) device to the hub or switch.
- Connect the Private interface (0) of the Standby device to the same hub or switch.
- Connect the HA interfaces with crossover cables.
- Connect the management station to the hub.
1 Click the High Availability tab.
2 Click to select the checkbox marked Enable High Availability if you want to enable this feature.
The Active/Standby and Advanced buttons become available.
3 Select Active/Standby to enable High Availability in Active/Standby mode.
4 If desired, click Extra HA traffic protection, and type and confirm a Shared Secret.
This feature is optional, and can be left blank if you do not need to encrypt the state-sync information sent between these appliances during normal operation. Encryption is not necessary if the HA1 interfaces are connected directly with a crossover cable; if the HA link passes through a shared hub or switch, set a shared secret so that other hosts on that segment cannot read the HA state.
NOTE
The HA shared secret is used to encrypt HA state-sync information. VPN tunnel information is always encrypted even if this encryption is disabled.
5 Click Advanced.
The Advanced HA Settings dialog box appears.
6 Click the checkbox of each port you want the backup appliance to monitor.
7 Enter an HA Group ID, if you want to use a different one than the default.
HA Group IDs are used to identify High Availability Active/Standby pairs on your network. Each HA Active/Standby pair should have a separate Group ID.
8 Click the checkbox to select the HA interface you want to enable and send HA heartbeats over.
9 Enter the Primary IP address, Secondary IP address, and Netmask of the HA interface you enabled.
10 Click OK.
Completing the Tunnel Switch Entries
If this model of security appliance incorporates Tunnel Switch hardware functionality, the Tunnel Switch tab appears in the System Configuration dialog box. You can use this tab to enable the hardware features. After that, you must set up the policies required to enact tunnel switching with qualifying data streams.
NOTE
Tunnel switching is supported only on the following appliances: Firebox V60, V80, V100, V200 and RSSA 2000, 4000, 6000, 8000.
1 Click the Tunnel Switch tab.
2 Click to select the checkbox marked Enable Tunnel Switch if you want to enable this feature.
3 Click Apply to save this change to the configuration.
For more information about tunnel switching configuration and setup, see "Establishing Tunnel Switching" on page 251.
Completing the VLAN Forwarding Tab
Your network may include a number of VLANs (either classic VLAN or multi-tenant domains). As a result, you may need to create security policies to route traffic between two separate domains that use the same VLAN switch. In such a situation, which is known as “VLAN forwarding,” you can enter such inter-VLAN policies in CPM, but you must activate VLAN forwarding, as described in this section.
VLAN forwarding is a feature built into certain Firebox Vclass models. This function is inactive by default.
NOTE
VLAN forwarding is supported only on the following appliances: Firebox V60, V80, V100, V200 and RSSA 2000, 4000, 6000, 8000.
To activate the VLAN forwarding components of a Firebox appliance, follow these steps:
1 Open the System Configuration window for the designated appliance.
2 Click the VLAN Forwarding tab.
If this tab is not visible, the selected Firebox model does not incorporate VLAN-forwarding capabilities.
3 Click to select the checkbox marked Enable inter-VLAN forwarding.
4 Click Apply. Click OK to close the window.
After you deploy this revised profile, the appliance will be ready for inter-VLAN communications.
Completing the NTP Tab
This tab allows you to specify whether you want to enable a connection between the Firebox Vclass appliance and NTP servers. An NTP server synchronizes the time setting on the Firebox Vclass appliance; Vclass appliances can use any of three NTP servers for this. Accurate time also keeps the appliance's log and alarm timestamps consistent with those of your syslog server and your other appliances.
NOTE
Connecting to NTP servers is supported only on the following appliances: Firebox V10, V60, V80, V100, V200 and RSSA 500, 2000, 4000, 6000, 8000.
1 Click the NTP tab.
2 Click the Enabled checkbox to establish a connection between the NTP server and Firebox Vclass appliance.
3 Enter the IP address of the NTP server you want the Firebox Vclass appliance to connect to when enabled.
4 Click Apply.
Completing the Blocked Sites tab
The System Configuration Blocked Sites List allows you to create a permanent list of blocked IP addresses, and a permanent list of Exceptions, which are never blocked. When packets from a Blocked IP address reach the Vclass through the Public port, they are dropped; packets from an address on the Exception List are allowed even if that address also falls within the blocked list.
You can also specify a global list of blocked sites and exceptions, and import them into any appliance.
NOTE
The System Configuration Blocked Sites List is static, and changes only when an administrator makes changes to it.
To Block an IP address:
1 Click the Blocked Sites tab.
The System Configuration Blocked Sites window appears.
2 To add a blocked site, click the Add button under the Permanent Blocked Site IP List. To edit a blocked site entry, select the entry and click Edit.
The Add or Edit Site dialog appears.
3 In the Site field, type the IP address to block, then click OK.
The new or edited site address is listed in the Blocked IP List.
To add an IP address to the exception list:
1 Click the Blocked Sites tab.
The System Configuration Blocked Sites window appears.
2 To add an exception, click the Add button under the exceptions list. To edit an exception list entry, select the entry and click Edit.
The Add or Edit Site dialog appears.
3 In the Site (IP) field, type the IP address exception, then click OK.
The new or edited site address is listed in the Exception List.
To delete a blocked site or exception list entry:
1 Click the Blocked sites tab.
The System Configuration Blocked Sites window appears.
2 Select an entry from the Blocked Sites List or the Exceptions List, and click Delete.
You can select multiple IP addresses by holding the Shift key to select multiple contiguous IP addresses, or by holding the Control key and clicking multiple discontiguous IP addresses.
Global Blocked Sites
The global blocked sites list includes the list of globally defined blocked sites in the configuration for this appliance. The global blocked sites list is stored locally to the CPM server, and can be used as a central repository for blocked sites and exceptions that can be applied to any appliance.
To define global blocked sites:
1 Click the Blocked Sites tab.
The System Configuration Blocked Sites window appears.
2 Click Edit Global Blocked Sites.
The Global Blocked Sites window appears.
3 Add, Edit, and delete blocked sites and exceptions as with the System Configuration blocked sites list.
4 Click OK.
There are two ways you can include the contents of the Global Blocked Sites list:
1 In the System Configuration Blocked Sites window, click Include Global Blocked Sites.
The global blocked sites list is included when the system is running.
2 Click Fill with the Global Blocked Sites to populate the System Configuration Blocked Sites lists with the contents of the Global Blocked Sites list.
The Blocked Sites list is filled with the contents of the Global Blocked and Exceptions lists.
Completing the Advanced tab
NOTE
The Advanced tab is supported only on the following appliances: Firebox V10, V60, V80, V100, V200 and RSSA 500, 2000, 4000, 6000, 8000.
1 Click the Advanced tab.
2 Click Enable SYN Checking to establish SYN checking on all TCP/IP packets.
3 Click Ignore DF for IPSec to enable fragmentation of large packets through the VPN tunnel.
4 Click IPSec/NAT Pass Through to enable IPSec/NAT Pass Through.
5 Click Allow all ICMP errors or Allow Specified ICMP errors.
If you chose Allow Specified ICMP errors, select the checkboxes of the ICMP errors you want to allow.
6 Adjust the TCP Maximum Segment Size, if required.
This feature works in conjunction with the MTU settings to limit the size of packets, if configured. This feature overcomes the following problems:
- Oversized packets can result in fragmentation, degrading VPN performance.
- Proxies may require MSS adjustment to prevent fragmentation.
- Some older systems do not support MTU to regulate packet size. This feature works along with MTU; it does not replace MTU.
The following settings are available:
Auto Adjustment
Auto adjustment calculates the MSS automatically, using the following calculations:
- Determining the lesser value of the input port MTU and the output port MTU.
- Subtracting packet overhead, including IP and TCP addressing, VLAN, ESP, PPPoE, AH, and UDP encapsulation.
- The result is then rounded down to the next lower multiple of 8 bits (8-bit aligned) to determine the size in bytes that is required for packet transmission.
The results of this calculation are used as the MSS for the connection.
Limit to N Bytes (40-1460)
This limits MSS to the specified size in bytes.
No Adjustment
This specifies that no change be made to the TCP header. If you select this option, packets may fragment.
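The following Python code is an added example, not WatchGuard code, showing the three MSS settings applied to the option bytes of a TCP SYN: Auto Adjustment computes the lesser MTU minus encapsulation overhead, Limit to N Bytes enforces the 40-1460 field, and No Adjustment leaves the header alone. The per-encapsulation overhead figures are assumptions for the example, the sample option bytes are constructed, and the rewrite only ever lowers an advertised MSS; a real device must also recompute the TCP checksum afterwards.

```python
"""TCP MSS adjustment as described under the Advanced tab.

Added example, not WatchGuard code.  It models the three settings: Auto
Adjustment (lesser of the input and output port MTU minus encapsulation
overhead), Limit to N Bytes (40-1460) and No Adjustment, and applies the result
the way an inline device does, by rewriting the MSS option (kind 2) in the TCP
SYN's option bytes.  Because MSS is expressed in whole bytes, the guide's
"8-bit aligned" rounding is implicit in the integer arithmetic.  The per-
encapsulation byte overheads are assumptions (IPv4 20, TCP 20, 802.1Q VLAN 4,
PPPoE 8, UDP encapsulation 8, AH 24, ESP 58 for one assumed cipher suite); a
real appliance derives them from the negotiated algorithms.  The option bytes
below are constructed.
"""
import struct

# Assumed overhead in bytes for the encapsulations the guide lists.
OVERHEAD = {"ipv4": 20, "tcp": 20, "vlan": 4, "pppoe": 8,
            "udp_encap": 8, "ah": 24, "esp": 58}
MIN_MSS, MAX_MSS = 40, 1460          # range the Limit to N Bytes field accepts
MSS_KIND = 2                         # TCP option kind for Maximum Segment Size


def auto_mss(mtu_in: int, mtu_out: int, encaps=("ipv4", "tcp")) -> int:
    """Auto Adjustment: lesser MTU minus the overhead of every encapsulation in use."""
    mss = min(mtu_in, mtu_out) - sum(OVERHEAD[e] for e in encaps)
    if mss < MIN_MSS:
        raise ValueError(f"MTU too small for TCP after overhead: {mss}")
    return mss


def limit_mss(n: int) -> int:
    """Limit to N Bytes: the dialog accepts 40-1460."""
    if not MIN_MSS <= n <= MAX_MSS:
        raise ValueError("MSS limit must be between 40 and 1460 bytes")
    return n


def parse_options(opts: bytes):
    """Yield (kind, data, offset) per TCP option; EOL ends the list, NOP is one byte."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # End of Option List
            return
        if kind == 1:                       # No-Operation padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option at offset %d" % i)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length at offset %d" % i)
        yield kind, opts[i + 2:i + length], i
        i += length


def read_mss(opts: bytes):
    """Advertised MSS, or None when the SYN carries no MSS option."""
    for kind, data, _ in parse_options(opts):
        if kind == MSS_KIND and len(data) == 2:
            return struct.unpack("!H", data)[0]
    return None


def clamp_mss(opts: bytes, mode: str, **settings) -> bytes:
    """Rewrite the MSS option per mode: 'auto', 'limit' or 'none'.

    The advertised value is only ever lowered, never raised, so a peer that
    already asks for less keeps its smaller value.  A real implementation must
    recompute the TCP checksum after the rewrite.
    """
    if mode == "none":
        return opts
    if mode == "auto":
        target = auto_mss(**settings)
    elif mode == "limit":
        target = limit_mss(**settings)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    out = bytearray(opts)
    for kind, data, off in parse_options(opts):
        if kind == MSS_KIND and len(data) == 2 and struct.unpack("!H", data)[0] > target:
            out[off + 2:off + 4] = struct.pack("!H", target)
    return bytes(out)


# Constructed SYN options: MSS 1460, NOP, Window Scale 7, SACK permitted.
SAMPLE_OPTIONS = bytes.fromhex("020405b4" "01" "030307" "0402")

if __name__ == "__main__":
    nat_t_vpn = ("ipv4", "tcp", "esp", "udp_encap")
    print("before:", read_mss(SAMPLE_OPTIONS))
    print("auto over NAT-T ESP:", read_mss(clamp_mss(
        SAMPLE_OPTIONS, "auto", mtu_in=1500, mtu_out=1500, encaps=nat_t_vpn)))
```

With the assumed overheads, a 1500-byte path carrying ESP inside UDP encapsulation drives the auto value down to 1394, which is why the guide lists the adjustment under VPN fragmentation problems; No Adjustment leaves the peer's 1460 in place and lets the tunnel fragment instead.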
Completing the System Configuration Setup
After you have completed the settings in the System Configuration dialog box for this appliance, click OK. This saves all the entries and closes the dialog box.
Reviewing the current licenses
If you have already configured an active appliance and want to review the extended-feature licenses previously imported into the appliance, follow these steps:
1 Right-click an appliance record in the Appliance Manager window and select Show Licenses.
The [Appliance Name] Licenses window appears, listing any licenses present in this appliance.
2 To review the complete set of active features, click Show Active Features.
The Active Features dialog box appears.
This dialog box shows the feature names, the capacity (dictated by the current license) and the expiration date.
3 When you are finished reviewing the contents, click Close to close the dialog box.
4 To review the actual text of a license, double-click the license entry in the License window.
The License Detail dialog box appears, displaying the license text.
This text cannot be copied and applied to any other appliances, because it is linked to the serial number hard-coded into the appliance.
CHAPTER 7: Defining Security Policies in CPM
A primary function of CPM is to protect your network from unwanted traffic while allowing valid data streams to enter. The mechanisms by which traffic is evaluated and managed are called security policies .
For example, you might apply one global policy over all devices in your network to block intrusive service requests such as FTP or Telnet. A separate policy might allow email, FTP, and HTTP traffic for a group of servers connected to DMZ interfaces. Still another policy for certain devices might block access to the Internet to most users while granting it to a special group of users.
Security Policy Components
Every security policy has two basic components: a traffic specification and an action .
Traffic specifications
The first component of a security policy qualifies every data stream received. Traffic specifications incorporate the following components:
Source
Where the data packets come from: from outside your network or from within a specific region of your network.
Destination
Where the data packets will be sent: to external networks or to another region of your network.
Service
What type of traffic is in these data streams; for example, HTTP, mail, FTP, or Telnet.
Policy actions
A policy action determines what procedure an appliance follows when it detects a data stream that matches a particular traffic specification. An appliance can take one or more of the following actions:
• Pass, block, reject, or proxy filter qualifying traffic
• Apply one of three general NAT actions: dynamic NAT, static NAT, or load balancing
• Apply Quality of Service (QoS) and Type of Service (TOS) marking
• Initiate and maintain a VPN connection with another device. This includes several types of corporate site connections and remote-access service connections between external users and a corporate network.
For more information on policy actions, see Chapter 8, "Using Policy Actions."
Security Policies in CPM
When you use CPM to create security policies, you can designate a wide range of possibilities as traffic sources or destinations: whole networks, whole subnets, specific ranges of IP addresses, or single IP addresses. You can also choose the services, the actions, and a specific schedule of operations for each policy.
Using CPM, you first create a policy, and then you prompt CPM to determine which appliances it applies to. Any given policy can be applied to a number of security appliances. You also create all policies off-line, which keeps you from tying up an operational appliance while you work.
Scope of policies in CPM
Because you use WatchGuard CPM to manage all of your security appliances, you can create policies that apply to a single appliance or to several. For example, you may want to apply a VPN policy that permits branch offices to communicate back and forth between corporate headquarters.
The required policy would define all gateway security appliances as both source and destination, and then apply the required IPSec action to protect communications.
Addresses and address groups
Using CPM, every private/trusted network resource is linked to a “private” data interface, a “DMZ” interface, or, if available, a “DMZ2” interface on an appliance, while all others are linked to the external, “public” data interface, or to the Internet. As a result, addresses are recorded as both an address specification and an interface of a particular appliance. If you create a number of internal 10.10.0.0-type address entries per specific site, there is no conflict in CPM because each 10.10.0.0 entry is specifically assigned to a data interface on a specific appliance. All resources not within the protective coverage of an appliance are assigned to the Internet.
Using CPM, you first create address objects or groups, and then you create policies using those objects or groups.
Based on the location of each address object (which port of which appliance this address object is attached to), CPM can determine which policies should be created and applied to each appliance. The act of determining which policies are applied to a given appliance is called policy compilation. The output of policy compilation is combined with system configuration and alarm definitions to form a configuration profile. You then deploy the profile to the appliance. Like system configuration, policy configuration occurs offline. It does not take effect until you deploy the new profile into the appliance.
[Figure: a V80 gateway appliance with the V10 appliances at its remote sites collected into one address group]
You can use such a group to make a single bi-directional VPN policy that permits access to the corporate network, with your gateway appliance (and the private network) as the destination and this one address group as the source.
You can then easily add new V10 private clients (6, 7, and 8) to this one address group, or remove out-of-date client V10s as they are taken out of service. As a result, you need only a single policy to cover all the relevant VPN clients associated with a single site gateway.
For more information on cataloging network addresses and defining address groups, see the next section.
Cataloging Addresses for Use in Policies
1 After opening the Configuration Editor window, make the Appliance/Address tab visible, if it is not already open.
2 Right-click the relevant appliance record and select New => New Address from the pop-up menu.
The Address dialog box appears.
3 In the Name field, type a name for this address entry.
4 Click the button by the port used by this address: Private (trusted), DMZ (mixed access), or Public (external).
5 From the IP Type menu, select the appropriate type of address.
Any
Select this option if you want to permit any addresses to be the source or destination. For example, you would choose Any if you were creating an address entry that represents all external users who might want access to your Web servers.
You can also select Any if this new address entry represents all of the network assets that communicate through the Private interface of a specific appliance.
IP Address
Select this option if this address represents a single IP address. This could be the IP address of a server or other host.
IP Subnet
Select this option to create an address entry for a subnet that incorporates devices that would be the source or destination for specific traffic, such as a work group or a collection of common-purpose servers.
IP Address Range
Select this option to create an address entry that includes all of the network assets represented by a specific range of addresses.
Private Port
Select this option to create an address entry that represents the Private interface of a specific Firebox Vclass appliance. If you select this option, you do not have to enter the actual IP address.
6 Specify the IP address or range according to the selection you made in the previous step.
7 When you are finished, click OK to save your new address entry.
Entering a new address group
After you have catalogued a number of individual addresses, you can combine related address entries into a group that you can then designate as the source or destination for a particular policy. For example, after entering the addresses of all your security appliances, you can then collect them into a group for use in applying actions that would be performed by all the appliances.
1 Make sure the Appliance/Address tab is visible.
2 Right-click the relevant appliance record and select New => New Address Group from the pop-up menu.
The Addresses dialog box appears, displaying the Group Entry features.
3 In the Name field, type a name for the new group.
4 (Optional) In the Description field, type a description of this group and its addresses.
5 Click OK to save this new group.
6 Add addresses to the group by dragging and dropping from the Appliance/Address list.
You can add ports from appliances, addresses you have defined, and address groups. You cannot add entire appliances or top-level objects (for example, the Address Groups object).
Entering a new RAS address
If you are anticipating a number of "remote access" users (clients, vendors, and contractors) who will be establishing VPN connections to your extended network, you can use the RAS Addresses features to register one or more pools of internal-use IP addresses to be temporarily assigned to those connections. These addresses can be recorded as a range of IP addresses or as a single subnet (IP address) and subnet mask (representing the actual pool of IP addresses).
Address pools are location-specific: you create a pool for each security appliance and deploy it to that appliance. Individual users who initiate connections with a particular appliance are assigned an IP address from that appliance's address pool when the connection has been established.
Make sure the IP addresses recorded in this pool are dedicated to RAS connection use and have not been assigned to any other purpose in the network; an overlap with an internal subnet would both break routing and let policies written for those internal hosts match VPN clients.
1 Right-click the gateway appliance entry (in the Appliance/Addresses tab) and select New => New RAS Address from the pop-up menu.
The Addresses dialog box appears, displaying a set of RAS Address entry features.
2 In the Name field, type a name for the new address entry.
3 (Optional) In the Description field, type a description of this entry.
4 Click the button by either IP Subnet or IP Range , depending upon the number and organization of the internal-use IP addresses.
5 Enter the subnet and netmask (for IP Subnet) or the starting and ending addresses (for IP Range). Click OK.
Creating a New Policy
1 Connect to CPM Client.
2 From the CPM Console window, click Configuration Editor.
The Configuration Editor appears, as shown in the following figure.
3 Select Policy => Add Policy => Add Top. Or, select the Add a Policy at Top button, shown at right.
If you are adding a new policy to a list of several policies, from the Policy => Add Policy menu, select Insert Before or Insert After. Or, select the Add a Policy Before or Add a Policy After buttons, shown at left.
A new policy appears in the table, as shown in the following figure.
4 Define the source of the traffic: From the Appliance/Addresses tab at the left of the window, drag an address entry into the Source cell.
5 If the traffic for this policy will come from more than one source, drag those other sources into the Source cell.
6 Define the destination of the traffic: From the Appliance/Address portion of the window, drag an address entry into the Destination cell.
7 Specify the services to be permitted: Click the Services tab on the left portion of the window and drag the service you want into the Service cell. (For information on adding or combining services, see the next section.)
8 Specify the action or actions for the policy: Depending upon which type of action you want, click either the IPSec Action tab or the QoS tab on the left portion of the window and drag the action you want. You can also right-click the Action cell and select one of the choices. For more information on policy actions, see Chapter 8, "Using Policy Actions."
9 If you want to define more than one action for the policy, specify the additional actions using the procedures described in the previous step.
Cataloging Services for Use in Policies
Although the list of services in the Configuration Editor may be sufficient, you can add services or sets of services to this listing.
Adding a new service
1 From the Configuration Editor, click the Service tab (in the left portion of the window).
The Services tab appears, as shown in the following figure.
2 In the Services tab header, click the Create a New Object button (shown at right) and select New Service. Or right-click anywhere in the list of services and select New Service.
The Service-Object Details dialog box appears.
3 In the Name field, type a name to represent the service.
4 From the Protocol menu, select a protocol.
5 If your protocol selection requires that you specify a port, from the Port menu, select Any, Specific Port, or Range.
If you chose Specific Port , enter the port number. If you chose Range , type the starting and ending port numbers in the fields to the right.
6 (Optional) In the Description field, type a description of the service.
7 Click OK .
The Service tab now displays the name of your new entry.
Adding a new protocol
1 From the Configuration Editor, click the Service tab (in the left portion of the window).
The Services tab appears, as shown in the following figure.
2 In the Services tab header, click the Create a New Object button (shown at right) and select New Service. Or right-click anywhere in the list of services and select New Service.
The Service-Object Details dialog box appears.
3 Type a name for the Service.
4 From the Protocol pull-down menu, select User-Specified.
The dialog changes to display Protocol Number fields.
5 Type a protocol number in the Protocol field.
6 (Optional) Type a description for the protocol in the Description field.
7 Click OK.
Combining services in a group
1 From the Configuration Editor, click the Service tab (in the left margin).
2 In the Services tab header, click the Create a New Object button (shown at right) and select New Combined Service. Or right-click anywhere in the list of services and select New Combined Service.
The Services - Object Details dialog box appears as shown in the following figure.
3 In the Name field, type a name to represent the service group.
4 Click Add .
The Protocol/Port dialog box appears.
5 From the Protocol menu, select a protocol.
6 If your protocol selection requires that you specify a port, from the Port menu, select Any, Specific Port, or Range.
If you chose Specific Port, enter the port number. If you chose Range, type the starting and ending port numbers.
7 (Optional) In the Description field, type a description of the service group.
8 Click OK.
9 Repeat steps 4 through 6 to add new protocols to the group.
When you are finished, click OK to close the New Service Group dialog box.
Creating Policy Schedules
You define policy schedules if you want appliances to perform policy actions at specific dates and times. You can either create the schedules in advance and drag-and-drop the schedule into policies, or you can create the required schedule along with the policy.
Creating a new schedule
1 From the Configuration Editor, click the Schedules tab.
2 Click the Create a New Object button, shown at right.
The Schedule dialog box appears, as shown in the following figure.
3 In the Name field, type a name for the schedule.
4 (Optional) In the Description field, type a description of the schedule.
5 Click the cells in the table to designate the days and hours in which you want the policy action applied.
Note that any schedule created in CPM is adapted to the local time zone of any appliance it is applied to.
6 Specify either CPM Server time or Appliance time.
7 Click OK.
Applying an existing schedule to a policy
1 Make the policy row active.
2 Add the Schedule cell to the policy row: select View => Show Columns => Schedule.
3 Click the Schedule tab.
4 Drag the schedule you want to apply from the Schedule tab onto the Schedule cell in the policy row.
CHAPTER 8
Using Policy Actions
Every security policy is composed of two basic components: a traffic specification and an action. A policy action determines what procedure an appliance will follow when it detects a data stream that matches a particular traffic specification.
This chapter covers the following Action menu options: Block/Reject, Do Dynamic NAT, Do Static NAT, Do Load Balancing, Do QoS, and Do TOS Marking. For more information on the Do Proxy action and proxies, see “Defining Proxies in CPM” on page 169. For information on the Do IPSec option, see the CPM Applications Guide. For information on the Bi-directional option, see “Making a VPN Policy Bidirectional” on page 232.
Combining Policy Actions
You can also combine one or more actions in a policy.
For example, suppose you created a VPN policy that permits two server-farm sites to share data with one another. You might also want to implement load balancing, so that the data is distributed equally among several servers. The required policy would focus on the two gateway appliances as source and destination and then apply both the VPN/IPSec action and a load-balancing action.
Not all actions can be combined. The following table shows the combinations of actions that can be applied in a single policy.
                    Firewall  IPSec  Virtual IP/NAT (a)  Dynamic NAT  Static NAT  QoS
Firewall            na        YES    YES                 YES          YES         YES
IPSec               YES       na     YES                 YES          YES         YES
Virtual IP/NAT (a)  YES       YES    na                  NO           NO          YES
Dynamic NAT         YES       YES    NO                  na           NO          YES
Static NAT          YES       YES    NO                  NO           na          YES
QoS                 YES       YES    YES                 YES          YES         na
Blocking and Rejecting Traffic
To pass, block, or reject traffic, right-click the Action cell and select one of the following:
Pass
The appliance passes all qualifying traffic.
Block
The appliance blocks all qualifying traffic from gaining access to your network.
Reject
The appliance drops the traffic stream after the sender initiates three subsequent connection attempts and sends a TCP reset message back to the sender. (Note, however, that this option reveals to the sender that the appliance’s IP address is valid.)
Do Proxy
The appliance content-filters the traffic according to the rules specified in the Proxy you select. See “Defining Proxies in CPM” on page 169.
About Network Address Translation (NAT)
Through policy actions, CPM supports the following types of NAT:
Dynamic NAT
If you have a number of employees or other private network users whose client computers have been assigned IP addresses for internal use, you can grant all of them full access to the Internet using this type of NAT.
Static NAT
If you want to keep the IP address of a subnet, a server, or a group of users hidden from the public, you can put a different IP address in public view that is replaced with the real IP address when traffic passes through this appliance.
Activating Dynamic NAT
Dynamic NAT action applies to appliances whose address objects are in the source field of the policy. This causes all traffic from internal sources routed from the Private to Public interfaces to be assigned the Public interface IP address:
1 After creating a policy row, drag-and-drop an address representing the appliance’s private or DMZ network into the Source cell.
2 Drag-and-drop “Internet” into the Destination cell.
3 Right-click the Action cell, select Pass, and then select Do Dynamic NAT.
A dynamic NAT label and icon appear in the Action cell.
Activating Static NAT
There are two types of Static NAT: outbound and inbound.
Outbound Static NAT hides the real IP address of the source. It changes the source IP field of outbound packets (packets that go out from a public port) from an “internal IP” located behind private, DMZ, or DMZ2 ports to a publicly routable “external IP”. It is applied to the appliances whose address objects are in the source field of the policy.
To configure outbound Static NAT:
1 Create an address to represent the internal IP. This address is created at a private, DMZ, or DMZ2 port on the appliance that will perform Static NAT.
2 Enter this address in the source field of the policy.
3 Right-click the Action cell, select Pass, and then select Do Static NAT-Outbound.
4 Enter the external IP as the “translated to” IP address.
You can also enter a subnet to SNAT, by clicking the Subnet SNATing the subnet.
Inbound Static NAT hides the real IP address of the destination. It changes the destination IP field of inbound packets (packets that come in from a public port) from a publicly routable “external IP” to an “internal IP” located behind a private, DMZ, or DMZ2 port. It is applied to the appliances whose address objects are in the destination field of the policy.
To configure inbound Static NAT:
1 Create an address to represent the external IP. This address is created at a private port on the appliance that will perform Static NAT.
2 Enter this address in the destination field of the policy.
3 Right-click the Action cell, select Pass, and then select Do Static NAT-Inbound.
4 Enter the internal IP as the “translated to” IP.
You can also enter a subnet to SNAT, by clicking the Subnet SNATing the subnet.
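The three translations described in this section, modelled in Python as an added illustration (this is not WatchGuard's code and does not reflect how the appliance implements NAT internally). Interface names follow the page (Private, DMZ, DMZ2, Public); every IP address, port number and mapping table entry is a constructed sample value. The dynamic NAT model adds the flow table that a many-to-one translation needs, which the page describes only in terms of its effect: all private sources appear as the Public interface address, and unsolicited inbound traffic to that address has no private host to reach.

```python
"""Added example (not WatchGuard's own code): the address rewrites that
Dynamic NAT and the two Static NAT directions perform, modelled on the
source/destination fields of a packet. Interface names (Private, DMZ,
DMZ2, Public) follow the page; every IP address and port here is a
constructed sample value."""

PRIVATE_SIDE = {"Private", "DMZ", "DMZ2"}

# Outbound Static NAT: 'translated to' external IP per internal source address
STATIC_OUTBOUND = {"10.1.1.10": "203.0.113.10"}
# Inbound Static NAT: external IP in public view -> real internal destination
STATIC_INBOUND = {"203.0.113.20": "192.168.2.20"}


def static_nat_outbound(src, dst, out_iface):
    """Rewrite the source IP of packets leaving through the public port."""
    if out_iface == "Public" and src in STATIC_OUTBOUND:
        return STATIC_OUTBOUND[src], dst
    return src, dst


def static_nat_inbound(src, dst, in_iface):
    """Rewrite the destination IP of packets arriving on the public port."""
    if in_iface == "Public" and dst in STATIC_INBOUND:
        return src, STATIC_INBOUND[dst]
    return src, dst


def static_nat_inbound_reply(src, dst, out_iface):
    """Replies from the hidden server must leave with the public address as
    their source, or the external client never sees the address it used."""
    if out_iface == "Public":
        for external, internal in STATIC_INBOUND.items():
            if src == internal:
                return external, dst
    return src, dst


class DynamicNat:
    """Many private hosts share the Public interface address. Each outbound
    flow is given its own public source port so that replies can be mapped
    back to the right private host."""

    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}     # (private_ip, private_port) -> public_port
        self.reverse = {}   # public_port -> (private_ip, private_port)

    def outbound(self, src_ip, src_port, in_iface, out_iface):
        """Translate a Private/DMZ -> Public flow; other traffic passes unchanged."""
        if in_iface not in PRIVATE_SIDE or out_iface != "Public":
            return src_ip, src_port
        key = (src_ip, src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return self.public_ip, self.table[key]

    def inbound(self, dst_port):
        """Map a reply back; None means no flow asked for it, so unsolicited
        traffic to the shared public address has no private host to reach."""
        return self.reverse.get(dst_port)
```

The two static directions are deliberately one-way tables: outbound hides the source, inbound hides the destination, and the reply path for inbound static NAT reverses the same mapping so the external client only ever sees the published address.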
About Load Balancing
Using load balancing, you can distribute a high volume of incoming requests to an array of network assets, such as Web servers, according to the capacity of those servers. For example, you can add a load balancing action to a policy that lists each server, assigns a percentage of requests to that server, and distributes new requests to unused servers when previous servers are being fully utilized.
If, as shown in the following illustration, you assigned each Web server a unique private IP address, you can set up the Firebox Vclass appliance (“WG”) to recognize the public URL that external users access, and then distribute the external requests to those servers. Up to 16 servers can be incorporated in each load-balancing cluster.
You can apply load-balancing policies only to an internal network destination where the specific servers are connected.
Make sure that any firewall policies listed above any load-balancing policies in the Policies window do not block load balancing. You can apply load balancing to data traffic incorporating these services: HTTP, HTTPS, Telnet, FTP, L2TP, PPTP. Load balancing actions are applied to appliances that have addresses in the destination field of the policy.
Use the following procedure to create a load-balancing action:
1 Right-click the policy’s Action cell and select Do Load Balancing.
The Load Balancing dialog box appears.
2 From the Algorithm menu, select the appropriate load-balancing option:
Round Robin
Each server is treated with equal priority.
Weighted Round Robin
Each server is given priority based on its ability to deliver specific applications.
Random
Traffic is randomly distributed to a series of servers.
Weighted Random
Algorithm weights are assigned to servers based on server capacity limitations.
Least Connection
When new traffic is sent to the servers, an algorithm determines which server has the least number of connections.
Weighted Least Connection
When new traffic is sent to the servers, an algorithm determines which server has the least number of connections relative to the weight assigned to it.
3 In the IP Address field of the Server dialog box, type the IP address of the server that will be included in the load-balancing array.
4 In the Port field, type the number of the port that the server listens to:
If HTTP
Type “80” in the Port field.
If HTTPS
Type “443” in the Port field.
If PPTP
Type “1723” in the Port field.
If L2TP
Type “1701” in the Port field.
5 If you chose Weighted Round Robin, Weighted Random, or Weighted Least Connection from the Algorithm menu, the Server dialog box contains a Weight slider, as shown in the following figure. Use the slider to assign a weight to this server.
6 Click OK.
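The six algorithms offered in the Algorithm menu, modelled in Python as an added example so the difference between them can be seen on the same server array. This is not WatchGuard's code: the appliance's real scheduler is not documented here, and the server addresses, ports, weights and the seeded random source are constructed for this illustration. The 16-server ceiling and the port numbers in the comments are the ones the page states.

```python
"""Added example (not WatchGuard's own code): the six server-selection
algorithms listed in the Load Balancing dialog, modelled in Python so the
difference between them is visible. Server addresses, ports and weights
are constructed sample values, and the 16-server ceiling is the page's."""
import random
from dataclasses import dataclass
from itertools import cycle


@dataclass
class Server:
    ip: str
    port: int             # 80 for HTTP, 443 for HTTPS, 1723 for PPTP, 1701 for L2TP
    weight: int = 1       # value of the Weight slider (weighted algorithms only)
    connections: int = 0  # active connections, used by the Least Connection pair


class LoadBalancer:
    MAX_SERVERS = 16      # one cluster holds at most 16 servers

    def __init__(self, algorithm, servers, seed=0):
        if not 1 <= len(servers) <= self.MAX_SERVERS:
            raise ValueError("a cluster holds between 1 and 16 servers")
        if any(s.weight < 1 for s in servers):
            raise ValueError("weights must be positive")
        self.algorithm = algorithm
        self.servers = list(servers)
        self.rng = random.Random(seed)            # seeded so runs are reproducible
        self._rr = cycle(self.servers)
        # Weighted Round Robin: a server with weight w appears w times per cycle
        self._wrr = cycle([s for s in self.servers for _ in range(s.weight)])

    def pick(self):
        """Choose the server for a new request and record the connection."""
        a = self.algorithm
        if a == "Round Robin":                     # equal priority
            s = next(self._rr)
        elif a == "Weighted Round Robin":          # priority by weight
            s = next(self._wrr)
        elif a == "Random":
            s = self.rng.choice(self.servers)
        elif a == "Weighted Random":               # probability proportional to weight
            s = self.rng.choices(self.servers, weights=[x.weight for x in self.servers])[0]
        elif a == "Least Connection":              # fewest active connections
            s = min(self.servers, key=lambda x: x.connections)
        elif a == "Weighted Least Connection":     # fewest connections per unit of weight
            s = min(self.servers, key=lambda x: x.connections / x.weight)
        else:
            raise ValueError(f"unknown algorithm {a!r}")
        s.connections += 1
        return s

    def release(self, server):
        """Call when a connection to the server closes."""
        server.connections = max(0, server.connections - 1)


def sample_cluster():
    """Constructed three-server array; the first server carries the most weight."""
    return [Server("10.0.0.1", 80, weight=3), Server("10.0.0.2", 80), Server("10.0.0.3", 80)]


def schedule(algorithm, servers, n):
    """IPs chosen for the next n requests, for comparing the algorithms."""
    lb = LoadBalancer(algorithm, servers)
    return [lb.pick().ip for _ in range(n)]
```

Running `schedule("Weighted Round Robin", sample_cluster(), 6)` shows the weight-3 server taking three of every five requests, while the Least Connection variants shift new requests away from a server that already holds open connections.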
About QoS Actions
In an extensive network with a large number of host computers, the volume of data traffic moving through the Internet can be immense. When the traffic is more than the network can sustain, data packets are dropped as a result of congestion.
When severe network congestion occurs, all traffic is affected equally. Mission-critical traffic (such as data exchanges made between the corporate center and the branch offices) slows down to an unacceptable speed while other, less important traffic (such as Web content sent to the Internet) takes up a disproportionate amount of network capacity.
All Firebox Vclass security appliances offer two Quality-of-Service (QoS) features that enable you to assign higher bandwidth to your most valuable traffic. As a result, some traffic entering a Firebox Vclass appliance receives more network capacity, while other data streams are accordingly reduced.
The QoS features implemented in Firebox Vclass appliances include Weighted Fair Queuing (WFQ), TOS marking, and port shaping.
• The WFQ algorithm, a data queueing technique, allows you to assign a relative bandwidth ratio for specific types of traffic with different weights. For example, data exchanges between the corporate center and branch offices can be allotted a weight of 20 while Internet traffic is given a weight of 4. During periods of extreme network congestion, the traffic between HQ and branch offices benefits from five times more bandwidth than that allowed to outbound Internet data streams.
• TOS marking allows you to overwrite the TOS byte value in the IP header of qualified packets. These TOS values can be used by routers that recognize TOS precedence/DTR bits or by routers that implement Differentiated Services Code Point (DSCP) so that they can prioritize packets during routing.
• Port shaping allows you to restrict the bandwidth of outgoing traffic directed through interface 0 or interface 1. Typically, interface 0 is connected to the private network with higher capacity connections than interface 1, which is usually connected to the Internet through a lower-capacity T1 line. In such a case, packets in outgoing traffic are dropped due to the physical limitations of the internal-to-external connection. With port shaping, you can restrict the overall capacity of interface 1 to match the actual bandwidth of the physical connection. If a huge volume of traffic comes from the private network to interface 1, packets are transmitted according to the weight defined in a QoS policy action, with no unnecessary loss of packets.
Activating port shaping
Port shaping is a system-wide configuration. You must set it up using the Interface tab of the System Configuration dialog box, as described in “Completing the Interfaces
Applying a QoS action
1 Create a new policy row and define traffic components.
2 Click the QoS Action tab.
3 Drag the action you want from the tab to the Action cell of the policy.
QoS actions are applied to all appliances whose address objects are in either the source or destination field of the policy.
Customizing a QoS action
1 From the QoS Action tab, select New => New QoS Action.
The QoS Action dialog box appears, as shown in the following figure.
2 In the Name field, type a name for the new action.
3 In the Weight field, enter the relative WFQ weight.
You can type a value ranging from 1 to 100. For example, when network traffic becomes congested, traffic with the weight of 20 is given five times more bandwidth than traffic with a weight of 4.
4 (Optional) In the Description field, type a description of the action.
5 Click OK .
Activating TOS marking
Type of Service (TOS) marking enables this policy to overwrite the TOS byte in the IP header of qualified incoming packets:
1 Right-click the policy’s Action cell and select Do TOS Marking.
The TOS Marking dialog box appears, as shown in the following figure.
2 Select one of the TOS marking options: TOS-Precedence, TOS-Precedence and DTR, or DiffServ CodePoint.
3 Select either Incoming Traffic , Outgoing Traffic , or both:
Incoming Traffic
If you select this option, the policy marks packets that are transmitted through the Public interface to either Private or DMZ interfaces.
Outgoing Traffic
If you select this option, the policy marks packets sent through the Private or DMZ interfaces to the Public interface.
4 Depending on your TOS choice, a number of bit fields appear to the right, as shown in the following figure.
Bit 0 (zero) is the leftmost field and bit 7 is the rightmost field. To toggle any field to 1 (ON), click the field.
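How the eight bit fields in the TOS Marking dialog map onto the TOS byte, as an added Python example (not WatchGuard's code). Bit 0 is the leftmost, most significant bit and bit 7 the rightmost, as the step above states; the field boundaries come from RFC 791 (3-bit precedence, then the D, T and R bits) and RFC 2474 (6-bit DSCP, with the last two bits used for ECN). The three mode names are the dialog's own, but the assumption that each mode overwrites only its own bits and leaves the rest of the byte intact is this example's, not something the page states.

```python
"""Added example (not WatchGuard's own code): how the eight bit fields in
the TOS Marking dialog map onto the IP header's TOS byte, with bit 0 the
leftmost (most significant) field and bit 7 the rightmost, as described
above. Field boundaries follow RFC 791 (Precedence, D/T/R) and RFC 2474
(6-bit DiffServ Code Point); the three mode names are the dialog's own."""

# Bit positions (0 = leftmost) that each marking mode is assumed to overwrite.
TOS_MODES = {
    "TOS-Precedence": range(0, 3),           # 3-bit IP precedence
    "TOS-Precedence and DTR": range(0, 6),   # precedence plus Delay/Throughput/Reliability
    "DiffServ CodePoint": range(0, 6),       # 6-bit DSCP; bits 6-7 carry ECN
}


def bits_to_tos(bits):
    """Eight 0/1 fields in dialog order (index 0 = leftmost) -> TOS byte."""
    if len(bits) != 8 or any(b not in (0, 1) for b in bits):
        raise ValueError("exactly eight 0/1 fields are required")
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def tos_to_bits(tos):
    """TOS byte -> eight fields in dialog order."""
    return [(tos >> (7 - i)) & 1 for i in range(8)]


def mark_tos(original, mode, bits):
    """Overwrite only the fields the chosen mode covers and keep the rest of
    the original byte, so DSCP marking leaves the ECN bits untouched."""
    mask = 0
    for i in TOS_MODES[mode]:
        mask |= 1 << (7 - i)
    return (original & ~mask & 0xFF) | (bits_to_tos(bits) & mask)


def decode(tos):
    """Read the byte both ways: RFC 791 precedence/DTR and RFC 2474 DSCP/ECN."""
    return {
        "precedence": tos >> 5,
        "D": (tos >> 4) & 1,
        "T": (tos >> 3) & 1,
        "R": (tos >> 2) & 1,
        "dscp": tos >> 2,
        "ecn": tos & 0b11,
    }
```

Setting fields 0, 2, 3 and 4 (`1 0 1 1 1 0 0 0`) produces byte 0xB8, which a DiffServ router reads as DSCP 46 and a precedence-only router reads as precedence 5 with the D and T bits set; the same wire value is interpreted differently depending on which scheme the downstream router implements, which is why the dialog asks you to choose a mode before it shows the bit fields.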
CHAPTER 9
Defining Proxies in CPM
Proxy filtering goes a step beyond packet filtering to examine a packet’s content, not just the packet’s header. Consequently, the proxy determines whether a forbidden content type is hidden or embedded in the data payload. For example, an SMTP Incoming proxy examines all incoming SMTP packets (email) to determine whether they contain forbidden content types, such as executable programs or items written in scripting languages. Such items are common methods of transmitting computer viruses. The SMTP proxy knows these content types are not allowed, while a packet filter would not detect the unauthorized content in the packet’s data payload.
Proxies work at the application level, while other policies work at the network and transport protocol level.
In other words, each packet processed by a proxy is stripped of all network wrapping, analyzed, rewrapped, and forwarded to the intended destination. This adds several layers of complexity and processing beyond the packet filtering process. What this means, of course, is that proxies use more processing bandwidth than packet filters. On the other hand, they catch dangerous content types in ways that packet filters cannot.
In This Chapter
This chapter includes the following topics:
• “Proxy Description” on page 170
• “General Proxy Configuration” on page 173
• “Proxy Parameters Reference” on page 182
• “Reference Sources” on page 219
Proxy Description
The Firebox Vclass supports two proxy types:
• HTTP Client Proxy
• SMTP Proxy (Outbound and Inbound)
HTTP Client proxy
The HTTP Client proxy is a versatile, high-performance content-filtering method that you can use to selectively filter and protect your web clients from potentially hostile entities on the Internet.
The HTTP proxy offers the following features:
• Can be used to force strict RFC compliance for the web server and clients
• Allows MIME content-type filtering
• Allows configurable screening for Java, ActiveX, and other code types
• Performs HTTP header checking
The HTTP proxy sits between the sending Web server and your receiving Web client, much like a standard proxy server. It processes the HTTP line-by-line for any potentially harmful content before passing it to the internal Web client. It also acts as a buffer between your Web server and potentially harmful Web clients, enforcing HTTP RFC compliance for GET and POST operations.
SMTP proxy
The SMTP proxy can be used to limit or prevent potentially harmful email content. The proxy scans SMTP messages for a number of filtered parameters, and compares them against the configuration and rulesets specified in the proxy action. Email messages containing suspect attachments can be stripped of their attachments and then sent to the intended recipient, denied entirely, or Blocked (denied, with the Sender IP added to the Blocked Sites List).
The Outbound SMTP proxy can be used to prevent malicious SMTP messages that originate within your network from passing through the Vclass appliance, and out to the internet or WAN. The Inbound SMTP proxy is used to prevent malicious messages or code from reaching destinations within your network.
Rules and rulesets
Proxy actions are configured using a set of general parameters, and several sets of rules.
Rules
• Rules specify a type of content, pattern, or expression that the proxy action should identify.
• Rules specify actions (allow, deny or strip, drop, or Block) that are taken when content matches a rule.
• Rules allow for independent alarm notification.
• Rules allow for independent logging.
Rulesets
Every rule is part of a ruleset. A ruleset can include factory-configured rules and user-defined rules. Every ruleset also includes a default rule. Figure 10, “Ruleset description,” on page 172, illustrates the different parts of a rule.
Figure 10: Ruleset description
Rule processing occurs as follows:
• Rules are processed in order from the top to the bottom of the window.
• Rules can be ordered using the rule ordering arrows.
• Once a filtered item matches a rule, it is processed according to the rule’s action.
• Content within a packet can match multiple listed rules or the default rule. However, only the first rule matched is used.
• All content within a packet of the filter type that does not match a listed rule is processed according to the default rule.
• The default rule is always the last step for packet content filtering. The action in the default rule is applied to all content in a rule Category that does not match a listed rule.
See “Proxy action rule ordering example” on page 181 for an example of how rule ordering works.
General Proxy Configuration
Proxies are configured using the Proxy Actions tab in the Configuration Editor. CPM includes default proxy actions, preconfigured for the available proxy types. In addition to these preconfigured proxies, you can create your own customized proxies, or copy and edit the defaults.
Using a proxy action in the configuration editor
Proxy actions are implemented and ordered in the Policy Manager in the same way as other policies. See “Defining Security Policies in CPM” on page 139 and “Using Policy Actions” on page 157 for more information.
Remember to remove “Any” Service, and
• add HTTP as the Service for the HTTP Client proxy
• add SMTP as the Service for the SMTP Incoming or Outgoing proxy
Creating a proxy action
To create a new proxy action:
1 Launch CPM, and log in.
2 Click Configuration Editor .
3 Click the Proxy Actions tab on the left.
The Proxy Actions tab appears.
4 Click the Add button.
The Add Proxy Action dialog appears.
5 Select an existing proxy action to use as the base for the new proxy action from the Based On drop-down list.
Click OK . The proxy action Details window appears.
This window is different for each type of proxy. The following figure shows the initial window for a new proxy action based on the Default HTTP-Outgoing proxy action.
6 Adjust the values and rulesets using the tabs, according to your preference.
A complete reference for the parameters and configuration of the preconfigured proxies is included later in this chapter. See
“Proxy Parameters Reference” on page 182 for more information.
Editing an existing proxy action
To edit an existing proxy action:
1 Launch CPM, and log in.
2 Click Configuration Editor .
3 Click the Proxy Actions tab on the left.
The Proxy Actions tab appears.
4 Select a proxy action from the list, and click Edit .
NOTE: You cannot save changes to the three default proxy actions.
The Proxy Action Details dialog appears.
5 Adjust the values and rulesets using the tabs, according to your preference.
A complete reference for the parameters and configuration of the preconfigured proxies is included later in this chapter. See
“Proxy Parameters Reference” on page 182 for more information.
6 When you have finished configuring the proxy action, click OK to save your changes, or click Cancel to close the proxy action without saving your changes.
Configuring proxy rules
To create and configure proxy rules:
1 Create or edit a proxy action.
2 Navigate to the tab where you are creating the rule.
In this example, a proxy rule is created in the HTTP Client Request Headers dialog. The Header Fields
3 Edit or Add a rule.
• To edit a rule, double-click the rule, or select the rule and click Edit .
The Edit Rule dialog box appears.
• To add a new rule, click Add to Top or Insert After .
The New Rule dialog box appears.
4 In the Name field, type a name for the rule.
5 Select the type of matching to use with this rule from the pull-down menu.
Rule matching options are:
Exact Match
Select this to match an exact (case-insensitive) string. For example, you can use this to match the exact e-mail address “[email protected]” or the hexadecimal representation for a Java file, “%0xCAFEBABE%”.
Pattern Match
Select this to match a “glob” style pattern. This field is case-insensitive.
Character  Usage
*          a wildcard used to match 0 to many characters
?          a wildcard used to match any single character
Example
*.vbs will match any filename that includes the extension “.vbs”.
www.example.??? will match the domains “www.example.com,” “www.example.net,” “www.example.org,” and “www.example.biz.” It will not match “www.example.tv” or “www.example.net.org.”
Regular Expression
Select this to match a pattern employing full regular expression syntax. This field is case sensitive. Substring is the default; explicit anchoring is required otherwise, using “^(regexp)$”. For example, “(\.bat|\.exe)$” will match anything ending in “.bat” or “.exe”.
For more information consult a reference book, such as O’Reilly’s Mastering Regular Expressions .
6 From the Action drop-down list, select the action the proxy takes when a match occurs.
Action options are:
Allow
This option allows the connection to proceed as normal.
Deny or Strip
This option denies or strips a specific request, but maintains the connection, if possible. When this option is deny, the content is dropped and replaced with the deny message. When this option is strip, all applicable filtered content is removed and dropped, but the rest of the message is allowed through, subject to further proxy filtering.
Drop
This action denies the specific request and drops the connection.
Block
This action denies the specific request, drops the connection, and adds the originating host to the Runtime Blocked Sites list.
7 Use the Alarm drop-down list to select whether to trigger an alarm for this event.
8 Use the Log drop-down list to select whether to write this event to the event log.
9 Click OK to complete the rule.
Ordering listed rules in a proxy action
Rules are processed in order from top to bottom of the window. The default rule is always the last step for filtered content in a proxy action.
To order listed rules:
1 Edit a proxy action. See “Editing an existing proxy action” on page 175 for this procedure.
2 Locate the ruleset you want to order.
3 Select the rule you want to move, and use the up or down arrows to change its position in the list.
Repeat this process for each rule that needs to be re-ordered.
Proxy action rule ordering example
This example describes how you can use proxy action rule ordering to strip a specific MIME subtype, while still allowing the rest of the master MIME type. This example uses the SMTP-Inbound proxy action, with the default settings.
In this example, the strip rule for the MIME subtype (image/tiff) is ordered so it is above the allow rule for all image types (image/*).
The strip TIFF images rule is an exact match rule for the MIME type “image/tiff,” and the All image types rule is a pattern match rule for the master type “image/*.” At runtime, the proxy processes the strip TIFF images rule first, so images of type image/tiff are identified and stripped.
However, all other “image” subtypes do not match the strip TIFF images rule, so they pass on to subsequent rules. When they reach the next rule, which allows the master type (image/*), they are identified and allowed.
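The three matching modes described under “Configuring proxy rules” (Exact Match, case-insensitive; Pattern Match, a case-insensitive glob with * and ?; Regular Expression, case-sensitive and substring unless anchored) together with first-match-wins processing and a default rule, as an added Python example applied to the image/tiff ordering example above. This is not WatchGuard's code; the glob translation and the exact semantics are this example's reading of the page's descriptions, and the rule names and sample content types are constructed.

```python
"""Added example (not WatchGuard's code): the three rule-matching modes
described for proxy rules (Exact Match, case-insensitive; Pattern Match,
case-insensitive glob with * and ?; Regular Expression, case-sensitive,
substring unless anchored), plus first-match-wins processing with a
default rule, applied to the page's image/tiff vs image/* ordering
example. Rule names and sample content are constructed for this example."""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    kind: str      # "exact" | "pattern" | "regex"
    value: str
    action: str    # "Allow" | "Deny" | "Strip" | "Drop" | "Block"


def glob_to_regex(pattern):
    """Translate the dialog's glob syntax: * = 0..many chars, ? = one char.
    Everything else is literal, and the whole string must match."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return "^" + "".join(out) + "$"


def matches(rule, text):
    if rule.kind == "exact":
        return rule.value.lower() == text.lower()
    if rule.kind == "pattern":
        return re.match(glob_to_regex(rule.value), text, re.IGNORECASE) is not None
    if rule.kind == "regex":
        # case-sensitive; search() gives substring semantics unless the
        # expression itself carries ^ and $ anchors
        return re.search(rule.value, text) is not None
    raise ValueError(f"unknown match kind {rule.kind!r}")


def apply_ruleset(rules, default_action, item):
    """Rules are tried top to bottom; the first match decides, and the
    default rule handles whatever nothing else matched."""
    for rule in rules:
        if matches(rule, item):
            return rule.name, rule.action
    return "default", default_action


# The ordering example from the page: strip image/tiff, then allow image/*.
SMTP_MIME_RULES = [
    Rule("strip TIFF images", "exact", "image/tiff", "Strip"),
    Rule("All image types", "pattern", "image/*", "Allow"),
]
```

Reversing the two rules makes `image/tiff` match the broader `image/*` allow rule first, so the strip rule is never reached; that is the failure mode the ordering arrows exist to prevent.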
Proxy Parameters Reference
This parameter reference describes the fields you can configure for proxy actions. Settings for the three factory default proxy actions are also described.
The following default proxy actions are described:
• “HTTP Client proxy” on page 182
•
HTTP Client proxy
Info tab
This tab allows you to type a name and description for the HTTP proxy action.
Name
A name for the proxy. This field is limited to 30 characters. If the name you specify is longer than 30 characters, the name is truncated to 30 characters.
Description
A description of the proxy, for your reference.
The proxy action should be used with the following services
The default services for the HTTP proxy are TCP Ports 80, 8000, and 8080. This section is informational only. The proxy will filter all content of the specified type, regardless of the port used.
If another service is used, report policy as
This describes how HTTP traffic is reported when it uses a TCP port other than 80, 8000, or 8080. You can select Warning or Error for the reporting level.
This proxy action is supported on
This section lists the appliances and software versions that support this proxy action.
Request General tab
This tab allows you to configure content filtering for client-side general HTTP Request parameters.
Client Connection Idle Timeout
Specifies the time in seconds the proxy waits before dropping an idle connection. Default is 110 seconds.
Maximum Allowed URL Length
Specifies the maximum length in bytes of an allowed outbound HTTP URL. Default is 1024 bytes. Some sites may use longer URLs than this; however, the longer the URL, the greater the chance that some systems may be vulnerable to certain attacks.
Log Connections / Maximum Log URL Length
Enables or disables logging of HTTP outbound connections. When enabled, you can specify a maximum Log URL length in bytes. The default is 1024 bytes.
Category
Specifies the category of HTTP request rules.
Request Methods
The Request Methods ruleset specifies HTTP request methods that the proxy allows. Note that the ruleset is configured to allow the listed rules, and deny all other methods.
The most commonly used HTTP request methods are Get, Head, Post, and Put. Some of the less frequently used Request Methods may be vulnerable to certain exploits and hacks.
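The Request General limits and the Request Methods allow-list from this reference, applied to raw HTTP request lines as an added Python example (not WatchGuard's code, and not how the appliance parses requests). The 1024-byte URL limit and the 1024-byte log truncation are the defaults the page states; the allowed-method set (Get, Head, Post, Put, the four the page calls most common) and the sample request lines are constructed for this example. Method tokens are compared case-sensitively because RFC 2616 defines them that way.

```python
"""Added example (not WatchGuard's own code): the Request General limits and
the Request Methods allow-list from this reference, applied to raw HTTP
request lines. Default values (1024-byte URL limit, 1024-byte log
truncation) are the ones the page states; the allowed-method set and the
sample requests are constructed for this example."""
MAX_URL_LENGTH = 1024       # Maximum Allowed URL Length default
MAX_LOG_URL_LENGTH = 1024   # Maximum Log URL Length default
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT"}   # listed rules; all others denied


def parse_request_line(line):
    """Split 'Method SP Request-URI SP HTTP-Version' (RFC 2616 section 5.1)."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1], parts[2]


def filter_request(line, allowed=ALLOWED_METHODS, max_url=MAX_URL_LENGTH):
    """Return (verdict, reason, log_url); the first failing check decides."""
    parsed = parse_request_line(line)
    if parsed is None:
        return "Deny", "malformed request line", ""
    method, url, _version = parsed
    # what the event log would record: the URL cut to Maximum Log URL Length
    log_url = url[:MAX_LOG_URL_LENGTH]
    if method not in allowed:                  # ruleset allows listed methods only;
        return "Deny", f"method {method} not in allow-list", log_url  # tokens are case-sensitive
    if len(url.encode()) > max_url:            # Maximum Allowed URL Length check
        return "Deny", f"URL length {len(url)} exceeds {max_url}", log_url
    return "Allow", "ok", log_url


# Constructed sample traffic: the first two pass, the rest are denied.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "HEAD /status HTTP/1.0",
    "TRACE / HTTP/1.1",                 # not in the allow-list
    "get / HTTP/1.1",                   # lowercase token is not the GET method
    "GET /" + "a" * 1100 + " HTTP/1.1", # over the 1024-byte URL limit
]


def audit(requests=SAMPLE_REQUESTS):
    """Verdict per request line, for reviewing a batch of logged requests."""
    return [filter_request(r)[0] for r in requests]
```

The deny branch still returns the truncated URL so that a log line never grows beyond the configured Log URL length even when the request itself was rejected for being too long.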
Options
The OPTIONS method requests information about the communication options available on the request/response chain identified by the Request-URI. This method allows the client to determine the options or requirements associated with a resource, or the capabilities of a server, without implying a resource action or retrieving a resource (RFC 2616).
Head
The HEAD method is identical to GET except that the server must not return a message-body in the response. The metainformation contained in the HTTP headers in response to a HEAD request is identical to the information sent in response to a GET request. This method can be used for obtaining metainformation about an entity without transferring the body. This method is often used for link testing (RFC 2616).
Get
The GET method retrieves the information entity identified by the Request-URI. This is the most frequently used request method ( RFC 2616 ).
Post
The POST method is used to request that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request-Line. POST allows a uniform method for:
- Annotation of existing resources
- Posting a message to a bulletin board, newsgroup, mailing list, or similar group of articles
- Providing a block of data, such as the result of submitting a form, to a data-handling process
- Extending a database through an append operation
The actual function performed by the POST method is determined by the server and is usually dependent on the Request-URI ( RFC 2616 ).
Put
The PUT method requests that the enclosed entity be stored under the supplied Request-URI. If the Request-URI refers to an already existing resource, the enclosed entity should be considered as a modified version of the existing resource. If the Request-URI does not point to an existing resource, and that URI is capable of being defined as a new resource by the requesting user agent, the origin server can create the resource with that URI (RFC 2616).
Delete
The DELETE method requests that the origin server delete the resource identified by the Request-URI (RFC 2616).
Trace
The TRACE method is used to invoke a remote, application-layer loop-back of the request message. The final recipient of the request reflects the message received back to the client as the body of a 200 (OK) response. A TRACE request must not include an entity (RFC 2616).
Link
The LINK method establishes one or more Link relationships between the existing resource identified by the Request-URI and other existing resources (RFC 2068 section 19.6.1.2). These relationships are expressed in the Link entity-header field, which describes a relationship between two resources, generally between the requested resource and another resource. An entity may include multiple Link values. Links at the metainformation level typically indicate relationships like hierarchical structure and navigation paths (RFC 2068 section 19.6.2.4).
Unlink
The UNLINK method removes one or more Link relationships from the existing resource identified by the Request-URI. These relationships may have been established using the LINK method or by any other method supporting the Link header. The removal of a link to a resource does not imply that the resource ceases to exist or becomes inaccessible for future references (RFC 2068 section 19.6.1.3).
Checkin
A CHECKIN request can be applied to a checked-out, version-controlled resource, to produce a new version whose content and dead properties are copied from the checked-out resource. If a CHECKIN request fails, the server state preceding the request is restored (RFC 3253 section 4.4).
Checkout
A CHECKOUT request can be applied to a checked-in version-controlled resource, to allow modifications to the content and dead properties of that version-controlled resource. If a CHECKOUT request fails, the server state preceding the request is restored (RFC 3253 section 4.3).
Patch
The PATCH method is similar to PUT except that the entity contains a list of differences between the original version of the resource identified by the Request-URI and the desired content of the resource after the PATCH action has been applied. The list of differences is in a format defined by the media type of the entity (for example, “application/diff”), and must include sufficient information to allow the server to recreate the changes necessary to convert the original version of the resource to the desired version (RFC 2068 section 19.6.1.1).
URL Paths
The URL Paths ruleset allows you to filter the content of an HTTP path. The path is everything after the initial slash. For example, in www.server.com/cgi/index.html, the path content is “cgi/index.html.”
The ruleset as shipped catches and strips requests for the common Windows executable file extensions (*.exe and *.dll). By default this ruleset allows all URL path information except for the listed rules.
NOTE
One possible use for a URL Paths rule is to create pattern match rules for the content *ad/* and *ads/*. Though not guaranteed to work, this can function as a simple, effective screening tool to reduce the amount of online advertising users see. Check the URLs of popup windows or banner ads you or your users find on the Web for other ideas.
Windows EXE
A pattern match rule that denies URL path content with the extension “.exe.” This effectively prevents Windows users on your network from downloading executable programs over HTTP. Installable programs are often EXE files, so this rule can cause problems for users who need access to software downloads or updates.
Windows DLL
A pattern match rule that denies URL path content with the extension “.dll.” This effectively prevents users from accessing some Windows applications across HTTP. DLLs are sometimes used for web applications such as banners or tickers, and some legitimate sites (for example, the Internet auction site eBay) use DLLs as integral components of their functionality. However, DLLs can pose a threat to your systems and network. Exercise caution when changing this rule.
NOTE
Blocking *.exe files in URLs prevents Windows users on your network from downloading executables over HTTP. This might inconvenience users who need access to software downloads. In addition, blocking *.dll files in URLs prevents some web applications and sites from working.
Request Headers tab
This tab allows you to configure content filtering for client-side HTTP Request Headers.
Maximum Total Length
The maximum total length of the HTTP Request Header. Some systems may be vulnerable to overflow attacks if the header field is too large. The default value is 0, which means there is no maximum.
Maximum Line Length
The maximum length of each line of characters in the HTTP Request Header. Some systems may be vulnerable to exploits that use very long lines. The default value is 2048 bytes.
Category
This specifies the ruleset category–Header Fields or Authorization.
Header Fields
This ruleset provides content filtering for HTTP Header fields. The ruleset uses exact matching rules to strip From, Via, and Referer headers, and allows all other headers by default.
From
The From request-header field, if provided, contains an Internet e-mail address for the human user who controls the requesting user agent (RFC 2616).
Via
The Via general-header field must be used by gateways and proxies to indicate the intermediate protocols and recipients between the user agent and the server on requests, and between the origin server and the client on responses. It is intended to be used for tracking message forwards, avoiding request loops, and identifying the protocol capabilities of all senders along the request/response chain (RFC 2616).
Referer
The Referer request-header field allows the client to specify the address (URI) of the resource from which the Request-URI was obtained, for the benefit of the server (RFC 2616).
Authorization
This ruleset provides content filtering for HTTP Request Header authorization fields. A user agent that wishes to authenticate itself with a server does so by including an Authorization request-header field with the request. The Authorization field value consists of credentials containing the authentication information of the user agent for the realm of the resource being requested.
This ruleset is designed to allow NTLM, Digest, and Basic authorization, and to strip all other authorization by default. The rule is keyed on the authentication scheme named at the start of the field value; a scheme that is stripped never reaches the server, so the user sees a failed or repeated login rather than an error from the proxy.
Basic
The Basic authentication scheme is based on the model that the client must authenticate itself with a user-ID and a password for each realm. The realm value is an opaque string that can only be compared for equality with other realms on that server. The server services the request only if it can validate the user-ID and password for the protection space of the Request-URI. There are no optional authentication parameters (RFC 2617). Note that Basic credentials are only base64-encoded, not encrypted: anyone who can read the HTTP traffic can recover the user-ID and password, and the proxy passes them through unchanged.
Digest
Like Basic Access Authentication, the Digest scheme is based on a simple challenge-response paradigm. The Digest scheme challenges using a nonce value. A valid response contains a checksum (by default, the MD5 checksum) of the username, the password, the given nonce value, the HTTP method, and the requested URI. The password is never sent in the clear (RFC 2617).
NTLM
Windows NT LAN Manager (NTLM), also known as Windows NT Challenge/Response, is the authentication protocol used on networks that include systems running the Windows NT operating system, and on stand-alone systems.
NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user’s password. NTLM uses an encrypted challenge/response protocol to authenticate a user without sending the user’s password over the wire. Instead, the system requesting authentication must perform a calculation that proves it has access to the secured NTLM credentials (Microsoft).
.NET Passport 1.4
This authentication type is used by Microsoft’s .NET Passport service. For more information, see http://www.passport.net.
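The following Python script is an added illustration of the settings on this tab and is not code from CPM or WatchGuard. It applies the defaults described above (no total-length limit, 2048-byte lines, strip From, Via and Referer, keep only Basic, Digest and NTLM credentials) to constructed requests. The names RequestHeaderPolicy, FilterResult and filter_request_headers are the example's own, the sample requests are made up, and the guide does not say how the appliance treats folded (continuation) header lines, so the example assumes one field per line.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RequestHeaderPolicy:
    # Defaults as described for the Request Headers tab.
    max_total_length: int = 0           # 0 means no limit
    max_line_length: int = 2048
    stripped_fields: frozenset = frozenset({"from", "via", "referer"})
    allowed_auth_schemes: frozenset = frozenset({"basic", "digest", "ntlm"})


@dataclass
class FilterResult:
    headers: bytes                                   # request line, surviving headers and body; empty on violation
    removed: List[str] = field(default_factory=list)
    violation: Optional[str] = None


def filter_request_headers(raw: bytes, policy: RequestHeaderPolicy = RequestHeaderPolicy()) -> FilterResult:
    """Apply the tab's length limits and the Header Fields / Authorization rulesets
    to one raw request. Length checks run first; a violation denies the whole request."""
    block, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return FilterResult(b"", violation="no end of headers")
    if policy.max_total_length and len(block) + len(sep) > policy.max_total_length:
        return FilterResult(b"", violation="header block exceeds maximum total length")
    lines = block.split(b"\r\n")
    if any(len(line) > policy.max_line_length for line in lines):
        return FilterResult(b"", violation="header line exceeds maximum line length")
    kept, removed = [lines[0]], []                   # lines[0] is the request line
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:                                # not "Name: value"; drop it rather than forward it
            removed.append(f"malformed line {line[:20]!r}")
            continue
        field_name = name.strip().lower().decode("latin-1")
        if field_name in policy.stripped_fields:
            removed.append(field_name)
            continue
        if field_name == "authorization":
            # The scheme is the first token of the value, e.g. "Basic", "NTLM", "Negotiate".
            scheme = value.strip().split(b" ", 1)[0].lower().decode("latin-1")
            if scheme not in policy.allowed_auth_schemes:
                removed.append(f"authorization ({scheme})")
                continue
        kept.append(line)
    return FilterResult(b"\r\n".join(kept) + b"\r\n\r\n" + body, removed)


# Constructed requests (not captured traffic). The first carries the three
# headers the default ruleset strips plus Basic credentials, which it keeps.
SAMPLE_REQUEST = (
    b"GET /cgi/index.html HTTP/1.1\r\n"
    b"Host: www.server.com\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"Referer: http://intranet.example.com/private/report.html\r\n"
    b"Via: 1.1 inside-proxy.example.com\r\n"
    b"From: [email protected]\r\n"
    b"Authorization: Basic dXNlcjpwYXNz\r\n"
    b"\r\n"
)
NEGOTIATE_REQUEST = (
    b"GET / HTTP/1.1\r\nHost: www.server.com\r\n"
    b"Authorization: Negotiate AAAA\r\n\r\n"         # placeholder token, not a real one
)
LONG_LINE_REQUEST = b"GET / HTTP/1.1\r\nHost: www.server.com\r\nX-Pad: " + b"A" * 4000 + b"\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("default", SAMPLE_REQUEST), ("negotiate", NEGOTIATE_REQUEST), ("long line", LONG_LINE_REQUEST)):
        result = filter_request_headers(req)
        print(f"{label:<10} -> {result.violation or 'removed ' + str(result.removed)}")
```

Run the script to see the three outcomes: the Referer, Via and From fields stripped while Basic credentials pass, a Negotiate credential stripped because its scheme is not on the allow list, and the 4000-byte line rejected outright.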
Response General tab
This tab allows you to configure general content filtering for server-side HTTP Response parameters.
Server Connection Idle Timeout
Specifies the amount of time, in seconds, that the connection to the server is allowed to idle before the connection is dropped. Default is 110 seconds.
Body Content Type
This ruleset specifies rules for filtering content in an HTTP Response. The ruleset is configured to strip Windows OCX, Windows CAB, and Java applets. The default rule allows all other response body content types.
Java applet
Java applets are widely used in many safe applications on the Web. However, Java applets can be used to maliciously attack or exploit a client.
This rule specifies a pattern match for the Java applet signature: %0xcafebabe%*. This is the magic number at the start of a Java class file; an applet delivered as a JAR archive (a ZIP file, which begins with the bytes 0x504b0304) does not match this rule.
Windows CAB
A cabinet (.cab) file is a library of compressed files stored as a single file. Cabinet files are used to organize installation files. A CAB file can contain malicious code that can be executed on a client system. This rule specifies a pattern match for the Windows CAB signature: %0x4d53434600000000%*.
ActiveX
ActiveX controls (OCX) can be used to execute code on client machines. This rule specifies a pattern match for the OCX signature: %0x5a4d00900003000000040000ffff0000%*. Note that this pattern is written as little-endian 16-bit words (0x5a4d is the “MZ” executable signature, which appears in the file as the bytes 4d 5a) and covers the next 14 bytes of the usual DOS stub header as well, so an OCX built with a different stub does not match. Test the rule against a known OCX file before relying on it.
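The following Python script is an added illustration and not code from CPM or WatchGuard. The guide never spells out the pattern syntax in full, so the script reconstructs it from the rules shown in this chapter (the Body Content Type signatures above, the *.exe and *ad/* URL Paths rules, and the %% escape described under SMTP Address Validation) under stated assumptions: * matches any run of bytes, %% is a literal percent sign, %0x..% is a literal byte sequence given in hex, everything else matches itself, matching is case-sensitive and the whole value must match. The sample bodies are constructed, not real files, and the function names are the example's own. It also shows the OCX byte-order question: the pattern as printed does not match a file that begins with the bytes “MZ”, while the same hex read as little-endian words does.

```python
import re


def compile_pattern(pattern: str) -> re.Pattern:
    """Translate an assumed CPM-style pattern into a bytes regex.

    Assumed syntax (reconstructed, not taken from the guide):
      *          any run of bytes, including an empty one
      %%         one literal percent sign
      %0xHH..%   the literal byte sequence given in hex
    Any other character matches itself; the whole input must match.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("%%", i):
            parts.append(b"%")
            i += 2
        elif pattern.startswith("%0x", i):
            end = pattern.index("%", i + 3)          # the closing percent sign
            parts.append(re.escape(bytes.fromhex(pattern[i + 3:end])))
            i = end + 1
        elif pattern[i] == "*":
            parts.append(b".*")
            i += 1
        else:
            parts.append(re.escape(pattern[i].encode("latin-1")))
            i += 1
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL so * spans newlines in binary data


def matches(pattern: str, data: bytes) -> bool:
    return compile_pattern(pattern).fullmatch(data) is not None


def words_to_bytes(hex_words: str) -> str:
    """Rewrite hex given as little-endian 16-bit words (5a4d = 'MZ') into file byte order (4d5a)."""
    return "".join(hex_words[i + 2:i + 4] + hex_words[i:i + 2] for i in range(0, len(hex_words), 4))


# The three Body Content Type signatures exactly as printed in the guide.
JAVA_APPLET = "%0xcafebabe%*"
WINDOWS_CAB = "%0x4d53434600000000%*"
ACTIVEX_OCX = "%0x5a4d00900003000000040000ffff0000%*"
# The OCX signature with its hex rewritten into byte order.
ACTIVEX_OCX_BYTE_ORDER = "%0x" + words_to_bytes(ACTIVEX_OCX[3:-2]) + "%*"

# Constructed sample bodies: only the leading bytes matter for these rules.
CLASS_FILE = b"\xca\xfe\xba\xbe\x00\x00\x00\x31" + b"\x00" * 24          # Java class file (magic + version)
JAR_FILE = b"PK\x03\x04" + b"\x00" * 28                                   # ZIP archive, as a JAR is
CAB_FILE = b"MSCF\x00\x00\x00\x00" + b"\x00" * 24                         # Microsoft cabinet
MZ_FILE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 16   # PE/OCX, usual DOS stub

if __name__ == "__main__":
    checks = [
        ("Java applet vs class file", JAVA_APPLET, CLASS_FILE),
        ("Java applet vs JAR", JAVA_APPLET, JAR_FILE),
        ("Windows CAB vs CAB", WINDOWS_CAB, CAB_FILE),
        ("OCX as printed vs MZ file", ACTIVEX_OCX, MZ_FILE),
        ("OCX in byte order vs MZ file", ACTIVEX_OCX_BYTE_ORDER, MZ_FILE),
        ("URL path *.exe vs cgi/setup.exe", "*.exe", b"cgi/setup.exe"),
        ("URL path *ad/* vs images/ad/banner.gif", "*ad/*", b"images/ad/banner.gif"),
        ("literal percent 100%% vs 100%", "100%%", b"100%"),
    ]
    for label, pat, data in checks:
        print(f"{label:<40} {matches(pat, data)}")
```

Under these assumptions a path such as setup.exe?download=1 would not match *.exe, because the whole value must match; if the appliance treats the query string as part of the path, use *.exe* instead. Whether the real matcher is case-sensitive, and which byte order it uses for hex, are exactly the points to confirm against the appliance with a known sample before trusting a rule.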
Response Headers tab
This tab allows you to configure content filtering for server-side HTTP Response Headers.
Maximum Total Length
Specifies the maximum total length of the HTTP Response Headers, in bytes. Set this to 0 to specify no limit. Some systems might be vulnerable to overflow exploits that use very large headers. If the total header size exceeds this limit, the entire HTTP Response is denied. The default value is 0 (no limit).
Maximum Line Length
This specifies the maximum allowed length of a line of characters in the HTTP Response Headers. Some systems might be vulnerable to buffer overflows with very long lines, so you can adjust this setting according to the capabilities of your systems. The default value is 2048 bytes.
Category
This specifies the ruleset category–Header Fields, Content-Type, or Cookies.
Header Fields
This ruleset specifies rules for filtering content in HTTP Response Header Fields. The ruleset is configured to allow a number of typical Header Fields. The default rule strips all other Response Header Fields. Several of the listed fields (for example Accept, Authorization, Host, the If-* conditionals, Referer and User-Agent) are request headers that a server does not normally send; they appear here because the ruleset allows them, not because a response is expected to carry them.
The allowed Header Fields are:
- Accept (RFC 2616)
- Accept-Charset (RFC 2616)
- Accept-Encoding (RFC 2616)
- Accept-Language (RFC 2616)
- Accept-Ranges (RFC 2616)
- Age (RFC 2616)
- Allow (RFC 2616)
- Alternates (RFC 2068 section 19.6.2.1)
- Authorization (RFC 2616)
- Cache-Control (RFC 2616)
- Connection (RFC 2616)
- Content-Base (RFC 2068 section 14.11)
- Content-Disposition (RFC 1806)
- Content-Encoding (RFC 2616)
- Content-Language (RFC 2616)
- Content-Length (RFC 2616)
- Content-Location (RFC 2616)
- Content-MD5 (RFC 2616)
- Content-Range (RFC 2616)
- Content-Type (RFC 2616)
- Content-Version (RFC 2068 section 19.6.2.2)
- Cookie (RFC 2965)
- Date (RFC 2616)
- Derived-From (RFC 2068 section 19.6.2.3)
- ETag (RFC 2616)
- Expires (RFC 2616)
- From (RFC 2616)
- Host (RFC 2616)
- If-Match (RFC 2616)
- If-Modified-Since (RFC 2616)
- If-None-Match (RFC 2616)
- If-Range (RFC 2616)
- If-Unmodified-Since (RFC 2616)
- Keep-Alive (RFC 2068 section 19.7.1.1)
- Last-Modified (RFC 2616)
- Link (RFC 1945 section D.2.6)
- Location (RFC 2616)
- Mime-Version (RFC 1945 section D.2.7)
- Max-Forwards (RFC 2616)
- Pragma (RFC 2616)
- Proxy-Authenticate (RFC 2616)
- Proxy-Authorization (RFC 2616)
- Proxy-Connection (undocumented; its function is the same as Connection, but it applies only to proxies. This can cause problems with proxies that do not support it.)
- Public (HTTP [1992])
- Range (RFC 2616)
- Referer (RFC 2616)
- Retry-After (RFC 2616)
- Server (RFC 2616)
- Set-Cookie (RFC 2109)
- Transfer-Encoding (RFC 2616)
- UA-CPU (non-standard header sent by Internet Explorer to specify CPU type)
- UA-Color (non-standard header sent by Internet Explorer to specify color depth)
- UA-OS (non-standard header sent by Internet Explorer to specify operating system)
- UA-Pixels (non-standard header sent by Internet Explorer to specify screen pixel size)
- URI (RFC 1945 section D.2.10)
- Upgrade (RFC 2616)
- User-Agent (RFC 2616)
- Vary (RFC 2616)
- Via (RFC 2616)
- Warning (RFC 2616)
- WWW-Authenticate (RFC 2616)
Content-Types
This ruleset specifies rules for filtering Content-Type (MIME type) content in HTTP Response Headers. The ruleset is configured to allow some “safe” Content-Types, and strip MIME content that has no specified Content-Type. The default rule strips all Content-Types that do not match the listed rules.
NOTE
You might want to allow JavaScript content, depending on your organization’s needs. JavaScript served as application/x-javascript is not allowed by the default rule. To allow it, create a new rule in this category, specify an exact match for application/x-javascript, and set the rule to allow content. Script served as text/javascript already passes, because it matches the Text-based rule (text/*).
WebLogic Server
This rule allows WebLogic Server content, by identifying the MIME Content-Type “application/x-WebLogic.” The rule uses an exact match for application/x-WebLogic.
Video
This rule allows all MIME video types, by identifying the MIME Content-Type “video.” The rule uses a pattern match for video/*.
Text-based
This rule allows all MIME text types, by identifying the MIME Content-Type “text.” The rule uses a pattern match for text/*.
No Content-Type present
This rule strips all MIME data that has no specified Content-Type, by identifying empty MIME types. The rule uses an exact match for no text.
Images
This rule allows all MIME image types, by identifying the MIME Content-Type “image.” The rule uses a pattern match for image/*.
Audio
This rule allows all MIME audio types, by identifying the MIME Content-Type “audio.” The rule uses a pattern match for audio/*.
Cookies
This ruleset specifies rules for filtering Cookies in HTTP Responses. One rule is included, “DoubleClick.net.” This rule strips cookies from doubleclick.net, using a pattern match for “*.doubleclick.net.” The ruleset can be configured to strip other cookies, based on your network needs. The default rule allows all other cookies.
When you configure a rule to strip a Cookie, use pattern matching, and type *cookiedomain.com* as the pattern to match.
Deny Message tab
This tab allows you to customize a Deny Message. The Deny Message replaces content that is denied.
You can customize the Deny Message with standard HTML. The first line of the Deny message is part of the HTTP header. There must be a blank line between the first line and the body of the message.
You can also change the character set, for non-English text, and you can call values from the proxy action to describe why content was removed.
The following values can be called from the proxy action:
%(method)%
This inserts the proxy rule that identified the content to strip.
%(reason)%
This inserts a plain text reason that the content was stripped.
%(transaction)%
This inserts transaction information for the stripped content.
%(url-host)%
This inserts the server address from which the stripped content originated.
%(url-path)%
This inserts the URL path of the stripped content.
SMTP Proxy
The SMTP incoming and outgoing proxies allow the same configuration options. However, outgoing proxy rulesets, with the exception of the ESMTP ruleset, contain no preconfigured Rules, and incoming and outgoing proxies provide different defaults.
NOTE
Most screens in this section show the SMTP Incoming Proxy action. The SMTP Outgoing Proxy action appears identical, except that the outgoing proxy windows are named “outgoing” instead of “incoming,” and outbound proxy rulesets contain no rules, except as noted.
Info tab
This tab allows you to type a name and description for the SMTP proxy action.
Name
A name for the proxy. This field is limited to 30 characters. If the name you specify is longer than 30 characters, the name is truncated to 30 characters.
Description
A description of the proxy, for your reference.
The proxy action should be used with the following services
The default service for the SMTP proxy is TCP port 25. This section is informational only: the proxy filters all content of the specified type, regardless of the port used.
If another service is used, report policy as
This describes how SMTP traffic is reported when it uses a TCP port other than 25. You can select Warning or Error for the reporting level.
This proxy action is supported on
This section lists the appliances and software versions that support this proxy action.
General tab
This tab allows you to specify general values for SMTP content filtering.
Maximum Recipients
Specifies the maximum number of email recipients to which a message can be sent. This acts as a counter: it allows the specified number of recipients through, then drops the remaining addresses. For example, if the default setting of 50 is used, and a message is addressed to 52 recipients, the first 50 addressees receive the email message, and the last two addressees are dropped.
Distribution lists that appear as a single SMTP email address (for example, [email protected]) are counted as a single address.
Maximum Message Size
Specifies the maximum size of an incoming SMTP message. Note that most email is sent as 7-bit ASCII text, with the exceptions of Binary MIME and 8bit-MIME. 8-bit content (for example, MIME attachments) is encoded using standard algorithms (Base64 or quoted-printable encoding) to enable it to be sent over 7-bit email systems.
These encodings increase the size of encoded files by approximately one third. Therefore, if you want to allow messages of up to 1000 bytes, you should set this field to a minimum of 1334 bytes to ensure that all mail gets through. The one-third figure is a floor: the line breaks that MIME inserts into Base64 data, and the message headers, add to the total, so leave some margin above it.
The default is 2929 kilobytes (approximately 3 million bytes).
Maximum Address Length
Specifies a maximum length for email addresses. Restricting email address size can prevent some buffer overflow exploits from being used. The default is 50 bytes.
Maximum Line Length
Specifies the maximum line length for lines in an SMTP message. Very long lines can cause overflow conditions on some mail systems. Most email clients and systems send relatively short lines, but some web-based email services send very long lines. The default is 1000 bytes.
Connection Idle Timeout
Specifies the amount of time an incoming SMTP connection can idle before the connection is timed out. The default is 600 seconds (10 minutes).
Address Validation (RFC-822 Compliance)
Allowable Characters : Allows you to specify all of the characters that are allowed in incoming email addresses. If there are particular characters that you do not allow, remove them from this field. All allowed 7-bit ASCII characters are listed by default.
The percentage sign (%) is listed twice (%%) to represent itself. The percentage sign is used as an escape character in the Proxy windows, to enclose hex code and high ASCII characters, but the Proxy windows read two percentage signs in a row as a single percentage sign character. The “commercial at” character (@) is not included, because this list specifies only the characters allowed on either side of the @; an email address cannot be specified without it.
Allow Source-Routed Addresses: Allows source-routed addresses. This is an old UUCP convention that is rarely used today, except by senders of spam, because a source route lets a sender direct your server to relay mail on to a third party. This field is disabled by default. It is recommended that you do not enable this field.
HELO/EHLO Greeting Hostname
These commands are used by the SMTP client (the sending host) to identify itself to the SMTP server. The argument field contains the fully-qualified domain name of the client host, if it is available. A host is a computer attached to the Internet that supports the SMTP protocol.
Allowable Characters : Allows you to specify the characters that can be used in the HELO/EHLO greeting hostname. By default, this includes the 26 letters of the alphabet in upper and lower case, the numbers 0—9, the period (.) and the dash (-).
Content Checking tab
This tab allows you to specify values for SMTP content filtering.
Category
This specifies the ruleset category–Content Types or Address Patterns.
Content Types
The outgoing SMTP ruleset contains no rules.
The incoming SMTP ruleset allows six common MIME types, and all of their subtypes. The default rule strips all other MIME types.
This ruleset does not, by default, allow any “application” or “model” MIME types. Depending on your network needs, you might want to allow certain application MIME types. To find MIME types that you might want to allow or strip, refer to the current master list of MIME types, located at http://www.iana.org/assignments/media-types/.
All audio types
This rule allows all MIME audio types, by identifying the MIME Content-Type “audio.” The rule uses a pattern match for audio/*.
All image types
This rule allows all MIME image types, by identifying the MIME Content-Type “image.” The rule uses a pattern match for image/*.
message/*
This rule allows all MIME message types, by identifying the MIME Content-Type “message.”
The rule uses a pattern match for message/*.
All multi-part MIME types
This rule allows all MIME multipart types, by identifying the MIME Content-Type “multipart.”
The rule uses a pattern match for multipart/*.
Note that if you do not allow multipart MIME, your users might lose a lot of messages and attachments. Multipart is used frequently to create messages that include attachments.
All text types
This rule allows all MIME text types, by identifying the MIME Content-Type “text.” The rule uses a pattern match for text/*.
All video types
This rule allows all MIME video types, by identifying the MIME Content-Type “video.” The rule uses a pattern match for video/*.
Attachment Filenames
The outgoing SMTP proxy action contains no rules for attachment filenames.
The incoming SMTP proxy ruleset allows three common attachment filename extensions. The default rule strips all other filename content.
Word document
This rule allows attachments with the standard Microsoft Word .doc file extension. The rule uses a pattern match for *.doc.
Text file
This rule allows standard text attachments with the .txt file extension. The rule uses a pattern match for *.txt.
Excel spreadsheet
This rule allows attachments with the standard Microsoft Excel spreadsheet .xls file extension. The rule uses a pattern match for *.xls.
Address Patterns tab
This tab allows you to specify values for SMTP Address Pattern filtering.
Category
This specifies the ruleset category–Mail From or Mail To.
Mail From
This ruleset contains no listed rules from the factory. The default rule is allow. With the SMTP Incoming proxy, this configuration allows mail from all senders into your network. With the SMTP Outgoing proxy, this configuration allows all users on the network to send email.
Mail To
This ruleset contains no listed rules from the factory. The default rule is allow. With the SMTP Incoming proxy, this configuration allows mail addressed to any email address into your network. With the SMTP Outgoing proxy, this configuration allows users on your network to send email to any recipient.
Headers tab
This tab allows you to specify values for SMTP Header filtering.
Header Rules
The SMTP Outgoing proxy contains no rules for SMTP Headers.
The SMTP Incoming proxy action ruleset allows a number of SMTP Headers. The default rule strips all other SMTP headers. As there are hundreds of possible SMTP headers, it might be useful or necessary to allow other SMTP headers in your system.
The Headers that are allowed include:
- Approved-By
- Bcc
- Cc
- Comments
- Content-Description
- Content-Disposition
- Content-ID
- Content-Language
- Content-Length
- Content-MD5
- Content-Transfer-Encoding
- Content-Type
- Date
- Encoding
- Encrypted
- From
- In-Reply-To
- Keywords
- MIME-Version
- Message-ID
- Precedence
- References
- Reply-To
- Resent-Bcc
- Resent-Cc
- Resent-Date
- Resent-From
- Resent-Message-ID
- Resent-Reply-To
- Resent-To
- Status
- Subject
- To
ESMTP tab
The ESMTP tab allows you to specify the filtering for ESMTP content. Although SMTP is widely accepted and widely used, some parts of the Internet community have found a need to extend SMTP to allow more functionality.
ESMTP provides a means for functional extensions to SMTP, and for clients who support extended features to recognize each other. For RFC documentation sources on extensions to SMTP, see “Reference Sources” on page 219.
Allow BDAT/CHUNKING
Allows BDAT and CHUNKING, if enabled on the SMTP host and client. BDAT and CHUNKING enable large messages to be sent more easily over SMTP connections (RFC 3030).
Allow Remote Message Queue Starting
Allows Remote Message Queue Starting, if enabled on the SMTP host and client. This is an extension to the SMTP service that allows an SMTP client and server to interact to start the processing of message queues for a given host (RFC 1985).
Allow 8bit-MIME
Allows 8bit-MIME, if the client and host support the extension. The 8bit-MIME extension allows a client and host to exchange messages made up of text containing octets outside of the US-ASCII octet range (hex 00-7F, or 7-bit ASCII) using SMTP (RFC 1652).
Allow Binary MIME
Allows the Binary MIME extension, if the sender and receiver support it. Binary MIME avoids the overhead of base64 and quoted-printable encoding of binary objects sent using the MIME message format over SMTP (RFC 3030).
NOTE
BDAT/CHUNKING must be allowed for Binary MIME to work.
Authentication Rules
Both the incoming and outgoing SMTP proxy actions contain the same Authentication rules. The ruleset allows a number of ESMTP Authentication types. The default rule denies all other Authentication types.
Allowed Authentication types include:
- CRAM-MD5
- DIGEST-MD5
- GSSAPI
- LOGIN
- LOGIN (old style)
- NTLM
- PLAIN
The SMTP service extension for Authentication is described in RFC 2554. Note that LOGIN and PLAIN transmit the password itself, only base64-encoded, so anyone who can read an unencrypted SMTP session can recover it; CRAM-MD5, DIGEST-MD5, NTLM and GSSAPI use a challenge-response exchange in which the password does not cross the wire. Allow LOGIN and PLAIN only where the mail clients that need them cannot use anything stronger.
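The following Python script is an added illustration of the difference between the allowed mechanisms and is not code from CPM or WatchGuard. It decodes what AUTH PLAIN and AUTH LOGIN actually put on the wire, computes a CRAM-MD5 reply the way RFC 2195 specifies it (HMAC-MD5 keyed by the password over the server's challenge), and classifies an AUTH command line by whether a passive observer could read the password back. The function names are the example's own; the user name, secret and challenge are constructed samples modelled on the worked example in RFC 2195.

```python
import base64
import hashlib
import hmac

# Grouping of the mechanisms the default ruleset allows, by whether the
# password itself crosses the wire. This is a property of the mechanisms,
# not a CPM setting.
CLEARTEXT_EQUIVALENT = {"PLAIN", "LOGIN"}
CHALLENGE_RESPONSE = {"CRAM-MD5", "DIGEST-MD5", "NTLM", "GSSAPI"}


def decode_plain(initial_response_b64: str):
    """AUTH PLAIN: base64 of authzid NUL authcid NUL password (RFC 2595 section 6)."""
    authzid, authcid, password = base64.b64decode(initial_response_b64).split(b"\x00", 2)
    return authzid.decode(), authcid.decode(), password.decode()


def decode_login(username_b64: str, password_b64: str):
    """AUTH LOGIN (never published as an RFC): the user name and password travel as two base64 lines."""
    return base64.b64decode(username_b64).decode(), base64.b64decode(password_b64).decode()


def cram_md5_digest(password: str, challenge: bytes) -> str:
    """Keyed digest from RFC 2195: HMAC-MD5 with the password as key over the server's challenge."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """The client's CRAM-MD5 reply: base64 of 'username<space>hexdigest'. The password is never sent."""
    return base64.b64encode(f"{username} {cram_md5_digest(password, challenge)}".encode()).decode()


def parse_cram_response(response_b64: str):
    """Split a CRAM-MD5 reply back into (username, hexdigest), as the server does before verifying it."""
    username, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    return username, digest


def password_exposed(auth_command: str) -> bool:
    """True for an 'AUTH <mechanism> ...' line whose mechanism lets a passive observer read the password."""
    parts = auth_command.split()
    return len(parts) >= 2 and parts[0].upper() == "AUTH" and parts[1].upper() in CLEARTEXT_EQUIVALENT


# Constructed samples (not captured traffic).
SAMPLE_PLAIN = base64.b64encode(b"\x00tim\x00tanstaaftanstaaf").decode()
SAMPLE_LOGIN_USER = base64.b64encode(b"tim").decode()
SAMPLE_LOGIN_PASS = base64.b64encode(b"tanstaaftanstaaf").decode()
SAMPLE_CHALLENGE = b"<[email protected]>"

if __name__ == "__main__":
    print("AUTH PLAIN decodes to", decode_plain(SAMPLE_PLAIN))
    print("AUTH LOGIN decodes to", decode_login(SAMPLE_LOGIN_USER, SAMPLE_LOGIN_PASS))
    reply = cram_md5_response("tim", "tanstaaftanstaaf", SAMPLE_CHALLENGE)
    print("CRAM-MD5 reply carries", parse_cram_response(reply))
    for line in ("AUTH PLAIN " + SAMPLE_PLAIN, "AUTH LOGIN", "AUTH CRAM-MD5"):
        print(f"{line[:24]:<24} password exposed: {password_exposed(line)}")
```

CRAM-MD5 is shown because it is the simplest of the challenge-response mechanisms; it still requires the server to hold the password (or an equivalent) in a recoverable form, which is why it is stronger on the wire but not a substitute for protecting the session itself.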
Masquerading tab
This tab allows you to masquerade domain names and message-IDs for incoming or outgoing SMTP messages.
Masquerading domains allows you to present all email as if it originates from a single domain. Masquerading message-IDs allows you to replace the message-ID SMTP Header with new IDs.
Masquerading is generally only useful for outgoing SMTP.
Domain Name
Type a domain name here to replace the domain names for incoming or outgoing messages with the specified domain. For example, if you type “watchguard.com” on the Incoming SMTP Proxy, then to your users it will appear that all incoming email is from senders at watchguard.com.
Masquerade Message IDs
Select this checkbox to replace the Message-ID Header field in all incoming messages. Note that this may disrupt message threading.
Deny Message tab
This tab allows you to customize a Deny Message. The Deny Message replaces inline content that is stripped.
You can customize the Deny Message with standard text.
You can also change the character set, for non-English text, and you can call values from the proxy action to describe why content was removed.
The following values can be called from the proxy action:
%(type)%
This inserts the Content-Type for the content that is stripped.
%(filename)%
This inserts the filename of the stripped content.
%(rulename)%
This inserts the name of the rule that stripped the content.
Reference Sources
Throughout this Reference, material is adapted from–and linked to–information from Internet standards bodies, relevant corporations and groups.
In all possible cases, the most recent available definition for a parameter is used.
Reference sources include:
• HTTP: a Protocol for Networked Information [1992] http://www.w3.org/Protocols/HTTP/HTTP2.html
• RFC 822, Standard for the Format of ARPA Internet Text Messages http://www.ietf.org/rfc/rfc0822.txt
• RFC 1652, SMTP Service Extension for 8bit-MIME transport http://www.ietf.org/rfc/rfc1652.txt
• RFC 1806, Communicating Presentation Information in Internet Messages: The Content-Disposition Header http://www.ietf.org/rfc/rfc1806.txt
• RFC 1869, SMTP Service Extensions http://www.ietf.org/rfc/rfc1869.txt
• RFC 1945, Hypertext Transfer Protocol -- HTTP/1.0 http://www.w3.org/Protocols/rfc1945/rfc1945.txt
• RFC 1985, SMTP Service Extension for Remote Message Queue Starting http://www.ietf.org/rfc/rfc1985.txt
• RFC 2068, Hypertext Transfer Protocol -- HTTP/1.1 [January 1997] http://www.w3.org/Protocols/rfc2068/rfc2068.txt
• RFC 2518, HTTP Extensions for Distributed Authoring -- WEBDAV http://www.ietf.org/rfc/rfc2518.txt
• RFC 2554, SMTP Service Extension for Authentication http://www.ietf.org/rfc/rfc2554.txt
• RFC 2616, Hypertext Transfer Protocol -- HTTP/1.1 [June 1999] http://www.w3.org/Protocols/rfc2616/rfc2616.html
• RFC 2821, Simple Mail Transfer Protocol [April 2001] http://www.ietf.org/rfc/rfc2821.txt
• RFC 2965, HTTP State Management Mechanism http://www.ietf.org/rfc/rfc2965.txt (also RFC 2109)
• RFC 3030, SMTP Service Extensions for Transmission of Large and Binary MIME Messages http://www.ietf.org/rfc/rfc3030.txt
• RFC 3253, Versioning Extensions to WebDAV (Web Distributed Authoring and Versioning) http://www.ietf.org/rfc/rfc3253.txt
• MIME Media Types http://www.iana.org/assignments/media-types/
CHAPTER 10
About Virtual Private Networks
The Internet is a technical and social development that puts a multitude of information at your fingertips. On this worldwide system of networks, a user at one computer can get information from numerous other computers. The benefits of using the Internet to exchange information and conduct business are enormous.
Unfortunately, so are the risks. Because data packets traveling the Internet are transported in plain text, potentially anyone can read them and place the security of your network in jeopardy.
Virtual private networking technology counters this threat by using the Internet’s vast capabilities while reducing its security risk. A virtual private network (VPN) allows communication to flow across the Internet between two networks or between a host and a network in a secure manner.
Typical networks and hosts using a VPN might include a corporate headquarters, branch offices, remote users, telecommuters, and traveling employees. User authentication verifies the identity of both the sender and the receiver.
Data sent over the Internet is encrypted so that only the sender and the receiver of the message can see it in a clearly readable state.
About VPN Policies
To establish VPN connections between your present site and other remote sites, you must create and apply VPN policies in security appliances on each end. These policies specify the required levels of authentication and encryption to protect the data streams. You can also create VPN policies for Vclass appliances that permit secure communications between a site and authorized clients.
The first step in creating a VPN policy is determining the way in which keys are selected. Key selection can occur in two ways:
Manual
Manual key mode requires that the administrator of each security appliance manually enter the text of a key on each system that exactly matches the other system’s key. The drawbacks to manual keys are
- potential errors in key entry
- keys must be manually replaced on a regular basis
- a fixed key is more prone to hacking attempts
Automatic
Automatic key mode requires use of the IKE protocol to generate new keys when they are needed. Keys and encryption/authentication algorithms are first negotiated, and then chosen and used by the two participating security appliances.
An additional level of protection can be applied through third-party authorities, who provide verification that a security appliance (and the source behind it) is exactly what it represents itself to be.
In either key management mode, the user can choose different encryption and authentication algorithms to protect the data streams sent through a VPN connection.
VPN Policies and IPSec Actions
A VPN security policy always includes an IPSec action, regardless of whether you are creating a manual key or automatic key policy. The IPSec action determines what type of authentication and encryption will be used to protect traffic governed by this policy. VPN policies can incorporate different kinds of keys (manual or automatic) and different types of encryption and authentication algorithms, and apply them to the data stream. If a VPN policy has no IPSec action, the data is sent as clear text.
Three major qualifications are established in an IPSec action: mode, key management, and encryption/authentication.
Mode
Tunnel mode is used when appliances act as security gateways on both ends or when a remote VPN client connects to an appliance. Data packets are encrypted and tunnelled from one appliance to the other, where decryption takes place and the data is forwarded to its final destination. The IP address of each tunnel peer must be specified.
Transport mode is usually applied in end-to-end secured communications.
Key Management
This specifies whether the key is automatically or manually created. Automatic key management is done in accordance with IKE, an IETF standard protocol. Using IKE, encryption keys are automatically negotiated and selected by two connected security appliances. This provides the easiest, most efficient key management.
Encryption/authentication
Two principal types of security protocols exist to protect data packets in Internet communications.
AH (Authentication Header) protocol is applied to IP packets for authentication, while ESP (Encapsulating Security Payload) can be applied to IP packets for both encryption and authentication.
About Encryption
The Firebox Vclass security appliance supports the following algorithms:
                           AH                ESP
Authentication algorithm   MD5, SHA          MD5, SHA
Encryption algorithm       not applicable    DES, 3DES
When a manual key is configured in an IPSec action, security protocols (AH, ESP, or both) must be selected. The related keys are created by the administrator. Using an automatic key provides more flexibility regarding which security protocols and algorithms are used.
This flexibility is expressed in the form of proposals incorporated into the IPSec action. For example, one proposal may use ESP with 3DES for encryption and SHA for authentication. A second proposal uses ESP with DES for encryption and AH with MD5 for authentication. When a Firebox Vclass appliance negotiates with another appliance to select an automatic key, the initiating appliance sends a list of proposals to the other, starting a negotiation process at the end of which a protocol and algorithm are chosen and used.
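The negotiation just described, modelled as an added Python example (not WatchGuard code): the initiator offers its proposals in preference order and the responder takes the first one whose every transform it is configured to accept. The two proposals are the ones from the paragraph above; the peers, the Responder class and the negotiate function are constructed for this illustration.

```python
"""Model of IPSec proposal negotiation between an initiator and a responder.

Added example, not WatchGuard code. Protocol and algorithm names mirror the
guide's tables (ESP/AH, DES/3DES, MD5/SHA); the data structures are this
example's own.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Transform:
    protocol: str                # "ESP" or "AH"
    encryption: Optional[str]    # "DES" or "3DES" for ESP; always None for AH
    auth: Optional[str]          # "MD5" or "SHA"; None for an encryption-only ESP transform


@dataclass(frozen=True)
class Proposal:
    name: str
    transforms: Tuple[Transform, ...]   # every transform must be accepted for the proposal to match


@dataclass
class Responder:
    """The protocols and algorithms a peer's own IPSec action allows."""
    protocols: Set[str]
    encryption: Set[str]
    auth: Set[str]

    def accepts(self, t: Transform) -> bool:
        if t.protocol not in self.protocols:
            return False
        if t.protocol == "AH":
            # AH authenticates only; an AH transform never carries an encryption algorithm.
            return t.encryption is None and t.auth in self.auth
        # ESP must encrypt; authentication inside ESP is optional.
        return t.encryption in self.encryption and (t.auth is None or t.auth in self.auth)


def negotiate(initiator_proposals: Tuple[Proposal, ...], responder: Responder) -> Optional[str]:
    """Return the name of the first proposal (in the initiator's order) the responder accepts.

    Returns None when no proposal matches, in which case no security association is set up.
    The initiator's ordering decides which of several acceptable proposals wins, so a weaker
    proposal is only chosen when every stronger one ahead of it was rejected.
    """
    for p in initiator_proposals:
        if p.transforms and all(responder.accepts(t) for t in p.transforms):
            return p.name
    return None


# The two proposals used as the example in the text above.
PROPOSAL_1 = Proposal("esp-3des-sha", (Transform("ESP", "3DES", "SHA"),))
PROPOSAL_2 = Proposal("esp-des+ah-md5", (Transform("ESP", "DES", None), Transform("AH", None, "MD5")))
INITIATOR = (PROPOSAL_1, PROPOSAL_2)

# Constructed peers with different capabilities (hypothetical, for illustration).
PEER_STRONG = Responder({"ESP", "AH"}, {"DES", "3DES"}, {"MD5", "SHA"})
PEER_LEGACY = Responder({"ESP", "AH"}, {"DES"}, {"MD5"})
PEER_AH_ONLY = Responder({"AH"}, set(), {"MD5", "SHA"})

if __name__ == "__main__":
    for label, peer in [("strong", PEER_STRONG), ("legacy", PEER_LEGACY), ("ah-only", PEER_AH_ONLY)]:
        print(f"{label}: {negotiate(INITIATOR, peer)}")
```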
Overview of Creating a VPN
In a typical site-to-site VPN connection, a Firebox Vclass security appliance is placed at each end of the connection, where the site network interfaces with the external Internet.
It is especially important to remember that a VPN setup that connects two components over any kind of network requires two security appliances, one on each end of the connection. One of the ends of the VPN connection could also be a Firebox V10 appliance acting as a VPN client.
Each Vclass appliance is then configured with a single bidirectional VPN policy that manages both incoming and outgoing traffic exchanged with the other appliance.
The general process of creating a VPN policy includes:
• Choosing between automatic (IKE) and manual (PSK) key management.
• Determining whether to use a shared key or certificates for authentication. If you are using certificates, you must request a certificate and import it into the appliance.
• Determining the specifications that qualifying traffic must match.
• Specifying an IPSec action to protect this stream.
If you are planning automatic key management, you must create a separate IKE policy to restrict the peers that are allowed to participate in the exchange, as well as to protect the key selection process negotiated between two security appliances.
The following chapter will guide you in creating and applying a VPN policy that uses automatic keys. For information on creating manual key VPN policies, see the CPM Applications Guide.
CHAPTER 11
Creating an Automatic Key IPSec Action
You can use CPM to create and deploy IPSec/VPN security policies that use IKE automatic key creation and management. The process is greatly simplified in CPM because the peers involved in such policies are automatically assigned a default PSK-based IKE proposal by CPM. You can then open and edit it (and the associated transforms) to reflect your IKE/authentication preferences.
This chapter describes how to compile and apply automatic key VPN policies with the attending actions (proposals and transforms) to specific appliances.
An Overview of VPN Policies
The following outlines the general process of defining and deploying an automatic key VPN policy:
1 Import all required certificates for all registered appliances, as described in “Importing Licenses and Certificates (Optional)” on page 70. (This is optional if you are not using third-party authentication.)
2 Create the IPSec/VPN policy, as described in this chapter.
3 Fine-tune any applicable IKE proposals, using the IKE Proposals window, as described in the CPM Applications Guide.
4 Fine-tune the IKE authentication, using one or both of the following:
- A default pre-shared key
- An x.509 certificate (per appliance)
5 Deploy the policy to the pair of appliances.
Creating a New Automatic Key VPN Policy
You have two options in creating VPN policies that use automatic keys:
• Create a policy using one of the default IPSec actions, which use a range of proposals. This simplifies your work while providing sufficient protection for your traffic.
• Create a policy that uses a custom action (with proposals), if you choose. CPM provides all the required resources for this process.
To select an existing automatic key IPSec action for use in a policy, follow these steps:
1 Open the Configuration Editor window.
2 Insert a new policy row in the Policy tab.
3 Drag-and-drop the appropriate internal-network address (one or more) into the Source cell.
4 Drag-and-drop the appropriate internal-network addresses (one or more) into the Destination cell.
5 Drag-and-drop the service or combined services that this policy will permit.
6 Click the IPSec Action tab in the left margin.
7 Drag-and-drop any of the listed IKE actions from the IPSec Action tab onto the Action cell in the appropriate policy row.
Maximum Security is the recommended action for all confidential traffic. If you want to customize your own IPSec action for use in this policy, see “Customizing an IPSec Action” on page 235.
8 If needed, open the Schedule tab and drag a schedule into the Schedule cell.
9 Select a logging option.
The three default IPSec actions offer the following levels of protection:
                    Minimum Security    High Security       Maximum Security
Mode                Tunnel              Tunnel              Tunnel
PFS                 Enabled             Enabled             Enabled
PFS Key Group       D-H Group 2         D-H Group 2         D-H Group 2
SA Life             480 min/50MB        480 min/50MB        480 min/50MB
ESP                 DES                 3DES                3DES/SHA-1
AH                  -N/A-               -N/A-               -N/A-
Replay Detection?   Yes                 Yes                 Yes
Window Size         32                  32                  32
Making a VPN Policy Bi-directional
Each new automatic-key VPN policy is bidirectional by default, and depends upon Source and Destination entries to establish the direction of traffic. You can, however, change this state to “unidirectional” by following these steps after the action has been added to a policy. In doing so, you do not have to further revise the Source or Destination entries.
To make a bi-directional policy unidirectional, based on the source and destination settings, right-click the policy row’s Action cell and deselect Bi-directional.
Assessing the IKE settings
After you create the policy, CPM automatically registers the two appliances as an IKE pair . You can now review the
IKE proposal and fine-tune the IKE authentication, which involves replacing the default pre-shared key text if you choose or selecting an x.509 certificate, if available.
1 Click the IKE Pairs tab.
2 Look for the new pair entry, which lists the two appliances you just combined in your new policy.
3 Right-click the pair entry and select Set IKE Proposal.
4 When the IKE Proposal dialog box appears, you can replace the current proposal with any custom proposals, if any are listed in this dialog box.
5 Click OK to close this dialog box, whether or not you select a replacement proposal.
6 Right-click the same pair entry and select Edit/View IKE Authentication Rules.
One of two versions of the Authentication dialog box appears.
If an appliance has an x.509 certificate
1 If the wrong appliance or certificate is listed in the menu, open the Cert to be used by menu and select another certificate.
2 If the Certificate is matched by entries will be symmetrical (applied equally to both appliances), make your entries in the single tab below the Use Symmetrical checkbox.
3 If the Certificate is matched by entries are unique to each appliance, click to clear the checkbox marked Use Symmetrical.
4 Click each of the two appliance-specific tabs and make the appropriate certificate-matching entries.
5 Click OK.
6 Repeat this IKE-authentication review process for all possible pairs that were automatically created from your new policy (as a result of using more than one appliance as source and destination).
If neither appliance has an x.509 certificate
1 Click Edit Key .
The Pre-Shared Key dialog box appears.
2 If you want to replace the automatically generated key text, click the button by your entry preference, and then type new text in the Key field.
3 Click OK to save this entry.
4 Click OK to close the Authentication dialog box.
Customizing an IPSec Action
Normally, one of the three default IPSec actions will be sufficient. However, if your network has unique needs, you can create a custom action:
1 With the IPSec Action tab selected, click the Create a New Object button (shown at right) and select New Auto IPSec from the pop-up menu.
The IPSec Action dialog box appears.
2 Click the General tab. In the Name field, type a name for this action.
The name should include only numbers, letters, hyphen (-), and underscore (_) characters.
3 From the Mode menu, select either Tunnel or Transport.
Tunnel
This policy prompts the Firebox Vclass appliance to hide any information about the original sender of data, representing the Firebox Vclass appliance as the original sender. This option is preferred for site-to-site connections, in which the traffic goes through the Firebox Vclass appliance.
Transport
No additional identity masking will be applied.
This option is ideal for use in secured communication directed to this Firebox Vclass appliance, such as SNMP traffic.
4 If you want to activate PFS, click the checkbox marked Enable Perfect Forward Secrecy.
If you do not activate this option, key replacement (when a key expires) takes place using the source key material that generated previous keys. (If this option is left active, this policy uses new key material every time it generates a replacement key.)
5 (If you enabled Perfect Forward Secrecy) From the PFS Key Group menu, select one of the two available Diffie-Hellman group options to be applied to PFS.
Diffie-Hellman groups enable two peer systems who have no prior knowledge of one another to publicly exchange and agree on a shared secret key.
Customizing an IPSec proposal using a single transform
You can add a new proposal to this action that incorporates a single transform, either ESP or AH, as described in this section:
1 Click the Proposal tab.
2 In the SA Life fields (minutes and Kbytes), enter the appropriate values.
3 If this proposal will use ESP transforms (the default), from each of the two Algorithm menus ( Encrypt Alg and Hash Alg ), select the appropriate options.
4 If you want to apply AH transforms, select the checkbox marked Authentication Protocol. From the Hash Alg menu, select the appropriate option.
5 If you want replay detection to be active, select the checkbox marked Enable Replay Detection and select the value you want from the Window Size menu.
6 Click OK to save this IPSec action.
You can now use this action in security policies.
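Replay detection with a window size such as the default 32 works as a sliding window over the ESP/AH sequence numbers carried in each packet: a packet is dropped if its number was already accepted or if it is older than the window allows. The following is an added Python illustration of that standard scheme (the one outlined in RFC 2401, Appendix C); it is not the appliance's own code, and the packet trace is constructed.

```python
"""Sliding-window anti-replay check for IPSec sequence numbers.

Added example, not WatchGuard code: an implementation of the standard
anti-replay window, parameterised by the window size the guide lets you choose.
"""
from typing import List


class ReplayWindow:
    def __init__(self, size: int = 32) -> None:
        if size < 1:
            raise ValueError("window size must be positive")
        self.size = size
        self.highest = 0          # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0           # bit i set => sequence number (highest - i) was already accepted

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if the packet is new and inside the window; False to drop it."""
        if seq <= 0:
            return False                       # ESP/AH counters start at 1; 0 is never valid
        if seq > self.highest:
            # Newer than anything seen: slide the window forward so seq becomes bit 0.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                # everything previously seen is now outside the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                       # older than the window: dropped even if never seen
        if self.bitmap & (1 << offset):
            return False                       # already accepted: a replayed packet
        self.bitmap |= 1 << offset             # late but legitimate (reordered) packet
        return True


def filter_sequence(seqs: List[int], size: int = 32) -> List[bool]:
    """Run a packet trace through a fresh window; True = accepted, False = dropped."""
    window = ReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


# Constructed trace: in-order packets, a replay of 2, a jump to 40, then late and replayed arrivals.
SAMPLE = [1, 2, 3, 2, 40, 8, 9, 40, 41, 10]

if __name__ == "__main__":
    for seq, ok in zip(SAMPLE, filter_sequence(SAMPLE)):
        print(f"seq {seq:3d}: {'accept' if ok else 'DROP'}")
```

Note that with a window of 32, packet 8 arriving after 40 is dropped although it was never seen; a larger Window Size tolerates more reordering at the cost of a larger bitmap.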
Customizing an IPSec proposal with more than one transform
You can add an all-new proposal to this action that incorporates two or more transforms that apply both ESP and AH algorithms:
1 Click the Proposal tab.
2 Change the values in the SA Life fields (minutes and Kbytes) to values of your preference.
3 To enter two or more transforms (using a combination of ESP and AH algorithms), click to select the checkbox marked Use Multiple Transforms .
The transform options are replaced by a new set of features, as shown here. The Transform table lists a single default transform:
ESP, using DES/SHA-1 and with an SA life of 480 minutes (or 50,000 kilobytes).
4 To add a second transform, click Add .
The Transform dialog box appears, as shown here.
5 If this proposal will use ESP transforms (the default), from each of the two Algorithm menus ( Encrypt Alg and Hash Alg ), select the appropriate options.
6 If you want to apply AH transforms, click to select the checkbox marked Authentication Protocol. From the Hash Alg menu, select the appropriate option.
7 (Optional) Enter appropriate values in the SA Life fields (Minutes and Kbytes).
8 Click OK to close this dialog box.
When the Proposal tab reappears, the new transform appears.
9 Repeat this process to enter more transforms if you choose.
10 When you are finished, use the Up/Down arrow buttons to the right to move selected transforms into the correct sort order in the Transforms table.
11 If you want replay detection to be active, select the checkbox marked Enable Replay Detection and select the value you want from the Window Size menu.
12 Click OK to save this IPSec action.
You can now use this action in security policies.
Customizing multiple IPSec proposals with one or more transforms
1 Click the Proposal tab.
2 (Optional) Enter new values in the SA Life fields (Minutes and Kbytes).
3 Make the required transform entries, using either ESP or AH .
If you prefer, click the checkbox marked Use Multiple Transforms and use the resulting features to enter and sort a number of transforms for future use by this proposal.
4 If you want replay detection to be active, you can open the Window Size menu and choose the preferred value. If you don’t want replay detection to be active, click to clear the Enable Replay Detection checkbox.
5 To add a second proposal, from the Actions menu, select Add a Proposal .
6 Fill in this proposal’s settings (using multiple transforms, if you prefer). You can add more proposals to the action after completing this one, if you choose.
7 When you are finished, click OK to save this IPSec action.
The action appears in the IPSec Action tab. You can now use this action in security policies.
CHAPTER 12
Creating Remote Access VPN Policies
Telecommuters working from home and traveling employees who need corporate network access are common fixtures in today’s business environment.
Using CPM, you can create an IPSec tunnel between an unsecured remote host and your trusted and optional networks using a standard Internet dial-up or broadband connection without compromising security.
Creating a Policy for a Firebox V10
This section describes how to set up RAS connections in which the client is a Firebox V10 security appliance.
Creating the Addresses entries
1 Make sure you have created appliance entries for each client appliance.
2 Create a new address group (such as V10_RAS_use) with no entries. For more information on creating address groups, see Chapter 7, “Defining Security Policies in CPM.”
3 From the Configuration Editor, right-click the target gateway appliance, select New => New Address, and create a new address entry (such as pvt_net ) to represent the internal/trusted network behind interface 0 (private).
4 Right-click each V10 entry and create a new address entry representing the subnet behind interface 0 (private).
5 Drag the V10-specific entries you created in step 3 onto the address group you created in step 2.
Creating the RAS security policy
1 From the Configuration Editor, create a new policy row and rename the policy (for example, V10_RAS ).
2 Drag the V10_RAS_use address entry into the Source cell.
3 Drag the Corporate_Network address entry into the Destination cell.
4 Drag ANY or your own service preferences into the Service cell.
5 Drag the IPSec Action tab’s Maximum Security entry into the Action cell.
6 Make this policy bidirectional.
Confirming the IKE settings
1 Click the IKE Pairs tab.
2 Select each of the new entries automatically generated by the new “V10-RAS” policy.
3 Open the Authentication dialog box to make sure the authentication protocols are set properly.
4 If you want your external users to enter user-specific authentication when they log in, change Default to Default with Xauth.
Generating and deploying profiles
1 From the Profiles tab, generate or update the profiles.
2 Deploy the profiles to the relevant appliances (client and gateway).
3 Power down and disconnect the appliances.
4 Distribute the appliances to their assigned locations.
5 Have the remote users power up and connect the appliances. You can then use CPM to establish contact with each appliance.
Creating a Policy for MUVPN Client Software
The following procedure shows how to set up RAS connections through a gateway appliance in which the client is an MUVPN application. The process requires that you enter the required address entries, complete the policy, and verify the related IKE pair and Remote Access entries.
Creating the RAS address group
This procedure results in an appliance-specific pool of IP addresses to be temporarily assigned to incoming RAS user connections:
1 From the Configuration Editor window, click the Appliance/Address tab.
2 Locate the specific gateway Firebox Vclass appliance that will be used to manage connections from a group of local RAS client users. Right-click that appliance entry and select New => New RAS Address from the popup menu.
CPM alerts you if the selected appliance doesn’t have RAS management features.
3 In the Name field, type a name for the address entry.
4 Next to IP Type , click either IP Subnet or IP Range .
5 If you selected IP Subnet , type the IP address representing the subnet in which the IP addresses are located. This must be a subnet that is not already in use within your network.
If you selected IP Range , type the first and last numbers in the range.
6 In the Netmask field, type the mask of this subnet.
7 Click OK .
Creating the security policy
1 From the Policies tab, create a new policy row.
2 Rename the policy (such as IRE_RAS).
3 Drag the IRE-RAS—pool address entry into the Source cell.
4 Drag the Corporate_Network address entry for the relevant appliance into the Destination cell.
5 Drag ANY or your individual service preferences into the Service cell.
6 Drag the IPSec Action tab’s “Maximum Security” option into the Action cell.
7 Make this policy bi-directional.
Confirming the IKE pair settings
1 Click the IKE Pair tab.
2 Verify the accuracy of the new entries generated by the “RAS_clients-RAS_8000” policy.
3 Select the new IKE rows and click Edit/View IKE Auth.
The Edit/View IKE Authentication dialog box appears.
4 In the Edit Authentication dialog box, verify the default authentication protocols.
Confirming the authentication method
1 Click the Remote Access tab.
2 Click New (in the tab header).
The Add Remote Access dialog box appears, listing any existing RAS address groups.
3 Select the appropriate address group from those listed below the menu. Click OK .
A new entry appears in the Remote Access tab.
4 Select the new listing and click Edit/View User Group in the tab header.
The Edit User Group dialog box appears.
5 From the Address Management menu, select either None or Appliance. If you want the gateway appliance to assign the IP address for the clients, select Appliance. This will prompt the gateway appliance to use the address pool you designated earlier.
6 From the Session Time Limit menu, select Hours or Minutes. Enter the proper increment in the associated text field.
7 From the Idle Timeout menu, select either Hours or Minutes. Enter the proper increment in the associated text field.
8 If you want to permit the users in this group more than one concurrent RAS connection to the network, change the Max Concurrent Logins number (currently “1” by default).
9 Leave the Enable DNS checkbox selected if you want this appliance to use DNS.
If you don’t want this appliance to use DNS, click to clear the checkbox.
10 (If you are using DNS) Specify whether you want to use DNS settings or specify a local DNS server by IP address or domain name.
11 Click OK .
The Remote Access table reappears.
12 Select the listing. Click Edit/View User Auth in the tab header.
The Remote User Authentication dialog box appears.
Though two options are listed, only the RADIUS Server option is supported by CPM.
13 From the RADIUS server authentication method menu, select SecurID .
14 In the Primary Server IP Address field, type the IP address of the local RADIUS server (local to the gateway appliance).
15 If you need to enter a different port number for the RADIUS server, type the correct port number.
16 In the Secret and Confirm Secret text fields, type the password used to establish secure connections between the appliance and the RADIUS server.
17 If you have a secondary (backup) RADIUS server, click the Enabled checkbox next to Secondary Server, and type the values for the secondary server.
18 Click OK to save the entries and close this dialog box.
19 Deploy this profile (from the Profiles tab) to the relevant appliances (client and gateway).
The profile is now ready for use.
If you have not already done so, you should use your IRE client administrative software to prepare the individual clients for use, reflecting the settings and entries already made in CPM. Be careful to coordinate the data in both policies–appliance and client software.
CHAPTER 13
Establishing Tunnel Switching
Maintaining and managing VPN tunnels established between a main corporate office and one or more branch offices can become an overwhelming task.
CPM provides tunnel switching to centralize all intersite communication, which preserves network performance and simplifies maintenance.
To see a case study on tunnel switching between remote sites, see the CPM Applications Guide .
About Tunnel Switching
In a fully meshed topology, all servers are interconnected to form a web, or mesh, with only one hop to any VPN member. Because every device in the network must communicate with every other device, the number of tunnels required quickly becomes immense.
In a hub-and-spoke configuration, all VPN tunnels terminate at one end of a centrally located and managed security appliance. The master server is the central hub of this topology, with all communications radiating outward to other servers and returning to the master server. Hub-and-spoke is far more scalable than a full mesh, with a much more manageable number of tunnels.
Tunnel switching allows branch offices in a hub-and-spoke configuration to communicate with each other by way of the central site. For example, Branch Office A can communicate with Branch Office B by sending traffic to the central office, which switches this traffic from one tunnel (Branch Office A to central office) to another (Branch Office B to central office).
Activating Tunnel Switching on the Central Appliance
1 Open the Configuration Editor window.
2 Click the Appliance/Address tab.
3 Right-click the appliance on which you want to enable tunnel switching and select Edit/View .
The System Configuration dialog box appears.
4 Click the Tunnel Switch tab.
5 Click the Enable Tunnel Switch checkbox. Click Apply. Click OK.
Activating Tunnel Switching Between Sites
To enable data exchange between two sites by way of the central site:
1 If you have not already done so, open the Appliance Manager window and add each remote device.
2 Open the Configuration Editor window. Click the Appliance/Address tab.
3 In the Appliances/Addresses list, select the central site.
Create a new address entry for this appliance for tunnel-switching use only. For more information on creating address entries, see Chapter 7, “Defining Security Policies in CPM.”
4 Create address entries for the network at each remote site.
5 Click the Policies tab and create a single new policy that includes all the tunneling appliances.
6 Save this policy and move it such that it is the last policy in the Policy table.
7 Deploy the policy.
CHAPTER 14
Monitoring Appliances
An important part of an effective network security policy is the monitoring of network events. Monitoring enables you to recognize patterns, identify potential attacks, and take appropriate action. If an attack occurs, the records kept by CPM can help you reconstruct what happened.
How CPM Monitors Appliances
CPM reports the status of registered appliances using two processes:
• Periodic network polling of all appliances
• Responding to event notifications from appliances
About network polling
Network polling queries, also known as handshaking, are automatically transmitted every 10 minutes from CPM Server to every registered appliance (this value can be changed in the cpm_server.conf configuration file). The responses reflect the appliance’s state. You can also prompt a handshake from CPM Server to any appliance from either the Appliance Manager window or the Appliance Detail dialog box.
About event notification
Appliances must send frequent event notifications to the CPM Server to keep it up-to-date between handshakes.
Two types of notifications are sent to the CPM server:
Status/Event notifications
These notifications are sent to CPM Server when the appliance changes its state or status; for example, an interface failure or restoration.
Periodic pulses
Heartbeats are automatically sent by the appliance to CPM Server once every minute. After one missed heartbeat, the appliance goes into “heartbeat missed” status. After 3 consecutive missed heartbeats, CPM Server attempts a handshake with the appliance. If the handshake is successful, the appliance returns to “initial contact” status. If the handshake is unsuccessful, the appliance switches to “out of contact” status.
In addition to the periodic and on-demand handshakes, the following conditions also trigger CPM Server to send handshakes to an appliance:
• Indications of a system reboot
• Out-of-sequence notification numbers indicating some notifications have been lost in the network
• Three heartbeats missed in a row
• CPM Server receives a heartbeat from an unregistered security appliance not in contact with CPM server
Indicators Monitored by CPM
CPM Server monitors the following general indicators of a security appliance’s status:
Appliance Availability
This general indicator is determined using outgoing handshakes and incoming heartbeats.
Interface/Port Status
Records the IP address of an interface and uses color to indicate the status: red means the interface is down and green means it is up. If an interface is not present, no number is displayed and the color is gray.
HA Status
Notes the status (on or off) of High Availability, which is available on certain RapidStream and Firebox Vclass appliance models. This indicator checks for operating software and a physical interface dedicated to High Availability use.
Alarm Status
Lists all open alarms and notes the alarms’ severity as well as triggering conditions.
Configuration Mismatch
Compares information obtained from the appliance in real time to the initial appliance configuration stored in CPM Server. You can assess whether or not a mismatch exists in the appliance model, operating software versions, or profile version.
About Appliance Availability
The successful handshake and reception of heartbeat pulses by CPM Server indicates the immediate availability of each appliance. Appliance availability is represented by one of the following six values.
Never Contacted
CPM Server has never successfully sent any requests to the appliance. The appliance may not exist, or may not be in a network that is reachable from CPM.
Not CPM-ready
CPM Server has successfully sent requests to the appliance but has failed to establish handshaking.
The password to the appliance may not be correct, or the appliance may be running a version of software that does not support CPM.
Initial contact
CPM Server has successfully completed a handshake with the appliance but has not yet received any heartbeats from the appliance. If the appliance stays in this state for more than one minute, the appliance might not be configured to send heartbeats to this CPM server. Network problems can also prevent the appliance from sending heartbeats and notification.
Contacted
CPM Server has successfully completed a handshake with the appliance and received a heartbeat from the appliance in the last minute.
Heartbeat Missed
CPM Server has successfully completed a handshake with the appliance and received heartbeats initially but has recently not received the expected heartbeat for more than one minute.
Out-of-Contact
CPM Server successfully completed a handshake with the appliance and received heartbeats initially, but has since failed to communicate with the appliance.
If CPM Server misses three heartbeats in a row from an appliance, then the server sends a handshake to the appliance in an attempt to contact the appliance. If this handshake fails to generate a response from the appliance, the appliance is considered Out-of-Contact.
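The handshake and heartbeat rules above, together with the six availability values, amount to a small state machine. The following is an added worked example written for this page, not code from the CPM product: it models those rules in Python and runs a constructed outage scenario through them. The 60-second heartbeat period, the three-miss retry threshold and the six state names come from the guide; the event encoding, the probe() callback that stands in for the network path, the appliance name and the function names are assumptions. Where the guide gives no value for a transition (for example, a failed periodic handshake against an appliance that has completed a handshake but not yet sent a heartbeat), the model leaves the state unchanged.

```python
"""Availability state machine modelled on the CPM handshake/heartbeat rules.

Added worked example, not WatchGuard CPM code. The 60 s heartbeat period and
the three-miss retry threshold follow the guide; event encoding, names and the
probe() callback (standing in for the network) are assumptions. Handshake
outcomes: "ok", "rejected" (bad password or software without CPM support),
"unreachable".
"""
from typing import Callable, List, Optional, Tuple

HEARTBEAT_PERIOD = 60      # seconds; the appliance sends one heartbeat per minute
MISSED_BEFORE_RETRY = 3    # consecutive misses before CPM Server re-handshakes

NEVER_CONTACTED = "Never Contacted"
NOT_CPM_READY = "Not CPM-ready"
INITIAL_CONTACT = "Initial contact"
CONTACTED = "Contacted"
HEARTBEAT_MISSED = "Heartbeat Missed"
OUT_OF_CONTACT = "Out-of-Contact"


class ApplianceMonitor:
    """Tracks one registered appliance the way CPM Server's indicator does."""

    def __init__(self, name: str, probe: Callable[[float], str]) -> None:
        self.name = name
        self.probe = probe                  # time -> handshake outcome
        self.state = NEVER_CONTACTED
        self.last_heartbeat: Optional[float] = None
        self.missed = 0
        self.handshakes_sent = 0
        self.contact_log: List[Tuple[float, str]] = []   # like the Contact log tab

    def handshake(self, now: float, outcome: str) -> None:
        """Server-initiated handshake: periodic, on demand, or a retry."""
        self.handshakes_sent += 1
        self.contact_log.append((now, f"handshake {outcome}"))
        if outcome == "ok":
            # Handshake done but no heartbeat yet: Initial contact, also on the
            # recovery path after three missed heartbeats.
            self.state = INITIAL_CONTACT
            self.missed = 0
        elif outcome == "rejected":
            self.state = NOT_CPM_READY
        elif outcome == "unreachable":
            # Only an appliance that had heartbeats before becomes Out-of-Contact.
            # Never Contacted stays as is; other states are left unchanged (assumed).
            if self.state in (HEARTBEAT_MISSED, OUT_OF_CONTACT):
                self.state = OUT_OF_CONTACT
        else:
            raise ValueError(f"unknown handshake outcome {outcome!r}")

    def heartbeat(self, now: float) -> None:
        """Appliance-originated heartbeat."""
        if self.state in (NEVER_CONTACTED, NOT_CPM_READY, OUT_OF_CONTACT):
            # A heartbeat from an appliance not in contact triggers a handshake.
            self.handshake(now, self.probe(now))
            if self.state != INITIAL_CONTACT:
                return                      # handshake failed: ignore the beat
        self.last_heartbeat = now
        self.missed = 0
        self.state = CONTACTED

    def advance(self, now: float) -> None:
        """Re-evaluate heartbeat timing at time `now`."""
        if self.state not in (CONTACTED, HEARTBEAT_MISSED):
            return
        self.missed = int((now - self.last_heartbeat) // HEARTBEAT_PERIOD)
        if self.missed == 0:
            return
        self.state = HEARTBEAT_MISSED
        if self.missed >= MISSED_BEFORE_RETRY:
            self.contact_log.append((now, f"{self.missed} heartbeats missed"))
            self.handshake(now, self.probe(now))


def simulate(probe: Callable[[float], str], events: List[Tuple[float, str]]):
    """Feed (time, kind) events to one monitor; kinds: handshake, heartbeat, tick.
    Returns the monitor and a trace of (time, kind, state after the event)."""
    mon = ApplianceMonitor("fb-vclass-1", probe)     # assumed appliance name
    trace = []
    for t, kind in events:
        mon.advance(t)
        if kind == "handshake":                       # periodic or on-demand
            mon.handshake(t, probe(t))
        elif kind == "heartbeat":
            mon.heartbeat(t)
        elif kind != "tick":
            raise ValueError(f"unknown event kind {kind!r}")
        trace.append((t, kind, mon.state))
    return mon, trace


def flaky_appliance(t: float) -> str:
    """Constructed network model: unreachable between t=150 and t=500."""
    return "unreachable" if 150 <= t < 500 else "ok"


# Constructed scenario: steady heartbeats, silence, a failed retry, recovery.
SCENARIO = [(0, "handshake"), (5, "heartbeat"), (64, "heartbeat"), (123, "heartbeat"),
            (190, "tick"), (310, "tick"), (520, "heartbeat"), (570, "heartbeat")]
```

Running simulate(flaky_appliance, SCENARIO) walks the appliance through Initial contact, Contacted, Heartbeat Missed at t=190, a failed retry at t=310 that leaves it Out-of-Contact, and a heartbeat at t=520 that triggers a fresh handshake and brings it back to Contacted. The contact_log list plays the role of the Contact log tab in the Appliance Detail dialog box.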
About Interface Status
The data interface status of an appliance is obtained by handshaking or as a status notification. Each port is tracked as an individual component status: interface 0 (private), interface 1 (public), and interfaces 2 and 3 (DMZ). Each of these can have three possible values.
blank
CPM does not know the status (usually the appliance is not in contact) or the appliance does not have this port.
Green
The port is up.
Red
The port is down.
Reorganizing Appliance Manager Window Columns
CPM allows you to view or hide columns in the Appliance Manager depending on your preferences:
1 Open the Appliance Manager window.
2 From the View menu, select Table Columns .
The Appliance Columns dialog box appears. This dialog box lists all of the possible columns you might want to view in the Appliance Manager window. All items under Basic Information are initially selected.
3 You can hide any Basic Information columns by clicking the checkboxes to clear the selections.
4 If you want to display more information in an appliance row, click the checkbox by Configuration Information or Detailed Information.
5 If you don't want a particular column heading under Configuration Information or Detailed Information to appear, click the checkbox to clear the selection.
6 Click Close .
When the Appliance Manager reappears, it displays your reorganized columns.
Working with Appliance Groups Folders
You can perform a number of operations on the Appliance Groups folders on the left side of the Appliance Manager window:
• Select the folder to view appliances in the folder.
• Drag and drop folders or appliances from one folder to another.
• Press the Show Appliances button (shown at right) to view all appliances in the selected folder and its subfolders.
The number of appliances in a folder and all its subfolders appears in parentheses after the name of the folder. Also, the color indicating the most severe status out of all appliances in a folder and its subfolder is displayed in the small circle depicted on the folder, as shown in the top folder in the figure below.
Reorganizing the Appliance Manager window
You can reorganize the listing of appliances in the Appliance Manager window:
1 Click any appliance.
2 Click any of the column headers.
The appliances are listed according to the column selected.
In some instances, you can click the same column header again to reverse the order.
Filtering Appliance Manager Window Entries
The Appliance Manager window provides a filtering option. You can view only the appliances that match a characteristic that you define using the CPM Table Filter dialog box. This dialog box supports the following wildcards:
*
Matches 0 or more characters. For example, if you enter rs*, the window displays the entries rs, rs1, rs12, and rsxxx.
?
Matches 1 or more characters. For example, if you enter rs?, the window displays the entries rs1, rs12, and rsxxx.
[ ]
Characters within square brackets represent exact single characters the filter should match. For example, if you enter rs[123], the window displays the entries rs1, rs2, and rs3, but not rs12 or rs23.
1 Right-click the header of the column you want to filter. Select Filter.
The Filter Rows dialog box appears, as shown in the following figure.
2 Type the text you want to match in the Filter by field. Click OK.
The column turns blue to indicate that filtering is enabled.
3 To disable filtering, right-click the column header. Click to clear the checkbox marked Filter .
Color-Coding in the Appliance Manager
Both the Appliance Manager and the Appliance Detail dialog box display rows and fields in different colors to help you quickly determine the status of an appliance:
Gray: The appliance is out-of-contact or has an invalid management IP address.
Green: The appliance is operating normally.
Pink: The appliance is in contact with CPM Server but some information is mismatched.
Yellow: The appliance is working, but a component needs investigation. This color would also appear if a low-level alarm condition was triggered.
Orange: The appliance is working but a component has a problem. This color also appears if a medium-level alarm condition is triggered.
Red: The appliance or one of its components is not working correctly. This color indicates a situation requiring immediate attention and may have been triggered by a high-level alarm condition.
White: An administrator has changed the report status for the appliance to Ignore.
Changing Appliance Manager Row Colors
If you want to change the colors used for appliance status reporting, CPM provides an easy way to replace one color with another. These changes apply only to your CPM Client application, and not to the CPM Server database:
1 If you have not already done so, open the Appliance Manager window.
2 From the View menu, select Customize Colors .
The Customize Colors dialog box appears with the default colors set, as shown below.
3 Click the severity level you want to change. Select a color from the palette in the lower portion of the screen.
The color appears in the Sample Text field next to the severity level you selected.
4 To save any color changes you make, click Apply . To return to the color selections in effect before you started this session, click Defaults .
The HSB and RGB tabs offer complex color management options. You can use them in the same way you use the Swatches tab.
Ignoring an Appliance’s Status Reports
When your network has a large number of appliances to monitor, you may want to prompt CPM to ignore all low-level problems. You can either ignore a specific component or an entire appliance. You may want to ignore a specific component if, for example, you know that one of the appliance's data interfaces is out of commission but is not in use in that network.
Ignoring a specific component
To ignore a component, right-click the appropriate field in the Appliance Manager window and select Ignore "NAME". Note that the menu appears only on Basic Configuration table cells.
As a result, the component status report is disabled or noted as “NA” (not available) in all the appropriate tabs of the appliance’s System Configuration dialog box.
Note that you cannot ignore the components Appliance Availability and Alarm Status.
Ignoring an entire appliance
You can prompt CPM to ignore all status reports for a specific appliance, which masks it from all reporting. This is useful if you already know an appliance is not available.
When an appliance is being ignored by CPM, the ignored appliance row and all its component status reports appear white.
To prompt CPM to ignore an appliance:
1 Right-click the appliance row in the Appliance Manager window and select Ignore Appliance from the menu.
2 Open the Appliance Detail dialog box. From the Action menu, select Ignore Appliance Status.
Using the Appliance Detail Dialog Box
The Appliance Detail dialog box contains a considerable amount of information about a specific appliance and its status. To open the Appliance Detail dialog box, from the Appliance Manager, double-click the icon or row for the appliance you want to monitor.
The information in the Appliance Detail dialog box is organized into the following tabs:
• Basic info: Includes contact name, model, operating system version, serial number, and profile revision date.
• Contact log: Dynamically records the most recent handshake attempts and the result.
• Interfaces: Lists all available accelerated data interfaces, along with their status, IP address, subnet address, and MAC address.
• VPN Peers: Summarizes all currently active VPN peers, including the appliance's peer IP address, the number of tunnels, and a basic summary of the traffic, both in and out.
• Policies: Catalogs all the appliance’s security policies, notes the number of tunnels per policy, and provides a snapshot of the traffic in bytes and packets.
• Client Grade (V10 appliances only): Notes the type of network addressing used by this appliance: static IP, DHCP, or PPPoE. This tab also notes the use of this appliance as a server for local Internet access, plus the current users.
• Routing Table: Duplicates the Route table set up for this appliance.
• ARP Table: Displays an ARP table, including hardware address and associated appliance interface.
• Diagnostics: Enables you to ping an IP address to help you determine the source of network connectivity problems. This ping originates at the appliance, not at the CPM server.
• System Statistics: Provides a snapshot view of network traffic managed by this appliance.
The Appliance Detail dialog box uses the same color-coding as the Appliance Manager, as described in "Color-Coding in the Appliance Manager" on page 263.
Using the Performance Graph
Using CPM, you can view the real-time activity of a Firebox Vclass appliance by way of the Performance Graph.
Opening the Performance Graph
1 Open the CPM Appliance Manager window.
2 Right-click any Firebox Vclass appliance record in the Appliances table, and select Performance Console from the shortcut menu. Or, click the Performance Console button in the toolbar at the bottom of the window.
The Performance Console window appears.
Setting up the Performance Graph
Whether you selected an active appliance or simply opened the Console window, you can set up an appliance and the dynamic counters for real-time viewing by following these steps.
1 Open the Current Appliances menu and make sure the correct appliance has been chosen.
2 In the Available Counters area (listing a variety of default counters), click the toggles by the various levels of folders to view their specific counter contents. You can activate one or more counters, in any combination.
3 Click any listed counter. The Counter Configuration area to the right becomes active.
4 If you want, you can change the polling interval.
5 You can choose the type of polling results.
6 After you make your configuration changes, click Add Chart.
The newly configured counter appears in the Active Counters list below.
7 You can review all your active counters in this list, and do the following in this space:
- Change the polling interval.
- Start the actual graph.
- Remove the counter from current use.
8 To start the graphing of this counter, click Apply in the Active Counters area.
A Performance Graph window appears, displaying the counter.
After a short interval, you can see the activity as shown in this example (depending upon your polling interval selection).
9 To stop this counter and close the window, click Stop Monitoring. Click Close.
A Confirmation dialog box appears.
10 Click Yes to proceed.
Viewing several counters at once
If you want, you can open two or more counters in a single window (or in separate windows), including counters from different appliances:
1 Assuming you have at least one graph window already on-screen, make your next series of counter choices:
- The same appliance? Or another appliance?
- The counter?
- The counter configuration?
- The same window as the currently active counter? Or in a separate window?
2 With one graph window already open, from the Available Appliances menu, select a new appliance.
3 Select and configure a counter.
4 Select the target window; either a new one or an existing one.
5 Apply the counter to start the graphing.
This example is from the same probe applied to two different appliances—in the same graph window.
CHAPTER 15
Responding to Alarms
An alarm is a mechanism for alerting you when a predefined condition or a given threshold has been exceeded. For example, CPM might be configured to trigger an alarm when memory utilization exceeds 90 percent.
This chapter describes how to view and respond to alarms. For information on defining alarms, see the CPM Applications Guide.
Viewing new alarms
You can be notified of new alarms in several ways:
• Appliance Manager window
• Illuminated Alarm LED on an appliance
• Email message
• SNMP trap
When a new alarm has been triggered, you can investigate the alarm using the following procedure:
1 Open the Appliance Manager window.
2 Review the listing of WatchGuard appliances and look for a row or cell color change that indicates a triggering condition. Right-click the appliance record and select Show Alarms. The Alarm Console window appears, as described in the next section.
Using the Alarm Console window
The Alarm Console window shows information about new alarms.
The Status level and row color provide these indicators of an alarm's level:
Status          Row Color   Level
Informational   Purple      None, informational only
Low             Yellow      Warning—check the conditions now
Medium          Orange      Error—data traffic may be affected
High            Red         Critical—an appliance, or the entire network, is in danger
The Alarm Console window shows the following information on each alarm:
CPM Time
The time and date that the alarm was recorded by CPM Server.
From
Security appliance name
Severity
Severity level or validation of the alarm condition: Low, Medium, or High
Alarm Name
Name of the alarm
Description
Description of the alarm
State
Alarm state: Opened, Acked (Acknowledged), or Cleared
Viewing details on alarms
To view details about an alarm, click the Alarm Detail button (fifth from left). Or, double-click an alarm entry. The Alarm Details dialog box appears, as shown below.
Acknowledging alarms
1 In the Alarm Console window, select the alarm you want to acknowledge.
2 Click the Acknowledge button (sixth from left).
The alarm row changes to white and the string “Acked” appears in the State column.
Reopening acknowledged alarms
If you have questions about an acknowledged alarm or find that the problem indicated by the alarm has not been resolved, you can change the alarm back to an Open state:
1 In the Alarm Console window, select the alarm you want to reopen.
2 Click the Reopen button (second from right).
The alarm row changes to the color reflecting the original severity level and the string “Opened” appears in the State column.
Clearing alarms
When you clear an acknowledged alarm, it moves from the Opened Alarms tab to the Cleared Alarms tab:
1 In the Alarm Console window, select the alarm you want to clear.
2 Click the Clear button (third from right).
The alarm moves to the Cleared Alarms tab and the string "Cleared" appears in the State column.
Reopening cleared alarms
To move an alarm from the Cleared Alarms tab back to the Opened Alarms tab:
1 On the Cleared Alarms tab, select the alarm you want to reopen.
2 Click the Reopen button (second from right).
The alarm row changes to the color reflecting the original severity level and the string “Opened” appears in the State column.
Purging cleared alarms
Purging an alarm completely removes it from the CPM Server database:
1 Click the Cleared Alarms tab.
2 To remove a single alarm, select it and click the Purge All Cleared Alarms button (far right).
To remove all alarms, click the Purge All Cleared Alarms button without selecting any alarms.
Purging an alarm is irreversible; you cannot undo it. If you want to keep a record of cleared alarms, you can archive the Alarm log file on a regular basis, as described in the CPM Applications Guide.
Reorganizing the list of alarms
You can reorganize the listing of alarms in either the Opened Alarms or Cleared Alarms tabs:
1 Click any alarm.
2 Click any of the column headers.
The alarms are listed according to the column selected. You can click the same column header again to reverse the order. For example, if you click the Time header, the more recent alarm is listed at the top. If you click Time again, the order is reversed with the oldest alarm at the top.
Filtering alarms
You can filter the Opened Alarms and Cleared Alarms tabs such that only qualifying alarms appear on the display. You use the CPM Table Filter dialog box to enter alphanumeric strings you want to search for. This dialog box supports the following wildcards:
*
Matches 0 or more characters. For example, if you enter ind*, the window displays the alarms ind, ind1, ind12, and indxxx.
?
Matches 1 or more characters. For example, if you enter ind?, the window displays the alarms ind1, ind12, and indxxx.
[ ]
Characters within square brackets represent exact single characters the filter should match. For example, if you enter ind[12], the window displays the alarms ind1 and ind2, but not ind12.
1 On either the Opened Alarms or Cleared Alarms tab, right-click the header of the column you want to filter. Select Set Filter.
The Filter Rows dialog box appears, as shown in the following figure.
2 Type the text you want to match in the Filter by field. Click OK.
The column turns blue to indicate that filtering is enabled.
Disabling alarm filtering
To disable filtering, right-click the column header. Click to clear the checkbox marked Filtered .
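Both filter dialogs (the Appliance Manager filter in Chapter 14 and the alarm filter above) use the same three wildcards, so one worked example covers both. The following Python function is an added example, not CPM code: it translates a filter pattern into an anchored regular expression using the semantics the guide documents (* for zero or more characters, ? for one or more characters, [abc] for exactly one of the listed characters) and applies it to constructed column values. Note that ? meaning one or more characters differs from shell globbing, where it matches exactly one character. Matching is assumed to be case-sensitive, which the guide does not state, and an unterminated [ is assumed to be taken literally.

```python
"""CPM Table Filter wildcard matcher.

Added worked example, not WatchGuard CPM code. Wildcard meanings follow the
guide; case-sensitivity and handling of a stray '[' are assumptions.
"""
import re
from typing import List


def filter_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a CPM Table Filter pattern into a regular expression.

    '*'     zero or more characters
    '?'     one or more characters (not exactly one, as in a shell glob)
    '[abc]' exactly one of the listed characters
    Everything else, including '.', is matched literally so that IP-address
    columns such as 10.0.* behave as an administrator would expect.
    """
    parts = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            parts.append(".*")
        elif c == "?":
            parts.append(".+")
        elif c == "[":
            close = pattern.find("]", i + 1)
            if close == -1 or close == i + 1:
                parts.append(re.escape(c))      # stray or empty bracket: literal (assumed)
            else:
                # Escape each listed character so '-', ']' and '\' stay literal
                # inside the class and only the listed characters match.
                members = "".join(re.escape(ch) for ch in pattern[i + 1:close])
                parts.append(f"[{members}]")
                i = close
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("".join(parts))


def filter_rows(pattern: str, values: List[str]) -> List[str]:
    """Return the column values that the filter pattern matches in full."""
    rx = filter_pattern_to_regex(pattern)
    return [v for v in values if rx.fullmatch(v)]


# Constructed sample column values, echoing the guide's examples.
APPLIANCE_NAMES = ["rs", "rs1", "rs12", "rsxxx", "rs2", "rs3", "rs23", "fb-hq"]
ALARM_NAMES = ["ind", "ind1", "ind2", "ind12", "indxxx", "mem90"]
MGMT_ADDRESSES = ["10.0.1.5", "10.0.2.7", "10x0x1x5", "192.168.0.1"]

if __name__ == "__main__":
    for pat, col in [("rs*", APPLIANCE_NAMES), ("rs?", APPLIANCE_NAMES),
                     ("rs[123]", APPLIANCE_NAMES), ("ind[12]", ALARM_NAMES),
                     ("10.0.*", MGMT_ADDRESSES)]:
        print(f"{pat:<8} -> {filter_rows(pat, col)}")
```

Because the pattern is matched against the whole cell value, rs? excludes rs itself while rs* includes it, exactly as the guide's examples describe; rs[123] matches rs1, rs2 and rs3 but not rs12 or rs23, since the bracket stands for a single character.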
Table of contents
- 9 Contents
- 17 CHAPTER 1 About WatchGuard CPM
- 17 Why Use WatchGuard CPM?
- 18 Components of CPM
- 18 CPM Server
- 19 CPM Client
- 19 Network Security Basics
- 20 Offline and Online Configuration
- 21 Address Objects in CPM Security Policies
- 22 CPM Policy Examples
- 26 CPM and Network Configuration
- 28 Types of Appliances Administered with CPM
- 28 CPM and WatchGuard Vclass/RapidStream security appliances
- 28 CPM and RapidStream "Secured by Check Point" security appliances
- 29 Remote appliances running MUVPN
- 29 CPM and third-party security appliances
- 30 About Router Mode and Transparent Mode
- 30 Router Mode
- 32 Transparent Mode
- 33 More information
- 35 CHAPTER 2 Installing or Upgrading CPM Software
- 35 Where You Can Install CPM Server and Client
- 36 Installation requirements
- 37 System Requirements for CPM Server
- 38 System Requirements for CPM Client
- 39 Java 2 runtime environment (JRE)
- 40 Obtaining the Site License for CPM
- 41 Installing the CPM Server Software
- 45 Installing the CPM Client Software
- 50 Upgrading from a Previous Version of CPM
- 51 Backing Up CPM Server
- 52 Uninstalling CPM Server or Client
- 53 CHAPTER 3 Starting the CPM Client and Server
- 53 Starting the CPM Client for the First Time
- 57 Changing Your CPM Client Login Password
- 57 If CPM prompts a password change
- 58 If you want to replace an existing password
- 60 Starting the CPM Client After Initial Log In
- 60 Upgrading your CPM License
- 62 Stopping the CPM Server
- 62 Stopping CPM Server at the host computer
- 64 Shutting down CPM Server at the CPM Client workstation
- 65 Starting or Restarting CPM Server
- 67 CHAPTER 4 Creating CPM Administrator Accounts
- 68 CPM Default Roles
- 68 Creating New Roles (Optional)
- 72 Creating Administrator Accounts
- 74 Completing the Access Setup
- 74 Reviewing the Current CPM Session
- 75 Determining Which Other Administrators Are Online
- 76 Reserving a CPM Window
- 78 If you can’t reserve a window
- 79 CHAPTER 5 Configuring Appliances for Network Use
- 80 Getting Started
- 80 Installing and Setting Up a Firebox Vclass Appliance
- 81 Adding Appliances to CPM
- 81 Discovering devices
- 84 Adding a new appliance record
- 86 Importing Licenses and Certificates (Optional)
- 86 Obtaining the x.509 certificate
- 87 Importing the new x.509 certificate
- 88 Importing licenses for extended features
- 90 Reviewing the current licenses
- 92 Deleting an out-of-date license
- 92 Installing multiple licenses
- 94 Restoring the Appliance to a Factory-Default State
- 94 Configuring the Appliance Hardware
- 96 Running the CPM Default Policy Wizard
- 97 If you chose the extended network
- 99 If you chose the local network
- 101 Creating Network Addresses
- 102 Entering the Security Policies
- 103 Assembling the CPM Policy Components
- 104 Assembling a policy from available components
- 106 Defining the Required Alarms
- 106 Deploying the Profile
- 106 Compiling the profiles
- 107 Deploying the profiles
- 108 Relocating the Appliance
- 111 CHAPTER 6 Completing the Appliance Configuration
- 111 Configuring a New WatchGuard Appliance
- 112 Completing the General Entries
- 114 Completing the Interfaces Entries
- 125 Completing the Routing Entries
- 127 Completing the DNS Entries
- 129 Completing the SNMP Entries
- 130 Completing the Log Settings Entries
- 133 Completing the Hacker Prevention Entries
- 136 Completing the High Availability Tab
- 138 Configuration comparison between Active/Standby and Active/Active mode
- 141 Completing the Tunnel Switch Entries
- 143 Completing the VLAN Forwarding Tab
- 145 Completing the NTP Tab
- 146 Completing the Blocked Sites tab
- 149 Global Blocked Sites
- 150 Completing the Advanced tab
- 153 Completing the System Configuration Setup
- 153 Reviewing the current licenses
- 155 CHAPTER 7 Defining Security Policies in CPM
- 155 Security Policy Components
- 156 Traffic specifications
- 156 Policy actions
- 157 Security Policies in CPM
- 157 Scope of policies in CPM
- 157 Addresses and address groups
- 160 Cataloging Addresses for Use in Policies
- 161 Entering a new address group
- 162 Entering a new RAS address
- 163 Creating a New Policy
- 166 Cataloging Services for Use in Policies
- 166 Adding a new service
- 167 Adding a new protocol
- 169 Combining services in a group
- 170 Creating Policy Schedules
- 170 Creating a new schedule
- 171 Applying an existing schedule to a policy
- 173 CHAPTER 8 Using Policy Actions
- 173 Combining Policy Actions
- 174 Blocking and Rejecting Traffic
- 175 About Network Address Translation (NAT)
- 175 Activating Dynamic NAT
- 176 Activating Static NAT
- 177 About Load Balancing
- 180 About QoS Actions
- 182 Activating port shaping
- 182 Applying a QoS action
- 182 Customizing a QoS action
- 183 Activating TOS marking
- 185 CHAPTER 9 Defining Proxies in CPM
- 186 In This Chapter
- 186 Proxy Description
- 186 HTTP Client proxy
- 187 SMTP proxy
- 187 Rules and rulesets
- 189 General Proxy Configuration
- 189 Using a proxy action in the configuration editor
- 189 Creating a proxy action
- 191 Editing an existing proxy action
- 193 Configuring proxy rules
- 196 Ordering listed rules in a proxy action
- 198 Proxy Parameters Reference
- 198 HTTP Client proxy
- 219 SMTP Proxy
- 235 Reference Sources
- 237 CHAPTER 10 About Virtual Private Networks
- 238 About VPN Policies
- 240 VPN Policies and IPSec Actions
- 241 About Encryption
- 241 Overview of Creating a VPN
- 245 CHAPTER 11 Creating an Automatic Key IPSec Action
- 245 An Overview of VPN Policies
- 246 Creating a New Automatic Key VPN Policy
- 248 Making a VPN Policy Bi-directional
- 248 Assessing the IKE settings
- 251 Customizing an IPSec Action
- 252 Customizing an IPSec proposal using a single transform
- 253 Customizing an IPSec proposal with more than one transform
- 256 Customizing multiple IPSec proposals with one or more transforms
- 259 CHAPTER 12 Creating Remote Access VPN Policies
- 259 Creating a Policy for a Firebox V10
- 259 Creating the Addresses entries
- 260 Creating the RAS security policy
- 260 Confirming the IKE settings
- 261 Generating and deploying profiles
- 261 Creating a Policy for MUVPN Client Software
- 261 Creating the RAS address group
- 262 Creating the security policy
- 262 Confirming the IKE pair settings
- 262 Confirming the authentication method
- 267 CHAPTER 13 Establishing Tunnel Switching
- 267 About Tunnel Switching
- 268 Activating Tunnel Switching on the Central Appliance
- 268 Activating Tunnel Switching Between Sites
- 271 CHAPTER 14 Monitoring Appliances
- 271 How CPM Monitors Appliances
- 271 About network polling
- 272 About event notification
- 273 Indicators Monitored by CPM
- 273 About Appliance Availability
- 275 About Interface Status
- 275 Reorganizing Appliance Manager Window Columns
- 277 Working with Appliance Groups Folders
- 277 Reorganizing the Appliance Manager window
- 278 Filtering Appliance Manager Window Entries
- 279 Color-Coding in the Appliance Manager
- 279 Changing Appliance Manager Row Colors
- 281 Ignoring an Appliance’s Status Reports
- 281 Ignoring a specific component
- 281 Ignoring an entire appliance
- 282 Using the Appliance Detail Dialog Box
- 283 Using the Performance Graph
- 284 Opening the Performance Graph
- 284 Setting up the Performance Graph
- 288 Viewing several counters at once
- 291 CHAPTER 15 Responding to Alarms
- 291 Viewing new alarms
- 292 Using the Alarm Console window
- 293 Viewing details on alarms
- 293 Acknowledging alarms
- 293 Reopening acknowledged alarms
- 294 Clearing alarms
- 294 Reopening cleared alarms
- 294 Purging cleared alarms
- 295 Reorganizing the list of alarms
- 295 Filtering alarms
- 296 Disabling alarm filtering
- 297 Index