WatchGuard Firebox Vclass v5.1 User Guide



WatchGuard®

Central Policy Manager User Guide

Central Policy Manager 5.1

Copyright

Copyright © 1998-2003 WatchGuard Technologies, Inc.

All rights reserved.

Notice to Users

Information in this document is subject to change and revision without notice. This documentation and the software described herein is subject to and may only be used and copied as outlined in the Firebox System software end-user license agreement. No part of this manual may be reproduced by any means, electronic or mechanical, for any purpose other than the purchaser’s personal use, without prior written permission from WatchGuard Technologies, Inc.

TRADEMARK NOTES

WatchGuard and LiveSecurity are either trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries. Firebox, ServerLock, DVCP, and Designing peace of mind are trademarks of WatchGuard Technologies, Inc. All other trademarks or trade names mentioned herein, if any, are the property of their respective owners.

Part No: 1200016

WatchGuard Technologies, Inc.

Firebox System Software End-User License Agreement

WatchGuard Central Policy Manager (CPM) End-User License Agreement

IMPORTANT - READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE:

This Central Policy Manager End-User License Agreement ('AGREEMENT') is a legal agreement between you (either an individual or a single entity) and WatchGuard Technologies, Inc. ('WATCHGUARD') for the WATCHGUARD optional software product for the WatchGuard Firebox product you have purchased, which includes computer software components (whether installed separately on a computer workstation or on the WATCHGUARD hardware product) and may include associated media, printed materials, and online or electronic documentation, and any updates or modifications thereto, including those received through the WatchGuard LiveSecurity Service (or its equivalent), (the 'OPTIONAL SOFTWARE PRODUCT'). WATCHGUARD is willing to license the OPTIONAL SOFTWARE PRODUCT to you only on the condition that you accept all of the terms contained in this Agreement. Please read this Agreement carefully. By installing, activating or using the OPTIONAL SOFTWARE PRODUCT you agree to be bound by the terms of this Agreement. If you do not agree to the terms of this AGREEMENT, WATCHGUARD will not license the OPTIONAL SOFTWARE PRODUCT to you, and you will not have any rights in the OPTIONAL SOFTWARE PRODUCT. In that case, promptly return the OPTIONAL SOFTWARE PRODUCT/license key certificate, along with proof of payment, to the authorized dealer from whom you obtained the OPTIONAL SOFTWARE PRODUCT/license key certificate for a full refund of the price you paid.

1. Ownership and License. The OPTIONAL SOFTWARE PRODUCT is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. This is a license agreement and NOT an agreement for sale. All title and copyrights in and to the OPTIONAL SOFTWARE PRODUCT (including but not limited to any images, photographs, animations, video, audio, music, text, and pallets incorporated into the OPTIONAL SOFTWARE PRODUCT), the accompanying printed materials, and any copies of the OPTIONAL SOFTWARE PRODUCT are owned by WATCHGUARD or its licensors. Your rights to use the OPTIONAL SOFTWARE PRODUCT are as specified in this AGREEMENT, and WATCHGUARD retains all rights not expressly granted to you in this AGREEMENT. Nothing in this AGREEMENT constitutes a waiver of our rights under U.S. copyright law or any other law or treaty.

2. Permitted Uses. You are granted the following rights to the OPTIONAL SOFTWARE PRODUCT:

(A) You may install and use the OPTIONAL SOFTWARE PRODUCT on that number of WATCHGUARD hardware products (or manage that number of WATCHGUARD hardware products) at any one time as permitted in the license key certificate that you have purchased and may install and use the OPTIONAL SOFTWARE PRODUCT on multiple workstation computers. You must also maintain a current subscription to the WatchGuard LiveSecurity Service (or its equivalent) for each additional WATCHGUARD hardware product on which you will use a copy of an updated or modified version of the OPTIONAL SOFTWARE PRODUCT received through the WatchGuard LiveSecurity Service (or its equivalent).

(B) To use the OPTIONAL SOFTWARE PRODUCT on more WATCHGUARD hardware products than provided for in Section 2(A), you must license additional copies of the OPTIONAL SOFTWARE PRODUCT as required.

(C) In addition to the copies described in Section 2(A), you may make a single copy of the OPTIONAL SOFTWARE PRODUCT for backup or archival purposes only.

3. Prohibited Uses. You may not, without express written permission from WATCHGUARD:

(A) Use, copy, modify, merge or transfer copies of the OPTIONAL SOFTWARE PRODUCT or printed materials except as provided in this AGREEMENT;

(B) Use any backup or archival copy of the OPTIONAL SOFTWARE PRODUCT (or allow someone else to use such a copy) for any purpose other than to replace the original copy in the event it is destroyed or becomes defective;

(C) Sublicense, lend, lease or rent the OPTIONAL SOFTWARE PRODUCT;

(D) Transfer this license to another party unless (i) the transfer is permanent, (ii) the third party recipient agrees to the terms of this AGREEMENT, and (iii) you do not retain any copies of the OPTIONAL SOFTWARE PRODUCT; or

(E) Reverse engineer, disassemble or decompile the OPTIONAL SOFTWARE PRODUCT.

4. Limited Warranty. WATCHGUARD makes the following limited warranties for a period of ninety (90) days from the date you obtained the OPTIONAL SOFTWARE PRODUCT from WATCHGUARD or an authorized dealer:

(A) Media. The disks and documentation will be free from defects in materials and workmanship under normal use. If the disks or documentation fail to conform to this warranty, you may, as your sole and exclusive remedy, obtain a replacement free of charge if you return the defective disk or documentation to us with a dated proof of purchase.

(B) OPTIONAL SOFTWARE PRODUCT. The OPTIONAL SOFTWARE PRODUCT will materially conform to the documentation that accompanies it or its license key certificate. If the OPTIONAL SOFTWARE PRODUCT fails to operate in accordance with this warranty, you may, as your sole and exclusive remedy, return all of the OPTIONAL SOFTWARE PRODUCT and the documentation to the authorized dealer from whom you obtained it, along with a dated proof of purchase, specifying the problems, and they will provide you with a new version of the OPTIONAL SOFTWARE PRODUCT or a full refund, at their election.

Disclaimer and Release. THE WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD, AND YOUR REMEDIES, SET FORTH IN PARAGRAPHS 4, 4(A) AND 4(B) ABOVE ARE EXCLUSIVE AND IN SUBSTITUTION FOR, AND YOU HEREBY WAIVE, DISCLAIM AND RELEASE ANY AND ALL OTHER WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD AND ITS LICENSORS AND ALL OTHER RIGHTS, CLAIMS AND REMEDIES YOU MAY HAVE AGAINST WATCHGUARD AND ITS LICENSORS, EXPRESS OR IMPLIED, ARISING BY LAW OR OTHERWISE, WITH RESPECT TO ANY NONCONFORMANCE OR DEFECT IN THE OPTIONAL SOFTWARE PRODUCT (INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ANY IMPLIED WARRANTY ARISING FROM COURSE OF PERFORMANCE, COURSE OF DEALING, OR USAGE OF TRADE, ANY WARRANTY OF NONINFRINGEMENT, ANY WARRANTY THAT THE OPTIONAL SOFTWARE PRODUCT WILL MEET YOUR REQUIREMENTS, ANY WARRANTY OF UNINTERRUPTED OR ERROR-FREE OPERATION, ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY IN TORT, WHETHER OR NOT ARISING FROM THE NEGLIGENCE (WHETHER ACTIVE, PASSIVE OR IMPUTED) OR FAULT OF WATCHGUARD AND ITS LICENSORS AND ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY FOR LOSS OR DAMAGE TO, OR CAUSED BY OR CONTRIBUTED TO BY, THE OPTIONAL SOFTWARE PRODUCT).

Limitation of Liability. WATCHGUARD'S LIABILITY (WHETHER IN CONTRACT, TORT, OR OTHERWISE; AND NOTWITHSTANDING ANY FAULT, NEGLIGENCE, STRICT LIABILITY OR PRODUCT LIABILITY) WITH REGARD TO THE OPTIONAL SOFTWARE PRODUCT WILL IN NO EVENT EXCEED THE PURCHASE PRICE PAID BY YOU FOR SUCH PRODUCT. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY. IN NO EVENT WILL WATCHGUARD BE LIABLE TO YOU OR ANY THIRD PARTY, WHETHER ARISING IN CONTRACT (INCLUDING WARRANTY), TORT (INCLUDING ACTIVE, PASSIVE OR IMPUTED NEGLIGENCE AND STRICT LIABILITY AND FAULT), FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION) ARISING OUT OF OR IN CONNECTION WITH THIS WARRANTY OR THE USE OF OR INABILITY TO USE THE OPTIONAL SOFTWARE PRODUCT, EVEN IF WATCHGUARD HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY.

5. United States Government Restricted Rights. The OPTIONAL SOFTWARE PRODUCT is provided with Restricted Rights. Use, duplication or disclosure by the U.S. Government or any agency or instrumentality thereof is subject to restrictions as set forth in subdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013, or in subdivision (c)(1) and (2) of the Commercial Computer Software -- Restricted Rights Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer is WatchGuard Technologies, Inc., 505 5th Ave. South, Suite 500, Seattle, WA 98104.

6. Export Controls. You agree not to directly or indirectly transfer the OPTIONAL SOFTWARE PRODUCT or documentation to any country to which such transfer would be prohibited by the U.S. Export Administration Act and the regulations issued thereunder.

7. Termination. This license and your right to use the SOFTWARE PRODUCT will automatically terminate if you fail to comply with any provisions of this AGREEMENT, destroy all copies of the OPTIONAL SOFTWARE PRODUCT in your possession, or voluntarily return the OPTIONAL SOFTWARE PRODUCT to WATCHGUARD. Upon termination you will destroy all copies of the OPTIONAL SOFTWARE PRODUCT and documentation remaining in your control or possession.

8. Miscellaneous Provisions. This AGREEMENT will be governed by and construed in accordance with the substantive laws of Washington excluding the 1980 United Nations Convention on Contracts for the International Sale of Goods, as amended. This is the entire AGREEMENT between us relating to the OPTIONAL SOFTWARE PRODUCT, and supersedes any prior purchase order, communications, advertising or representations concerning the OPTIONAL SOFTWARE PRODUCT AND BY USING THE OPTIONAL SOFTWARE PRODUCT YOU AGREE TO THESE TERMS. IF THE SOFTWARE PRODUCT IS BEING USED BY AN ENTITY, THE INDIVIDUAL INDICATING AGREEMENT TO THESE TERMS REPRESENTS AND WARRANTS THAT (A) SUCH INDIVIDUAL IS DULY AUTHORIZED TO ACCEPT THIS AGREEMENT ON BEHALF OF THE ENTITY AND TO BIND THE ENTITY TO THE TERMS OF THIS AGREEMENT; (B) THE ENTITY HAS THE FULL POWER, CORPORATE OR OTHERWISE, TO ENTER INTO THIS AGREEMENT AND PERFORM ITS OBLIGATIONS UNDER THIS AGREEMENT AND; (C) THIS AGREEMENT AND THE PERFORMANCE OF THE ENTITY'S OBLIGATIONS UNDER THIS AGREEMENT DO NOT VIOLATE ANY THIRD-PARTY AGREEMENT TO WHICH THE ENTITY IS A PARTY. No change or modification of this AGREEMENT will be valid unless it is in writing and is signed by WATCHGUARD.

Contents

CHAPTER 1 About WatchGuard CPM ..... 1
Why Use WatchGuard CPM? ..... 1
Components of CPM ..... 2
CPM Server ..... 2
CPM Client ..... 3
Network Security Basics ..... 3
Offline and Online Configuration ..... 4
Address Objects in CPM Security Policies ..... 5
CPM Policy Examples ..... 6
CPM and Network Configuration ..... 10
Types of Appliances Administered with CPM ..... 12
CPM and WatchGuard Vclass/RapidStream security appliances ..... 12
CPM and RapidStream "Secured by Check Point" security appliances ..... 12
Remote appliances running MUVPN ..... 13
CPM and third-party security appliances ..... 13
About Router Mode and Transparent Mode ..... 14
Router Mode ..... 14
Transparent Mode ..... 16
More information ..... 17

CHAPTER 2 Installing or Upgrading CPM Software ..... 19
Where You Can Install CPM Server and Client ..... 19
Installation requirements ..... 20
System Requirements for CPM Server ..... 21
Obtaining the Site License for CPM ..... 22
System Requirements for CPM Client ..... 23
Java 2 runtime environment (JRE) ..... 24
Installing the CPM Server Software ..... 25
Installing the CPM Client Software ..... 29
Uninstalling CPM Server or Client ..... 34
Upgrading from a Previous Version of CPM ..... 35
Backing Up CPM Server ..... 36

CHAPTER 3 Starting the CPM Client and Server ..... 37
Starting the CPM Client for the First Time ..... 37
Changing Your CPM Client Login Password ..... 41
If CPM prompts a password change ..... 41
If you want to replace an existing password ..... 42
Starting the CPM Client After Initial Log In ..... 44
Upgrading your CPM License ..... 44
Stopping the CPM Server ..... 46
Stopping CPM Server at the host computer ..... 46
Shutting down CPM Server at the CPM Client workstation ..... 48
Starting or Restarting CPM Server ..... 49

CHAPTER 4 Creating CPM Administrator Accounts ..... 51
CPM Default Roles ..... 52
Creating New Roles (Optional) ..... 52
Creating Administrator Accounts ..... 56
Completing the Access Setup ..... 58
Reviewing the Current CPM Session ..... 58
Determining Which Other Administrators Are Online ..... 59
Reserving a CPM Window ..... 60
If you can’t reserve a window ..... 62

CHAPTER 5 Configuring Appliances for Network Use ..... 63
Getting Started ..... 64
Installing and Setting Up a Firebox Vclass Appliance ..... 64
Adding Appliances to CPM ..... 65
Discovering devices ..... 65
Adding a new appliance record ..... 68
Importing Licenses and Certificates (Optional) ..... 70
Obtaining the x.509 certificate ..... 70
Importing the new x.509 certificate ..... 71
Importing licenses for extended features ..... 72
Reviewing the current licenses ..... 74
Deleting an out-of-date license ..... 76
Installing multiple licenses ..... 76
Restoring the Appliance to a Factory-Default State ..... 78
Configuring the Appliance Hardware ..... 78
Running the CPM Default Policy Wizard ..... 80
If you chose the extended network ..... 81
If you chose the local network ..... 83
Creating Network Addresses ..... 85
Entering the Security Policies ..... 86
Assembling the CPM Policy Components ..... 87
Assembling a policy from available components ..... 88
Defining the Required Alarms ..... 90
Deploying the Profile ..... 90
Compiling the profiles ..... 90
Deploying the profiles ..... 91
Relocating the Appliance ..... 92

CHAPTER 6 Completing the Appliance Configuration ..... 95
Configuring a New WatchGuard Appliance ..... 95
Completing the General Entries ..... 96
Completing the Interfaces Entries ..... 98
Completing the Routing Entries ..... 109
Completing the DNS Entries ..... 111
Completing the SNMP Entries ..... 113
Completing the Log Settings Entries ..... 114
Completing the Hacker Prevention Entries ..... 117
Completing the High Availability Tab ..... 120
Configuration comparison between Active/Standby and Active/Active mode ..... 122
Completing the Tunnel Switch Entries ..... 125
Completing the VLAN Forwarding Tab ..... 127
Completing the NTP Tab ..... 129
Completing the Blocked Sites tab ..... 130
Global Blocked Sites ..... 133
Completing the Advanced tab ..... 134
Completing the System Configuration Setup ..... 137
Reviewing the current licenses ..... 137

CHAPTER 7 Defining Security Policies in CPM ..... 139
Security Policy Components ..... 139
Traffic specifications ..... 140
Policy actions ..... 140
Security Policies in CPM ..... 141
Scope of policies in CPM ..... 141
Addresses and address groups ..... 141
Cataloging Addresses for Use in Policies ..... 144
Entering a new address group ..... 145
Entering a new RAS address ..... 146
Creating a New Policy ..... 147
Cataloging Services for Use in Policies ..... 150
Adding a new service ..... 150
Adding a new protocol ..... 151
Combining services in a group ..... 153
Creating Policy Schedules ..... 154
Creating a new schedule ..... 154
Applying an existing schedule to a policy ..... 155

CHAPTER 8 Using Policy Actions ..... 157
Combining Policy Actions ..... 157
Blocking and Rejecting Traffic ..... 158
About Network Address Translation (NAT) ..... 159
Activating Dynamic NAT ..... 159
Activating Static NAT ..... 160
About Load Balancing ..... 161
About QoS Actions ..... 164
Activating port shaping ..... 166
Applying a QoS action ..... 166
Customizing a QoS action ..... 166
Activating TOS marking ..... 167

CHAPTER 9 Defining Proxies in CPM ..... 169
In This Chapter ..... 170
Proxy Description ..... 170
HTTP Client proxy ..... 170
SMTP proxy ..... 171
Rules and rulesets ..... 171
General Proxy Configuration ..... 173
Using a proxy action in the configuration editor ..... 173
Creating a proxy action ..... 173
Editing an existing proxy action ..... 175
Configuring proxy rules ..... 177
Ordering listed rules in a proxy action ..... 180
Proxy Parameters Reference ..... 182
HTTP Client proxy ..... 182
SMTP Proxy ..... 203
Reference Sources ..... 219

CHAPTER 10 About Virtual Private Networks ..... 221
About VPN Policies ..... 222
VPN Policies and IPSec Actions ..... 224
About Encryption ..... 225
Overview of Creating a VPN ..... 225

CHAPTER 11 Creating an Automatic Key IPSec Action ..... 229
An Overview of VPN Policies ..... 229
Creating a New Automatic Key VPN Policy ..... 230
Making a VPN Policy Bi-directional ..... 232
Assessing the IKE settings ..... 232
Customizing an IPSec Action ..... 235
Customizing an IPSec proposal using a single transform ..... 236
Customizing an IPSec proposal with more than one transform ..... 237
Customizing multiple IPSec proposals with one or more transforms ..... 240

CHAPTER 12 Creating Remote Access VPN Policies ..... 243
Creating a Policy for a Firebox V10 ..... 243
Creating the Addresses entries ..... 243
Creating the RAS security policy ..... 244
Confirming the IKE settings ..... 244
Generating and deploying profiles ..... 245
Creating a Policy for MUVPN Client Software ..... 245
Creating the RAS address group ..... 245
Creating the security policy ..... 246
Confirming the IKE pair settings ..... 246
Confirming the authentication method ..... 246

CHAPTER 13 Establishing Tunnel Switching ..... 251
About Tunnel Switching ..... 251
Activating Tunnel Switching on the Central Appliance ..... 252
Activating Tunnel Switching Between Sites ..... 252

CHAPTER 14 Monitoring Appliances ..... 255
How CPM Monitors Appliances ..... 255
About network polling ..... 255
About event notification ..... 256
Indicators Monitored by CPM ..... 257
About Appliance Availability ..... 257
About Interface Status ..... 259
Reorganizing Appliance Manager Window Columns ..... 259
Working with Appliance Groups Folders ..... 261
Reorganizing the Appliance Manager window ..... 261
Filtering Appliance Manager Window Entries ..... 262
Color-Coding in the Appliance Manager ..... 263
Changing Appliance Manager Row Colors ..... 263
Ignoring an Appliance’s Status Reports ..... 265
Ignoring a specific component ..... 265
Ignoring an entire appliance ..... 265
Using the Appliance Detail Dialog Box ..... 266
Using the Performance Graph ..... 267
Opening the Performance Graph ..... 268
Setting up the Performance Graph ..... 268
Viewing several counters at once ..... 272

CHAPTER 15 Responding to Alarms ..... 275
Viewing new alarms ..... 275
Using the Alarm Console window ..... 276
Viewing details on alarms ..... 277
Acknowledging alarms ..... 277
Reopening acknowledged alarms ..... 277
Clearing alarms ..... 278
Reopening cleared alarms ..... 278
Purging cleared alarms ..... 278
Reorganizing the list of alarms ..... 279
Filtering alarms ..... 279
Disabling alarm filtering ..... 280

Index ..... 281

CHAPTER 1 About WatchGuard CPM

Congratulations on your purchase of the WatchGuard Central Policy Manager (CPM). Using this product, you can simplify security policy deployment with a central console that lets you manage multiple Firebox Vclass installations across an entire enterprise infrastructure. This powerful and highly scalable network management platform offers global management for large enterprises, data centers, and service providers.

Why Use WatchGuard CPM?

With WatchGuard CPM, you can configure and monitor hundreds of Firebox Vclass appliances. It is the ideal global management solution for distributed enterprises, data centers, and service providers who depend on Firebox Vclass appliances for their high-speed security.


Components of CPM

CPM consists of two main components, CPM Server and CPM Client. CPM can be used to manage many different types of appliances, as shown in the following figure.

CPM Server

The CPM Server software includes a database that stores the configurations and policies for all appliances while it actively monitors the status of each appliance, alerting you if problems arise. WatchGuard recommends that you install the CPM Server component onto a separate, high-capacity host computer. You can install both Client and Server onto a single workstation if your network environment is small and you do not plan to expand it.

A large amount of appliance-specific information can be stored in CPM Server as appliance-specific profiles. When needed, you can prompt CPM Server to use its secure connections to all your appliances to deploy new or updated profiles.

CPM Client

The CPM Client application gives administrative workstations access to CPM Server. You can install and run the Client on any number of administrative workstations. After an administrator uses the Client to log into CPM Server, he or she can set up global policies and record appliance-specific profiles, including policies, system configurations, log files, alarms, and activity monitors. If the administrator has fewer privileges, he or she might only be able to review the active alarms and clear them.

You can assign more than one administrator to manage various aspects of the overall task load. Your authorized client administrative users do not have to be “local” to participate in the CPM system. If you load VPN policies into the relevant appliances that would permit secure communications between a client workstation and the server host, other remote administrators can assume their duties from their locations.

Network Security Basics

You begin your assessment of how to secure a site or network with a security stance. Simply put, a security stance is a statement of how an organization protects its assets. An effective organization-wide security stance considers:


• Implementation and maintenance of the stance, and how the stance fits in with the organization’s goals and objectives

• The level of access provided to the various users and groups within the organization

• Whether the organization allows recreational use of facilities and systems

• What level of remote access communication is allowed

The stance generally accepted by the Internet security community is to discard all packets not explicitly allowed; stated simply, “that which is not explicitly allowed is denied.” WatchGuard Firebox Vclass appliances, like most commercial firewalls, adopt this as the default stance. Discarding all data packets not explicitly allowed through the firewall protects against attacks based upon new, unfamiliar, or obscure IP services. It also provides a safety net regarding unknown services and configuration errors that can threaten network security.

This means that for the Firebox to pass any traffic, it must be configured to pass the traffic your customer wants to allow through the firewall. The network administrator must actively select the services and protocols you or your customers want, configure each one to define which hosts can send and receive them, and set other individual properties for the service.

Offline and Online Configuration

Unlike WatchGuard Vcontroller and other single-appliance management tools, CPM performs most configuration tasks offline. During offline configuration, CPM does not need a connection to an appliance. All configuration for an appliance is completed on the CPM server, compiled into a profile for the appliance, and deployed to the appliance at a later time. Depending on the changes initiated by the new profile, the appliance may or may not be rebooted.

Address Objects in CPM Security Policies

In the CPM Policy Editor, a security network includes one Internet object at the center, and multiple surrounding private networks and hosts, connecting to the internet through appliances.

Each address object is located either at the Internet or at a Private or DMZ port on the appliance. Address objects are created either under the Internet object, or under appliances with private or DMZ ports. Internet addresses by definition apply to all Public ports.

Address objects can be defined as:

• any IP address behind an interface

• a single IP address behind an interface

• a range of IP addresses behind an interface

• an IP address subnet behind an interface

• the IP address of the interface

In addition, address groups can contain any of the previous types of address objects.

Address objects and address groups simplify the configuration of multiple appliances. A new security policy can be defined once, compiled once, and deployed once. However, depending on its definition, the policy might apply to a single IP address, an entire corporate network, a collection of networks, or the entire Internet. And a single CPM policy can create one policy on one appliance, or multiple policies on multiple appliances, and other objects related to those policies.
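The five address-object types listed above, address groups, and the default stance from “Network Security Basics” (traffic not explicitly allowed is discarded) can be modelled together. The following Python is an added example written for this guide, not CPM or Firebox code. The object names, IP addresses and the single “WebServer” rule are constructed to mirror the “Internet traffic to a Web server” example that follows; the evaluation order (first matching rule wins, otherwise deny) is an assumption made for the model, not a description of the Vclass policy engine.

```python
import ipaddress
from dataclasses import dataclass
from typing import Sequence, Tuple, Union

# Address object kinds from the list above: "any", "single", "range",
# "subnet" and "interface" (the IP address of the interface itself).


@dataclass(frozen=True)
class AddressObject:
    name: str
    location: str             # where it lives, e.g. "Internet" or "V80:DMZ2" (constructed labels)
    kind: str                 # any | single | range | subnet | interface
    spec: Tuple[str, ...] = ()

    def matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if self.kind == "any":
            return True
        if self.kind in ("single", "interface"):
            return addr == ipaddress.ip_address(self.spec[0])
        if self.kind == "range":
            low, high = (ipaddress.ip_address(s) for s in self.spec)
            return low <= addr <= high
        if self.kind == "subnet":
            return addr in ipaddress.ip_network(self.spec[0], strict=False)
        raise ValueError(f"unknown address object kind: {self.kind!r}")


@dataclass(frozen=True)
class AddressGroup:
    """An address group may hold any mix of the object types above."""
    name: str
    members: Tuple[AddressObject, ...]

    def matches(self, ip: str) -> bool:
        return any(m.matches(ip) for m in self.members)


Matcher = Union[AddressObject, AddressGroup]


@dataclass(frozen=True)
class Rule:
    source: Matcher
    destination: Matcher
    services: frozenset        # service names, e.g. {"HTTP", "HTTPS"}
    action: str                # "Allow"; anything unmatched falls through to "Deny"


def evaluate(rules: Sequence[Rule], src: str, dst: str, service: str) -> str:
    """Return the action of the first rule matching the packet, or "Deny".

    The trailing "Deny" is the default stance: traffic not explicitly allowed
    is discarded, which also covers unfamiliar services and rules that were
    never written because of a configuration error.
    """
    for rule in rules:
        if (rule.source.matches(src) and rule.destination.matches(dst)
                and service in rule.services):
            return rule.action
    return "Deny"


# Constructed sample objects (IP addresses are documentation ranges, not real hosts).
INTERNET_ANY = AddressObject("Any", "Internet", "any")
WEB_SERVER = AddressObject("WebServer", "V80:DMZ2", "single", ("203.0.113.10",))
BRANCH_USERS = AddressObject("BranchFTPUsers", "BranchOffice:Private", "range",
                             ("10.1.1.20", "10.1.1.40"))
CORP_NET = AddressObject("CorporateNetwork", "V80:Private", "subnet", ("10.2.0.0/16",))
TRUSTED = AddressGroup("Trusted", (BRANCH_USERS, CORP_NET))

# Policy 1 from the example below: HTTP and HTTPS from anywhere to the Web server.
POLICY_1 = [Rule(INTERNET_ANY, WEB_SERVER, frozenset({"HTTP", "HTTPS"}), "Allow")]


def demo() -> dict:
    """Run a few constructed packets through the rule set."""
    return {
        "web_http": evaluate(POLICY_1, "198.51.100.7", "203.0.113.10", "HTTP"),
        "web_ssh": evaluate(POLICY_1, "198.51.100.7", "203.0.113.10", "SSH"),
        "other_host": evaluate(POLICY_1, "198.51.100.7", "203.0.113.11", "HTTP"),
        "group_hit": TRUSTED.matches("10.1.1.33"),
        "group_miss": TRUSTED.matches("10.3.0.1"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

SSH to the Web server and HTTP to a neighbouring DMZ address both fall through to “Deny” even though nobody wrote a rule against them; that fall-through is the whole value of the default-deny stance.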


CPM Policy Examples

The following examples illustrate various network topologies and their related CPM policies.

Internet traffic to a Web server

In this example, a policy is created that allows HTTP and HTTPS traffic from any IP address on the Internet to reach a Web server. The Web server is a single IP address object called “WebServer,” located behind the Vclass appliance named “V80.” The Web server is located on Port 3 (DMZ2).

Figure: the Internet (address: any IP address) on Port 1 of the Vclass "V80"; the Web server (address WebServer@V80) on Port 3.

The policy configuration is shown as Policy 1. After the policy is compiled and deployed, the resulting policy on the Vclass “V80” is:

Source    Destination    In port       Service        Action
Any       WebServer      1 (Public)    HTTP, HTTPS    Allow

Branch office to an FTP server

In this example, a policy is created that allows FTP traffic from a range of addresses behind one appliance to reach an FTP server behind a different appliance. The appliances are in different physical locations, and communication occurs over the internet, using single-direction IPSec. The “BranchFTPUsers” address is an IP address range located behind Port 0 (Private) of the Vclass appliance called “BranchOffice.” The “FTPServer” address is located behind Port 2 (DMZ1) of the Vclass appliance “V80.”

Figure: the FTP users (address BranchFTPusers@BranchOffice) on Port 0 of the Vclass "BranchOffice", which reaches the Internet through Port 1; the FTP server (address FTPServer@V80) on Port 2 of the Vclass "V80", which reaches the Internet through Port 1.

The policy configuration is shown as Policy 2. After the policy is compiled and deployed, the resulting policy on the Vclass “BranchOffice” is:

Source            Destination    In port    Service    Action
BranchFTPUsers    FTPServer      Private    FTP        IPSec

A policy is also created on the Vclass appliance “V80.”

Source            Destination    In port    Service    Action
BranchFTPUsers    FTPServer      Public     FTP        IPSec

In addition, an IKE policy is created for this connection. In the IKE Pairs tab in CPM, the following policy appears.

Pair                  IKE Proposals    Authentication    Status
BranchOffice - V80    Default          Pre-Shared Key    Ready

Branch office to a corporate network

In this example, all users at the branch office are allowed access to all services on the private network of the main corporate office. The appliances are in different physical locations, and communication occurs over the internet, using bi-directional IPSec. The “BranchNetwork” address is an IP subnet located behind Port 0 (Private) of the Vclass appliance “BranchOffice.” The main corporate network is a subnet located behind Port 0 (Private) of the Vclass appliance “V80.”

Figure: the branch office IP subnet (address BranchNetwork@BranchOffice) on Port 0 of the Vclass "BranchOffice", which reaches the Internet through Port 1; the corporate network (address CorporateNetwork@V80) on Port 0 of the Vclass "V80", which reaches the Internet through Port 1.

The policy configuration is shown in Policy 3.

After the policy is compiled and deployed, the resulting policy on the Vclass “BranchOffice” is:

Source           Destination         In port    Service    Action
BranchNetwork    CorporateNetwork    Private    ANY        IPSec (bidirectional)

A policy is also created on the Vclass appliance “V80.”

Source              Destination      In port    Service    Action
CorporateNetwork    BranchNetwork    Private    ANY        IPSec (bidirectional)

In this example, the same IKE pair is used as in the previous example.

Pair                  IKE Proposals    Authentication    Status
BranchOffice - V80    Default          Pre-Shared Key    Ready

Multiple addresses

Policies can include multiple addresses. For example, you can create a single policy that includes separate subnets under “BranchOffice,” and even other appliances at other offices as sources. You can combine destination addresses; for example combining different subnets at the corporate office, or IP address ranges behind the Private interface.

You can use any combination of services and actions you want, if the actions are compatible. CPM creates the correct policies for each appliance, including all required IPSec actions and policies.
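The expansion of one CPM policy into per-appliance policies and an IKE pair, which the three examples above show for a Web server, a single-direction tunnel and a bidirectional tunnel, can be written as a small compile step. The Python below is an added example for this guide, not CPM's own compiler. The placement rules it encodes are read off those three examples and are an assumption about the general case: the in port is the port behind which the source lives; Internet sources enter on the Public port; when the destination sits behind a different appliance both appliances get an IPSec policy, the far one entering on its Public port; a bidirectional policy is mirrored on the far appliance with source and destination swapped; and every cross-appliance policy yields one IKE pair.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

INTERNET = "Internet"


@dataclass(frozen=True)
class Address:
    """A CPM address object: a name plus where it lives (appliance and port).
    Internet addresses live at the Internet object and apply to all Public ports."""
    name: str
    appliance: str          # "Internet" or an appliance name such as "V80"
    port: str = "Public"    # Private, DMZ1, DMZ2 ... (Public for Internet addresses)


@dataclass(frozen=True)
class CpmPolicy:
    source: Address
    destination: Address
    services: Tuple[str, ...]
    action: str = "Allow"
    bidirectional: bool = False


@dataclass(frozen=True)
class AppliancePolicy:
    source: str
    destination: str
    in_port: str
    services: Tuple[str, ...]
    action: str


@dataclass(frozen=True)
class IkePair:
    pair: str
    proposals: str = "Default"
    authentication: str = "Pre-Shared Key"
    status: str = "Ready"


def compile_policy(policy: CpmPolicy) -> Tuple[Dict[str, List[AppliancePolicy]], List[IkePair]]:
    """Expand one CPM policy into the policies each appliance receives."""
    src, dst = policy.source, policy.destination
    if src.appliance == INTERNET and dst.appliance == INTERNET:
        raise ValueError("a policy needs at least one address behind an appliance")
    per_appliance: Dict[str, List[AppliancePolicy]] = {}
    ike_pairs: List[IkePair] = []

    # Case 1: one appliance serves both ends (the other end may be the Internet).
    if INTERNET in (src.appliance, dst.appliance) or src.appliance == dst.appliance:
        owner = dst.appliance if src.appliance == INTERNET else src.appliance
        in_port = "Public" if src.appliance == INTERNET else src.port
        per_appliance[owner] = [AppliancePolicy(src.name, dst.name, in_port,
                                                policy.services, policy.action)]
        return per_appliance, ike_pairs

    # Case 2: the ends sit behind different appliances, so the traffic crosses
    # the Internet inside an IPSec tunnel; CPM supplies the IPSec action itself.
    action = "IPSec (bidirectional)" if policy.bidirectional else "IPSec"
    per_appliance[src.appliance] = [AppliancePolicy(src.name, dst.name, src.port,
                                                    policy.services, action)]
    if policy.bidirectional:
        # Mirrored on the far side: its own network is the source, entering on its port.
        far = AppliancePolicy(dst.name, src.name, dst.port, policy.services, action)
    else:
        # Single direction: the far side sees the same flow arriving on its Public port.
        far = AppliancePolicy(src.name, dst.name, "Public", policy.services, action)
    per_appliance[dst.appliance] = [far]
    ike_pairs.append(IkePair(f"{src.appliance} - {dst.appliance}"))
    return per_appliance, ike_pairs


# Constructed address objects matching the three examples above.
ANY = Address("Any", INTERNET)
WEB_SERVER = Address("WebServer", "V80", "DMZ2")
BRANCH_FTP_USERS = Address("BranchFTPUsers", "BranchOffice", "Private")
FTP_SERVER = Address("FTPServer", "V80", "DMZ1")
BRANCH_NETWORK = Address("BranchNetwork", "BranchOffice", "Private")
CORPORATE_NETWORK = Address("CorporateNetwork", "V80", "Private")

POLICY_1 = CpmPolicy(ANY, WEB_SERVER, ("HTTP", "HTTPS"))
POLICY_2 = CpmPolicy(BRANCH_FTP_USERS, FTP_SERVER, ("FTP",), "IPSec")
POLICY_3 = CpmPolicy(BRANCH_NETWORK, CORPORATE_NETWORK, ("ANY",), "IPSec", bidirectional=True)

if __name__ == "__main__":
    for label, p in (("Policy 1", POLICY_1), ("Policy 2", POLICY_2), ("Policy 3", POLICY_3)):
        rules, pairs = compile_policy(p)
        print(label)
        for appliance, entries in rules.items():
            for e in entries:
                print(f"  {appliance}: {e.source} -> {e.destination}, in port {e.in_port}, "
                      f"{', '.join(e.services)}, {e.action}")
        for pair in pairs:
            print(f"  IKE pair: {pair.pair} / {pair.proposals} / {pair.authentication} / {pair.status}")
```

Running it reproduces the three result tables above; the point to notice is that the author of the policy never wrote the IPSec actions or the IKE pair, which is what “CPM creates the correct policies for each appliance” amounts to.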

CPM and Network Configuration

You can use CPM to maintain and monitor any number of Firebox Vclass and RapidStream security appliances both within your local firewall and outside the firewall. The key requirement is an SSL/HTTPS policy on each appliance that permits CPM to gain complete access to that appliance through whatever firewalls may exist between the Server and that appliance. This includes full-strength gateway security appliances, internal-use appliances that guard private network assets, and VPN client appliances, distributed throughout the Internet and serviced by ISPs.

Most networks using CPM have one of the two following configurations:

• An extended network has CPM connected to a gateway appliance, through which it is connected to other appliances outside the local firewall.

• A local network has CPM connected to a collection of appliances, all inside the local firewall.


Types of Appliances Administered with CPM

You can administer, monitor, and coordinate network communications between a number of devices in CPM:

• WatchGuard Firebox Vclass security appliances

• RapidStream appliances

• RapidStream “Secured by Check Point” appliances

• Third-party security appliances

• “Virtual appliances” that represent VLAN or user domain tenants associated with an operational appliance

• Remote appliances running MUVPN

CPM and WatchGuard Vclass/RapidStream security appliances

You can use CPM to install and configure the operational profile for any “factory default” Firebox Vclass appliances from WatchGuard or legacy appliances manufactured by RapidStream. After the appliances are deployed and operational, you can monitor and troubleshoot them.

CPM and RapidStream "Secured by Check Point" security appliances

If you are using RapidStream appliances running preinstalled Check Point software, you can continue to use RapidStream Navigator to administer the appliances, while using CPM to identify the location of these appliances for policy-making purposes. CPM can also be used to monitor appliance status using SNMP.

Because CPM includes a link to RapidStream Navigator, you can integrate CPM system monitoring with the maintenance of “Secured by Check Point” security appliances through RapidStream Navigator.

Recording the Check Point appliances in CPM as network assets allows you to record security policies that establish traffic between the Check Point devices and Firebox Vclass or RapidStream devices.

Remote appliances running MUVPN

Telecommuters working from home and traveling employees who need corporate network access are common fixtures in today’s business environment. Mobile User VPN (MUVPN) creates an IPSec tunnel between an unsecured remote host and your trusted and optional networks using a standard Internet dial-up or broadband connection without compromising security. This type of VPN requires only one Firebox for the private network and the Mobile User VPN software module.

Maintaining and managing VPN tunnels established between a main corporate office and one or more branch offices can become an overwhelming task. CPM centralizes all intersite communication, which preserves network performance and simplifies maintenance.

Appliances running MUVPN are recorded as “RAS user” in CPM.

CPM and third-party security appliances

You can record all third-party appliances, which include third-party security appliances or older-model Firebox appliances, as assets in your extended network. You can then use CPM to configure security policies for communications between Firebox Vclass appliances and these third-party appliances.

The following table summarizes all of the CPM management options, by appliance type:

                                        Use CPM to    Use CPM to    Use as addresses
                                        configure     monitor       in CPM policies
WatchGuard Firebox Vclass appliances        X             X                X
WatchGuard Firebox appliances                                              X
RapidStream appliances                      X             X                X
RapidStream Check Point appliances                        X                X
Third-party appliances                                                     X

About Router Mode and Transparent Mode

Vclass appliances can operate in two distinctly different modes–Router Mode and Transparent Mode. Descriptions of these modes are included in this section.

Router Mode

Router Mode is the default mode for Vclass appliances.

Vclass appliances running in Router Mode integrate firewall, VPN, and routing functions in a single appliance. In this mode, the Vclass appliance functions as a security gateway, as shown in Figure 2, “Vclass Router Mode operation,” on page 15.

Depending on the Vclass model, up to four network interfaces are provided, which you can use to route traffic between a private network, the public network or Internet, and DMZ networks. Private and DMZ networks are considered to be trusted, and the public network is not trusted.

Networks are on different subnets.

In Router Mode, all interfaces are routable. Each individual interface is assigned an IP address on the subnet it is connected to. Packets crossing the Vclass appliance are managed by configured policies and proxies. Allowed packets are routed to their destinations. In this mode, the Vclass appliance only receives the packets that are addressed to it. Packets sent out from the Vclass are marked with the Vclass interface MAC as their source.

Figure 2: Vclass Router Mode operation. The Internet (untrusted) connects to one interface of the Vclass; the Private Network and the DMZ Network (trusted) connect to its other interfaces.

No special configuration is required to set an appliance to Router Mode. Vclass appliances are set to Router Mode by default. Use the instructions provided throughout this guide to configure your Router Mode appliance.

You can switch an appliance to Router Mode at any time, using Device Discovery, the Installation Wizard, the System Configuration window on the Interfaces page, or by importing a Router mode XML configuration.


Transparent Mode

Figure 3: Vclass Transparent Mode operation. Top, the existing network: the Internet (not trusted) connects through a router to the existing network, which is not trusted either. Bottom, the existing network with a Transparent Mode Vclass appliance: the Vclass sits between the router and the existing network, which is now trusted.

Vclass Transparent Mode is designed to allow simple “drop-in” integration of the Vclass appliance in an existing network topology. Figure 3, “Vclass Transparent Mode operation,” on page 16, depicts a typical Transparent Mode scenario. In this scenario, the Vclass is placed between an existing router gateway and an internal network. Routing functions are handled by the router, and the Vclass provides firewall and VPN functions.

The main differences between Transparent and Router modes are:

• Transparent mode interfaces are promiscuous. A promiscuous interface receives not only the packets addressed to it (as in Router Mode), but also packets addressed to other hosts on the network. However, the Vclass appliance passes packets without taking any action, if both the packet source and target are connected and reachable on the same interface.

• In Transparent Mode, the Vclass appliance uses one IP address and one Subnet Mask for all interfaces. These addresses are called the System IP and the System Mask. All interfaces on the Vclass appliance use these addresses.

• The System IP is used as the IPSec tunnel peer address.

• In contrast to Router Mode operation, in Transparent Mode the Vclass switches a packet to its destination, if the packet is allowed. Like a typical network switch, the packet’s source MAC address is preserved.
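The forwarding differences just listed (Router Mode acting only on frames addressed to its own interface MAC and re-sourcing what it forwards; Transparent Mode receiving every frame promiscuously, passing same-interface traffic untouched, and switching allowed frames with the source MAC preserved) can be contrasted in a small simulation. The Python below is an added example written for this guide, not Vclass firmware. The interface names, MAC and IP addresses, the host-location table (standing in for ARP in Router Mode and MAC learning in Transparent Mode) and the one-line allow policy are all constructed.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    iface: str        # interface the frame is seen on (ingress) or sent out of (egress)
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    service: str


# ip -> (interface the host sits behind, its MAC). Constructed; stands in for
# what ARP (Router Mode) or MAC learning (Transparent Mode) would supply.
HostTable = Dict[str, Tuple[str, str]]

Verdict = Tuple[str, Optional[Frame]]   # (what happened, egress frame or None)


class Vclass:
    def __init__(self, mode: str, iface_mac: Dict[str, str], hosts: HostTable,
                 allowed: Callable[[Frame], bool]) -> None:
        if mode not in ("router", "transparent"):
            raise ValueError(mode)
        self.mode = mode
        self.iface_mac = iface_mac
        self.hosts = hosts
        self.allowed = allowed    # stands in for the configured policies

    def handle(self, frame: Frame) -> Verdict:
        return self._route(frame) if self.mode == "router" else self._switch(frame)

    def _route(self, frame: Frame) -> Verdict:
        # Router Mode: only frames addressed to the ingress interface's own MAC
        # reach the appliance at all.
        if frame.dst_mac != self.iface_mac[frame.iface]:
            return "ignored: not addressed to this interface", None
        if not self.allowed(frame):
            return "dropped by policy", None
        out_iface, next_hop_mac = self.hosts[frame.dst_ip]
        # Allowed packets are routed; the egress frame carries the Vclass
        # interface MAC as its source.
        egress = replace(frame, iface=out_iface,
                         src_mac=self.iface_mac[out_iface], dst_mac=next_hop_mac)
        return "routed", egress

    def _switch(self, frame: Frame) -> Verdict:
        # Transparent Mode: promiscuous, so every frame on the segment is examined.
        out_iface, _ = self.hosts[frame.dst_ip]
        if out_iface == frame.iface:
            # Source and target reachable on the same interface: no action taken.
            return "passed: same interface, no action", None
        if not self.allowed(frame):
            return "dropped by policy", None
        # Switched to the destination interface; MACs untouched, like a switch.
        return "switched", replace(frame, iface=out_iface)


# Constructed topology: one Public and one Private interface, three hosts.
IFACE_MAC = {"Public": "00:a0:c5:00:00:01", "Private": "00:a0:c5:00:00:02"}
HOSTS: HostTable = {
    "198.51.100.7": ("Public", "00:11:22:aa:aa:aa"),    # host on the Internet side
    "10.0.0.5": ("Private", "00:11:22:bb:bb:bb"),       # internal web server
    "10.0.0.6": ("Private", "00:11:22:cc:cc:cc"),       # internal workstation
}


def allow_http_to_web(frame: Frame) -> bool:
    """Constructed policy: only HTTP to the internal web server is allowed."""
    return frame.service == "HTTP" and frame.dst_ip == "10.0.0.5"


def demo() -> Dict[str, Verdict]:
    router = Vclass("router", IFACE_MAC, HOSTS, allow_http_to_web)
    transparent = Vclass("transparent", IFACE_MAC, HOSTS, allow_http_to_web)
    # Router Mode hosts send to the gateway's MAC; Transparent Mode hosts send
    # to the real destination MAC because the Vclass is invisible to them.
    to_gateway = Frame("Public", "00:11:22:aa:aa:aa", IFACE_MAC["Public"],
                       "198.51.100.7", "10.0.0.5", "HTTP")
    to_host = Frame("Public", "00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb",
                    "198.51.100.7", "10.0.0.5", "HTTP")
    lan_local = Frame("Private", "00:11:22:bb:bb:bb", "00:11:22:cc:cc:cc",
                      "10.0.0.5", "10.0.0.6", "SMB")
    return {
        "router_to_gateway": router.handle(to_gateway),
        "router_not_for_me": router.handle(to_host),
        "router_lan_local": router.handle(lan_local),
        "transparent_inbound": transparent.handle(to_host),
        "transparent_lan_local": transparent.handle(lan_local),
        "transparent_denied": transparent.handle(replace(to_host, service="TELNET")),
    }


if __name__ == "__main__":
    for name, (what, egress) in demo().items():
        print(f"{name}: {what}" + (f" -> {egress}" if egress else ""))
```

The LAN-local SMB frame is the case to watch: in Router Mode the appliance never sees it (it is not addressed to the gateway MAC), and in Transparent Mode it is seen but passed with no action, so in neither mode do policies apply to traffic that stays on one interface.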

Unsupported features in Transparent Mode

Not all features available in Router Mode are feasible or usable in Transparent Mode. Unsupported features are:

• Backup WAN connection (WAN Failover)

• DHCP Client and Server

• Proxies

• Dynamic Routing

• High Availability (Active/Standby or Active/Active)

• VLAN and Tenants

• NAT, including SNAT, DNAT, VIP

• PPPoE

• Secondary IP

• Spanning Tree Protocol

• Tunnel Switching

More information

Information on Router Mode and Transparent Mode configuration options is included in the relevant material throughout this User Guide.


CHAPTER 2

Installing or Upgrading CPM Software

This chapter describes how to install or upgrade the two components of the CPM system: the CPM Server software and the CPM Client application. Each software installation relies on the use of an InstallShield™ Wizard stored on the CD-ROM enclosed with your manual and software registration. This chapter also covers backing up and removing CPM software.

For information on installing CPM Server on a Solaris host, see the CPM Applications Guide.

Where You Can Install CPM Server and Client

You can install both CPM Server and CPM Client onto any qualifying computer, workstation, or host/server.

Or you can install the components onto separate machines; the choice depends upon the following requirements:


Workstation only

If your workstation CPU processor speed is sufficient, you can install both server and client software onto a workstation/desktop computer.

WatchGuard recommends installing CPM Server onto an auxiliary drive with at least 50 megabytes of free space.

You can install CPM Client onto the main drive of the workstation. It does not increase in size during use.


Workstation/Server

WatchGuard recommends this mode of installation, in which you install the CPM Server software separately onto a server with an auxiliary drive or a separate partition that has at least 50 MB in free space.

You can install CPM Client onto the main drive of any locally networked workstation. It does not increase in size during use.

Installation requirements

To manage more than one security appliance with CPM, you must have the appropriate WatchGuard CPM license.

This license determines the number of appliances that you can administer. After the required license is entered, CPM Server can contact and administer the maximum number of licensed appliances. (If you add more appliances to your network, you can easily obtain and install an expanded-capacity license.) For information about obtaining a site license for CPM, see “Obtaining the Site License for CPM” on page 24.

All CPM Clients communicate with CPM Server through a Secure Socket Layer (SSL) connection, whether the client workstation is located inside or outside the firewall of the corporate network.

If any client applications are intended for use outside the firewall, you must open a specific SSL connection through the firewall. The SSL port can be customized by opening and editing the cpm_server.conf and cpm_client.conf files.

• If you’ve installed several separate CPM Server software packages, you can connect to any of them with the same CPM Client application assuming that you have an access account for that server.

• When logging into a CPM Server on a separate host computer, you must have the IP address of that host.

After you have initially logged in, CPM Client stores the IP address of this CPM Server host in its configuration file and uses it as the default host next time you bring up CPM Client.

NOTE

You can review “About the CPM Configuration Files” in the CPM Applications Guide for complete details on both cpm_server.conf and cpm_client.conf files.

System Requirements for CPM Server

Host computer

Any workstation or server with sufficient hard drive capacity located inside the corporate network/firewall. A standalone server is recommended. The CPM Server software cannot be installed on more than one host computer.

Operating System

Windows NT 4.0 Server, Windows NT 4.0 Workstation (Service Pack 6a), Windows 2000 Server, Windows 2000 Professional, or Windows XP Professional. Do not install the CPM Server software onto non-NT computers such as Windows 98.

Sun Solaris, v2.8 (Sparc)

Processor Type

Pentium II or later version of Pentium CPU

Processor Speed

700 MHz minimum

Memory

256 MB minimum

Hard Disk Space

50 MB minimum (for CPM Server database software)

20 MB minimum (for CPM Client software)

Input Device

CD-ROM or DVD

Network Interface

NICs or embedded network connections

System Requirements for CPM Client

Host Computer

Any desktop computer. The CPM Server software must be installed on a host computer and be currently active before you install any CPM Client.

For the initial CPM Client, the computer must be inside the same corporate network/firewall as CPM Server. You can install subsequent Client installations on any computers located either inside or outside the network.

Operating System

MS Windows 98/ME/XP or NT/2000/XP

Processor Type

Pentium II or later version of Pentium CPU

Processor Speed

500 MHz or faster

Memory

128 MB minimum

Hard Disk Space

10 MB minimum (for CPM software)

Input Device

CD-ROM or DVD

Network Interface

NICs or embedded network connections

Java 2 runtime environment (JRE)

When CPM is installed on a Windows system, a local copy of the Java Runtime Environment is installed in the CPM installation directory. CPM ignores other installed versions of JRE on the computer, to prevent conflicts with other Java-based applications and guarantee the correct version of JRE for all CPM functions.

CPM for Solaris requires that you install JRE version 1.4.1_01 before you install CPM.


Obtaining the Site License for CPM

Before you proceed with installation, you must obtain the license for CPM.

1 Find the license key certificate that was included with your CPM package. This item contains a code you must enter at the WatchGuard Web site.

2 Use a Web browser to connect to the URL printed on the same card.

3 Make all the relevant entries in that Web page, including your company’s name and the host name of the computer on which CPM Server will be installed.

To find the host name, on a Windows computer, right-click My Computer and then select the Property menu to bring up the System Properties dialog box. Select the Network Information tab to view the full computer name. The name may be followed by the domain name, which you should not include in the license request. For example, if abc.mydomain.com is listed as the full computer name, enter only abc as the host name.

On a Solaris computer, enter “uname -n” to find the host name.

After you successfully submit the entries, the feature key text is printed in the browser, which you should cut and paste into a text file stored on your workstation.

After you have obtained the feature key and stored it safely on your workstation, you can proceed with the CPM installations. You don’t need the feature key text until you first start CPM Client and attempt to log into CPM Server.


Installing the CPM Server Software

To install the CPM Server software onto the target host computer running the Windows operating system:

1 If you have a WatchGuard CPM CD-ROM, remove the CD-ROM from the package and insert it into the CD-ROM drive of either the administrative workstation or the host server.

If you do not have a CD-ROM, but have downloaded the installation package, go to step 5.

2 Locate and double-click the CD-ROM drive icon.

NOTE

The CD-ROM may not start automatically on some computers. If this is the case, open the Run dialog box. In Run, enter the CD-ROM drive letter and setup.exe to start the installation.

3 Open the CPM Server folder (inside the Windows folder).

4 Double-click the Server installer icon (Setup.exe).

The CPM Server Setup Wizard appears, displaying the initial Welcome screen.

5 If you do not have a CD-ROM, but have downloaded the installation files from LiveSecurity, locate the files you have downloaded, and double-click the file WGCPMServer50.exe.


6 Click Next.

The Wizard displays the WatchGuard CPM Server Software License Agreement, as shown below, which you must accept to continue with the installation.

7 Read the complete agreement before proceeding. Click Yes to accept the terms of the agreement.

8 Assuming you clicked Yes, the wizard prompts you for a destination directory, and lists a default destination folder and its directory pathway. WatchGuard recommends that you use the default folder.

If you would like to change the installation folder, click Browse to open the Choose Folder dialog box (shown below) which you can use to locate the computer, drive, and directory. However, you cannot choose a folder on a network drive.


9 Click Next to accept the selected drive, path, and directory.

10 The wizard now loads the archived installer files from the CD-ROM into the designated drive and directory. All of the CPM Server files are stored in the CPM Server directory. Click Next.

NOTE

The CPM Server software is installed as a service by Microsoft Windows, and as a result does not have a program folder listed under Programs in the Start menu. It is set to start automatically in the Services dialog box of Control Panel during the installation process.

11 The wizard now displays a confirmation message. Click Finish.

12 Click the checkbox to select whether you want to start the CPM Server, then click Finish to close the dialog box. If you start CPM Server, it runs as a service. If you do not click the checkbox to start CPM Server, you can start it later manually. CPM Server also starts each time the host computer is rebooted.

Installing the CPM Client Software

You can install multiple CPM clients onto the same computer. Each CPM client is represented by a separate icon.

You are not required to uninstall previous CPM clients, but each CPM client can log in only to a CPM Server that is the same version. You can only install one version of CPM Server per computer.

To install the WatchGuard CPM Client application on a computer running Microsoft Windows, follow these steps:

1 Remove the WatchGuard CPM CD-ROM from the package and insert it into the CD-ROM drive of your administrative workstation.

2 Locate and double-click the CD-ROM drive icon.

3 Open the Client folder on the CD (inside the Windows folder).

4 Double-click the CPM Client installer icon (Setup.exe).

After startup is complete, the InstallShield Wizard appears, displaying the Welcome screen.


5 Click Next to proceed.

The Wizard displays the WatchGuard CPM Client Software License Agreement, as shown below, which you must accept to continue with the installation.

6 Read the complete agreement before proceeding. Click Yes to accept the terms of the agreement.

7 Assuming you clicked Yes , the wizard prompts you for a destination directory, and lists a default destination folder and its directory pathway. WatchGuard recommends that you use the default folder.


If you are unsure of the drive location, click Browse to open the Choose Folder dialog box (shown below) which you can use to locate the computer, drive, and directory.

8 Click Next to accept the selected drive, path, and directory.

9 The wizard now prompts you for a default Program Folder in which to install the program icon. WatchGuard recommends you use the default location. Click Next.

After the wizard completes the installation, it displays a confirmation message.

10 Click the checkbox to select whether you want to start the CPM Client, then click Finish .


Upgrading from a Previous Version of CPM

CPM 5.0 does not accept the CPM 4.x or 3.x database. If you are using CPM 4.x and want to use the database in CPM 5.0, you must first convert it to a CPM 5.x database.

To convert a database, you must first back up the database while running the old version of CPM, uninstall the old version, install and run the new version, and then copy the backed-up database into the new version.

If you want to convert a CPM 3.x database, you must first convert it to a CPM 4.x database, then convert that to a CPM 5.x database.

NOTE

If you installed the Server onto a separate computer and have one or more Clients on other computers/workstations, you should first upgrade the Server on that machine before upgrading all other installations of the Client.

To complete the upgrade, follow these steps:

1 Log into CPM Client (from the root admin workstation).

2 Open the Backup/Restore window and back up your current CPM database. For more information on how to back up a CPM database, see “Backing Up CPM Server” on page 35.

3 Use the Windows Add/Remove Programs dialog box to remove CPM Server, and then CPM Client from your computer.

4 Install the current version of CPM Server, as described in “Installing the CPM Server Software” on page 25.

5 When asked whether you want to start CPM Server, click the checkbox.

6 Start the CPM Client Installer and complete that installation on your root admin workstation. (For more information, see “Installing the CPM Client Software” on page 29.)

7 When asked whether you want to start CPM Client and log into the Server, click the checkbox.

8 Use the Login dialog box to connect to CPM Server.

A dialog box appears, informing you that a valid license is needed.

9 Use the CPM Server Info window that appears automatically to import the license.

10 When this is complete, you can log into CPM Server and restore the archived CPM database.

For more information on restoring the archived database, see the CPM Applications Guide.

Backing Up CPM Server

Before uninstalling, you may want to preserve your existing database contents, such as appliance configurations and policies. To do so, you should back up the CPM database files before proceeding. Removal of the CPM Server database deletes all of your appliance logs, configurations, and policies.

To back up the CPM database, follow these steps:

1 Log into CPM Client (from the root admin workstation).

2 Click Backup/Restore .

The Backup/Restore dialog box appears.


3 Enter the directory path and file name of where you want to save the backup image.

4 Click Backup .

When the backup image is complete, a message dialog box appears.

5 Click OK .

6 Click Close .

Uninstalling CPM Server or Client

If problems arise and you need to make a clean reinstallation of the CPM software or remove corrupted files, you must first uninstall the CPM Client or CPM Server software. To uninstall the software, use the Windows Add/Remove Programs dialog box.

CHAPTER 3

Starting the CPM Client and Server

Prior to starting CPM Client, make sure CPM Server is running. For information on starting CPM Server, see “Starting or Restarting CPM Server” on page 49.

NOTE

If the CPM Server has been installed on a host server with multiple network interface cards (NICs), you must use the IP address of the NIC used for the CPM Server as the server IP address. The CPM Server IP address is stored in cpm_server.conf, which you can review in “About the CPM Configuration Files” in the CPM Applications Guide.

Starting the CPM Client for the First Time

The “cpmadmin” username and password give the user full admin account access. WatchGuard recommends logging in as “cpmadmin”, then using the Account Manager window to set up a range of other administrator access accounts. This is described in the next chapter.

To log into the CPM Client, follow these steps:

1 Click Start => Programs => WatchGuard CPM Client , or double-click the WatchGuard CPM Client shortcut icon if one was placed on the Windows desktop.

The CPM login dialog box appears.

2 In the Server IP Name field, type the IP address or hostname of the server computer.

If multiple NICs in the host may cause problems, use the IP address of the NIC that CPM Server uses.

3 In the Password field, type cpmadmin .

4 Click Log In to submit the access entries.

If this is your first login attempt, an alert dialog box may appear to tell you that you need to import the basic WatchGuard license that allows you to use CPM for appliance management.


5 Click OK to proceed.

The CPM Server Information window appears (in front of the CPM Console window), displaying the General Info tab.

6 Open the license file (a text file that you obtained and saved earlier) and copy the contents onto the Clipboard. For information on how to access a license file, see “Obtaining the Site License for CPM” on page 24.

7 Close the license file.

8 Click Upgrade License in the General Info tab (as indicated in the previous illustration).

The Upgrade License dialog box appears.


9 Click Paste to insert the license text. Click OK .

A confirmation dialog box appears, indicating the number of appliances this license will allow you to manage with CPM.

10 Click OK to close this dialog box.

The dialog box closes and the General Info tab now displays information about the license.

11 Close this window.

The CPM Console window appears, ready for use.

Changing Your CPM Client Login Password

You must change the password used for access to the CPM Server on two occasions:

• If you have not yet changed the default password since you completed the original installation. In this case, CPM prompts you to make the change.

• If you want to periodically change the password to maintain system security.

If CPM prompts a password change

If you have never replaced the default password, a dialog box recommends that you change the original default “cpmadmin” password. You must change it by following these steps:

1 When the following dialog box appears, click OK to close it.

The Set Password dialog box appears.

2 Type the new password into both the New Password and Confirm Password text fields.

Use only alphanumeric characters between 6 and 16 characters for the password.

NOTE

After replacing the password for “cpmadmin”, be sure to write down your new password and store it in a safe, accessible place. If the password is forgotten and lost, all root admin access is lost and you must uninstall and reinstall the CPM Server, losing all your policies and configurations.

3 Click OK to submit the new password.

A confirmation dialog box appears.

4 Click OK to close this dialog box. Your new password is in effect.

You can continue using CPM during this login session without having to log out and log back in using the new password.

If you want to replace an existing password

After changing the original password, you should periodically replace the current password to maintain system security:

1 With the CPM Console active, click CPM Server.

The CPM Server Information dialog box appears.

2 Click Change Password (in the lower-right corner of the General Info tab).

The Set Password dialog box appears.

3 Type a new password into both the New Password and Confirm Password text fields.

Use only alphanumeric characters between 6 and 16 characters for the password.

NOTE

After replacing the password for “cpmadmin”, be sure to write down your new password and store it in a safe, accessible place. If the password is forgotten and lost, all root admin access is lost and you must uninstall and reinstall CPM Server, losing all your settings and entries.

4 Click OK to submit the new password.

A confirmation dialog box appears.

5 Click OK to close this dialog box. Your new password is in effect.

You can continue using CPM during this login session without having to log out and log back in using the new password.

Starting the CPM Client After Initial Log In

1 Select Start => Programs => WatchGuard => CPM.

2 When the Login dialog box appears, enter your account user name and password. Click OK. (Note that CPM “remembers” the IP address of the Server.)

3 The Console window appears, ready for use.

Upgrading your CPM License

You need a new CPM license if you want to:

• Increase the number of appliances your CPM can manage

• Change the hostname of the computer running CPM Server

For information on how to obtain this license, see “Obtaining the Site License for CPM” on page 24. This section describes how to upgrade your CPM Server license after the original has expired.

After you obtain the upgrade license (as a text file), follow these steps:

1 Open the file containing the license text and copy the text to the Clipboard.

2 After logging into CPM Client, click CPM Server in the CPM Console.

3 When the CPM Server Information dialog box appears, click Upgrade License.

4 When the Upgrade License dialog box appears, click Paste to insert the license text from the Clipboard.

5 Click OK to load this information into the CPM Server database.

If the upgrade is successful, a confirmation dialog box appears.

The CPM Server Information dialog box should now indicate the new number of manageable appliances.

Stopping the CPM Server

You may want to shut down CPM Server (an optional step) before upgrading the Server software. You can shut down CPM Server in two ways:

• Using the Services control panel on the actual host server location where the CPM Server application is installed.

• Using the CPM Client on the host computer logged in as the Root Admin.

Stopping CPM Server at the host computer

This section describes the process for the Microsoft Windows 2000 and XP operating systems. It is slightly different for Windows NT 4.

1 Select Start => Settings => Control Panel.

2 When the Control Panel opens on the desktop, click Administrative Tools => Services.

3 When the Services control panel appears, scroll down the list and select WatchGuard CPM Server.

4 Click the Stop button in the control panel toolbar.

A status dialog box appears.

This dialog box automatically closes after the Services control panel has completed the shutdown of the WatchGuard CPM Server service.

The control panel Status column will be blank, indicating that the service has stopped.

5 You can now close the Services control panel.

The CPM Server application can now be upgraded or removed from the server.

Shutting down CPM Server at the CPM Client workstation

1 If you have not already done so, start the CPM Client.

2 Log into the CPM Server as “cpmadmin”.

3 When the CPM Console appears, click CPM Server.

The CPM Server Information dialog box appears.

4 Click Shutdown.

A confirmation dialog box appears.

5 Click Yes to proceed with shutdown.

After an interval, the following information dialog box appears.

6 Click OK.

7 You can now quit (exit) CPM Client.

Starting or Restarting CPM Server

The WatchGuard CPM Server application runs as a system-level service, which you can manually start or restart. This section explains how to start CPM Server. This is necessary only during unusual circumstances.

1 Select Start => Settings => Control Panel.

2 When the Control Panel opens on the desktop, click Administrative Tools => Services.

3 When the Services dialog box opens, scroll down the list until you locate the WatchGuard CPM Server listing.

The Status message should read “Started”. If for some reason the CPM Server has been shut down, the Status message will read “Stopped”.

4 Select the CPM Server entry and click Start.

Microsoft Windows attempts to start the WatchGuard CPM Server. When the startup is complete, “Started” should appear in the Status column for CPM Server.

5 You can now close the Control Panel.

The CPM Server is now operational. You can now start the WatchGuard CPM Client and log into the CPM Server as described in a preceding section.

NOTE

If the host server ever needs to be rebooted, the CPM Server will automatically restart.

CHAPTER 4

Creating CPM Administrator Accounts

Administrative accounts enable users to connect to CPM Server so that they can monitor and manage the system to the extent of the group privileges assigned to them. You can give one account user a wide range of controls over the appliance and policies, while you can restrict other account users to basic status checks and alarm monitoring.

To set up the system for multi-user access (with multiple levels of role privileges), you must do the following:

• Assess the existing default roles, to see whether more are needed. (The default roles should cover most, if not all of your network management options.)

• (Optional) Create as many additional roles as are needed to establish precise levels of CPM access.

• Create separate administrator accounts, for individual users.


CPM Default Roles

CPM is installed with five basic access-privilege roles.

Starting with the lowest role, and proceeding to the highest role, the default roles are:

“Help Desk Staff”

Users have read-only access to all features of CPM.

“MIS Staff”

Users can configure and resolve all alarms, but all other features are read-only.

“Network Operator”

Users can set up and manage appliances and customize new alarm definitions.

“Network Administrator”

Users can create and manage appliance entries, configure new alarm definitions, and create and deploy policies.

“MIS Admins”

Users have the full range of access privileges, including appliance record entry/configuration and policy creation/deployment. They can also create new admin accounts.

If you find these role definitions not fully inclusive, you can use CPM to add more roles to the list, or delete any default roles and replace them with your own combinations of responsibilities.

Creating New Roles (Optional)

If you decide that more roles need to be customized for your network administrative users, you can do so at this time. This section describes the creation of any additional access-privilege roles.

1 Log onto CPM Client.

2 Click Account.

A shortcut menu appears with three options.

3 Select Setup Admin Users.

The Administrator Accounts dialog box appears.

4 If the icon at the bottom of the window is set to View Only, as shown below to the left, click it so that it changes to Writable, as shown on the right.

You can use this dialog box to set up and coordinate both administrative role privileges and individual user accounts. The Privileges column includes the following:

CPM Control (CPM Ctl)

Can shut down and restart CPM Server.

Alarm Clearance (Alm Clr)

Can review and clear any alarms that are triggered in CPM-managed appliances.

Appliance Configuration (App Cfg)

Can enter new appliance records and then configure and deploy the required profile.

Alarm Configuration (Alm Cfg)

Can create any needed custom alarm definitions, whether individual or global.

Appliance Control (App Clt)

Can monitor and shut down or reboot problematic appliances.

Admin Account Configuration (Adm Cfg)

Can create or change administrative access accounts, including assignment of privileges.

Policy Configuration (Pcy Cfg)

Is allowed full access to the insertion and deployment of security policies.

5 If you want to add a new role, click New Role (to the right of the Roles list).

The Admin Role Properties dialog box appears, displaying the General tab.

6 In the Role Name text field, type a name for the role.

A role name should consist of numbers and letters, up to 24 characters in length. Use hyphens (-), underscores (_), or spaces as separators.

7 (Optional) Type a brief description of the role in the Description text field.

8 Select one or more checkboxes corresponding to the access privileges you want to assign to the role. You can select any of the listed access privileges. For information on access privilege options, see the definitions in Step 4.

9 Click OK to save your selections.

The Admin Role Properties dialog box closes. When the Administrator Accounts dialog box becomes visible, it lists your new role entry below the default entries.

10 Repeat the previous process to create any other roles to incorporate the levels of access privilege you want to assign to your network administrators.


Creating Administrator Accounts

This section describes how to create an administrator account (which you can include in one or more of the existing roles). To do so, you should first determine the following:

• Which people can administer the security appliances

• A login name for each administrator

• The full name of each administrator

• A password for each administrator account

• What role each administrator should undertake

To create a new administrator account, follow these steps:

1 If you have not already opened the Administrative Access dialog box, click Account in the CPM Console.

The Administrator Accounts dialog box appears, listing the groups that have been previously created.

2 Click New User.

The Admin Account Properties dialog box appears.


3 In the Login Name text field, type a login name for the administrator.

An administrator name should consist of numbers and letters, up to 24 characters in length. Use hyphens (-), underscores (_), or spaces as separators.

4 In the Full Name text field, type the full name of the first administrator.

Use only numbers and letters up to 24 characters in length, and use the space bar for spaces between names.

5 In the Contact Info field, type any relevant contact information (phone number or email address).

6 To add the role privileges that you want this administrator to have, click Add Role.

The Add Group dialog box appears displaying the login name for this account in the title bar.

7 Select the role privilege groups and click OK .

8 Repeat this process to add other groups, if needed.

9 Click Set Password.

The Set Password dialog box appears, displaying the login name for this account in the title bar.


10 In the New Password text field, type a password for this user account.

Use only alphanumeric characters, between 6 and 16 characters in length.

11 In the Confirm Password text field, reenter the same password.

12 Click OK.

The Set Password dialog box closes and the Admin Account Properties dialog box reappears.

13 Click OK to close the Admin Account Properties dialog box.

14 Repeat this process to enter all of the administrator access accounts and to assign them the appropriate role privileges.
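The naming and password rules stated in this chapter (role and login names: letters and digits, up to 24 characters, with hyphens, underscores or spaces as separators; full names: letters, digits and spaces, up to 24 characters; passwords: 6 to 16 alphanumeric characters) are small enough to check before an administrator types them into the dialog boxes. The following Python script is an added example, not part of this guide or of WatchGuard CPM; the regular expressions, the reading that a separator is valid only between two alphanumeric runs, and the rejection of the installation default “cpmadmin” as a new password are this example's own assumptions.

```python
import re

# Rules as stated in the guide; the regexes themselves are this example's
# assumptions, as is treating a separator as valid only between two runs
# of letters/digits (so no leading, trailing or doubled separators).
MAX_NAME_LEN = 24
ROLE_OR_LOGIN_RE = re.compile(r"[A-Za-z0-9]+(?:[-_ ][A-Za-z0-9]+)*")
FULL_NAME_RE = re.compile(r"[A-Za-z0-9]+(?: [A-Za-z0-9]+)*")
PASSWORD_RE = re.compile(r"[A-Za-z0-9]{6,16}")
DEFAULT_PASSWORD = "cpmadmin"  # installation default the guide says to replace


def valid_name(name: str) -> bool:
    """Role name or login name: letters and digits, up to 24 characters,
    with hyphens, underscores or spaces allowed only as separators."""
    return len(name) <= MAX_NAME_LEN and ROLE_OR_LOGIN_RE.fullmatch(name) is not None


def valid_full_name(name: str) -> bool:
    """Full name: letters and digits, up to 24 characters, space-separated."""
    return len(name) <= MAX_NAME_LEN and FULL_NAME_RE.fullmatch(name) is not None


def valid_password(password: str) -> bool:
    """6 to 16 alphanumeric characters, and not the installation default
    (the added check is this example's assumption, not a CPM rule)."""
    return PASSWORD_RE.fullmatch(password) is not None and password != DEFAULT_PASSWORD


def check_account(login: str, full_name: str, password: str) -> list:
    """Return the list of problems with a proposed account entry.

    An empty list means every field satisfies the rules above."""
    problems = []
    if not valid_name(login):
        problems.append("login name: letters/digits, up to 24 chars, "
                        "separators -, _ or space only between runs")
    if not valid_full_name(full_name):
        problems.append("full name: letters/digits and spaces, up to 24 chars")
    if not valid_password(password):
        problems.append("password: 6-16 alphanumeric chars, not the default")
    return problems


if __name__ == "__main__":
    # Constructed sample entries (not real accounts).
    for entry in [("ops_admin", "Ops Admin", "Secret123"),
                  ("bad name!", "", "cpmadmin"),
                  ("help-desk 2", "Help Desk", "abc12")]:
        print(entry, "->", check_account(*entry) or "ok")
```

Run the script directly to see each sample entry reported as accepted or listed with the fields that would be refused; `check_account` returns the problem list so it can also be called from a batch pre-check before accounts are entered by hand.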

Completing the Access Setup

Now that you have defined the access privileges and the administrator accounts, you can do the following:

• Contact each potential administrator

• Verify that they have installed the CPM Client onto their workstations

• Deliver to them an account login name and password

• Define their responsibilities and provide instructions for the performance of their tasks. (You can distribute the Acrobat file containing this user guide as a teaching aid to all network administrators or support staff.)

Reviewing the Current CPM Session

You can use CPM to view a snapshot of your current session:

1 Log onto CPM Client.

2 Click Account.

A shortcut menu appears, as shown here.

3 Select Show My Session.

The My Session Info dialog box appears.

This dialog box summarizes your login information, along with your administrative group privileges.

4 Click OK to close this dialog box when you are finished.

Determining Which Other Administrators Are Online

CPM provides a way to see which other administrators are online in active sessions, who has been locked out of particular windows, or who has locked a particular window.

1 Log onto the CPM Client.

2 Click Account.

A shortcut menu appears, as shown here.

3 Select Show All Sessions.

The All Session Info dialog box appears.

This window lists the following:

- All currently active administrative sessions

- The initial session login time (From)

- The current time (Time)

- Whether any active administrator has locked a particular CPM window and naming the window if it has been locked

4 If you need to use a locked window and you have the proper privileges, you can contact the locking administrator and discuss access to that window.

Reserving a CPM Window

You can reserve the following CPM windows for your exclusive use:

• The Configuration Editor window

• The System Configuration dialog box (on a per-appliance basis)


• The Alarm Definition dialog box (the Alarm Console is not lockable)

• The main Administrative Accounts window

If more than one CPM administrator logs into CPM Server, the Server allows the first one who opens one of these four windows to make it writable, and to reserve it for his or her own use for as long as needed. Other administrators can open these windows with view-only access.

The status of a window is indicated by the two icons below:

Click the icon to toggle the status and change the icon accordingly.

If the second administrator needs to have full access, he or she can use the All Session Info window to determine who locked that window, and then contact that administrator and ask him or her to change the access to view-only (which releases the lock).

To lock a window for your own use, follow these steps:

1 Log into the CPM Server.

2 Open any one of these lockable windows:

- Configuration Editor window

- System Configuration dialog box (on a per-appliance basis)

- Alarm Definition dialog box (the Alarm Console is not lockable)

- Administrative Accounts window

3 Click the View Only icon at the bottom of the window to change it to the “writable” icon.

4 To make this window writable for another’s use, if requested by another administrator, click the

“Writable” icon to return it to “View Only”.


At this point, you are (potentially) prevented from working in this window by any other administrator who chooses to make it writable.

If you can’t reserve a window

Another administrator may have reserved the window. If this occurs, you’ll see this dialog box when you try to change “View Only” to “Writable”.

This dialog box notes the user name and the IP address of the administrative workstation so that you can contact that user and request a release of the window.

NOTE

If you reserve a window as writable for your exclusive use, remember that CPM Client does not release that window until you manually return the window to “View only” or close the window.
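The reservation rules described in this section (the first administrator to make one of the four lockable windows writable holds it; others get view-only access and are shown the holder's user name and workstation IP address; the System Configuration dialog box is locked per appliance; the lock is released only when the holder returns the window to View Only or closes it) can be modelled as a small lock registry. The following Python class is an added example of that model, not code from this guide or from WatchGuard CPM; the class, method and window names, and the way the All Session Info listing is represented, are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The four lockable windows named in this section (assumed spellings).
# "System Configuration" is reserved per appliance, so its key carries
# the appliance name; the other three are global.
LOCKABLE = ("Configuration Editor", "System Configuration",
            "Alarm Definition", "Administrative Accounts")


@dataclass(frozen=True)
class Holder:
    user: str
    ip: str  # workstation address shown in the "cannot reserve" dialog


class WindowLocks:
    """Model of window reservation: first writer wins; the lock is released
    only when the holder returns the window to View Only or closes it."""

    def __init__(self) -> None:
        self._locks: Dict[Tuple[str, Optional[str]], Holder] = {}

    @staticmethod
    def _key(window: str, appliance: Optional[str]) -> Tuple[str, Optional[str]]:
        if window not in LOCKABLE:
            raise ValueError(f"{window!r} is not a lockable window")
        if window == "System Configuration":
            if appliance is None:
                raise ValueError("System Configuration is locked per appliance")
            return (window, appliance)
        return (window, None)

    def set_writable(self, window: str, user: str, ip: str,
                     appliance: Optional[str] = None) -> Optional[Holder]:
        """Try to reserve the window. Returns None on success, otherwise the
        Holder to contact (what the "cannot reserve" dialog box reports)."""
        key = self._key(window, appliance)
        current = self._locks.get(key)
        if current is None:
            self._locks[key] = Holder(user, ip)
            return None
        if current == Holder(user, ip):
            return None  # already reserved by this same session
        return current

    def set_view_only(self, window: str, user: str, ip: str,
                      appliance: Optional[str] = None) -> bool:
        """Release the reservation. Only the holder can release it; a
        view-only session toggling the icon changes nothing."""
        key = self._key(window, appliance)
        if self._locks.get(key) == Holder(user, ip):
            del self._locks[key]
            return True
        return False

    def close_window(self, window: str, user: str, ip: str,
                     appliance: Optional[str] = None) -> bool:
        """Closing the window releases the lock exactly like View Only."""
        return self.set_view_only(window, user, ip, appliance)

    def locked_windows(self) -> List[Tuple[str, str, str, str]]:
        """What All Session Info would list: window, appliance, user, ip."""
        rows = [(w, a or "", h.user, h.ip) for (w, a), h in self._locks.items()]
        return sorted(rows)


if __name__ == "__main__":
    # Constructed sample sessions (not real users or addresses).
    locks = WindowLocks()
    locks.set_writable("Configuration Editor", "alice", "10.0.0.5")
    blocker = locks.set_writable("Configuration Editor", "bob", "10.0.0.6")
    print("bob blocked by:", blocker)
    locks.set_view_only("Configuration Editor", "alice", "10.0.0.5")
    print("bob after release:", locks.set_writable("Configuration Editor", "bob", "10.0.0.6"))
    print(locks.locked_windows())
```

The registry keeps only the window identity and the holder; a second session never receives write access silently, it is told whom to contact, which is the behaviour the All Session Info window and the "cannot reserve" dialog box give the administrator.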

CHAPTER 5

Configuring Appliances for Network Use

This chapter describes how to use CPM to initialize, configure, and prepare new security appliances for your network. You complete the following steps when you configure a new appliance with CPM:

• Add appliances to CPM Client

• (Optional) Add certificates and licenses

• Configure system and policies

- Configure appliance hardware

- Run the Default Policy Wizard

- Create network addresses

- Create security policies

- Assemble policy components

• (Optional) Define alarms

• Compile and deploy appliance profile

• Relocate the appliance


Getting Started

To start the process of entering a new appliance record in CPM, follow these steps:

1 Connect your factory default security appliances (either a new WatchGuard Firebox Vclass appliance or a legacy RapidStream) to the subnet shared by CPM Server.

2 Power up the new appliance. The process should take no longer than three minutes.

3 Log in to the CPM Client, using an account with full appliance-creation and management privileges.

For more information on administrator accounts, see “Creating CPM Administrator Accounts” on page 51.

Installing and Setting Up a Firebox Vclass Appliance

If you plan to use the WatchGuard CPM system to configure “factory default” appliances, you must mount, connect, and power up the appliance before any initial configuration can occur. Use the WatchGuard Vclass Hardware Guide that came with your appliances to guide you through these tasks:

• Mounting the appliance in a network setting

• Connecting the network cabling to the appropriate data interfaces

• Powering up the security appliance

Be sure to mount any new Firebox Vclass appliance in the same subnet as the CPM Server host computer, so that you can proceed with the full CPM profile creation and deployment process.

Adding Appliances to CPM

The first step to managing the security appliance with CPM is to add the appliance to CPM. You can do this in two ways:

• Discover the device

• Add appliance records

You can configure and deploy policies using CPM Client after the security appliance is added.

Discovering devices

CPM Client can find security appliances connected to the same subnet shared by CPM Server using device discovery. Before using CPM to discover an uninstalled (“factory default”) appliance, you must have the following:

• A temporary IP address, for use in discovery and the initial deployment.

• Whether the appliance will be deployed in transparent or router mode. You can change this later.

• A unique password that CPM will use to gain access to this appliance. If a unique password is not specified, the default password is used.

• A basic appliance profile, ready for deployment.

To discover a device:

1 Log on to CPM Client.

2 Click Appliance Manager.

3 Click Discover in the Configuration Editor toolbar.

The Device Discovery dialog box appears.

4 Click Find.

If locally networked appliances were discovered, the Device Discovery window appears.

This window lists any factory default appliances found on your local subnet.

5 If you want to deploy the appliance in Transparent Mode, click the Transparent Mode checkbox.

6 Click the To Do cell. From the drop list, select Set IP.

Set IP appears in this cell.

7 Click the Temp IP cell, and then type a unique local-subnet IP address.

This IP address is used in the deployment process.

8 Click the Mask cell, and then type the subnet mask.

9 Click the Associated Appliance cell and then select Create New from the menu.

10 Click the CPM Password checkbox.

The Set Password dialog box appears.

11 In both Password fields, enter the CPM password.

This is for CPM appliance communication use; administrative use passwords serve a separate function and are not related to this password. For more information on CPM Administrator Accounts, see “Creating CPM Administrator Accounts” on page 51.

12 Click OK to save the password.

13 Click Apply located at the bottom of the Device Discovery window.

A confirmation dialog box appears, asking if you intend to apply all the settings made in this window.

14 Click OK to proceed.

A processing message appears in the Processing Status cell on the Device Discovery window.

15 When Device Discovery is complete, the string Temp IP set to [IP specified] appears in the Processing Status cell on the Device Discovery window.

16 Click Cancel to close the Device Discovery window.

The Profiles tab now lists the appliance profile. The Configuration Status column displays Incomplete, the Last Compiled column displays Never Compiled, and the Last Deployed column displays Never Deployed. You need to configure the appliance hardware using the System Configuration tabs and create policies using the Policy tab before you can compile and deploy policies to this appliance. For more information on System Configuration, see “Configuring the Appliance Hardware” on page 78. For more information on creating policies, see “Running the CPM Default Policy Wizard” on page 80 and “Assembling the CPM Policy Components” on page 87.

Adding a new appliance record

If you do not want to discover a device, you can add a new appliance record in the Configuration Editor.

1 Log on to CPM Client.

2 Click Configuration Editor.

The Configuration Editor window appears.

3 Right-click in the Appliance/Addresses tab, and select New => New [type] Appliance from the drop list, where [type] is one of the following:

- WatchGuard Vclass or RapidStream RSSA

- RapidStream Secured by CheckPoint

The Add [type] Appliance dialog box appears.

4 Type a Name for the appliance in the Name field.

5 Select one of the three options: Blank, Copy From, or On-line.

A new set of menu options appears below.

Blank

Use when you want to set up the system configuration from scratch or if this is a new “factory default” appliance.

Copy From

Use when you want to copy the system configuration from an existing appliance record.

On-Line

Use when you want to copy the system configuration from an appliance that is currently running on-line.

6 If you selected Blank, select the model number and version of the WatchGuard operating software installed on the appliance from the drop list.

7 If you selected Copy From, select the appliance record you want to copy from the drop list.

8 If you selected On-line, enter the IP address of the appliance you want to contact on-line.

9 Click Open “System Configuration” after appliance is created if you want the System Configuration dialog box to open after the appliance is added.

For more information on the System Configuration dialog box, see “Creating Network Addresses” on page 85.

10 Click OK to proceed.

Importing Licenses and Certificates (Optional)

If a factory-default security appliance needs an x.509 certificate (for use in IKE authentication), you must import the certificate contents before performing the full setup and configuration. Additionally, if you have certain extended-feature licenses that you’ve purchased for use in this appliance, you should import the licenses at this time.

To import licenses and certificates into a factory default security appliance, you need to obtain x.509 certificates or licenses and then import them.

If you do not need to import an x.509 certificate or license, proceed to “Configuring the Appliance Hardware” on page 78.

Obtaining the x.509 certificate

1 Log on to CPM Client.

2 Click Appliance Manager.

The Appliance Manager window appears.

3 Right-click the new appliance record and select Certificate from the shortcut menu.

The Certificates dialog box appears with the Certificates tab visible.

4 Click Create Request.

The Certificate Request Wizard appears.

5 Use the resulting four-stage wizard to prepare the x.509 request for the preferred Certificate Authority (CA).

6 When you are finished with the request (and have copied the text to the Clipboard), open a Web browser window and connect to the Web site of the preferred CA.

7 Open the CA site certificate request form and paste this text into the relevant field.

8 Fill in the other fields.

9 Provide the required payment information.

10 Submit the request, and then close the browser window.

You now wait for the certificate (in the form of a text file sent to you by the co-signing authority). When you receive it, import it into the Firebox.

Importing the new x.509 certificate

To import the newly received x.509 certificate:

1 Log into the CPM Client.

2 Click Appliance Manager.

The Appliance Manager window appears.

3 Right-click the row that represents the appliance that uses this new certificate. Select Certificate from the shortcut menu.

4 Click Import Certificate/CRL.

5 When the Import Certificate/CRL dialog box appears, you have two options:

- Use a text editor to open and copy the certificate data file, and then click Paste to insert the text contents into the text field in this dialog box.

- Click Load the certificate from a file and use the resulting dialog box to locate and import the certificate data file.

If the process is successful, the certificate data appears in the Import Certificate/CRL dialog box’s text field.

6 When the certificate text is present in the dialog box’s text field, click Import Certificate.

7 Click Cancel.

Importing licenses for extended features

1 Log into the CPM Client.

2 Click Appliance Manager.

The Appliance Manager window appears.

3 Right-click the record of the appliance that will use this feature and select Show License.

The [Appliance Name] License window appears.

4 Click Add.

The Import New License dialog box appears.

5 You have several options:

- Open the license file in a text editor, copy the text onto the Clipboard, and then click Paste to insert the contents into the text area in this dialog box.

- Click Load the license from a file and use the resulting dialog box to locate and import the license data file.

- Manually transcribe the license text from some open source.

6 Click Import License to complete the import.

The newly applied license is listed in the License window.

7 Click OK to close the License window.

The extended-feature license has now been incorporated in the appliance.

Reviewing the current licenses

If you have already configured an active appliance and want to review the extended-feature licenses previously imported into the appliance, follow these steps:

1 Right-click an appliance record in the Appliance Manager window and select Show Licenses.

The [Appliance Name] Licenses window appears, listing any licenses present in this appliance.

2 To review the complete set of active features, click Show Active Features.

The Active Features dialog box appears.


This dialog box shows the feature names, the capacity (dictated by the current license), and the expiration date.

3 When you are finished reviewing the contents, click Close to close the dialog box.

4 To review the actual text of a license, double-click the license entry in the License window.

The License Detail dialog box appears, displaying the license text.

This text cannot be copied and applied to any other appliances, because it is linked to the serial number hard-coded into the appliance.


Deleting an out-of-date license

You can remove old or out-of-date licenses from this appliance by following these steps:

1 Open the License window.

2 Select an expired license and click Delete.

A confirmation dialog box appears.

3 Click OK to confirm.

The license entry is erased from the window.

NOTE

You are not required to delete expired licenses, and they will not cause any problems.

Installing multiple licenses

When you purchase licenses for multiple Vclass appliances, they are delivered in a License Package file. This is a gzipped tar (*.tgz) format file. Internally, the file includes license and serial number information, so when you install licenses from a License Package file, only the licenses that apply to the current appliance (determined by the serial number) are applied. You must install the License Package separately to each appliance to apply or update all of your licenses.

To install a License Package:

1 Open the Appliance Manager.

2 From the Appliance menu, select Install Bulk Licenses.


3 Select the License Package file and click Open.

The Bulk License window appears.

4 Select the licenses you want to install by clicking the checkboxes in the Install column. Click Select All to select all licenses. Click Clear All to clear all licenses.

5 Click Install to install the licenses you have selected.

The applicable licenses are applied to the appliances, based on the appliance serial numbers.


Restoring the Appliance to a Factory-Default State

If you are configuring an appliance to be used as a backup or secondary appliance in a High Availability configuration, you must restore the appliance back to factory default settings after setting up the license and certificate. Note that the license and certificate are not removed during this restoration.

1 Log into the CPM Client.

2 Click Appliance Manager.

The Appliance Manager window appears.

3 Right-click the appliance record and select Operations => Restore Default.

A confirmation dialog box appears.

4 Click Yes to proceed.

After a short interval, the status of this appliance will be “out of contact.”

The appliance (and the initial CPM record) is now ready for the full profile deployment process. See “Creating Network Addresses” on page 85 to proceed. You can reuse the existing appliance record, even though the appliance has been reverted to a blank state.

Configuring the Appliance Hardware

As an automatic extension of the new appliance entry process, the System Configuration window allows you to complete the hardware configurations required by this appliance.

1 Open the Configuration Editor window.

2 Locate the new appliance record in the Appliance/Address tab and right-click it.

3 Select Edit/View.

The System Configuration window opens.

4 Fill in the General tab text fields with appliance-specific information.

5 Open the Timezone menu and select the geographic setting for this appliance.


6 Click Apply.

You can now work through all of the remaining System Configuration tabs and make the necessary entries. The tabs include the following, depending upon the security appliance model number.

All appliance models

General, Interfaces, Routing, DNS, SNMP, Log Settings, Hacker Prevention, Blocked Sites

V60/V80/V100 models

High Availability, Tunnel Switch, VLAN Forward, NTP, Advanced

For more information on completing the System Configuration tabs, see “Completing the Appliance Configuration” on page 95.

Running the CPM Default Policy Wizard

After you’ve completed the initial appliance entry and configuration, you should run (or update) the Default Policy Wizard, which establishes policies for secure administrative communications between the newly recorded appliance and CPM Server.

1 Open the Configuration Editor window.

2 Select the Policies tab.

3 From the Wizards menu, select Create CPM Default Policies.

The CPM Default Policy Wizard appears.


This initial wizard displays two topology drawings:

- The configuration on the left shows an extended network with the CPM system connected to a gateway appliance, through which it is connected to other appliances over the Internet (outside the local firewall).

- The configuration on the right shows a local network with the CPM system connected to a collection of appliances, all inside the local firewall.

4 Click either drawing, depending upon which topology your network matches. Click Next.

If you chose the extended network

If you clicked the extended network drawing, the following screen appears.


1 From the Appliance menu, select the appliance acting as your local firewall gateway.

2 In the IP Address field, type the IP address of your CPM Server.

NOTE

If the host computer for the CPM Server software has more than one interface (usually when several NICs are in use), you should enter the IP address configured previously for the CPM Server, which is recorded in the cpm_server.conf file in the installation directory.

3 If your external connection does not use dynamic NAT and your host computer has its own IP address, click the DNAT option No button. (Otherwise, the default connection state is that DNAT is active and does apply to your CPM host computer’s external connections.)

4 Click Next to proceed.

The next screen appears, summarizing what is about to be accomplished.

5 Review the information, and then click Next to finish the process.

When the policy wizard is finished, the wizard closes and the Policy window lists two global policies:


- A “Heartbeat Tunnels” policy, for incoming IPSec traffic that directs the remote appliance’s heartbeats to the CPM Server.

- An “Allow CPM” policy that permits outgoing CPM HTTPS traffic, for use in contacting all remote appliances.

If you chose the local network

If you clicked the network drawing on the right, the following screen appears.

1 Delete any text that might appear in the IP Address field, and type the IP address of CPM Server.

NOTE

If the host computer for the CPM Server software has more than one interface (usually when several NICs are in use), you should enter the IP address configured previously for the CPM Server, which is recorded in the cpm_server.conf file in the installation directory.

2 Click Next to proceed.

The final screen appears.


3 Click Next to finish.

When the wizard is finished, it closes and the Policy tab in the Configuration Editor lists a single new policy that permits SSL traffic exchanged between all sources, including the management port IP addresses of the local security appliances.

The Configuration Editor also adds a new address entry (named “Mgmt Ports,” shown below), representing all management interfaces for all appliances.


Creating Network Addresses

Note that this appliance has been automatically registered in the Configuration Editor window as new address entries for the appliance itself and for each of the data interfaces.

You now need to create address entries associated with this appliance that represent all network entities behind each of the interfaces.

To view the automatic entries:

1 Open the Configuration Editor window.

2 Look in the Appliances/Addresses tab for this new appliance record.

3 Click the toggle to the left of this entry, as shown here.

The record expands to show the automatically generated interface address entries.

NOTE

These addresses represent the data interface, not the networks behind them.

4 Right-click the appliance entry to open the shortcut menu, and select New Address.

The Add Address dialog box appears, which you can use to enter the first of any required network-entity address records for later use in policies. For more information on adding addresses and groups, see “Cataloging Addresses for Use in Policies” on page 144.

Entering the Security Policies

The Configuration Editor assists you in the creation of security policies by organizing many policy “building blocks” into convenient tabs or dialog boxes.

The tabs to the left in the Configuration Editor are Appliances/Addresses, Services, IPSec actions, Proxy Actions, QoS actions, Schedules, and IKE proposals.


The Configuration Editor shortcut menu (which you open by right-clicking the Action cell in a policy row) provides access to other policy action options, as shown here.


Assembling the CPM Policy Components

The tabs to the left of this window are catalogs of components that you can add to or customize before starting on the policy-creation process. Each tab contains a default selection of basic items, which you might find adequate for your use.

Assembling the CPM Policy Components

After entering the network addresses associated with this appliance, you should enter the following before compiling policies:

• Any additional, custom services or combined service groups. Note that when using the HTTP or SMTP proxies, you should remove the “Any” service and replace it with the correct service (HTTP or SMTP).

• Any custom IPSec actions including transforms and proposals

• Any additional, custom QoS actions

• Any pertinent custom schedules

NOTE

For detailed information on defining security policies, see Chapter 7, “Defining Security Policies in CPM.”

Assembling a policy from available components

1 Open the Configuration Editor window.

2 Select the Policies tab.

3 To create a new policy row in the Policies tab, click the Add a Policy icon, shown at right.

4 Double-click the Name cell and type a policy name.

5 Drag and drop (or click and select) the Traffic Specification components:

Source

Drag one or more entries from the Appliance/Address tab

Destination

Drag one or more entries from the Appliance/Address tab

Service

Drag one or more entries from the Services tab


6 Drag and drop (or click and select) the required Action components:

- Pass, Block, Reject, or Do Proxy (the firewall options)

- IPSec (manual key or automatic key VPN actions)

- Bidirectional IPSec/VPN (set after completing a new policy)

- Dynamic NAT (activates DNAT)

- Static NAT (with a menu for directional options)

- Load Balancing

- QoS

- TOS Marking

7 Repeat this process to create policies for other devices.


Defining the Required Alarms

At this time you can open the CPM Alarm Console and review the default alarm definitions, and if needed, customize and add new definitions for use in this appliance.

For more information on the alarm definition process, see the CPM Applications Guide.

Deploying the Profile

After you have completed the tasks outlined in this chapter, you are ready to deploy the profiles to the newly recorded appliances. This makes the appliances active and enables the monitoring and maintenance of these appliances.

Compiling the profiles

1 Open the Configuration Editor. Click the Profiles tab.

2 Select any (or all) appliance entries.

3 Click the Compile button (in the tab’s top toolbar).

The profile-compilation process begins, and a status message appears in the Status column.

NOTE

If the Compile or Deploy buttons are not active, the most likely cause is a missing or wrong IP address in an appliance record. Review the System Configuration window Interface tab entries for each appliance until you find and change the error—at which time you will be able to compile and deploy the profiles.

After the profiles have been compiled from the database, the Status column reports one of the following states for each profile entry:


No Contact

The appliance is not in communication with CPM.

Use the Appliance Manager to assess the situation.

Needs Deployment

This profile has been changed since the last deployment, and you should redeploy the contents to the relevant appliance.

Up to date

The appliance profile has not been changed since the last deployment and you do not need to redeploy the contents.

If the profile for your new appliance displays “Needs Deployment,” you can proceed with the deployment process.

Deploying the profiles

1 Select the new appliance/profile record.

2 If you want to verify the profile’s readiness, click the now-active Compile button in the tab’s top toolbar.

The Status column now displays "Compiling" (while the Details column displays "Profile compilation in progress..."). When profile generation is complete, the Status column displays "Compilation done".

3 With this compiled profile still selected, click the Deploy button. (Or, right-click the appliance record and select Deploy.)

NOTE

If the Deploy button is not active, the most likely cause is a missing or erroneous IP address in an appliance record.

Review the System Configuration window Interface tab entries for each appliance until you find and change the error—at which time you can deploy the profiles.

A confirmation dialog box appears, to alert you that the primary management IP address will be changed—and contact lost with this appliance—after deployment is complete.


4 Click OK to proceed.

CPM now deploys the new profile to this appliance, where it is immediately put into effect.

- The Status column notes “Deployment started.”

- The Details column notes "Deployment in progress..."

These status messages remain until replaced by the following combination of messages:

No Contact

As noted in the Status column.

Successful

As noted in the Last Deployed column, along with the date and time this profile was deployed. This is the key message.

Unable to connect...

As noted in the Details column.

Relocating the Appliance

At this time, you can power down the appliance and disconnect it, prior to shipping it to its service location.

After it is delivered to its location, the appliance should be connected to the appropriate networks and then powered up.

A few minutes after power-up is complete and the Ready LED on the appliance is lit solidly (not blinking), you can use CPM to remotely establish contact with the device, for all future monitoring and maintenance. To do so, follow these steps:

1 After logging into CPM (if you’ve not already done so), open the Appliance Manager window.

2 Locate the appliance record in the group folder and select it.

The appliance entry appears in the table to the right, shaded green (for "in contact with CPM"). The Status column should read "Normal".

NOTE

In certain circumstances, a minor alarm is triggered and the appliance row appears in yellow. You can open the Appliance Detail dialog box to get an accurate reading of the appliance’s status, as noted in the remainder of this section.

3 Double-click the appliance row.

The Appliance Detail dialog box appears.


4 Review the Availability indicator, highlighted above. It should be green, and should display “Contacted.” The Interface/Port indicators should list the proper IP addresses and be green.

You’ve successfully configured and deployed a working appliance.


CHAPTER 6

Completing the Appliance Configuration

The System Configuration dialog box assists in the recording of a variety of appliance-specific options that optimize your appliance for your specific network environment. You can also use the System Configuration dialog box to revise existing system settings in operational appliances, as needed.

Although appliance configurations are immediately stored in the CPM Server database, they are not put into effect until you deploy a complete appliance profile to the actual device. Do this after completing the profile and adding policies, alarm definitions, and log file settings to the profile.

Configuring a New WatchGuard Appliance

1 Log on to CPM Client.

2 Click Configuration Editor.

The Configuration Editor window appears.


3 Right-click an appliance record (in the Appliances/Addresses list) and select Edit/View.

The System Configuration dialog box appears, displaying the General tab.

Completing the General Entries

You can use the General tab to enter a basic set of appliance-informational entries. To do so, follow these steps:

1 In the Appliance Name field, type the name of the appliance.


2 In the Location field, type the location (current or intended) of this appliance.

The entry can be a city, state, or country name, a building and floor number, any combinations of these, or a simple identifier such as “my_office.”

3 In the Contact field, type the name of the person who will be locally responsible for administration of this appliance, if anyone has been assigned that responsibility.

4 Click Local Admin if you want to assign a password for use when logging in as admin (Vclass) or rsadmin (RSSA) with CLI or Vcontroller.

The Local Admin Account dialog box appears.

NOTE

This local password supersedes the existing “admin” or “rsadmin” access password after the initial deployment of CPM-generated configurations. If an administrator needs to use the WatchGuard Vcontroller, RapidStream Manager, or CLI to administer that appliance, the new password applies.

5 In the Local Admin Password text field, type the new password, using 6 to 16 alphanumeric characters.

6 Click OK to save the new settings and close this dialog box.

7 Review the Configured Model and Configured Version information. If you need to change this information, click Migrate, and enter the correct model number and version of the appliance operating system.

The generic model is used for appliances that are already online. It is replaced with the correct model/version after CPM contacts it.


8 Click Apply.

Completing the Interfaces Entries

In Router Mode, you must configure the IP addresses and network (or subnet) masks for all of the accelerated data interfaces incorporated into this appliance before you can compile and deploy the configuration.

In Transparent Mode, you must enter a single IP address and network mask, called the System IP and the System Mask.

In Transparent Mode, all of the appliance interfaces use the same IP address and network mask.

The choice of IP address for Interface 1 (Public) determines how the appliance should obtain the IP address for this interface, how CPM should compile IKE policies for this appliance, and how CPM should contact this appliance after the appliance uses this configuration.

If you choose static IP:

• The appliance does not perform DHCP or PPPoE when the interface is initialized. The IP address specified is used as the IP address of this interface.

• CPM creates IKE policies with this appliance as the peer when IKE with this appliance is required.

• If this interface is selected as the interface for CPM management, CPM will use its IP address to contact the appliance.

If you choose DHCP or PPPoE:

• The appliance performs DHCP or PPPoE to obtain the IP address for this interface.

• Because CPM assumes that this IP address may change from time to time, it does not create IKE policies with this appliance as the IKE peer. Instead, it creates IKE policies that initiate IKE from this appliance and creates IKE policies for its peer to accept IKE from ANY.

• If this interface is the interface for CPM management, CPM relies on the heartbeat message from the appliance for the IP address to contact.

Users must make sure the IP address is specified correctly. If the appliance obtains a different address, the policies that use this IP address will not work. This can also cause CPM to use an incorrect IP address to contact this appliance. If this happens, you must correct the IP address in this tab and recompile to fix the profile. You must also correct the IP address in the management setting of this appliance so CPM can contact the appliance.

1 Click the Interfaces tab.

The Interfaces tab displays a set of interfaces with options corresponding to the specifications of the appliance model number; the set of interface options you see differs from model to model.

2 For a Vclass appliance at software version 5.0 or higher, select Router Mode or Transparent Mode. For more information on this choice, see “About Router Mode and Transparent Mode” on page 14.

Figure 1: Interfaces window in Router Mode

Figure 2: Interfaces window in Transparent Mode

In Transparent Mode

• Type the IP address for the System IP and the System Mask. This is the only configuration information required for interfaces in Transparent Mode.

In Router Mode

• In each pair of interface-specific text fields, enter the IP Address and Network Mask assigned to that data interface.


3 Click Enable DHCP Server/DHCP Relay if you want to enable DHCP on Interface 0 (Private).

DHCP Server allows the Firebox Vclass to act as a DHCP server, leasing addresses to DHCP clients.

DHCP Relay allows the Vclass appliance to operate as a DHCP agent, relaying addresses from a separate DHCP server to DHCP clients.

NOTE

You can enable DHCP only on the following appliances: Firebox V10, V60, V80, V100, V200 and RSSA 500, 2000, 4000, 6000, 8000. For RSSA 500, the maximum number of DHCP client IP addresses is 20. For all other models, it is 253 (subject to license).

4 If you enabled DHCP Server or DHCP Relay, click Detail.

The DHCP Server dialog box appears.

- To set up the appliance as a DHCP server, click DHCP Server, and type the number of clients and leasing time.

- To set up the appliance to relay DHCP addresses from a separate DHCP server, click DHCP Relay, and type the IP address of the DHCP server.

Click OK to save these settings, or Cancel to return to the Interfaces page.

5 If you want to use WAN Interface Failover, click Backup Connection. WAN Interface Failover allows you to specify a backup ISP to provide Internet service to Interface 1, in the event of an ISP network outage.


6 Select the Enable WAN Interface Failover checkbox to enable failover to another ISP. Configure the interface as previously described, by clicking Static, DHCP, or PPPoE and entering the required values.

NOTE

If PPPoE is selected for the backup WAN, it must be configured as Always On available.

7 Establish Connection Failure Detection criteria.

This section of the window allows you to type up to three different IP addresses that the appliance should be able to ping, to determine whether the WAN is up or down, and timing values to determine when the ISP has failed.

8 Type up to three IP addresses for public, well-known and robust internet sites that allow ping. Examples include Yahoo, Google, and local government sites. Do a DNS lookup for IP addresses for these sites, and remember that pingable addresses might change frequently for large sites.

9 In the Polling Interval field, type the polling interval in seconds to determine a failure. This value determines the amount of time between ping sessions to test the servers listed in the previous step. The default is 30 seconds.

10 In the Polling Timeout field, type the polling timeout in seconds to determine a failure. The default is 5 seconds. If none of the listed servers respond to a ping request within the specified interval, the connection is considered failed, and a failover occurs.

11 In the last field on this dialog, type the number of minutes you want to elapse between successive failovers. The default is 10 minutes.

Since each failover requires a system restart, processing is interrupted for a brief period during failover. If both your Primary and Backup WAN connections are subject to frequent failure, this can lead to a lot of processing interruptions. This setting allows you to minimize downtime for the Firebox, with the tradeoff that the WAN or internet might not be available for longer periods of time.

12 Click OK to return to the Interfaces configuration window.

13 Click one of the checkboxes to define how the IP address will be assigned for Interface 1 (Public). The choices are Static IP, DHCP, or PPPoE. The text entry fields change based on the checkbox you select. For example, IP Address and Netmask appear if you select Static IP.

NOTE

Only Static is supported for RSSA 1000, 2000, 4000, 6000, and 8000.

14 If the Public interface is not Internet routable, click the If the Public IP is not Internet routable check box.

A Detail button appears.

The Routable IP dialog box allows you to specify a static IP address to use to contact the appliance, if it is behind a NAT device or if the public port address is using DHCP or PPPoE. You can also specify that a dynamic IP address be used, if the appliance is connected to the internet through an ISP, and the IP address is unknown. In these cases, the address is not internet routable, and must be contacted through an alternate method.

15 Click the Detail button.

The Routable IP dialog is displayed.


16 Select Dynamic or Static to select the Routable IP routing method.

Dynamic

Select this if the appliance is connected to the internet through an ISP, and the IP address is unknown.

Static

Select this if the appliance is behind a NAT device, or the public port address is using DHCP or PPPoE. Type the IP address of the NAT device, or the IP address of the external network.

If HA/Active-Active is enabled, you must specify a routable IP address for the secondary appliance.

17 Click to select the Enable Port-Shaping checkbox if you want to activate system-wide port shaping for the available port interfaces.

A Detail button appears in the Interfaces tab.


18 Click Detail to open the Specify Port Bandwidth dialog box.


This dialog box allows you to precisely adjust the output/throughput of the available accelerated data interfaces. Values can be recorded in either Kbps or Mbps.


19 In each interface-specific field (as needed), type the appropriate number, according to your selections from the Increment menus.

In most cases, you will want to set bandwidth for the Public port only, because that network connection will probably be the slowest.

20 From the Use port name drop-down list, select the interface to be used for CPM management connections (after the new configuration is deployed to this appliance).

NOTE

By specifying this port, you are providing the necessary topology information for CPM to determine the policy needed for CPM traffic and how CPM should contact this appliance.

- CPM adds the port to the “Mgmt Ports” address object that is created by the CPM Default Policy Wizard (see “Running the CPM Default Policy Wizard” on page 80). This creates the required policy during policy compilation.

- If the port has a static IP address (including static routable IP) and the Change Management Setting after Deployment checkbox is selected, CPM automatically uses that IP address to contact the appliance after deploying the profile to the appliance. If the port has dynamic IP, CPM relies on the heartbeat.


21 If you want CPM to automatically change the management settings for this appliance according to these interface entries after the configuration is deployed, click the Change Management Setting after deployment checkbox. This ensures that CPM can:

- Use a new IP address to contact the appliance if the management interface IP address changes

- Use the appliance’s serial number (embedded in the heartbeat) to manage the appliance if the designated management interface of the appliance is dynamically assigned by the ISP


Completing the Routing Entries

NOTE

You can change the management setting manually from Appliance Manager at any time.

22 If you want to specify the MTU and link speed for each interface, click Advanced.

The Advanced dialog box appears.

23 Enter the MTU and link speed, and select the Specification and Duplex settings from the drop-down list. Click OK to save and close the Advanced dialog box.

24 Click Apply to save the changes in the Interfaces tab.

If you need to change the IP address information for any of these interfaces at a later time, you can do so by reopening this dialog box tab and making the changes.
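The Connection Failure Detection criteria entered in steps 7 to 11 above amount to a small decision procedure, worked here in Python as an added example (not WatchGuard code): the up-to-three ping targets, polling interval, polling timeout and minimum gap between failovers are the settings the page describes, while the alternation between primary and backup links and the scripted ping replies are assumptions made for illustration.

```python
"""WAN Interface Failover decision logic (added example, not WatchGuard code).

Models the Connection Failure Detection settings from the Interfaces tab:
up to three ping targets, a polling interval (default 30 s), a polling
timeout (default 5 s) and a minimum number of minutes between successive
failovers (default 10). Assumption: a failover alternates the active link
between the primary and the backup WAN connection.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PRIMARY, BACKUP = "primary", "backup"


@dataclass
class FailoverSettings:
    targets: List[str]            # one to three public, pingable addresses
    polling_interval: int = 30    # seconds between ping rounds
    polling_timeout: int = 5      # seconds a target has to answer
    min_failover_gap: int = 10    # minutes that must pass between failovers

    def __post_init__(self) -> None:
        if not 1 <= len(self.targets) <= 3:
            raise ValueError("specify one to three ping targets")


class WanFailoverMonitor:
    def __init__(self, settings: FailoverSettings) -> None:
        self.s = settings
        self.active = PRIMARY
        self.last_failover_at: Optional[int] = None   # seconds since start
        self.events: List[Tuple[int, str]] = []

    def link_is_up(self, replies: Dict[str, Optional[float]]) -> bool:
        """A round counts as up if ANY listed target answers within the timeout.
        `replies` maps target -> round-trip time in seconds, or None for no reply."""
        return any(
            replies.get(t) is not None and replies[t] <= self.s.polling_timeout
            for t in self.s.targets
        )

    def poll(self, now: int, replies: Dict[str, Optional[float]]) -> str:
        """Evaluate one detection round at time `now` (seconds).
        Returns the link that is active after the round."""
        if self.link_is_up(replies):
            return self.active
        gap_s = self.s.min_failover_gap * 60
        if self.last_failover_at is not None and now - self.last_failover_at < gap_s:
            # The connection failed again, but the configured gap suppresses
            # another restart-inducing failover for now.
            self.events.append((now, "failure detected, failover suppressed"))
            return self.active
        self.active = BACKUP if self.active == PRIMARY else PRIMARY
        self.last_failover_at = now
        self.events.append((now, f"failover to {self.active}"))
        return self.active


def run_schedule(settings: FailoverSettings,
                 rounds: List[Dict[str, Optional[float]]]) -> WanFailoverMonitor:
    """Replay scripted ping results, one dict per round, polling_interval apart."""
    mon = WanFailoverMonitor(settings)
    for i, replies in enumerate(rounds):
        mon.poll(i * settings.polling_interval, replies)
    return mon


# Constructed sample data: documentation-range addresses stand in for the
# "well-known, robust" sites the guide suggests pinging.
SETTINGS = FailoverSettings(targets=["192.0.2.1", "198.51.100.1", "203.0.113.1"])
ALL_UP = {"192.0.2.1": 0.02, "198.51.100.1": 0.03, "203.0.113.1": 0.05}
ONE_SLOW = {"192.0.2.1": 7.0, "198.51.100.1": None, "203.0.113.1": 0.04}  # still up
ALL_DOWN = {"192.0.2.1": None, "198.51.100.1": None, "203.0.113.1": None}
# Link healthy for two rounds, then dead for 21 rounds (10.5 minutes at 30 s).
SAMPLE_ROUNDS = [ALL_UP, ONE_SLOW] + [ALL_DOWN] * 21


def sample_run() -> WanFailoverMonitor:
    """Failover at t=60 s, 19 suppressed rounds, second failover at t=660 s."""
    return run_schedule(SETTINGS, SAMPLE_ROUNDS)


if __name__ == "__main__":
    mon = sample_run()
    for t, msg in mon.events:
        print(f"t={t:4d}s  {msg}")
    print("active link:", mon.active)
```

Lowering the failover gap shortens the outage on the second failure but, as the guide warns, each failover costs a restart.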

Completing the Routing Entries

You use the Routing tab to set up static or dynamic routes.

Firebox Vclass supports three dynamic routing protocols, which are built on GNU Zebra (http://www.zebra.org) routing software:

• Routing Information Protocol (RIP) version 1 and 2

• Open Shortest Path First (OSPF)

• Border Gateway Protocol (BGP)

NOTE

Dynamic routing currently does not support MIBs, SNMP, multicast, or IPv6 routing protocols.

NOTE

Dynamic Routing is not supported in Transparent Mode.

All routing configurations depend upon the following qualifications:

• The appliance listens on the Private interface, not the Public or DMZ interface


To enter the preferred routes, follow these steps:

1 Click the Routing tab.


2 To catalog the first of any static routes that will be used by network traffic passing through this appliance, click Add.

The Add Route dialog box appears.


3 In the Destination, Network Mask, and Gateway fields, enter the information necessary for a route.

4 From the Interface/Port menu, select the port used for this route.

5 In the Metric field, type the number of hops in this route.

6 Click OK to close the dialog box and add this route to the tab contents.

7 Repeat this process to catalog all other static routes.

8 If you want to use Dynamic Routing, click the Enable Dynamic Routing checkbox.

9 Select the type of Dynamic Routing you want to use (RIP, OSPF, or BGP), and click Enable protocol.

After you enable the protocol, you can type your configuration file contents into the text box, or click Copy from file to paste the contents of an existing configuration file.

10 When you have finished making changes to the Routing tab, click Apply to save all the new entries.

Completing the DNS Entries

The Domain Name Server (DNS) tab allows you to catalog all local DNS servers that might be used by this security appliance.

1 Click the DNS tab.


2 In the Domain Name field, type the domain name used for this security appliance.

3 To start cataloging the DNS servers, click Insert .

The DNS Server dialog box appears, as shown here.


4 In the blank numeric text field, type the IP address of a DNS server.


5 Click the Add button to save this entry in the DNS Servers list.

6 Repeat this process to record the IP addresses of other DNS servers.

7 If more than one server is listed in this tab, you can shuffle the search order by choosing a server entry and then clicking the Up or Down buttons until each server appears in the proper order.

8 When you are finished with the DNS tasks, click Apply to save your new entries.

Completing the SNMP Entries

The CPM software allows you to assign this security appliance to an SNMP community, so it can be monitored through SNMP management stations. You can also configure this appliance so that an SNMP trap is sent to management stations when certain alarms are triggered. This tab assists you in the following tasks:

• Adding required IP addresses of management stations

• Recording the SNMP community string

• Activating the SNMP trap

NOTE

For a complete list of supported MIBs in the CPM software, open and review the MIB files that are stored on the CPM CD.

1 Click the SNMP tab.

The SNMP Management Stations area (currently empty) lists the IP addresses (one or more) of all the network management stations that will receive SNMP traps when generated by this WatchGuard appliance.

2 To add a specific management station to this list, click Add.

The SNMP Management Station dialog box appears.


3 Type the station’s IP address in the blank numeric text field.

4 Click the Add button to catalog this management station in the SNMP tab.

5 If necessary, repeat the SNMP Management Station dialog box process to record the IP addresses of all other management stations that will be monitoring this security appliance.

6 If you are going to enable SNMP management, in the Community String field, type the password text that will identify the appliance to the management station. The community string is a shared password that SNMPv1 and SNMPv2c send in cleartext with every request and trap, so choose a string other than common defaults such as “public” and list only the management stations that actually need to receive traps.

7 If you want this security appliance to send any alarm-triggered traps to the listed management stations, click to select the Enable SNMP Trap checkbox.

Although no traps will be sent if you deactivate this option, any triggered alarms will still be logged in the appliance or emailed to the appropriate WatchGuard appliance administrator.

8 When you are finished with the SNMP tab, click Apply to save your new entries.

Completing the Log Settings Entries

1 Click the Log Settings tab.


2 The Log Settings workspace provides two sets of options, one for each of the two log types, Traffic and Event:

- Click to select the Enable Traffic Logging checkbox to activate the WatchGuard logging function for all data traffic passed through this WatchGuard appliance.

- Click to select the Enable Event Logging with Log Level checkbox, and then drag the slider below this checkbox until it is level with the desired logging level.


The slider allows you to include fewer events or more events in your event log file–depending upon which selection you make. The “Critical Events only” selection creates a basic log file including only major events, while the remaining selections below add increasing amounts of information and detail to the log file.

NOTE

Because the system purges the contents of the log files when a certain size is reached (usually a maximum of 200 KB), the more events you include, the more often the logs are purged. If you need a longer history than the appliance itself keeps, send the logs to a syslog server as described in step 3.

See the CPM Applications Guide for more information about appliance logging.

3 If you want to enable remote logging, select the Remote Logging to checkbox, and type the IP address of the syslog server where you want the remote logs saved.

The Detail button is enabled.

4 Click Detail if you want to define the facility and priority settings of remote logs.

The Remote Log Detail dialog box appears.


NOTE

The Remote Log Detail dialog box is supported only on the following appliances: Firebox V10, V60, V80, V100, V200 and RSSA 500, 2000, 4000, 6000, 8000.


5 Use the drop lists to define the Facility and Priority of the Alarms, Events, Traffic, P1Sa, and Ras entries for remote logs. Click OK to save and close the dialog box.

6 When you have finished with the Log Settings tab, click Apply to save your new entries.

For more information about configuring a syslog server to accurately store all log files from a range of Firebox Vclass appliances, review the tech notes available on the WatchGuard support Web site. Keep in mind that syslog as commonly deployed carries log records unauthenticated and unencrypted, so place the syslog server on a trusted segment and restrict which hosts may send to it.
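The Facility and Priority values chosen in the Remote Log Detail dialog reach the syslog server packed into the numeric PRI prefix of each message. The following Python script is an added example, not code from the CPM guide or from WatchGuard: it encodes and decodes that prefix and tallies constructed sample lines (with a hypothetical host name “fbv80”) by facility, which is how you confirm on the server that the Alarms, Events and Traffic streams land where you configured them.

```python
"""Syslog facility/priority encoding, as an added example (not part of the CPM guide).

The Remote Log Detail dialog assigns a Facility and Priority to each log
category; on the wire those two values are packed into the <PRI> prefix of
every syslog message as PRI = facility * 8 + severity (RFC 3164). The
functions below encode and decode that field and tally constructed sample
lines by facility.
"""
import re
from typing import Dict, Iterable, Tuple

# Standard facility codes 0-23 and severity codes 0-7.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def encode_pri(facility: str, severity: str) -> int:
    """Pack a facility/severity pair into the numeric PRI value."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(pri: int) -> Tuple[str, str]:
    """Unpack a PRI value; 191 (local7/debug) is the largest legal value."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_line(line: str) -> Tuple[str, str, str]:
    """Split one raw syslog line into (facility, severity, remainder)."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError(f"no <PRI> prefix: {line!r}")
    facility, severity = decode_pri(int(m.group(1)))
    return facility, severity, m.group(2).strip()


def facility_histogram(lines: Iterable[str]) -> Dict[str, int]:
    """Count messages per facility, e.g. to check that Traffic logs are not landing in the Alarm facility."""
    counts: Dict[str, int] = {}
    for line in lines:
        facility, _, _ = parse_line(line)
        counts[facility] = counts.get(facility, 0) + 1
    return counts


# Constructed sample lines (hypothetical host name "fbv80"), as a syslog server might
# store them if Alarms were mapped to local0/crit, Events to local1/notice and
# Traffic to local2/info in the Remote Log Detail dialog.
SAMPLE_LINES = [
    "<130>Jan  5 10:00:01 fbv80 alarm: SYN flood threshold exceeded",
    "<141>Jan  5 10:00:02 fbv80 event: configuration profile deployed",
    "<150>Jan  5 10:00:03 fbv80 traffic: 10.10.1.5:4242 -> 192.0.2.10:80 pass",
    "<150>Jan  5 10:00:03 fbv80 traffic: 10.10.1.6:4243 -> 192.0.2.10:443 pass",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print(facility_histogram(SAMPLE_LINES))
```

Run it against a capture from your own syslog server and compare the histogram with the facilities you assigned in the dialog; a category arriving under an unexpected facility usually means the server's filter rules, not the appliance, are misrouting it.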

Completing the Hacker Prevention Entries

1 Click the Hacker Prevention tab.


The Hacker Prevention tab appears, displaying the default values.

2 Select and configure the Denial-of-Service Prevention options.

The following options safeguard your servers from denial-of-service attacks. Such attacks flood your network with “requests” for information, clogging your servers and possibly shutting down your site. After you activate an option and set its threshold for this Firebox Vclass appliance, the appliance rate-limits the matching traffic: if more than the specified number of requests arrive within a second, it drops the excess requests within that same second while permitting the acceptable number to pass through. This protects your servers from becoming overwhelmed by too many requests within a short period of time. A threshold limits what reaches the servers behind the appliance; it does not reduce the flood traffic arriving on the link in front of it, so set each threshold to what the protected servers can actually sustain.

ICMP Flood Attack

Allows you to safeguard your network from a sustained flood of ICMP pings. You can change the threshold number in the accompanying text field to a value that will trigger the denial-of-service protection.

SYN Flood Attack

Allows you to safeguard your network from a sustained flood of TCP SYN requests without the corresponding ACK response. You can change the threshold number in the accompanying text field to a value that will trigger the denial-of-service protection.

UDP Flood Attack

Allows you to safeguard your network from a sustained flood of UDP packets. You can change the threshold number in the accompanying text field to a value that will trigger the denial-ofservice protection.

Ping of Death

Safeguards your network from oversized ICMP echo requests: fragmented pings that reassemble to more than the 65,535-byte maximum IP packet size, which crashed older IP stacks.

IP Source Route

Safeguards your network from packets carrying the IP source-route option. With source routing the sender dictates the path a packet takes, which lets an attacker use a forged (trusted) source address and still receive the replies, bypassing firewall security.

3 Select the Distributed Denial-of-Service Prevention options.

As a subset of denial-of-service attacks, distributed DoS attacks occur when hackers coordinate a number of “borrowed” computers for malicious purposes and program them to simultaneously assault a network with information requests. If allowed to pass through, they can overwhelm and crash your Web servers.

Per Server Quota

Allows you to safeguard your servers from coordinated denial-of-service attacks against any single server. You can change the threshold number in the accompanying text field to a value that represents the maximum request capacity (per second) of that server. If there are more than the specified number of connection requests within a second, the Firebox Vclass appliance drops the excess requests within that same second. This protects your server from being overwhelmed by too many connection requests in a short period of time.

Per Client Quota

Restricts the number of connection requests from a single client within a second. You can change the threshold number in the accompanying text field to a value that represents the maximum number of requests (per second) from a single client. If there are more than the specified number of connection requests within a second, the Firebox Vclass appliance drops the excess requests within that same second.

4 When you have finished with the Hacker Prevention tab, click Apply to save your new entries.
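The drop rule described above (count per second, pass up to the threshold, drop the excess in that same second) is simple enough to model exactly. The Python below is an added example, not CPM code, covering both the flood thresholds and the Per Server and Per Client quotas. The thresholds, addresses and packet stream are constructed, and the order in which the three checks run is an assumption, since the guide does not state it.

```python
"""Per-second request quotas, as an added example (not CPM code).

Models the drop rule the Hacker Prevention tab describes: within each
one-second window, requests up to the threshold pass and the excess in that
same second is dropped. Three counters are kept, mirroring the tab: a flood
threshold per packet kind (ICMP, SYN, UDP), the Per Server Quota and the
Per Client Quota. All thresholds, addresses and packets are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    t: float      # arrival time in seconds
    src: str      # client IP
    dst: str      # server IP
    kind: str     # "syn", "icmp" or "udp"


@dataclass(frozen=True)
class QuotaConfig:
    flood: Dict[str, int]   # per-second threshold per packet kind
    per_server: int         # Per Server Quota: requests/second to any one server
    per_client: int         # Per Client Quota: requests/second from any one client


class PerSecondCounter:
    """Counts events per key inside the current whole second; nothing carries over."""

    def __init__(self) -> None:
        self._counts: Dict[str, int] = defaultdict(int)
        self._second = -1

    def _roll(self, now: float) -> None:
        sec = int(now)
        if sec != self._second:         # new second: every counter starts from zero
            self._second = sec
            self._counts.clear()

    def at_limit(self, now: float, key: str, limit: int) -> bool:
        self._roll(now)
        return self._counts[key] >= limit

    def count(self, now: float, key: str) -> None:
        self._roll(now)
        self._counts[key] += 1


class HackerPrevention:
    def __init__(self, cfg: QuotaConfig) -> None:
        self.cfg = cfg
        self.flood, self.server, self.client = PerSecondCounter(), PerSecondCounter(), PerSecondCounter()

    def check(self, p: Packet) -> Tuple[bool, str]:
        """Return (passed, reason). A packet is counted only if it clears every quota."""
        checks: List[Tuple[PerSecondCounter, str, int, str]] = []
        if p.kind in self.cfg.flood:
            checks.append((self.flood, p.kind, self.cfg.flood[p.kind], f"{p.kind}-flood"))
        checks.append((self.client, p.src, self.cfg.per_client, "per-client"))
        checks.append((self.server, p.dst, self.cfg.per_server, "per-server"))
        for counter, key, limit, reason in checks:
            if counter.at_limit(p.t, key, limit):
                return False, reason    # the excess within this second is dropped
        for counter, key, _, _ in checks:
            counter.count(p.t, key)
        return True, "pass"


def run(cfg: QuotaConfig, packets: List[Packet]) -> Dict[str, int]:
    """Feed a packet stream through the quotas and tally the outcomes."""
    hp = HackerPrevention(cfg)
    tally: Dict[str, int] = defaultdict(int)
    for p in packets:
        tally[hp.check(p)[1]] += 1
    return dict(tally)


SAMPLE_CONFIG = QuotaConfig(flood={"syn": 100, "icmp": 100, "udp": 200}, per_server=50, per_client=5)


def sample_traffic() -> List[Packet]:
    """Constructed stream: one noisy client, then many clients to one server, then an ICMP flood."""
    pkts = [Packet(i / 1000, "10.0.0.1", "192.0.2.10", "syn") for i in range(20)]
    pkts += [Packet(0.1 + i / 1000, f"10.0.1.{i}", "192.0.2.10", "syn") for i in range(60)]
    pkts += [Packet(1.0 + i / 1000, f"10.0.2.{i}", f"192.0.2.{20 + i % 4}", "icmp") for i in range(120)]
    return pkts


if __name__ == "__main__":
    print(run(SAMPLE_CONFIG, sample_traffic()))
```

Note what the per-second window implies: the quotas reset at each whole-second boundary, so a client can send its full quota at the end of one second and again at the start of the next. That is the behaviour the tab describes, and it is why the thresholds should be set from the servers' sustained capacity rather than their peak burst capacity.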

Completing the High Availability Tab

The High Availability tab appears only if the model of Firebox Vclass appliance being configured incorporates one or more HA interfaces. High Availability (HA) allows you to set up a system that activates an almost instantaneous replacement of a primary appliance with a secondary appliance in the event of system failure. This identically profiled secondary appliance takes over all traffic control in place of the failed primary appliance.

There are two High Availability modes: Active/Standby and Active/Active. Active/Standby is available for all models that have an HA interface. Active/Active is available for V80 and V100 models, and requires the purchase of a software upgrade license. Please refer to the WatchGuard Web site for information on purchasing software upgrade licenses: https://www.watchguard.com/upgrade

Active/Standby

In Active/Standby mode, when a primary appliance fails, the passive appliance comes online with a full copy of the state table and VPN tunnels, to provide maximum uptime and network availability. Active/Standby is available for all models that have an HA interface. In this mode, both appliances are configured with the same system name, IP address, and configuration information.

Active/Active

In Active/Active mode, the paired appliances process traffic in parallel, and use transparent state failover. In the case of a failure, all processing and traffic transitions seamlessly to the appliance that is still working. System configuration, security policies, active connections, and VPN tunnels are shared between the two active appliances. Both appliances are sending and receiving packets, so processing throughput is potentially doubled. If one appliance fails, the other is fully aware of the state of all connections and can continue carrying the load without dropping any packets. Active/Active mode requires the purchase of an upgraded software license.


Configuration comparison between Active/Standby and Active/Active mode

Host Name

- Active/Standby mode: Same for primary and secondary appliances.

- Active/Active mode: Different for primary and secondary appliances.

IP addresses

- Active/Standby mode: Same for primary and secondary appliances.

- Active/Active mode: Different for primary and secondary appliances.

MAC address

- Active/Standby mode: Same for primary and secondary appliances. Uses VRRP-defined MAC addresses.

- Active/Active mode: Different for primary and secondary appliances. Uses the devices’ factory MAC addresses.

Sending/Receiving Packets

- Active/Standby mode: Only the Active appliance can send and receive packets.

- Active/Active mode: Both Active appliances can send and receive packets, potentially doubling system throughput.

To learn how to set up an HA Active/Active connection, see the High Availability Guide .

To set up CPM Client to manage an HA Active/Standby connection, first connect the two Firebox Vclass appliances through the HA port:

- Connect the Private interface (0) of the Active (primary) device to the hub or switch

- Connect the Private interface (0) of the Standby device to the same hub or switch

- Connect the HA interfaces with crossover cables

- Connect the management station to the hub

Then configure the pair:

1 Click the High Availability tab.


2 Click to select the checkbox marked Enable High Availability if you want to enable this feature.

The Active/Standby and Advanced buttons become available.

3 Select Active/Standby to enable High Availability in Active/Standby mode.

4 If desired, click Extra HA traffic protection, and type and confirm a Shared Secret.

This feature is optional, and can be left blank if you do not need to encrypt information sent between these appliances during normal operation. Encryption is not necessary if the HA1 interfaces are connected directly with a crossover cable; if the HA link instead passes through a shared switch, set a shared secret, because the state-sync traffic carries the connection state table that any other host on that switch could otherwise read.


NOTE

The HA shared secret is used to encrypt HA state-sync information. VPN tunnel information is always encrypted, even if this encryption is disabled.

5 Click Advanced.

The Advanced HA Settings dialog box appears.


6 Click the checkbox of each port you want the backup appliance to monitor.

7 Enter an HA Group ID, if you want to use a different one than the default.

HA Group IDs are used to identify High Availability Active/Standby pairs on your network. Each HA Active/Standby pair should have a separate Group ID.

8 Click the checkbox to select the HA interface you want to enable and send HA heartbeats over.

9 Enter the Primary IP address, Secondary IP address, and Netmask of the HA interface you enabled.


10 Click OK .

Completing the Tunnel Switch Entries

If this model of security appliance incorporates Tunnel Switch hardware functionality, the Tunnel Switch tab appears in the System Configuration dialog box. You can use this tab to enable the hardware features. After that, you must set up the policies required to enact tunnel switching with qualifying data streams.

NOTE

Tunnel switching is supported only on the following appliances: Firebox V60, V80, V100, V200 and RSSA 2000, 4000, 6000, 8000.

1 Click the Tunnel Switch tab.


2 Click to select the checkbox marked Enable Tunnel Switch if you want to enable this feature.

3 Click Apply to save this change to the configuration.

For more information about tunnel switching configuration and setup, see “Establishing Tunnel Switching” on page 251.


Completing the VLAN Forwarding Tab

Your network may include a number of VLANs (either classic VLAN or multi-tenant domains). As a result, you may need to create security policies to route traffic between two separate domains that use the same VLAN switch. In such a situation, which is known as “VLAN forwarding,” you can enter such inter-VLAN policies in CPM, but you must activate VLAN forwarding, as described in this section.

VLAN forwarding is a feature built into certain Firebox Vclass models. This function is inactive by default.

NOTE

VLAN forwarding is supported only on the following appliances: Firebox V60, V80, V100, V200 and RSSA 2000, 4000, 6000, 8000.


To activate the VLAN forwarding components of a Firebox appliance, follow these steps:

1 Open the System Configuration window for the designated appliance.

2 Click the VLAN Forwarding tab.

If this tab is not visible, the selected Firebox model does not incorporate VLAN-forwarding capabilities.

3 Click to select the checkbox marked Enable inter-VLAN forwarding.

4 Click Apply . Click OK to close the window.

After you deploy this revised profile, the appliance will be ready for inter-VLAN communications.


Completing the NTP Tab

This tab allows you to specify whether you want to enable a connection between the Firebox Vclass appliance and NTP servers. The NTP server synchronizes the time settings on the Firebox Vclass appliance; Vclass appliances can use any of three NTP servers to synchronize the time setting. Accurate time keeps the appliance’s log and alarm timestamps comparable with those of your syslog server and other systems, and it is what the appliance uses to judge license expiration dates.

NOTE

Connecting to NTP servers is supported only on the following appliances: Firebox V10, V60, V80, V100, V200 and RSSA 500, 2000, 4000, 6000, 8000.

1 Click the NTP tab.


2 Click the Enabled checkbox to establish a connection between the NTP server and the Firebox Vclass appliance.

3 Enter the IP address of the NTP server you want the Firebox Vclass appliance to connect to when enabled.

4 Click Apply .

Completing the Blocked Sites tab

The System Configuration Blocked Sites List allows you to create a permanent list of blocked IP addresses, and a permanent list of Exceptions, which are never blocked. When packets from a Blocked IP address reach the Vclass through the Public port, they are dropped; an address on the Exception List is never blocked, even if it also appears in the Blocked IP List.

You can also specify a global list of blocked sites and exceptions, and import them into any appliance.

NOTE

The System Configuration Blocked Sites List is static, and changes only when an administrator makes changes to it.


To Block an IP address:

1 Click the Blocked Sites tab.

The System Configuration Blocked Sites window appears.

2 To add a blocked site, click the Add button under the Permanent Blocked Site IP List. To edit a blocked site entry, select the entry and click Edit.

The Add or Edit Site dialog appears.

3 In the Site field, type the IP address to block, then click OK.

The new or edited site address is listed in the Blocked IP List.

To add an IP address to the exception list:

1 Click the Blocked Sites tab.

The System Configuration Blocked Sites window appears.

2 To add an exception, click the Add button under the exceptions list. To edit an exception list entry, select the entry and click Edit .

The Add or Edit Site dialog appears.


3 In the Site (IP) field, type the IP address exception, then click OK .

The new or edited site address is listed in the Exception List.

To delete a blocked site or exception list entry:

1 Click the Blocked sites tab.

The System Configuration Blocked Sites window appears.


2 Select an entry from the Blocked Sites List or the Exceptions List, and click Delete.

You can select multiple contiguous IP addresses by holding the Shift key while clicking, or multiple discontinuous IP addresses by holding the Control key while clicking.

Global Blocked Sites

The global blocked sites list includes the list of globally defined blocked sites in the configuration for this appliance. The global blocked sites list is stored locally to the CPM server, and can be used as a central repository for blocked sites and exceptions that can be applied to any appliance.

To define global blocked sites:

1 Click the Blocked Sites tab.

The System Configuration Blocked Sites window appears.

2 Click Edit Global Blocked Sites .

The Global Blocked Sites window appears.

3 Add, Edit, and delete blocked sites and exceptions as with the System Configuration blocked sites list.

4 Click OK .


There are two ways you can include the contents of the Global Blocked Sites list:

1 In the System Configuration Blocked Sites window, click Include Global Blocked Sites.

The global blocked sites list is applied, in addition to the appliance’s own lists, while the system is running.

2 Click Fill with the Global Blocked Sites to populate the System Configuration Blocked Sites lists with the contents of the Global Blocked Sites list.

The Blocked Sites list is filled with the contents of the Global Blocked and Exceptions lists.
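The rules of this tab (exceptions always win, only the Public port is affected, and a global list that is either included at run time or copied into the local lists) are easy to get wrong when two lists overlap. The Python below is an added example, not CPM code, that evaluates a source address against those rules. It goes one step beyond the tab in accepting CIDR networks as well as single addresses; every address in it is constructed, and “Public”, “Private” and “DMZ” are the interface names this guide uses.

```python
"""Blocked Sites evaluation, as an added example (not CPM code).

Reproduces the rules the Blocked Sites tab describes: a permanent Blocked IP
List and an Exceptions list that is never blocked, applied to packets arriving
on the Public port, plus the Global Blocked Sites list kept on the CPM server,
which can either be included at run time or copied into the local lists
("Fill with the Global Blocked Sites"). All addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

IPNet = ipaddress.IPv4Network


def _nets(entries: Iterable[str]) -> List[IPNet]:
    # strict=False lets both a bare host ("203.0.113.9") and a network ("198.51.100.0/24") load.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


@dataclass
class SiteList:
    blocked: List[IPNet] = field(default_factory=list)
    exceptions: List[IPNet] = field(default_factory=list)

    @classmethod
    def from_strings(cls, blocked: Iterable[str], exceptions: Iterable[str] = ()) -> "SiteList":
        return cls(_nets(blocked), _nets(exceptions))

    def filled_with(self, other: "SiteList") -> "SiteList":
        """'Fill with the Global Blocked Sites': copy the other list's entries into this one."""
        return SiteList(self.blocked + other.blocked, self.exceptions + other.exceptions)


class BlockedSites:
    def __init__(self, local: SiteList, global_list: Optional[SiteList] = None,
                 include_global: bool = False) -> None:
        self.local = local
        self.global_list = global_list or SiteList()
        self.include_global = include_global   # the "Include Global Blocked Sites" option

    def _lists(self) -> Iterable[SiteList]:
        yield self.local
        if self.include_global:
            yield self.global_list

    def decision(self, src_ip: str, interface: str) -> str:
        """Return 'drop' or 'pass' for a packet with this source arriving on this interface."""
        if interface != "Public":
            return "pass"   # the tab applies only to packets reaching the appliance via the Public port
        ip = ipaddress.ip_address(src_ip)
        # Exceptions are never blocked, so they win over any blocked entry.
        if any(ip in net for sl in self._lists() for net in sl.exceptions):
            return "pass"
        if any(ip in net for sl in self._lists() for net in sl.blocked):
            return "drop"
        return "pass"


# Constructed lists: a local list for one appliance and a global list on the CPM server.
LOCAL = SiteList.from_strings(
    blocked=["203.0.113.9", "198.51.100.0/24"],
    exceptions=["198.51.100.7", "192.0.2.77"],
)
GLOBAL = SiteList.from_strings(blocked=["192.0.2.0/24"])

if __name__ == "__main__":
    bs = BlockedSites(LOCAL, GLOBAL, include_global=True)
    for ip in ("203.0.113.9", "198.51.100.7", "192.0.2.5", "192.0.2.77"):
        print(ip, bs.decision(ip, "Public"))
```

The difference between the two inclusion methods shows up in the last case: with Include Global Blocked Sites, a later change to the global list on the CPM server takes effect for every appliance that includes it, whereas Fill with the Global Blocked Sites takes a one-time copy that the appliance's own static list then owns.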

Completing the Advanced tab

NOTE

The Advanced tab is supported only on the following appliances: Firebox V10, V60, V80, V100, V200 and RSSA 500, 2000, 4000, 6000, 8000.

1 Click the Advanced tab.


2 Click Enable Syn Checking to enable SYN checking on all TCP packets.

3 Click Ignore DF for IPSec to let the appliance fragment large packets for transmission through the VPN tunnel even when their Don’t Fragment (DF) bit is set. A router normally must drop a DF packet that does not fit the next hop and return an ICMP “fragmentation needed” message, which is what path MTU discovery relies on; with this option set, the packet is fragmented instead, at the cost of reassembly at the far end of the tunnel.

4 Click IPSec/NAT Pass Through to enable IPSec/NAT Pass Through.

5 Click Allow all ICMP errors or Allow Specified ICMP errors .

If you chose Allow Specified ICMP errors, select the checkboxes of the ICMP errors you want to allow.

6 Adjust the TCP Maximum Segment Size, if required.


This feature works in conjunction with the MTU settings to limit the size of packets, if configured. This feature overcomes the following problems:

- Oversized packets can result in fragmentation, degrading VPN performance.

- Proxies may require MSS adjustment to prevent fragmentation.

- Some older systems do not support MTU to regulate packet size. This feature works along with MTU; it does not replace MTU.

The following settings are available:

Auto Adjustment

Auto adjustment calculates the MSS automatically, using the following calculations:

- Determining the lesser value of the input port MTU and the output port MTU.

- Subtracting packet overhead, including IP and TCP addressing, VLAN, ESP, PPPoE, AH, and UDP encapsulation.

- Rounding the result down to the next lower multiple of 8 bits (8-bit aligned) to determine the size in bytes that is required for packet transmission.

The results of this calculation are used as the MSS for the connection.

Limit to N Bytes (40-1460)

This limits MSS to the specified size in bytes.

No Adjustment

This specifies that no change be made to the TCP header. If you select this option, packets may fragment.
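The three MSS settings above can be checked by calculation before they are deployed. The Python below is an added example, not CPM code: it implements Auto Adjustment from the steps listed above, validates a Limit to N Bytes value against the field's range, and goes one step beyond the tab's description by rewriting the MSS option in a constructed TCP SYN, which is what an MSS clamp does to the packet. The header sizes are the standard ones; the ESP figure assumes an 8-byte IV, 8-byte block padding and a 12-byte HMAC-96 ICV, and aligning down to a multiple of 8 bytes is likewise an assumption (the guide says “8-bit aligned”).

```python
"""TCP MSS adjustment, as an added example (not CPM code).

Implements the three choices on the Advanced tab: Auto Adjustment (the smaller
of the two port MTUs minus the encapsulation overhead, aligned down), a fixed
Limit to N Bytes (40-1460), and No Adjustment, plus the rewrite of the MSS
option in a constructed TCP SYN. The ESP overhead and the 8-byte alignment
are assumptions, as the lead-in explains.
"""
import struct
from typing import Iterable, Optional

# Fixed overhead in bytes for each encapsulation the Auto Adjustment text lists.
OVERHEAD = {
    "ipv4": 20,   # an IPv4 header without options (inner or outer)
    "tcp": 20,    # a TCP header without options
    "vlan": 4,    # 802.1Q tag
    "pppoe": 8,   # PPPoE header (6) plus PPP protocol field (2)
    "udp": 8,     # UDP header for NAT traversal encapsulation
    "ah": 24,     # AH with a 96-bit ICV
    "esp": 36,    # SPI+sequence 8, IV 8, padding 6, pad-length/next-header 2, ICV 12 (assumption)
}
MSS_MIN, MSS_MAX = 40, 1460   # the range the "Limit to N Bytes" field accepts


def auto_mss(in_mtu: int, out_mtu: int, encaps: Iterable[str], align: int = 8) -> int:
    """Auto Adjustment: min(MTUs) minus the segment's own IP/TCP headers and every encapsulation."""
    mtu = min(in_mtu, out_mtu)
    overhead = OVERHEAD["ipv4"] + OVERHEAD["tcp"] + sum(OVERHEAD[e] for e in encaps)
    mss = mtu - overhead
    return mss - (mss % align)       # round down to the next lower multiple of `align`


def limit_mss(n: int) -> int:
    """Limit to N Bytes: a fixed value, validated against the field's range."""
    if not MSS_MIN <= n <= MSS_MAX:
        raise ValueError(f"MSS limit {n} outside {MSS_MIN}-{MSS_MAX}")
    return n


def _options(tcp_header: bytes):
    """Yield (offset, kind, length) for each option in a TCP header."""
    data_offset = (tcp_header[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = tcp_header[i]
        if kind == 0:                # End of Option List
            return
        if kind == 1:                # No-Operation, one byte
            i += 1
            continue
        length = tcp_header[i + 1]
        yield i, kind, length
        i += length


def mss_of(tcp_header: bytes) -> Optional[int]:
    """The MSS option value (kind 2) carried by a SYN, or None if absent."""
    for off, kind, length in _options(tcp_header):
        if kind == 2 and length == 4:
            return struct.unpack("!H", tcp_header[off + 2:off + 4])[0]
    return None


def clamp_mss(tcp_header: bytes, new_mss: Optional[int]) -> bytes:
    """Rewrite the MSS option if it exceeds new_mss; None means No Adjustment.

    A real clamp must then recompute the TCP checksum over the pseudo-header,
    which this example leaves out.
    """
    if new_mss is None:
        return tcp_header
    hdr = bytearray(tcp_header)
    for off, kind, length in _options(tcp_header):
        if kind == 2 and length == 4:
            current = struct.unpack("!H", tcp_header[off + 2:off + 4])[0]
            if current > new_mss:
                hdr[off + 2:off + 4] = struct.pack("!H", new_mss)
    return bytes(hdr)


def build_syn(mss: int) -> bytes:
    """Constructed SYN: ports 40000->443, data offset 6 words (20-byte header + 4-byte MSS option)."""
    fixed = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    return fixed + struct.pack("!BBH", 2, 4, mss)


if __name__ == "__main__":
    mss = auto_mss(1500, 1500, ["ipv4", "esp"])       # IPv4 ESP tunnel mode on Ethernet
    print("auto MSS:", mss, "->", mss_of(clamp_mss(build_syn(1460), mss)))
```

The ESP tunnel-mode case on plain Ethernet comes out at 1400 bytes, and adding NAT traversal (UDP) or PPPoE on the outer link lowers it further; if you pick Limit to N Bytes instead, use the same arithmetic to choose N, since a value above the auto result leaves the fragmentation problem in place.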


Completing the System Configuration Setup

After you have completed the settings in the System Configuration dialog box for this appliance, click OK . This saves all the entries and closes the dialog box.

Reviewing the current licenses

If you have already configured an active appliance and want to review the extended-feature licenses previously imported into the appliance, follow these steps:

1 Right-click an appliance record in the Appliance Manager window and select Show Licenses.

The [Appliance Name] Licenses window appears, listing any licenses present in this appliance.

2 To review the complete set of active features, click Show Active Features.

The Active Features dialog box appears.

This dialog box shows the feature names, the capacity (dictated by the current license) and the expiration date.

3 When you are finished reviewing the contents, click Close to close the dialog box.

4 To review the actual text of a license, double-click the license entry in the License window.

The License Detail dialog box appears, displaying the license text.


This text cannot be copied and applied to any other appliances, because it is linked to the serial number hard-coded into the appliance.


CHAPTER 7

Defining Security Policies in CPM

A primary function of CPM is to protect your network from unwanted traffic while allowing valid data streams to enter. The mechanisms by which traffic is evaluated and managed are called security policies .

For example, you might apply one global policy over all devices in your network to block intrusive service requests such as FTP or Telnet. A separate policy might allow email, FTP, and HTTP traffic for a group of servers connected to DMZ interfaces. Still another policy for certain devices might block access to the Internet to most users while granting it to a special group of users.

Security Policy Components

Every security policy has two basic components: a traffic specification and an action .


Traffic specifications

The first component of a security policy qualifies every data stream received. Traffic specifications incorporate the following components:

Source

Where the data packets come from: from outside your network or from within a specific region of your network.

Destination

Where the data packets will be sent: to external networks or to another region of your network.

Service

What type of traffic is in these data streams; for example, HTTP, mail, FTP, or Telnet.

Policy actions

A policy action determines what procedure an appliance follows when it detects a data stream that matches a particular traffic specification. An appliance can take one or more of the following actions:

• Pass, block, reject, or proxy filter qualifying traffic

• Apply one of three general NAT actions: dynamic NAT, static NAT, or load balancing

• Apply Quality of Service (QoS) and Type of Service (TOS) marking

• Initiate and maintain a VPN connection with another device. This includes several types of corporate site connections and remote-access service connections between external users and a corporate network.

For more information on policy actions, see Chapter 8, “Using Policy Actions.”


Security Policies in CPM

When you use CPM to create security policies, you can designate a wide range of possibilities as traffic sources or destinations: whole networks, whole subnets, specific ranges of IP addresses, or single IP addresses. You can also choose the services, the actions, and a specific schedule of operations for each policy.

Using CPM, you first create a policy, and then you prompt CPM to determine which appliances it applies to. Any given policy can be applied to a number of security appliances. You also create all policies off-line, which keeps you from tying up an operational appliance while you work.

Scope of policies in CPM

Because you use WatchGuard CPM to manage all of your security appliances, you can create policies that apply to a single appliance or to several. For example, you may want to apply a VPN policy that permits branch offices to communicate back and forth between corporate headquarters.

The required policy would define all gateway security appliances as both source and destination, and then apply the required IPSec action to protect communications.

Addresses and address groups

Using CPM, every private/trusted network resource is linked to a “private” data interface, a “DMZ” interface, or, if available, a “DMZ2” interface on an appliance, while all others are linked to the external, “public” data interface, or to the Internet. As a result, addresses are recorded as both an address specification and an interface of a particular appliance. If you create a number of internal 10.10.0.0-type address entries per specific site, there is no conflict in CPM because each 10.10.0.0 entry is specifically assigned to a data interface on a specific appliance. All resources not within the protective coverage of an appliance are assigned to the Internet.


Using CPM, you first create address objects or groups, and then you create policies using those objects or groups.

Based on the location of each address object (which port of which appliance this address object is attached to), CPM can determine which policies should be created and applied to each appliance. The act of determining which policies are applied to a given appliance is called policy compilation. The output of policy compilation is combined with system configuration and alarm definitions to form a configuration profile. You then deploy the profile to the appliance. Like system configuration, policy configuration occurs offline. It does not take effect until you deploy the new profile into the appliance.

[Figure: a V80 gateway appliance with several V10 client appliances collected into a single address group]

You can use this group to make a single bi-directional VPN policy to permit access to the corporate network, with your gateway appliance (and the private network) as the destination and this one address group as the source.

You can then easily add new V10 private clients (6, 7, and 8) to this one address group, or remove out-of-date client V10s as they are taken out of service. As a result, you need only a single policy to cover all the relevant VPN clients associated with a single site gateway.

For more information on cataloging network addresses and defining address groups, see the next section.


Cataloging Addresses for Use in Policies

1 After opening the Configuration Editor window, make the Appliance/Address tab visible, if it is not already open.

2 Right-click the relevant appliance record and select New => New Address from the pop-up menu.

The Address dialog box appears.


3 In the Name field, type a name for this address entry.

4 Click the button by the port used by this address: Private (trusted), DMZ (mixed access), or Public (external).

5 From the IP Type menu, select the appropriate type of address.

Any

Select this option if you want to permit any addresses to be the source or destination. For example, you would choose Any if you were creating an address entry that represents all external users who might want access to your Web servers.

You can also select Any if this new address entry represents all of the network assets that communicate through the Private interface of a specific appliance.

IP Address

Select this option if this address represents a single IP address. This could be the IP address of a server or other host.

IP Subnet

Select this option to create an address entry for a subnet that incorporates devices that would be the source or destination for specific traffic, such as a work group or a collection of common-purpose servers.

IP Address Range

Select this option to create an address entry that includes all of the network assets represented by a specific range of addresses.

Private Port

Select this option to create an address entry that represents the Private interface of a specific Firebox Vclass appliance. If you select this option, you do not have to enter the actual IP address.

6 Specify the IP address or range according to the selection you made in the previous step.

7 When you are finished, click OK to save your new address entry.

Entering a new address group

After you have catalogued a number of individual addresses, you can combine related address entries into a group that you can then designate as the source or destination for a particular policy. For example, after entering the addresses of all your security appliances, you can then collect them into a group for use in applying actions that would be performed by all the appliances.

1 Make sure the Appliance/Address tab is visible.


2 Right-click the relevant appliance record and select New => New Address Group from the pop-up menu.

The Addresses dialog box appears, displaying the Group Entry features.

3 In the Name field, type a name for the new group.

4 (Optional) In the Description field, type a description of this group and its addresses.

5 Click OK to save this new group.

6 Add addresses to the group by dragging and dropping from the Appliance/Address list.

You can add ports from appliances, addresses you have defined, and address groups. You cannot add entire appliances or top-level objects (for example, the Address Groups object).
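The address types listed under “Cataloging Addresses for Use in Policies”, the groups just described, and the policy compilation described under “Security Policies in CPM” fit together in a small model. The Python below is an added example, not CPM code: an address object is an address specification bound to one interface of one appliance, a group collects objects and other groups, a policy names a source, a destination and a service and carries an action, compiling for an appliance keeps only the policies with an endpoint attached to it, and at run time the first matching policy in the ordered list wins. Appliance names, addresses and services are constructed, and treating a Private Port object as matching by location alone is an assumption.

```python
"""Address objects, address groups and policy compilation, as an added example
(not CPM code). Appliance names, addresses and services are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class Address:
    name: str
    appliance: str
    interface: str              # "Private", "DMZ" or "Public"
    ip_type: str                # "Any", "IP Address", "IP Subnet", "IP Address Range", "Private Port"
    spec: Optional[str] = None  # e.g. "10.10.7.7", "10.10.0.0/16", "192.0.2.10-192.0.2.12"

    def contains(self, ip: str) -> bool:
        a = ipaddress.ip_address(ip)
        if self.ip_type in ("Any", "Private Port"):
            return True                       # matched by location (appliance + interface), not by address
        if self.ip_type == "IP Address":
            return a == ipaddress.ip_address(self.spec)
        if self.ip_type == "IP Subnet":
            return a in ipaddress.ip_network(self.spec, strict=False)
        if self.ip_type == "IP Address Range":
            lo, hi = (ipaddress.ip_address(x) for x in self.spec.split("-"))
            return lo <= a <= hi
        raise ValueError(f"unknown IP type {self.ip_type}")


@dataclass(frozen=True)
class AddressGroup:
    name: str
    members: Tuple[Union[Address, "AddressGroup"], ...]


Endpoint = Union[Address, AddressGroup]


def flatten(obj: Endpoint) -> List[Address]:
    """Expand a group (recursively) into the address objects it contains."""
    if isinstance(obj, Address):
        return [obj]
    return [a for m in obj.members for a in flatten(m)]


@dataclass(frozen=True)
class Policy:
    name: str
    source: Endpoint
    destination: Endpoint
    service: str        # "HTTP", "Telnet", ... or "Any"
    action: str         # "pass", "block", "reject"


def compile_for(appliance: str, policies: List[Policy]) -> List[Policy]:
    """Policy compilation: a policy applies to an appliance if either endpoint lives on it."""
    return [p for p in policies
            if any(a.appliance == appliance for a in flatten(p.source) + flatten(p.destination))]


def first_match(compiled: List[Policy], appliance: str, in_iface: str,
                src_ip: str, dst_ip: str, service: str) -> Optional[Policy]:
    """Evaluate a flow on one appliance against its compiled, ordered policy list."""
    for p in compiled:
        src_ok = any(a.appliance == appliance and a.interface == in_iface and a.contains(src_ip)
                     for a in flatten(p.source))
        dst_ok = any(a.contains(dst_ip) for a in flatten(p.destination))
        if src_ok and dst_ok and p.service in ("Any", service):
            return p
    return None         # no policy matched; the appliance's default handling applies


# Constructed catalogue: a headquarters gateway ("HQ") and a branch appliance ("Branch").
INTERNET_HQ = Address("Internet", "HQ", "Public", "Any")
INTERNET_BR = Address("Internet", "Branch", "Public", "Any")
WEB = Address("WebServers", "HQ", "DMZ", "IP Address Range", "192.0.2.10-192.0.2.12")
HQ_LAN = Address("HQ-LAN", "HQ", "Private", "IP Subnet", "10.10.0.0/16")
BR_LAN = Address("Branch-LAN", "Branch", "Private", "IP Subnet", "10.20.0.0/16")
FINANCE = Address("Finance", "HQ", "Private", "IP Address", "10.10.7.7")
ALL_LANS = AddressGroup("AllLANs", (HQ_LAN, BR_LAN))
ALL_INTERNET = AddressGroup("Internet-All", (INTERNET_HQ, INTERNET_BR))

POLICIES = [
    Policy("Block Telnet", ALL_INTERNET, ALL_LANS, "Telnet", "block"),
    Policy("Web from Internet", INTERNET_HQ, WEB, "HTTP", "pass"),
    Policy("Finance to Branch", FINANCE, BR_LAN, "Any", "pass"),
    Policy("Branch browsing", BR_LAN, INTERNET_BR, "HTTP", "pass"),
]

if __name__ == "__main__":
    for box in ("HQ", "Branch"):
        print(box, [p.name for p in compile_for(box, POLICIES)])
```

Two things the model makes visible: the same global “Block Telnet” policy compiles onto both appliances because the Internet-All group has a member on each, and a policy that names only objects on the other appliance (“Branch browsing”) is left out of the HQ profile entirely, which is the behaviour to expect when a policy you added seems to be missing from a deployed appliance.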

Entering a new RAS address

If you are anticipating a number of “remote access” users (clients, vendors, and contractors) who will be establishing VPN connections to your extended network, you can use the RAS Addresses features to register one or more pools of internal-use IP addresses to be temporarily assigned to those connections. These addresses can be recorded as a range of IP addresses or as a single subnet (IP address and subnet mask, representing the actual pool of IP addresses).

Address pools are location-specific: you create a pool for each security appliance and deploy it to that appliance. Individual users who initiate connections with a particular appliance are assigned an IP address from that appliance’s address pool when the connection has been established.

Make sure the IP addresses recorded in this group are dedicated to RAS connection use, and have not been assigned to any other purpose in the network; an overlap with an existing subnet would make routing to the RAS clients ambiguous.

1 Right-click the gateway appliance entry (in the Appliance/Addresses tab) and select New => New RAS Address from the pop-up menu.

The Addresses dialog box appears, displaying a set of RAS Address entry features.


2 In the Name field, type a name for the new address entry.

3 (Optional) In the Description field, type a description of this entry.

4 Click the button by either IP Subnet or IP Range, depending upon the number and organization of the internal-use IP addresses.

5 Enter the subnet and netmask. Click OK.

Creating a New Policy

1 Connect to CPM Client.

2 From the CPM Console window, click Configuration Editor.

The Configuration Editor appears, as shown in the following figure.


3 Select Policy => Add Policy => Add Top. Or, select the Add a Policy at Top button, shown at right.

If you are adding a new policy to a list of several policies, from the Policy => Add Policy menu, select Insert Before or Insert After. Or, select the Add a Policy Before or Add a Policy After buttons, shown at left.

A new policy appears in the table, as shown in the following figure.


4 Define the source of the traffic: From the Appliance/Addresses tab at the left of the window, drag an address entry into the Source cell.

5 If the traffic for this policy will come from more than one source, drag those other sources into the Source cell.

6 Define the destination of the traffic: From the Appliance/Address portion of the window, drag an address entry into the Destination cell.

7 Specify the services to be permitted: Click the Services tab on the left portion of the window and drag the service you want into the Service cell. (For information on adding or combining services, see the next section.)

8 Specify the action or actions for the policy: Depending upon which type of action you want, click either the IPSec Action tab or the QoS tab on the left portion of the window and drag the action you want. You can also right-click the Action cell and select one of the choices. For more information on policy actions, see Chapter 8, “Using Policy Actions.”


9 If you want to define more than one action for the policy, specify the additional actions using the procedures described in the previous step.

Cataloging Services for Use in Policies

Although the list of services in the Configuration Editor may be sufficient, you can add services or sets of services to this listing.

Adding a new service

1 From the Configuration Editor, click the Service tab (in the left portion of the window).

The Services tab appears, as shown in the following figure.


2 In the Services tab header, click the Create a New Object button (shown at right) and select New Service. Or right-click anywhere in the list of services and select New Service.

The Service-Object Details dialog box appears.

3 In the Name field, type a name to represent the service.

4 From the Protocol menu, select a protocol.

5 If your protocol selection requires that you specify a port, from the Port menu, select Any, Specific Port, or Range.

If you chose Specific Port , enter the port number. If you chose Range , type the starting and ending port numbers in the fields to the right.

6 (Optional) In the Description field, type a description of the service.

7 Click OK.

The Service tab now displays the name of your new entry.

Adding a new protocol

1 From the Configuration Editor, click the Service tab (in the left portion of the window).

The Services tab appears, as shown in the following figure.


2 In the Services tab header, click the Create a New Object button (shown at right) and select New Service. Or right-click anywhere in the list of services and select New Service.

The Service-Object Details dialog box appears.


3 Type a name for the Service.


4 From the Protocol pull-down menu, select User-Specified.

The dialog changes to display Protocol Number fields.

5 Type a protocol number in the Protocol field.

6 (Optional) Type a description for the protocol in the Description field.

7 Click OK.

Combining services in a group

1 From the Configuration Editor, click the Service tab (in the left margin).

2 In the Services tab header, click the Create a New Object button (shown at right) and select New Combined Service. Or right-click anywhere in the list of services and select New Combined Service.

The Services - Object Details dialog box appears as shown in the following figure.

3 In the Name field, type a name to represent the service group.

4 Click Add .

The Protocol/Port dialog box appears.

5 From the Protocol menu, select a protocol.

6 If your protocol selection requires that you specify a port, from the Port menu, select Any, Specific Port, or Range.


If you chose Specific Port, enter the port number. If you chose Range, type the starting and ending port numbers.

7 (Optional) In the Description field, type a description of the service group.

8 Click OK.

9 Repeat steps 4 - 6 to add new protocols to the group. When you are finished, click OK to close the New Service Group dialog box.

Creating Policy Schedules

You define policy schedules if you want appliances to perform policy actions at specific dates and times. You can either create the schedules in advance and drag-and-drop the schedule into policies, or you can create the required schedule along with the policy.

Creating a new schedule

1 From the Configuration Editor, click the Schedules tab.

2 Click the Create a New Object button, shown at right.

The Schedule dialog box appears, as shown in the following figure.


3 In the Name field, type a name for the schedule.

4 (Optional) In the Description field, type a description of the schedule.

5 Click the cells in the table to designate the days and hours in which you want the policy action applied.

Note that any schedule created in CPM is adapted to the local time zone of any appliance it is applied to.

6 Specify either CPM Server time or Appliance time.

7 Click OK.

Applying an existing schedule to a policy

1 Make the policy row active.

2 Add the Schedule cell to the policy row: select View => Show Columns => Schedule.

3 Click the Schedule tab.

4 Drag the schedule you want to apply from the Schedule tab onto the Schedule cell in the policy row.


CHAPTER 8

Using Policy Actions

Every security policy is composed of two basic components: a traffic specification and an action. A policy action determines what procedure an appliance will follow when it detects a data stream that matches a particular traffic specification.

This chapter covers the following Action menu options: Block/Reject, Do Dynamic NAT, Do Static NAT, Do Load Balancing, Do QoS, and Do TOS Marking. For more information on the Do Proxy action and proxies, see “Defining Proxies in CPM” on page 169. For information on the Do IPSec option, see the CPM Applications Guide. For information on the Bi-directional option, see “Making a VPN Policy Bidirectional” on page 232.

Combining Policy Actions

You can also combine one or more actions in a policy.

For example, suppose you created a VPN policy that permits two server-farm sites to share data with one another. You might also want to implement load balancing, so that the data is distributed equally among several servers. The required policy would focus on the two gateway appliances as source and destination and then apply both the VPN/IPSec action and a load-balancing action.

Not all actions can be combined. The following table shows the combinations of actions that can be applied in a single policy.

                   Firewall  IPSec  Virtual IP/NAT a  Dynamic NAT  Static NAT  QoS
Firewall           na        YES    YES               YES          YES         YES
IPSec              YES       na     YES               YES          YES         YES
Virtual IP/NAT a   YES       YES    na                NO           NO          YES
Dynamic NAT        YES       YES    NO                na           NO          YES
Static NAT         YES       YES    NO                NO           na          YES
QoS                YES       YES    YES               YES          YES         na

a.

Blocking and Rejecting Traffic

To pass, block, or reject traffic, right-click the Action cell and select one of the following:

Pass

The appliance passes all qualifying traffic.

Block

The appliance blocks all qualifying traffic from gaining access to your network.

Reject

The appliance drops the traffic stream after the sender initiates three subsequent connection attempts and sends a TCP reset message back to the sender. (Note, however, that this option reveals to the sender that the appliance’s IP address is valid.)

Do Proxy

The appliance content-filters the traffic according to the rules specified in the Proxy you select. See “Defining Proxies in CPM” on page 169.

About Network Address Translation (NAT)

Through policy actions, CPM supports the following types of NAT:

Dynamic NAT

If you have a number of employees or other private network users whose client computers have been assigned IP addresses for internal use, you can grant all of them full access to the Internet using this type of NAT.

Static NAT

If you want to keep the IP address of a subnet, a server, or a group of users hidden from the public, you can put a different IP address in public view that is replaced with the real IP address when traffic passes through this appliance.

Activating Dynamic NAT

Dynamic NAT action applies to appliances whose address objects are in the source field of the policy. This causes all traffic from internal sources routed from the Private to Public interfaces to be assigned the Public interface IP address:

1 After creating a policy row, drag-and-drop an address representing the appliance’s private or DMZ network into the Source cell.


2 Drag-and-drop “Internet” into the Destination cell.

3 Right-click the Action cell, select Pass, and then select Do Dynamic NAT.

A dynamic NAT label and icon appears in the Action cell.

Activating Static NAT

There are two types of Static NAT: outbound and inbound.

Outbound Static NAT hides the real IP address of the source. It changes the source IP field of outbound packets (packets that go out from a public port) from an “internal IP” located behind private, DMZ, or DMZ2 ports to a publicly routable “external IP”. It is applied to the appliances whose address objects are in the source field of the policy.

To configure outbound Static NAT:

1 Create an address to represent the internal IP. This address is created at a private, DMZ, or DMZ2 port on the appliance that will perform Static NAT.

2 Enter this address in the source field of the policy.

3 Right-click the Action cell, select Pass, and then select Do Static NAT-Outbound.

4 Enter the external IP as the “translated to” IP address.

You can also enter a subnet to SNAT by clicking Subnet, as shown in the figure “SNATing the subnet.”

Inbound Static NAT hides the real IP address of the destination. It changes the destination IP field of inbound packets (packets that come in from a public port) from a publicly routable “external IP” to an “internal IP” located behind a private, DMZ, or DMZ2 port. It is applied to the appliances whose address objects are in the destination field of the policy.

To configure inbound Static NAT:

1 Create an address to represent the external IP. This address is created at a private port on the appliance that will perform Static NAT.

2 Enter this address in the destination field of the policy.

3 Right-click the Action cell, select Pass, and then select Do Static NAT-Inbound.

4 Enter the internal IP as the “translated to” IP.

You can also enter a subnet to SNAT by clicking Subnet, as shown in the figure “SNATing the subnet.”
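The three NAT actions described in this section (Do Dynamic NAT, Do Static NAT-Outbound, Do Static NAT-Inbound), modelled in an added example that is not CPM or Firebox code. It assumes a packet model with an ingress interface name, and, for the Subnet option, that an equal-sized external subnet is mapped host-for-host; the addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str       # source IP address
    dst: str       # destination IP address
    ingress: str   # interface the packet arrived on: "private" or "public" (assumed model)


def _in(addr: str, network: str) -> bool:
    """True if addr lies inside network (a single host counts as a /32)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(network, strict=False)


def _map(addr: str, from_net: str, to_net: str) -> str:
    """Map addr from one network to the same host offset in another.

    For single hosts this is a plain substitution.  For the Subnet option the
    manual does not state the mapping; this example assumes equal-sized subnets
    with the host part preserved.
    """
    src_net = ipaddress.ip_network(from_net, strict=False)
    dst_net = ipaddress.ip_network(to_net, strict=False)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("SNAT subnets must be the same size")
    offset = int(ipaddress.ip_address(addr)) - int(src_net.network_address)
    return str(dst_net.network_address + offset)


def dynamic_nat(pkt: Packet, private_net: str, public_if_ip: str) -> Packet:
    """Do Dynamic NAT: traffic from internal sources routed from the Private
    to the Public interface is given the Public interface IP as its source."""
    if pkt.ingress == "private" and _in(pkt.src, private_net):
        return replace(pkt, src=public_if_ip)
    return pkt


def static_nat_outbound(pkt: Packet, internal_ip: str, external_ip: str) -> Packet:
    """Do Static NAT-Outbound: hide the real source by rewriting the source IP
    of outbound packets from the internal IP to the publicly routable external IP."""
    if pkt.ingress == "private" and _in(pkt.src, internal_ip):
        return replace(pkt, src=_map(pkt.src, internal_ip, external_ip))
    return pkt


def static_nat_inbound(pkt: Packet, external_ip: str, internal_ip: str) -> Packet:
    """Do Static NAT-Inbound: hide the real destination by rewriting the
    destination IP of inbound packets from the external IP to the internal IP."""
    if pkt.ingress == "public" and _in(pkt.dst, external_ip):
        return replace(pkt, dst=_map(pkt.dst, external_ip, internal_ip))
    return pkt


if __name__ == "__main__":
    # constructed packets and addresses
    out = Packet("10.1.2.3", "198.51.100.7", "private")
    print(dynamic_nat(out, "10.0.0.0/8", "203.0.113.1"))
    print(static_nat_outbound(out, "10.1.2.0/24", "203.0.113.0/24"))
    back = Packet("198.51.100.7", "203.0.113.3", "public")
    print(static_nat_inbound(back, "203.0.113.0/24", "10.1.2.0/24"))
```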

About Load Balancing

Using load balancing, you can distribute a high volume of incoming requests to an array of network assets, such as Web servers, according to the capacity of those servers. For example, you can add a load balancing action to a policy that lists each server, assigns a percentage of requests to that server, and distributes new requests to unused servers when previous servers are being fully utilized.


If, as shown in the following illustration, you assigned each Web server a unique private IP address, you can set up the Firebox Vclass appliance (“WG”) to recognize the public URL that external users access, and then distribute the external requests to those servers. Up to 16 servers can be incorporated in each load-balancing cluster.

You can apply load-balancing policies only to an internal network destination where the specific servers are connected.

Make sure that any firewall policies listed above any load-balancing policies in the Policies window do not block load balancing. You can apply load balancing to data traffic incorporating these services: HTTP, HTTPS, Telnet, FTP, L2TP, PPTP. Load balancing actions are applied to appliances that have addresses in the destination field of the policy.


Use the following procedure to create a load-balancing action:

1 Right-click the policy’s Action cell and select Do Load Balancing.

The Load Balancing dialog box appears.

2 From the Algorithm menu, select the appropriate load-balancing option:

Round Robin

Each server is treated with equal priority.

Weighted Round Robin

Each server is given priority based on its ability to deliver specific applications.

Random

Traffic is randomly distributed to a series of servers.

Weighted Random

Algorithm weights are assigned to servers based on server capacity limitations.

Least Connection

When new traffic is sent to the servers, an algorithm determines which server has the least number of connections.

Weighted Least Connection

When new traffic is sent to the servers, an algorithm determines which server has the least number of connections, taking into account the weights assigned to the servers.

3 In the IP Address field of the Server dialog box, type the IP address of the server that will be included in the load-balancing array.


4 In the Port field, type the number of the port that the server listens to:

If HTTP

Type “80” in the Port field.

If HTTPS

Type “443” in the Port field.

If PPTP

Type “1723” in the Port field.

If L2TP

Type “1701” in the Port field.

5 If you chose Weighted Round Robin, Weighted Random, or Weighted Least Connection from the Algorithm menu, the Server dialog box contains a Weight slider, as shown in the following figure. Use the slider to assign a weight to this server.

6 Click OK.
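The six algorithms offered by the Algorithm menu, written out as an added example (not CPM or Firebox code) so the difference between the plain, weighted, and least-connection variants is visible. The server list, ports, weights, and connection counts are constructed; how the appliance actually interprets the Weight slider is not documented here, so proportional weighting is an assumption.

```python
import random
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Server:
    ip: str
    port: int
    weight: int = 1        # value from the Weight slider (weighted algorithms only)
    connections: int = 0   # open connections, tracked for the Least Connection variants


class LoadBalancer:
    ALGORITHMS = ("round_robin", "weighted_round_robin", "random",
                  "weighted_random", "least_connection", "weighted_least_connection")

    def __init__(self, servers: List[Server], algorithm: str,
                 rng: Optional[random.Random] = None):
        if not 1 <= len(servers) <= 16:
            raise ValueError("a load-balancing cluster holds 1 to 16 servers")
        if algorithm not in self.ALGORITHMS:
            raise ValueError(f"unknown algorithm {algorithm!r}")
        for s in servers:
            if not 1 <= s.port <= 65535 or s.weight < 1:
                raise ValueError(f"bad port or weight for {s.ip}")
        self.servers = list(servers)
        self.algorithm = algorithm
        self.rng = rng or random.Random()
        self._rr_index = 0                   # next position for plain round robin
        self._wrr_cycle: List[Server] = []   # expanded schedule for weighted round robin

    def pick(self) -> Server:
        """Choose the server for a new request and count the connection."""
        server = getattr(self, "_" + self.algorithm)()
        server.connections += 1
        return server

    def release(self, server: Server) -> None:
        """Connection closed: stop counting it against the server."""
        server.connections -= 1

    def _round_robin(self) -> Server:
        # every server is treated with equal priority, in turn
        server = self.servers[self._rr_index % len(self.servers)]
        self._rr_index += 1
        return server

    def _weighted_round_robin(self) -> Server:
        # a server with weight w takes w turns per cycle
        if not self._wrr_cycle:
            self._wrr_cycle = [s for s in self.servers for _ in range(s.weight)]
        return self._wrr_cycle.pop(0)

    def _random(self) -> Server:
        return self.rng.choice(self.servers)

    def _weighted_random(self) -> Server:
        # probability of selection proportional to the server's weight
        return self.rng.choices(self.servers,
                                weights=[s.weight for s in self.servers], k=1)[0]

    def _least_connection(self) -> Server:
        return min(self.servers, key=lambda s: s.connections)

    def _weighted_least_connection(self) -> Server:
        # fewest connections per unit of weight, so heavier servers may carry more
        return min(self.servers, key=lambda s: s.connections / s.weight)
```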

About QoS Actions

In an extensive network with a large number of host computers, the volume of data traffic moving through the Internet can be immense. When the traffic is more than the network can sustain, data packets are dropped as a result of congestion.


When severe network congestion occurs, all traffic is affected equally. Mission-critical traffic (such as data exchanges made between the corporate center and the branch offices) slows down to an unacceptable speed while other, less important traffic (such as Web content sent to the Internet) takes up a disproportionate amount of network capacity.

All Firebox Vclass security appliances offer two Quality-of-Service (QoS) features that enable you to assign higher bandwidth to your most valuable traffic. As a result, some traffic entering a Firebox Vclass appliance receives more network capacity, while other data streams are accordingly reduced.

The QoS features implemented in Firebox Vclass appliances include Weighted Fair Queuing (WFQ), TOS marking, and port shaping.

• The WFQ algorithm, a data queueing technique, allows you to assign a relative bandwidth ratio for specific types of traffic with different weights. For example, data exchanges between the corporate center and branch offices can be allotted a weight of 20 while Internet traffic is given a weight of 4. During periods of extreme network congestion, the traffic between HQ and branch offices benefits from five times more bandwidth than that allowed to outbound Internet data streams.

• TOS marking allows you to overwrite the TOS byte value in the IP header of qualified packets. These TOS values can be used by routers that recognize TOS precedence/DTR bits or by routers that implement Differentiated Services Code Point (DSCP) so that they can prioritize packets during routing.

• Port shaping allows you to restrict the bandwidth of outgoing traffic directed through interface 0 or interface 1. Typically, interface 0 is connected to the private network with higher capacity connections than interface 1, which is usually connected to the Internet through a lower-capacity T1 line. In such a case, packets in outgoing traffic are dropped due to the physical limitations of the internal-to-external connection. With port shaping, you can restrict the overall capacity of interface 1 to match the actual bandwidth of the physical connection. If a huge volume of traffic comes from the private network to interface 1, packets are transmitted according to the weight defined in a QoS policy action, with no unnecessary loss of packets.

Activating port shaping

Port shaping is a system-wide configuration. You must set it up using the Interface tab of the System Configuration dialog box, as described in “Completing the Interfaces Entries” on page 98.

Applying a QoS action

1 Create a new policy row and define traffic components.

2 Click the QoS Action tab.

3 Drag the action you want from the tab to the Action cell of the policy.

QoS actions are applied to all appliances whose address objects are in either the source or destination field of the policy.

Customizing a QoS action

1 From the QoS Action tab, select New => New QoS Action.

The QoS Action dialog box appears, as shown in the following figure.


2 In the Name field, type a name for the new action.

3 In the Weight field, enter the relative WFQ weight.

You can type a value ranging from 1 to 100. For example, when network traffic becomes congested, traffic with the weight of 20 is given five times more bandwidth than traffic with a weight of 4.

4 (Optional) In the Description field, type a description of the action.

5 Click OK.

Activating TOS marking

Type of Service (TOS) marking makes this policy able to overwrite the TOS byte in the IP header of qualified incoming packets:

1 Right-click the policy’s Action cell and select Do TOS Marking.

The TOS Marking dialog box appears, as shown in the following figure.

2 Select one of the TOS marking options: TOS-Precedence, TOS-Precedence and DTR, or DiffServ CodePoint.


3 Select either Incoming Traffic, Outgoing Traffic, or both:

Incoming Traffic

If you select this option, the policy marks packets that are transmitted through the Public interface to either Private or DMZ interfaces.

Outgoing Traffic

If you select this option, the policy marks packets sent through the Private or DMZ interfaces to the Public interface.

4 Depending on your TOS choice, a number of bit fields to the right appear, as shown in the following figure.

The bit 0 (zero) is the leftmost field and the bit 7 is the rightmost field. To toggle any field to 1 (ON), click the field.
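What the TOS Marking action does to a packet, as an added example that is not CPM or Firebox code: it builds the TOS byte from the dialog's bit fields (bit 0 leftmost, bit 7 rightmost), overwrites it in an IPv4 header for the selected traffic direction, and recomputes the header checksum, which any device that rewrites an IPv4 header must do. Which of the eight fields each option enables is assumed from the standard TOS layout (precedence bits 0-2, D/T/R bits 3-5, DSCP bits 0-5); the header bytes are constructed.

```python
import struct

# Dialog bit fields each marking option is assumed to expose (standard TOS layout:
# precedence = bits 0-2, D/T/R = bits 3-5, DSCP = bits 0-5; bit 0 is leftmost).
OPTION_BITS = {
    "TOS-Precedence": range(0, 3),
    "TOS-Precedence and DTR": range(0, 6),
    "DiffServ CodePoint": range(0, 6),
}


def tos_byte(option: str, on_bits, original: int = 0) -> int:
    """Build the new TOS byte.

    on_bits holds the dialog fields toggled to 1 (0 = leftmost .. 7 = rightmost).
    Fields the option covers are overwritten; the remaining bits keep the
    value they had in the original byte.
    """
    covered = OPTION_BITS[option]
    mask = 0
    for bit in covered:
        mask |= 0x80 >> bit          # dialog bit 0 is the most significant bit
    value = 0
    for bit in on_bits:
        if bit not in covered:
            raise ValueError(f"bit {bit} cannot be set with {option}")
        value |= 0x80 >> bit
    return ((original & ~mask) | value) & 0xFF


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum; returns 0 for a header whose checksum is valid."""
    total = 0
    for i in range(0, len(header) - 1, 2):
        total += (header[i] << 8) | header[i + 1]
    if len(header) % 2:
        total += header[-1] << 8
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: bytes, dst: bytes, tos: int = 0, payload_len: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header (TCP, no options) with a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len,
                                0, 0x4000, 64, 6, 0, src, dst))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(hdr))
    return bytes(hdr)


def mark_packet(packet: bytes, option: str, on_bits, directions, ingress: str) -> bytes:
    """Overwrite the TOS byte of an IPv4 packet when its direction is selected.

    directions is the set chosen in the dialog ({"incoming"}, {"outgoing"} or both);
    ingress is the interface the packet arrived on.  A packet arriving on the
    Public interface is incoming traffic; one from a Private or DMZ interface is outgoing.
    """
    traffic = "incoming" if ingress == "public" else "outgoing"
    if traffic not in directions:
        return packet
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = tos_byte(option, on_bits, hdr[1])
    hdr[10:12] = b"\x00\x00"          # the header changed, so the checksum must be redone
    struct.pack_into("!H", hdr, 10, ipv4_checksum(hdr))
    return bytes(hdr) + packet[ihl:]
```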


CHAPTER 9

Defining Proxies in CPM

Proxy filtering goes a step beyond packet filtering to examine a packet’s content, not just the packet’s header. Consequently, the proxy determines whether a forbidden content type is hidden or embedded in the data payload. For example, an SMTP Incoming proxy examines all incoming SMTP packets (email) to determine whether they contain forbidden content types, such as executable programs or items written in scripting languages. Such items are common methods of transmitting computer viruses. The SMTP proxy knows these content types are not allowed, while a packet filter would not detect the unauthorized content in the packet’s data payload.

Proxies work at the application level, while other policies work at the network and transport protocol level.

In other words, each packet processed by a proxy is stripped of all network wrapping, analyzed, rewrapped, and forwarded to the intended destination. This adds several layers of complexity and processing beyond the packet filtering process. What this means, of course, is that proxies use more processing bandwidth than packet filters. On the other hand, they catch dangerous content types in ways that packet filters cannot.

In This Chapter

This chapter includes the following topics:

“Proxy Description” on page 170

“General Proxy Configuration” on page 173

“Proxy Parameters Reference” on page 182

“Reference Sources” on page 219

Proxy Description

The Firebox Vclass supports two proxy types:

• HTTP Client Proxy

• SMTP Proxy (Outbound and Inbound)

HTTP Client proxy

The HTTP Client proxy is a versatile, high-performance content-filtering method that you can use to selectively filter and protect your web clients from potentially hostile entities on the Internet.

The HTTP proxy offers the following features:

• Can be used to force strict RFC compliance for the web server and clients

• Allows MIME content-type filtering

• Allows configurable screening for Java, ActiveX, and other code types

• Performs HTTP header checking


The HTTP proxy sits between the sending Web server and your receiving Web client, much like a standard proxy server. It processes the HTTP line-by-line for any potentially harmful content before passing it to the internal Web client. It also acts as a buffer between your Web server and potentially harmful Web clients, enforcing HTTP RFC compliance for GET and POST operations.

SMTP proxy

The SMTP proxy can be used to limit or prevent potentially harmful email content. The proxy scans SMTP messages for a number of filtered parameters, and compares them against the configuration and rulesets specified in the proxy action. Email messages containing suspect attachments can be stripped of their attachments and then sent to the intended recipient, denied entirely, or Blocked (denied, with the Sender IP added to the Blocked Sites List).

The Outbound SMTP proxy can be used to prevent malicious SMTP messages that originate within your network from passing through the Vclass appliance, and out to the internet or WAN. The Inbound SMTP proxy is used to prevent malicious messages or code from reaching destinations within your network.

Rules and rulesets

Proxy actions are configured using a set of general parameters, and several sets of rules.

Rules

• Rules specify a type of content, pattern, or expression that the proxy action should identify.

• Rules specify the action (allow, deny or strip, drop, or block) that is taken when content matches a rule.

• Rules allow for independent alarm notification.

• Rules allow for independent logging.


Rulesets

Every rule is part of a ruleset. A ruleset can include factory-configured rules and user-defined rules. Every ruleset also includes a default rule. Figure 10, “Ruleset description,” on page 172, illustrates the different parts of a rule.

Figure 10: Ruleset description

Rule processing occurs as follows:

• Rules are processed in order from the top to the bottom of the window.

• Rules can be ordered using the rule ordering arrows.

• Once a filtered item matches a rule, it is processed according to the rule’s action.

• Content within a packet can match multiple listed rules or the default rule. However, only the first rule matched is used.


• All content within a packet of the filter type that does not match a listed rule is processed according to the default rule.

• The default rule is always the last step for packet content filtering. The action in the default rule is applied to all content in a rule Category that does not match a listed rule.

See “Proxy action rule ordering example” on page 181 for an example of how rule ordering works.

General Proxy Configuration

Proxies are configured using the Proxy Actions tab in the Configuration Editor. CPM includes default proxy actions, preconfigured for the available proxy types. In addition to these preconfigured proxies, you can create your own customized proxies, or copy and edit the defaults.

Using a proxy action in the configuration editor

Proxy actions are implemented and ordered in the Policy Manager in the same way as other policies. See “Defining Security Policies in CPM” on page 139 and “Using Policy Actions” on page 157 for more information.

Remember to remove “Any” Service, and

• add HTTP as the Service for the HTTP Client proxy

• add SMTP as the Service for the SMTP Incoming or

Outgoing proxy

Creating a proxy action

To create a new proxy action:

1 Launch CPM, and log in.

2 Click Configuration Editor.


3 Click the Proxy Actions tab on the left.

The Proxy Actions tab appears.

4 Click the Add button.

The Add Proxy Action dialog appears.


5 Select an existing proxy action to use as the base for the new proxy action from the Based On drop-down list.

Click OK. The proxy action Details window appears.

This window is different for each type of proxy. The following figure shows the initial window for a new proxy action based on the Default HTTP-Outgoing proxy action.


6 Adjust the values and rulesets using the tabs, according to your preference.

A complete reference for the parameters and configuration of the preconfigured proxies is included later in this chapter. See “Proxy Parameters Reference” on page 182 for more information.

Editing an existing proxy action

To edit an existing proxy action:

1 Launch CPM, and log in.

2 Click Configuration Editor.

3 Click the Proxy Actions tab on the left.

The Proxy Actions tab appears.


4 Select a proxy action from the list, and click Edit.

NOTE: You cannot save changes to the three default proxy actions.

The Proxy Action Details dialog appears.


5 Adjust the values and rulesets using the tabs, according to your preference.

A complete reference for the parameters and configuration of the preconfigured proxies is included later in this chapter. See “Proxy Parameters Reference” on page 182 for more information.

6 When you have finished configuring the proxy action, click OK to save your changes, or click Cancel to close the proxy action without saving your changes.

Configuring proxy rules

To create and configure proxy rules:

1 Create or edit a proxy action.

2 Navigate to the tab where you are creating the rule.

In this example, a proxy rule is created in the HTTP Client Request Headers dialog. The Header Fields

3 Edit or Add a rule.


• To edit a rule, double-click the rule, or select the rule and click Edit.

The Edit Rule dialog box appears.

• To add a new rule, click Add to Top or Insert After.

The New Rule dialog box appears.

4 In the Name field, type a name for the rule.

5 Select the type of matching to use with this rule from the pull-down menu.

Rule matching options are:

Exact Match

Select this to match an exact (case-insensitive) string. For example, you can use this to match the exact e-mail address “[email protected]” or the hexadecimal representation for a Java file, “%0xCAFEBABE%”.


Pattern Match

Select this to match a “glob” style pattern. This field is case-insensitive.

Character   Usage
*           a wildcard used to match 0 to many characters
?           a wildcard used to match any single character

Example

*.vbs
will match any filename that includes the extension “.vbs”

www.example.???
will match the domains “www.example.com,” “www.example.net,” “www.example.org,” and “www.example.biz.” It will not match “www.example.tv” or “www.example.net.org.”

Regular Expression

Select this to match a pattern employing full regular expression syntax. This field is case sensitive. Substring matching is the default; to match the whole item, explicit anchoring is required, using “^(regexp)$”. For example, “(\.bat|\.exe)$” will match anything ending in “.bat” or “.exe”.

For more information consult a reference book, such as O’Reilly’s Mastering Regular Expressions.

6 From the Action drop-down list, select the action the proxy takes when a match occurs.


Action options are:

Allow

This option allows the connection to proceed as normal.

Deny or Strip

This option denies or strips a specific request, but maintains the connection, if possible. When this option is deny, the content is dropped and replaced with the deny message. When this option is strip, all applicable filtered content is removed and dropped, but the rest of the message is allowed through, subject to further proxy filtering.

Drop

This action denies the specific request and drops the connection.

Block

This action denies the specific request, drops the connection, and adds the originating host to the Runtime Blocked Sites list.

7 Use the Alarm drop-down list to select whether to trigger an alarm for this event.

8 Use the Log drop-down list to select whether to write this event to the event log.

9 Click OK to complete the rule.

Ordering listed rules in a proxy action

Rules are processed in order from top to bottom of the window. The default rule is always the last step for filtered content in a proxy action.

To order listed rules:

1 Edit a proxy action. See “Editing an existing proxy action” on page 175 for this procedure.

2 Locate the ruleset you want to order.

3 Select the rule you want to move, and use the up or down arrows to change its position in the list.

Repeat this process for each rule that needs to be re-ordered.


Proxy action rule ordering example

This example describes how you can use proxy action rule ordering to strip a specific MIME subtype, while still allowing the rest of the master MIME type. This example uses the SMTP-Inbound proxy action, with the default settings.

In this example, the strip rule for the MIME subtype (image/tiff) is ordered so it is above the allow rule for all image types (image/*).

The strip TIFF images rule is an exact match rule for the MIME type “image/tiff,” and the All image types rule is a pattern match rule for the master type “image/*.” At runtime, the proxy processes the strip TIFF images rule first, so images of type image/tiff are identified and stripped.

However, all other “image” subtypes do not match the strip TIFF images rule, so they pass on to subsequent rules. When they reach the next rule, which allows the master type (image/*), they are identified and allowed.
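The ordering behaviour in this example can be modelled in a few lines. The following Python is an added illustration and is not WatchGuard code: the Rule class, the evaluate() function and the sample ruleset are assumptions made to show why the exact-match strip rule must sit above the pattern-match allow rule, and what happens when the two are swapped.

```python
# Added example: a small model of ordered proxy-action rule evaluation.
# It is not WatchGuard code; the Rule class, evaluate() and the sample ruleset
# are assumptions made to illustrate the ordering rule described in the text.
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    name: str
    match: str    # "exact" or "pattern" (pattern uses * and ? wildcards)
    value: str
    action: str   # "allow", "strip", "deny" or "drop"

    def matches(self, content: str) -> bool:
        # MIME types are case-insensitive, so compare in lower case.
        content, value = content.lower(), self.value.lower()
        if self.match == "exact":
            return content == value
        if self.match == "pattern":
            return fnmatchcase(content, value)
        raise ValueError(f"unknown match type {self.match!r}")


def evaluate(rules, content, default_action="strip"):
    """Walk the rules top to bottom; the first match decides.

    Returns (rule name, action). If nothing matches, the default rule,
    which is always the last step, supplies the action.
    """
    for rule in rules:
        if rule.matches(content):
            return rule.name, rule.action
    return "default", default_action


# Constructed ruleset in the order the text recommends: the exact-match
# strip rule for image/tiff sits above the pattern-match allow rule for
# the whole image/* master type.
CONTENT_TYPE_RULES = [
    Rule("strip TIFF images", "exact", "image/tiff", "strip"),
    Rule("All image types", "pattern", "image/*", "allow"),
    Rule("All text types", "pattern", "text/*", "allow"),
]


def demo():
    """Evaluate a few constructed MIME types, then show what the wrong order does."""
    samples = ("image/tiff", "image/png", "text/plain", "application/x-msdownload")
    results = {ct: evaluate(CONTENT_TYPE_RULES, ct) for ct in samples}
    # Swap the two image rules: image/tiff now hits the broad allow rule
    # first, and the strip rule below it is never reached.
    swapped = [CONTENT_TYPE_RULES[1], CONTENT_TYPE_RULES[0], CONTENT_TYPE_RULES[2]]
    results["image/tiff (swapped order)"] = evaluate(swapped, "image/tiff")
    return results


if __name__ == "__main__":
    for content_type, (rule, action) in demo().items():
        print(f"{content_type:32} -> {action:5} (by rule: {rule})")
```

The last entry of demo() is the case to watch for when you re-order rules: a broad pattern rule placed above a narrow exact rule silently makes the narrow rule unreachable, and the proxy gives no warning.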

Central Policy Manager User Guide 181

CHAPTER 9: Defining Proxies in CPM

Proxy Parameters Reference

This parameter reference describes the fields you can configure for proxy actions. Settings for the three factory default proxy actions are also described.

The following default proxy actions are described:

“HTTP Client proxy” on page 182

“SMTP Proxy” on page 203

HTTP Client proxy

Info tab

This tab allows you to type a name and description for the HTTP proxy action.

Name

A name for the proxy. This field is limited to 30 characters. If the name you specify is longer than 30 characters, the name is truncated to 30 characters.

Description

A description of the proxy, for your reference.

The proxy action should be used with the following services

The default services for the HTTP proxy are TCP Ports 80, 8000, and 8080. This section is informational only. The proxy will filter all content of the specified type, regardless of the port used.

If another service is used, report policy as

This describes how HTTP traffic is reported when it uses a TCP port other than 80, 8000, or 8080. You can select Warning or Error for the reporting level.

This proxy action is supported on

This section lists the appliances and software versions that support this proxy action.

Request General tab

This tab allows you to configure content filtering for client-side general HTTP Request parameters.

Client Connection Idle Timeout

Specifies the time in seconds the proxy waits before dropping an idle connection. Default is 110 seconds.

Maximum Allowed URL Length

Specifies the maximum length in bytes of an allowed outbound HTTP URL. Default is 1024 bytes. Some sites may use longer URLs than this; however, the longer the URL, the greater the chance that some systems may be vulnerable to certain attacks.

Log Connections / Maximum Log URL Length

Enables or disables logging of HTTP outbound connections. When enabled, you can specify a maximum Log URL length in bytes. The default is 1024 bytes.

Category

Specifies the category of HTTP request rules.

Request Methods

The Request Methods ruleset specifies HTTP request methods that the proxy allows. Note that the ruleset is configured to allow the listed rules, and deny all other methods.

The most commonly used HTTP request methods are Get, Head, Post, and Put. Some of the less frequently used Request Methods may be vulnerable to certain exploits and hacks.

Options

The OPTIONS method requests information about the communication options available on the request/response chain identified by the Request-URI. This method allows the client to determine the options or requirements associated with a resource, or the capabilities of a server, without implying a resource action or retrieving a resource (RFC 2616).

Head

The HEAD method is identical to GET except that the server must not return a message-body in the response. The metainformation contained in the HTTP headers in response to a HEAD request is identical to the information sent in response to a GET request. This method can be used for obtaining metainformation about an entity without transferring the body. This method is often used for link testing (RFC 2616).

Get

The GET method retrieves the information entity identified by the Request-URI. This is the most frequently used request method (RFC 2616).

Post

The POST method is used to request that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request-Line. POST allows a uniform method for:

- Annotation of existing resources

- Posting a message to a bulletin board, newsgroup, mailing list, or similar group of articles

- Providing a block of data, such as the result of submitting a form, to a data-handling process

- Extending a database through an append operation

The actual function performed by the POST method is determined by the server and is usually dependent on the Request-URI (RFC 2616).

Put

The PUT method requests that the enclosed entity be stored under the supplied Request-URI. If the Request-URI refers to an already existing resource, the enclosed entity should be considered as a modified version of the existing resource. If the Request-URI does not point to an existing resource, and that URI is capable of being defined as a new resource by the requesting user agent, the origin server can create the resource with that URI (RFC 2616).

Delete

The DELETE method requests that the origin server delete the resource identified by the Request-URI (RFC 2616).

Trace

The TRACE method is used to invoke a remote, application-layer loop-back of the request message. The final recipient of the request reflects the message received back to the client as the body of a 200 (OK) response. A TRACE request must not include an entity (RFC 2616).

Link

The LINK entity-header field provides a means for describing a relationship between two resources, generally between the requested resource and another resource. An entity may include multiple LINK values. LINKs at the metainformation level typically indicate relationships like hierarchical structure and navigation paths (RFC 2068 section 19.6.2.4).

Unlink

The UNLINK method removes one or more LINK relationships from the existing resource identified by the Request-URI. These relationships may have been established using the LINK method or by any other method supporting the Link header. The removal of a link to a resource does not imply that the resource ceases to exist or becomes inaccessible for future references (RFC 2068 section 19.6.1.3).

Checkin

A CHECKIN request can be applied to a checked-out, version-controlled resource, to produce a new version whose content and dead properties are copied from the checked-out resource. If a CHECKIN request fails, the server state preceding the request is restored (RFC 3253 section 4.4).

Checkout

A CHECKOUT request can be applied to a checked-in version-controlled resource, to allow modifications to the content and dead properties of that version-controlled resource. If a CHECKOUT request fails, the server state preceding the request is restored (RFC 3253 section 4.3).

Patch

The PATCH method is similar to PUT except that the entity contains a list of differences between the original version of the resource identified by the Request-URI and the desired content of the resource after the PATCH action has been applied.

The list of differences is in a format defined by the media type of the entity (for example, “application/diff”), and must include sufficient information to allow the server to recreate the changes necessary to convert the original version of the resource to the desired version (RFC 2068 section 19.6.1.1).

URL Paths

The URL Paths ruleset allows you to filter the content of an HTTP path. The path is everything after the initial slash. For example, in www.server.com/cgi/index.html, the path content is “cgi/index.html.”

The current ruleset implementation is set to catch and strip common executable program file extensions for Windows (*.exe and *.dll). By default this ruleset allows all URL path information except for the listed rules.

NOTE

One possible use for a URL Paths rule is to create pattern match rules to match the content *ad/* and *ads/*. Though not guaranteed to work, this can function as a simple, effective screening tool to reduce the amount of online advertising users see. Check the URLs of popup windows or banner ads you or your users find on the Web for other ideas.

Windows EXE

A pattern match rule that denies URL path content with the extension “.exe.” This effectively prevents users from accessing common Windows applications using HTTP. Installable programs are often EXE files, so in some scenarios this rule can cause problems.

Blocking *.exe files in URLs prevents Windows users on your network from downloading executable software over HTTP. This might inconvenience users who need access to software downloads or updates.

Windows DLL

A pattern match rule that denies URL path content with the extension “.dll.” This effectively prevents users from accessing some Windows applications across HTTP. DLLs are sometimes used for web applications such as banners or tickers. Some legitimate sites, such as the Internet auction site eBay, use DLLs as integral components of their functionality. However, DLLs can pose a threat to your systems and network. Exercise caution when changing this rule.

NOTE

Blocking *.exe files in URLs prevents Windows users on your network from downloading executables over HTTP. This might inconvenience users who need access to software downloads. In addition, blocking *.dll files in URLs prevents some web applications and sites from working.

Request Headers tab

This tab allows you to configure content filtering for client-side HTTP Request Headers.

Maximum Total Length

The maximum total length of the HTTP Request Header. Some systems may be vulnerable to overflow attacks if the header field is too large. The default value is 0, which means there is no maximum.

Maximum Line Length

The maximum length of each line of characters in the HTTP Request Header. Some systems may be vulnerable to exploits that use very long lines. The default value is 2048 bytes.
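The two limits above are simple to apply to a raw request, and seeing them applied makes the meaning of the 0 default clear. The following Python is an added example, not WatchGuard code: the default values are the ones stated in the text (no total limit, 2048-byte lines), while the function, its result messages and the two constructed sample requests are assumptions of this example.

```python
# Added example: enforcing the Request Headers tab length limits on a raw
# HTTP request. Not WatchGuard code; the defaults come from the text
# (no total limit, 2048-byte lines); the function and its messages are mine.

DEFAULT_MAX_TOTAL = 0      # 0 = no limit on the whole header block
DEFAULT_MAX_LINE = 2048    # bytes per header line


def check_header_limits(raw: bytes, max_total: int = DEFAULT_MAX_TOTAL,
                        max_line: int = DEFAULT_MAX_LINE):
    """Return (True, "ok") or (False, reason) for the request in `raw`.

    Only the header block, from the request line up to the blank line that
    ends the headers, is measured; the body is not counted. A request that
    never terminates its headers is measured in full, since a sender can
    simply omit the blank line.
    """
    end = raw.find(b"\r\n\r\n")
    header_block = raw if end < 0 else raw[:end + 2]  # keep the last line's CRLF
    if max_total and len(header_block) > max_total:
        return False, "total header length %d exceeds %d" % (len(header_block), max_total)
    for number, line in enumerate(header_block.split(b"\r\n"), start=1):
        if len(line) > max_line:
            return False, "header line %d length %d exceeds %d" % (number, len(line), max_line)
    return True, "ok"


# Constructed sample requests (not captured traffic).
NORMAL_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: www.example.com\r\n"
                  b"User-Agent: constructed-sample\r\n"
                  b"\r\n")
LONG_LINE_REQUEST = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                     + b"X-Padding: " + b"A" * 3000 + b"\r\n\r\n")


def demo():
    """Apply the defaults, then a deliberately small total limit."""
    return {
        "normal, defaults": check_header_limits(NORMAL_REQUEST),
        "3000-byte line, defaults": check_header_limits(LONG_LINE_REQUEST),
        "normal, 40-byte total": check_header_limits(NORMAL_REQUEST, max_total=40),
    }


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label:28} -> {'allow' if ok else 'deny '} ({reason})")
```

The same logic applies unchanged to the Response Headers tab, where the text notes that exceeding the total limit causes the whole response to be denied.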

Category

This specifies the ruleset category–Header Fields or Authorization.

Header Fields

This ruleset provides content filtering for HTTP Header fields. The ruleset uses exact matching rules to strip From, Via, and Referer headers, and allows all other headers by default.

From

The From request-header field, if provided, contains an Internet e-mail address for the human user who controls the requesting user agent (RFC 2616).

Via

The Via general-header field must be used by gateways and proxies to indicate the intermediate protocols and recipients between the user agent and the server on requests, and between the origin server and the client on responses. It is intended to be used for tracking message forwards, avoiding request loops, and identifying the protocol capabilities of all senders along the request/response chain (RFC 2616).

Referer

The Referer request-header field allows the client to specify the address (URI) of the resource from which the Request-URI was obtained, for the benefit of the server (RFC 2616).

Authorization

This ruleset provides content filtering for HTTP Request Header authorization fields. A user agent that wishes to authenticate itself with a server does so by including an Authorization request-header field with the request. The Authorization field value consists of credentials containing the authentication information of the user agent for the realm of the resource being requested.

This ruleset is designed to allow NTLM, Digest, and Basic authorization, and to strip all other authorization by default.

Basic

The Basic authentication scheme is based on the model that the client must authenticate itself with a user-ID and a password for each realm. The realm value is an opaque string that can only be compared for equality with other realms on that server. The server services the request only if it can validate the user-ID and password for the protection space of the Request-URI. There are no optional authentication parameters (RFC 2617).

Digest

Like Basic Access Authentication, the Digest scheme is based on a simple challenge-response paradigm. The Digest scheme challenges using a nonce value. A valid response contains a checksum (by default, the MD5 checksum) of the username, the password, the given nonce value, the HTTP method, and the requested URI. The password is never sent in the clear (RFC 2617).

NTLM

Windows NT LAN Manager (NTLM), also known as Windows NT Challenge/Response, is the authentication protocol used on networks that include systems running the Windows NT operating system, and on stand-alone systems.

NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user’s password. NTLM uses an encrypted challenge/response protocol to authenticate a user without sending the user’s password over the wire.

Instead, the system requesting authentication must perform a calculation that proves it has access to the secured NTLM credentials (Microsoft).

.NET Passport 1.4

This authentication type is used by Microsoft’s .NET Passport service. For more information, see http://www.passport.net.

Response General tab

This tab allows you to configure general content filtering for server-side HTTP Response parameters.

Server Connection Idle Timeout

Specifies the amount of time, in seconds, that the connection to the server is allowed to idle before the connection is dropped. Default is 110 seconds.

Body Content Type

This ruleset specifies rules for filtering content in an HTTP Response. The ruleset is configured to strip Windows OCX, Windows CAB, and Java applets.

The default rule allows all other response body content types.

Java applet

Java applets are widely used in many safe applications on the Web. However, Java applets can be used to maliciously attack or exploit a client.

This rule specifies a pattern match for the Java applet signature: %0xcafebabe%*.

Windows CAB

A cabinet (.cab) file is a library of compressed files stored as a single file. Cabinet files are used to organize installation files. A CAB file can contain malicious code that can be executed on a client system. This rule specifies a pattern match for the Windows CAB signature: %0x4d53434600000000%*.

ActiveX

ActiveX controls (OCX) can be used to execute code on client machines. This rule specifies a pattern match for the OCX signature: %0x5a4d00900003000000040000ffff0000%*.
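The three signatures above use the proxy's percent-sign escape notation, where %0x...% encloses raw bytes and * matches anything that follows. The Python below is an added example, not WatchGuard code: the three signature strings are the ones quoted in this section, while the escape parser, the glob handling, the classify() function and the constructed sample bodies are assumptions of this example, written to the escape rules the guide describes (%% for a literal percent sign, %0x<hex>% for raw bytes).

```python
# Added example: matching the response-body signatures listed above using the
# proxy's %...% escape notation. Not WatchGuard code: the parser, the glob
# handling and the sample bodies are mine; the three signature strings are
# the ones quoted in the text. Assumed escape rules, as the guide describes
# them: "%%" is a literal percent sign and "%0x<hex>%" encloses raw bytes.
import re

_ESCAPE = re.compile(rb"%%|%0x([0-9a-fA-F]*)%")


def _glob_to_regex(chunk: bytes) -> bytes:
    # '*' matches any run of bytes; everything else is literal.
    return b".*".join(re.escape(part) for part in chunk.split(b"*"))


def compile_pattern(pattern: str):
    """Translate a CPM-style pattern match string into a compiled bytes regex."""
    raw = pattern.encode("ascii")
    pieces, pos = [], 0
    for m in _ESCAPE.finditer(raw):
        pieces.append(_glob_to_regex(raw[pos:m.start()]))
        if m.group(0) == b"%%":
            pieces.append(re.escape(b"%"))
        else:
            pieces.append(re.escape(bytes.fromhex(m.group(1).decode("ascii"))))
        pos = m.end()
    pieces.append(_glob_to_regex(raw[pos:]))
    return re.compile(b"".join(pieces), re.DOTALL)


# The Body Content Type rules from the text, in ruleset order.
BODY_RULES = [
    ("Java applet", compile_pattern("%0xcafebabe%*")),
    ("Windows CAB", compile_pattern("%0x4d53434600000000%*")),
    ("ActiveX", compile_pattern("%0x5a4d00900003000000040000ffff0000%*")),
]


def classify(body: bytes):
    """Name of the first rule whose signature matches, or None (default: allow)."""
    for name, regex in BODY_RULES:
        if regex.fullmatch(body):
            return name
    return None


# Constructed sample bodies: just the leading signature bytes plus filler,
# not real files.
JAVA_CLASS = b"\xca\xfe\xba\xbe\x00\x00\x00\x31" + b"\x00" * 16
CAB_FILE = b"MSCF\x00\x00\x00\x00" + b"\x01" * 16
OCX_FILE = bytes.fromhex("5a4d00900003000000040000ffff0000") + b"\x00" * 16
HTML_PAGE = b"<html><body>hello</body></html>"


if __name__ == "__main__":
    for label, body in (("class", JAVA_CLASS), ("cab", CAB_FILE),
                        ("ocx", OCX_FILE), ("html", HTML_PAGE)):
        print(f"{label:6} -> {classify(body) or 'default (allow)'}")
```

Because these rules key on the leading bytes of the body rather than on the Content-Type header, they catch an object whose MIME type was mislabelled; the matcher is byte-oriented for the same reason, so a body is never decoded as text before it is compared.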

Response Headers tab

This tab allows you to configure content filtering for server-side HTTP Response Headers.

Maximum Total Length

Specifies the maximum total length of the HTTP Response Headers, in bytes. Set this to 0 to specify no limit. Some systems might be vulnerable to overflow exploits that use very large headers. If the total header size exceeds this limit, the entire HTTP Response is denied. The default value is 0 (no limit).

Maximum Line Length

This specifies the maximum allowed length of a line of characters in the HTTP Response Headers. Some systems might be vulnerable to buffer overflows with very long lines, so you can adjust this setting according to the capabilities of your systems. The default value is 2048 bytes.

Category

This specifies the ruleset category–Header Fields, Content-Type, or Cookies.

Header Fields

This ruleset specifies rules for filtering content in HTTP Response Header Fields. The ruleset is configured to allow a number of typical Header Fields. The default rule strips all other Response Header Fields.

The allowed Header Fields are:

- Accept (RFC 2616)

- Accept-Charset (RFC 2616)

- Accept-Encoding (RFC 2616)

- Accept-Language (RFC 2616)

- Accept-Ranges (RFC 2616)

- Age (RFC 2616)

- Allow (RFC 2616)

- Alternates (RFC 2068 19.6.2.1)

- Authorization (RFC 2616)

- Cache-Control (RFC 2616)

- Connection (RFC 2616)

- Content-Base (RFC 2068 14.11)

- Content-Disposition (RFC 1806)

- Content-Encoding (RFC 2616)

- Content-Language (RFC 2616)

- Content-Length (RFC 2616)

- Content-Location (RFC 2616)

- Content-MD5 (RFC 2616)

- Content-Range (RFC 2616)

- Content-Type (RFC 2616)

- Content-Version (RFC 2068 19.6.2.2)

- Cookie (RFC 2965)

- Date (RFC 2616)

- Derived-From (RFC 2068 19.6.2.3)

- ETag (RFC 2616)

- Expires (RFC 2616)

- From (RFC 2616)

- Host (RFC 2616)

- If-Match (RFC 2616)

- If-Modified-Since (RFC 2616)

- If-None-Match (RFC 2616)

- If-Range (RFC 2616)

- If-Unmodified-Since (RFC 2616)

- Keep-Alive (RFC 2068 19.7.1.1)

- Last-Modified (RFC 2616)

- Link (RFC 1945 D.2.6)

- Location (RFC 2616)

- Mime-Version (RFC 1945 D.2.7)

- Max-Forwards (RFC 2616)

- Pragma (RFC 2616)

- Proxy-Authenticate (RFC 2616)

- Proxy-Authorization (RFC 2616)

- Proxy-Connection (undocumented; functionality is the same as Connection, but applies only to proxies. This can cause problems with proxies that do not support it.)

- Public (HTTP [1992])

- Range (RFC 2616)

- Referer (RFC 2616)

- Retry-After (RFC 2616)

- Server (RFC 2616)

- Set-Cookie (RFC 2109)

- Transfer-Encoding (RFC 2616)

- UA-CPU (non-standard header sent by Internet Explorer to specify CPU type)

- UA-Color (non-standard header sent by Internet Explorer to specify color depth)

- UA-OS (non-standard header sent by Internet Explorer to specify operating system)

- UA-Pixels (non-standard header sent by Internet Explorer to specify screen pixel size)

- URI (RFC 1945 D.2.10)

- Upgrade (RFC 2616)

- User-Agent (RFC 2616)

- Vary (RFC 2616)

- Via (RFC 2616)

- Warning (RFC 2616)

- WWW-Authenticate (RFC 2616)

Content-Types

This ruleset specifies rules for filtering Content-Type (MIME type) content in HTTP Response Headers. The ruleset is configured to allow some “safe” Content-Types, and strip MIME content that has no specified Content-Type. The default rule strips all Content-Types that do not match the listed rules.

NOTE

You might want to allow JavaScript content, depending on your organization’s needs. JavaScript is not allowed by the default rule. To allow JavaScript, create a new rule in this category, and specify an exact match for application/x-javascript. Set the rule to allow content.

WebLogic Server

This rule allows Web Logic Server content, by identifying the MIME Content-Type “application/ x-WebLogic.” The rule uses an exact match for application/x-WebLogic.

Video

This rule allows all MIME video types, by identifying the MIME Content-Type “video.” The rule uses a pattern match for video/*.

Text-based

This rule allows all MIME text types, by identifying the MIME Content-Type “text.” The rule uses a pattern match for text/*.

No Content-Type present

This rule strips all MIME data that has no specified Content-Type, by identifying empty MIME types. The rule uses an exact match for no text.

Images

This rule allows all MIME image types, by identifying the MIME Content-Type “image.” The rule uses a pattern match for image/*.

Audio

This rule allows all MIME audio types, by identifying the MIME Content-Type “audio.” The rule uses a pattern match for audio/*.

Cookies

This ruleset specifies rules for filtering Cookies in HTTP Responses. One rule is included, “DoubleClick.net.” This rule strips cookies from doubleclick.net, using a pattern match for “*.doubleclick.net.” The ruleset can be configured to strip other cookies, based on your network needs. The default rule allows all other cookies.

When you configure a rule to strip a Cookie, use pattern matching, then type *cookiedomain.com* as the pattern to match.

Deny Message tab

This tab allows you to customize a Deny Message. The Deny Message replaces content that is denied.

You can customize the Deny Message with standard HTML. The first line of the Deny message is part of the HTTP header. There must be a blank line between the first line and the body of the message.

You can also change the character set, for non-English text, and you can call values from the proxy action to describe why content was removed.

The following values can be called from the proxy action:

%(method)%

This inserts the proxy rule that identified the content to strip.

%(reason)%

This inserts a plain text reason that the content was stripped.

%(transaction)%

This inserts transaction information for the stripped content.

%(url-host)%

This inserts the server address from which the stripped content originated.

%(url-path)%

This inserts the URL of the stripped content.
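The structure rules for the Deny Message (header line, blank line, HTML body) and the five substitution values are easy to get wrong by hand, so the following Python is an added example that checks a template and renders it. It is not WatchGuard code: only the five value names come from the text; the sample template, the sample values and the checks are assumptions of this example.

```python
# Added example: rendering the Deny Message with the %(...)% values listed
# above. Not WatchGuard code: the template, the sample values and the checks
# are mine; only the five placeholder names come from the text.
import html
import re

KNOWN_VALUES = {"method", "reason", "transaction", "url-host", "url-path"}
_PLACEHOLDER = re.compile(r"%\(([^)]*)\)%")

# Constructed template. Line 1 belongs to the HTTP header, line 2 must be
# blank, and the HTML body follows.
DENY_TEMPLATE = (
    "Content-Type: text/html; charset=iso-8859-1\n"
    "\n"
    "<html><body><h1>Content removed by the HTTP proxy</h1>\n"
    "<p>Rule: %(method)%<br>Reason: %(reason)%</p>\n"
    "<p>Source: %(url-host)%%(url-path)%</p>\n"
    "<p>%(transaction)%</p></body></html>\n"
)

# Constructed sample values, as the proxy would supply them for a denied object.
SAMPLE_VALUES = {
    "method": "Windows EXE",
    "reason": "URL path matched the pattern *.exe",
    "transaction": "constructed transaction id 0001",
    "url-host": "downloads.example.com",
    "url-path": "/tools/setup.exe",
}


def template_problems(template: str):
    """Return a list of problems with a template (empty means it is usable)."""
    problems = []
    lines = template.split("\n")
    if len(lines) < 2 or lines[1] != "":
        problems.append("line 2 must be blank: line 1 is part of the HTTP header")
    unknown = set(_PLACEHOLDER.findall(template)) - KNOWN_VALUES
    if unknown:
        problems.append("unknown values: " + ", ".join(sorted(unknown)))
    return problems


def render(template: str, values: dict) -> str:
    """Substitute the proxy values into the template.

    The host and path are taken from the request the user sent, so they are
    untrusted input; HTML-escaping them keeps a crafted URL from placing
    markup into the page the proxy serves back to the browser.
    """
    def substitute(m):
        return html.escape(values.get(m.group(1), ""), quote=True)
    return _PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    print(template_problems(DENY_TEMPLATE) or "template ok")
    print(render(DENY_TEMPLATE, SAMPLE_VALUES))
```

The escaping in render() is the one addition a practitioner should carry over to any custom message: %(url-host)% and %(url-path)% echo what the user requested, and a Deny Message that inserts them verbatim into HTML turns the proxy's own error page into a place where request content is rendered.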

SMTP Proxy

The SMTP incoming and outgoing proxies allow the same configuration options. However, outgoing proxy rulesets, with the exception of the ESMTP ruleset, contain no preconfigured Rules, and incoming and outgoing proxies provide different defaults.

NOTE

Most screens in this section show the SMTP Incoming Proxy action. The SMTP Outgoing Proxy action appears identical, except that the outgoing proxy windows are named “outgoing” instead of “incoming,” and outbound proxy rulesets contain no rules, except as noted.

Info tab

This tab allows you to type a name and description for the SMTP proxy action.

Name

A name for the proxy. This field is limited to 30 characters. If the name you specify is longer than 30 characters, the name is truncated to 30 characters.

Description

A description of the proxy, for your reference.

The proxy action should be used with the following services

The default service for the SMTP proxy is TCP Port 25. This section is informational only. The proxy will filter all content of the specified type, regardless of the port used.

If another service is used, report policy as

This describes how SMTP traffic is reported when it uses a TCP port other than 25. You can select Warning or Error for the reporting level.

This proxy action is supported on

This section lists the appliances and software versions that support this proxy action.

General tab

This tab allows you to specify general values for SMTP content filtering.

Maximum Recipients

Specifies the maximum number of email recipients to which a message can be sent. This acts as a counter, and allows the specified number of messages through, then drops the remaining addresses. For example, if the default setting of 50 is used, and a message is addressed to 52 recipients, the first 50 addressees receive the email message, and the last two addressees are dropped.

Distribution lists that appear as a single SMTP email address (for example, [email protected]) are counted as a single address.

Maximum Message Size

Specifies the maximum size of an incoming SMTP message. Note that most email is sent as 7-bit ASCII text, with the exceptions of Binary MIME and 8bit MIME. 8-bit content (for example, MIME attachments) is encoded using standard algorithms (Base64 or quoted-printable encoding) to enable it to be sent over 7-bit email systems.

These types of encoding cause an increase in size of approximately 1/3 for encoded files. Therefore, if you want to allow messages of up to 1000 bytes, you should set this field to a minimum of 1334 bytes to ensure that all mail gets through.

The default is 2929 kilobytes (approximately 3 million bytes).
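The one-third rule above is a rough estimate; the exact figure for a Base64 attachment also includes the line breaks that MIME inserts every 76 characters (RFC 2045). The following Python is an added example, not WatchGuard code: the rule of thumb is the guide's, while the exact count, the cross-check against the standard base64 module and the function names are assumptions of this example.

```python
# Added example: sizing Maximum Message Size for Base64-encoded attachments.
# Not WatchGuard code. The one-third rule of thumb is the guide's; the exact
# count and the cross-check against Python's base64 module are mine and assume
# the 76-character line wrapping that MIME transfer encoding uses (RFC 2045).
import base64
import math


def estimated_size(payload_bytes: int) -> int:
    """The guide's rule of thumb: the payload plus one third, rounded up."""
    return math.ceil(payload_bytes * 4 / 3)


def encoded_size(payload_bytes: int, line_length: int = 76) -> int:
    """Exact size of a wrapped Base64 body for a payload of this length.

    Base64 emits 4 characters per 3 input bytes (padding the last group),
    and every output line ends with CRLF, which the rule of thumb omits.
    """
    if payload_bytes <= 0:
        return 0
    chars = 4 * math.ceil(payload_bytes / 3)
    lines = math.ceil(chars / line_length)
    return chars + 2 * lines


def measured_size(payload: bytes, line_length: int = 76) -> int:
    """Encode real data the way a mail client does and count the bytes."""
    encoded = base64.b64encode(payload)
    if not encoded:
        return 0
    wrapped = b"\r\n".join(encoded[i:i + line_length]
                           for i in range(0, len(encoded), line_length))
    return len(wrapped) + 2  # CRLF after the final line


def size_table(*payload_sizes):
    """Rule of thumb beside the exact figure, for each payload size."""
    return {n: (estimated_size(n), encoded_size(n)) for n in payload_sizes}


if __name__ == "__main__":
    for n, (estimate, exact) in size_table(1000, 100_000, 1_000_000).items():
        print(f"payload {n:>9} bytes: estimate {estimate:>9}, exact {exact:>9}")
```

For the 1000-byte case in the text the estimate gives 1334 bytes while the wrapped encoding is 1372 bytes, so a limit set from the rule of thumb alone sits a few percent below what a real attachment of that size needs; the exact count, plus room for the message headers, is the safer figure to configure.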

Maximum Address Length

Specifies a maximum length for email addresses.

Restricting email address size can prevent some buffer overflow exploits from being used. The default is 50 bytes.

Maximum Line Length

Specifies the maximum line length for lines in an SMTP message. Very long line lengths can cause overflow conditions on some mail systems. Most email clients and systems send relatively short line lengths, but some web-based email services send very long lines. The default is 1000 bytes.

Connection Idle Timeout

Specifies the amount of time an incoming SMTP connection can idle before the connection is timed out. The default is 600 seconds (10 minutes).

Address Validation (RFC-822 Compliance)

Allowable Characters : Allows you to specify all of the characters that are allowed in incoming email addresses. If there are particular characters that you do not allow, remove them from this field. All allowed 7-bit ASCII characters are listed by default.

The percentage sign (%) is listed twice (%%) to represent itself. The percentage sign is used as an escape character in the Proxy windows, to enclose hex code and high ASCII characters, but the Proxy windows read two percentage signs in a row as a single percentage sign character. The “commercial at” character (@) is not included, because this list specifies only the characters in the parts separated by the @, as email addresses cannot be specified without it.

Allow Source-Routed Addresses : Allows source-routed addresses. This is an old UUCP convention that is not used much today, except in the proliferation of spam email. This field is disabled by default. It is recommended that you do not enable this field.

HELO/EHLO Greeting Hostname

These commands are used to identify the SMTP receiver to the SMTP server. The argument field contains the fully-qualified domain name of the SMTP host, if it is available. A Host is a computer attached to the Internet that supports the SMTP protocol.

Allowable Characters : Allows you to specify the characters that can be used in the HELO/EHLO greeting hostname. By default, this includes the 26 letters of the alphabet in upper and lower case, the numbers 0-9, the period (.) and the dash (-).
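The address and hostname checks described under Address Validation and HELO/EHLO Greeting Hostname, as an added Python example that is not WatchGuard code. It assumes the character sets the text gives (printable 7-bit ASCII minus the @ separator for addresses; letters, digits, period and dash for hostnames), the 50-byte default from Maximum Address Length, and the RFC 821 form of a source-routed address (@relay,@relay:user@host); the functions, their result messages and the sample inputs are assumptions of this example.

```python
# Added example: address and HELO/EHLO hostname checks following the
# Address Validation settings above. Not WatchGuard code: the functions,
# messages and samples are mine. Assumptions: the address character set is
# printable 7-bit ASCII minus "@"; the hostname set is letters, digits, "."
# and "-"; the 50-byte address limit is the Maximum Address Length default;
# a source-routed address has the RFC 821 form "@relay,@relay:user@host".
import string

# The guide's own list writes the percent sign as "%%"; in Python the
# literal "%" from string.punctuation is enough.
ADDRESS_CHARS = set(string.ascii_letters + string.digits + string.punctuation) - {"@"}
HOSTNAME_CHARS = set(string.ascii_letters + string.digits + ".-")
MAX_ADDRESS_LENGTH = 50


def check_address(address: str, allowed=ADDRESS_CHARS,
                  max_length: int = MAX_ADDRESS_LENGTH,
                  allow_source_routed: bool = False):
    """Return None if the address is acceptable, otherwise the reason."""
    if len(address.encode("utf-8")) > max_length:
        return "address longer than %d bytes" % max_length
    if address.startswith("@") and ":" in address:
        if not allow_source_routed:
            return "source-routed address not allowed"
        address = address.split(":", 1)[1]  # validate the final destination only
    if address.count("@") != 1:
        return "address must contain exactly one '@'"
    local, domain = address.split("@")
    if not local or not domain:
        return "empty local part or domain"
    bad = sorted(set(local + domain) - allowed)
    if bad:
        return "disallowed characters: " + repr("".join(bad))
    return None


def check_helo_hostname(hostname: str, allowed=HOSTNAME_CHARS):
    """Return None if the HELO/EHLO argument is acceptable, otherwise the reason."""
    if not hostname:
        return "empty hostname"
    bad = sorted(set(hostname) - allowed)
    if bad:
        return "disallowed characters: " + repr("".join(bad))
    return None


if __name__ == "__main__":
    # Constructed samples, not addresses seen in traffic.
    for sample in ("jane.doe@example.com", "@relay.example.net:jane@example.com",
                   "jane doe@example.com", "a" * 60 + "@example.com"):
        print(f"{sample[:40]:40} -> {check_address(sample) or 'ok'}")
    for host in ("mail.example.com", "mail_1.example.com", ""):
        print(f"HELO {host!r:22} -> {check_helo_hostname(host) or 'ok'}")
```

Both checks work on the character set, not on the syntax of RFC 822, which is what the guide's fields do as well: an address is accepted if every character on either side of the @ is in the list, and rejected otherwise, so tightening the list is the way to exclude characters your mail system cannot handle.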

Content Checking tab

This tab allows you to specify values for SMTP content filtering.

Category

This specifies the ruleset category–Content Types or Address Patterns.

Content Types

The outgoing SMTP ruleset contains no rules.

The incoming SMTP ruleset allows six common MIME types, and all of their subtypes. The default rule strips all other MIME types.

This ruleset does not, by default, allow any “application” or “model” MIME types. Depending on your network needs, you might want to allow certain application MIME types. To find MIME types that you might want to allow or strip, refer to the current master list of MIME types, located at http://www.iana.org/assignments/media-types/.

All audio types

This rule allows all MIME audio types, by identifying the MIME Content-Type “audio.” The rule uses a pattern match for audio/*.

All image types

This rule allows all MIME image types, by identifying the MIME Content-Type “image.” The rule uses a pattern match for image/*.

message/*

This rule allows all MIME message types, by identifying the MIME Content-Type “message.” The rule uses a pattern match for message/*.

All multi-part MIME types

This rule allows all MIME multipart types, by identifying the MIME Content-Type “multipart.” The rule uses a pattern match for multipart/*.

Note that if you do not allow multipart MIME, your users might lose a lot of messages and attachments. Multipart is used frequently to create messages that include attachments.

All text types

This rule allows all MIME text types, by identifying the MIME Content-Type “text.” The rule uses a pattern match for text/*.

All video types

This rule allows all MIME video types, by identifying the MIME Content-Type “video.” The rule uses a pattern match for video/*.

Attachment Filenames

The outgoing SMTP proxy action contains no rules for attachment filenames.

The incoming SMTP proxy ruleset allows three common attachment filename extensions. The default rule strips all other filename content.

Word document

This rule allows attachments with the standard Microsoft Word .doc file extension. The rule uses a pattern match for *.doc.

Text file

This rule allows standard text attachments with the .txt file extension. The rule uses a pattern match for *.txt.

Excel spreadsheet

This rule allows attachments with the standard Microsoft Excel spreadsheet .xls file extension. The rule uses a pattern match for *.xls.

Address Patterns tab

This tab allows you to specify values for SMTP Address Pattern filtering.

Category

This specifies the ruleset category–Mail From or Mail To.

Mail From

This ruleset contains no listed rules from the factory. The default rule is allow. With the SMTP Incoming proxy, this configuration allows mail from all senders into your network. With the SMTP Outgoing proxy, this configuration allows all users on the network to send email.

Mail To

This ruleset contains no listed rules from the factory. The default rule is allow. With the SMTP Incoming proxy, this configuration allows mail addressed to any email address into your network. With the SMTP Outgoing proxy, this configuration allows users on your network to send email to any recipient.

Headers tab

This tab allows you to specify values for SMTP Header filtering.

Header Rules

The SMTP Outgoing proxy contains no rules for SMTP Headers.

The SMTP Incoming proxy action ruleset allows a number of SMTP Headers. The default rule strips all other SMTP headers. As there are hundreds of possible SMTP headers, it might be useful or necessary to allow other SMTP headers in your system.

The Headers that are allowed include:

- Approved-By

- Bcc

- Cc

- Comments

- Content-Description

- Content-Disposition

- Content-ID

- Content-Language

- Content-Length

- Content-MD5

- Content-Transfer-Encoding

- Content-Type

- Date

- Encoding

- Encrypted

- From

- In-Reply-To

- Keywords

- MIME-Version

- Message-ID

- Precedence

- References

- Reply-To

- Resent-Bcc

- Resent-Cc

- Resent-Date

- Resent-From

- Resent-Message-ID

- Resent-Reply-To

- Resent-To

- Status

- Subject

- To

ESMTP tab

The ESMTP tab allows you to specify the filtering for ESMTP content. Although SMTP is widely accepted and widely used, some parts of the Internet community have found a need to extend SMTP to allow more functionality.

ESMTP provides a means for functional extensions to SMTP, and for clients who support extended features to recognize each other. For RFC documentation sources on extensions to SMTP, see “Reference Sources” on page 219.

Allow BDAT/CHUNKING

Allows BDAT and CHUNKING, if enabled on the SMTP host and client. BDAT and CHUNKING enable large messages to be sent more easily over SMTP connections (RFC 3030).

Allow Remote Message Queue Starting

Allows Remote Message Queue Starting, if enabled on the SMTP host and client. This is an extension to the SMTP service that allows an SMTP client and

Central Policy Manager User Guide 215

CHAPTER 9: Defining Proxies in CPM server to interact to start the processing of message queues for a given host (

RFC 1985

).

Allow 8bit-MIME

Allows 8bit-MIME, if the client and host support the extension. The 8bit-MIME extension allows a client and host to exchange messages made up of text containing octets outside of the US-ASCII octet range (hex 00-7F, or 7-bit ASCII) using SMTP

( RFC 1652 ).

Allow Binary MIME

Allows the Binary MIME extension, if the sender and receiver support it. Binary MIME avoids the overhead of base64 and quoted-printable encoding of binary objects sent using the MIME message format over SMTP (

RFC 3030

).

N

OTE

BDAT/CHUNKING must be allowed for Binary MIME to work.

Authentication Rules

Both the incoming and outgoing SMTP proxy actions contain the same Authentication rules. The

Authorization ruleset allows a number of ESMTP

Authentication types. The default rule denies all other Authentication types.

Allowed Authentication types include:

- CRAM-MD5

- DIGEST-MD5

- GSSAPI

- LOGIN

- LOGIN (old style)

- NTLM

- PLAIN

The SMTP service extension for Authentication is described in RFC 2554 .
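The following added example, which is not CPM code or part of this guide, shows the combined effect of the ESMTP checkboxes and the Authentication ruleset on one EHLO reply: a proxy-side filter that removes the extensions a policy denies, drops BINARYMIME whenever CHUNKING is denied, and trims the AUTH line to the allow-list with a default deny for everything else. The sample reply, the host names and the keyword-to-checkbox mapping (ETRN for Remote Message Queue Starting, per RFC 1985) are assumptions made for the example.

```python
"""Filtering a server's EHLO reply against an ESMTP policy and an AUTH allow-list.

Added example; it is not CPM code. Host names and the sample reply are constructed.
"""

# Constructed sample: the multi-line 250 reply a mail server sends in answer to EHLO.
SAMPLE_EHLO_REPLY = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-BINARYMIME\r\n"
    "250-CHUNKING\r\n"
    "250-ETRN\r\n"
    "250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 XOAUTH2 NTLM\r\n"
    "250-AUTH=PLAIN LOGIN\r\n"
    "250 PIPELINING\r\n"
)

# The Authentication ruleset from the guide: an allow-list, default rule deny.
ALLOWED_AUTH = {"CRAM-MD5", "DIGEST-MD5", "GSSAPI", "LOGIN", "NTLM", "PLAIN"}

# The four ESMTP tab checkboxes, keyed by the EHLO keyword each one controls
# (assumed mapping: Remote Message Queue Starting is the ETRN keyword of RFC 1985).
DEFAULT_POLICY = {
    "CHUNKING": True,     # Allow BDAT/CHUNKING
    "ETRN": False,        # Allow Remote Message Queue Starting
    "8BITMIME": True,     # Allow 8bit-MIME
    "BINARYMIME": True,   # Allow Binary MIME (needs CHUNKING as well)
}


def filter_ehlo_reply(reply: str, policy: dict, allowed_auth: set) -> str:
    """Return the EHLO reply with everything the policy does not allow removed.

    Extension keywords the policy denies are dropped; BINARYMIME is dropped
    whenever CHUNKING is denied (binary bodies can only be sent with BDAT,
    RFC 3030); AUTH lines keep only allow-listed mechanisms and disappear
    if none remain. The reply is re-terminated so the last line uses "250 ".
    """
    lines = [l for l in reply.split("\r\n") if l]
    keep = [lines[0][4:]]                       # greeting line is always kept
    for line in lines[1:]:
        text = line[4:]                         # strip "250-" / "250 "
        keyword, _, params = text.partition(" ")
        kw = keyword.upper()
        if kw == "AUTH" or kw.startswith("AUTH="):
            # "AUTH=mech ..." is the obsolete form some clients still expect.
            mechs = ([kw[5:]] if kw.startswith("AUTH=") else []) + params.split()
            mechs = [m for m in mechs if m.upper() in allowed_auth]
            if mechs:
                prefix = "AUTH=" if kw.startswith("AUTH=") else "AUTH "
                keep.append(prefix + " ".join(mechs))
            continue
        if kw == "BINARYMIME" and not (policy.get("BINARYMIME") and policy.get("CHUNKING")):
            continue
        if kw in policy and not policy[kw]:
            continue
        keep.append(text)
    last = len(keep) - 1
    return "".join(f"250{'-' if i < last else ' '}{t}\r\n" for i, t in enumerate(keep))


def advertised_extensions(reply: str) -> list:
    """Upper-cased keywords a (filtered) reply still advertises, greeting excluded."""
    return [l[4:].split(" ")[0].upper() for l in reply.split("\r\n") if l][1:]


if __name__ == "__main__":
    print(filter_ehlo_reply(SAMPLE_EHLO_REPLY, DEFAULT_POLICY, ALLOWED_AUTH), end="")
```

With the default policy the filtered reply loses ETRN and the XOAUTH2 mechanism but keeps CHUNKING and BINARYMIME; turning CHUNKING off removes BINARYMIME as well, which is the dependency the NOTE above describes.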


Masquerading tab

This tab allows you to masquerade domain names and message-IDs for incoming or outgoing SMTP messages. Masquerading domains allows you to present all email as if it originates from a single domain. Masquerading message-IDs allows you to replace the Message-ID SMTP header with new IDs.

Masquerading is generally only useful for outgoing SMTP: because it rewrites the sender's domain, replies to masqueraded mail are addressed to the masquerade domain.

Domain Name

Type a domain name here to replace the domain names for incoming or outgoing messages with the specified domain. For example, if you type "watchguard.com" on the Incoming SMTP Proxy, then to your users it will appear that all incoming email is from senders at watchguard.com.

Masquerade Message IDs

Select this checkbox to replace the Message-ID header field in all incoming messages. Note that this may disrupt message threading, because In-Reply-To and References headers in later messages will point at IDs that no longer exist.

Deny Message tab

This tab allows you to customize a Deny Message. The Deny Message replaces inline content that is stripped.

You can customize the Deny Message with standard text. You can also change the character set, for non-English text, and you can call values from the proxy action to describe why content was removed.

The following values can be called from the proxy action:

%(type)%

This inserts the Content-Type for the content that is stripped.

%(filename)%

This inserts the filename of the stripped content.

%(rulename)%

This inserts the name of the rule that stripped the content.
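As an added example serving both the Headers tab and the Deny Message tab above (it is not CPM code), the following applies the Incoming proxy's default header allow-list to a message and then replaces a stripped attachment with a Deny Message in which %(type)%, %(filename)% and %(rulename)% are expanded. The message, the content rules and the template wording are constructed for the example; Python's standard email library does the MIME handling.

```python
"""Header allow-list filtering and Deny Message substitution for one message.

Added example using only Python's standard email library; it is not CPM code.
The message, the content rules and the template text are constructed for the example.
"""
import email
from email import policy as email_policy
from email.message import EmailMessage

# The Incoming proxy's default header allow-list, as listed in the Headers tab.
ALLOWED_HEADERS = {h.lower() for h in """
Approved-By Bcc Cc Comments Content-Description Content-Disposition Content-ID
Content-Language Content-Length Content-MD5 Content-Transfer-Encoding Content-Type
Date Encoding Encrypted From In-Reply-To Keywords MIME-Version Message-ID
Precedence References Reply-To Resent-Bcc Resent-Cc Resent-Date Resent-From
Resent-Message-ID Resent-Reply-To Resent-To Status Subject To
""".split()}

# A Deny Message using the three values the proxy action can supply.
DENY_TEMPLATE = ("The attachment %(filename)% (%(type)%) was removed by the mail "
                 "proxy because it matched rule %(rulename)%.")

# Constructed content rules: (rule name, media-type prefix to strip).
CONTENT_RULES = [("no-executables", "application/x-msdownload"),
                 ("no-archives", "application/zip")]


def parse_message(raw: bytes) -> EmailMessage:
    """Parse raw message bytes with the modern (RFC 5322/MIME aware) policy."""
    return email.message_from_bytes(raw, policy=email_policy.default)


def strip_disallowed_headers(msg: EmailMessage, allowed: set) -> list:
    """Default rule 'strip': delete every header not on the allow-list; return their names."""
    stripped = [name for name in msg.keys() if name.lower() not in allowed]
    for name in set(stripped):
        del msg[name]          # removes all occurrences of that header
    return stripped


def render_deny_message(template: str, ctype: str, filename: str, rulename: str) -> str:
    """Expand %(type)%, %(filename)% and %(rulename)% as the Deny Message tab describes."""
    return (template.replace("%(type)%", ctype)
                    .replace("%(filename)%", filename or "(no filename)")
                    .replace("%(rulename)%", rulename))


def strip_disallowed_parts(msg: EmailMessage, rules: list, template: str) -> list:
    """Replace each MIME part matching a rule with an inline text/plain Deny Message."""
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        for rulename, prefix in rules:
            if ctype.startswith(prefix):
                filename = part.get_filename() or ""
                hits.append((rulename, ctype, filename))
                # set_content drops the old Content-* headers and payload, then
                # installs a text/plain body carrying the notice.
                part.set_content(render_deny_message(template, ctype, filename, rulename))
                del part["MIME-Version"]   # belongs on the top-level message only
                break
    return hits


def filter_message(msg: EmailMessage) -> dict:
    """Apply header filtering, then content stripping; report what was removed."""
    return {"headers": strip_disallowed_headers(msg, ALLOWED_HEADERS),
            "parts": strip_disallowed_parts(msg, CONTENT_RULES, DENY_TEMPLATE)}


def build_sample_message() -> bytes:
    """Constructed sample: allowed headers, two that are not, and an executable attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.net"
    msg["Subject"] = "Quarterly report"
    msg["Date"] = "Mon, 03 Mar 2003 10:00:00 +0000"
    msg["Message-ID"] = "<12345@example.org>"
    msg["X-Mailer"] = "ExampleMailer 1.0"                       # not on the allow-list
    msg["Received"] = "from mx.example.org by mx.example.net"   # not on the allow-list either
    msg.set_content("Report attached.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="x-msdownload", filename="report.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    m = parse_message(build_sample_message())
    print(filter_message(m))
    print(m.as_string())
```

Running it strips X-Mailer and Received from the sample (the default list does not allow either) and turns the .exe attachment into a text part reading "The attachment report.exe (application/x-msdownload) was removed by the mail proxy because it matched rule no-executables."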

Reference Sources

Throughout this Reference, material is adapted from, and linked to, information from Internet standards bodies, relevant corporations and groups. In all possible cases, the most recent available definition for a parameter is used.

Reference sources include:

• HTTP: a Protocol for Networked Information [1992] http://www.w3.org/Protocols/HTTP/HTTP2.html

• RFC 822, Standard for the Format of ARPA Internet Text Messages http://www.ietf.org/rfc/rfc0822.txt

• RFC 1652, SMTP Service Extension for 8bit-MIME transport http://www.ietf.org/rfc/rfc1652.txt

• RFC 1806, Communicating Presentation Information in Internet Messages: The Content-Disposition Header http://www.ietf.org/rfc/rfc1806.txt

• RFC 1869, SMTP Service Extensions http://www.ietf.org/rfc/rfc1869.txt

• RFC 1945, Hypertext Transfer Protocol -- HTTP/1.0 http://www.w3.org/Protocols/rfc1945/rfc1945.txt

• RFC 1985, SMTP Service Extension for Remote Message Queue Starting http://www.ietf.org/rfc/rfc1985.txt

• RFC 2068, Hypertext Transfer Protocol -- HTTP/1.1 [January 1997] http://www.w3.org/Protocols/rfc2068/rfc2068.txt

• RFC 2518, HTTP Extensions for Distributed Authoring -- WEBDAV http://www.ietf.org/rfc/rfc2518.txt

• RFC 2554, SMTP Service Extension for Authentication http://www.ietf.org/rfc/rfc2554.txt

• RFC 2616, Hypertext Transfer Protocol -- HTTP/1.1 [June 1999] http://www.w3.org/Protocols/rfc2616/rfc2616.html

• RFC 2821, Simple Mail Transfer Protocol [April 2001] http://www.ietf.org/rfc/rfc2821.txt

• RFC 2965, HTTP State Management Mechanism http://www.ietf.org/rfc/rfc2965.txt (also RFC 2109)

• RFC 3030, SMTP Service Extensions for Transmission of Large and Binary MIME Messages http://www.ietf.org/rfc/rfc3030.txt

• RFC 3253, Versioning Extensions to WebDAV (Web Distributed Authoring and Versioning) http://www.ietf.org/rfc/rfc3253.txt

• MIME Media Types http://www.iana.org/assignments/media-types/

CHAPTER 10
About Virtual Private Networks

The Internet is a technical and social development that puts a multitude of information at your fingertips. On this worldwide system of networks, a user at one computer can get information from numerous other computers. The benefits of using the Internet to exchange information and conduct business are enormous.

Unfortunately, so are the risks. Unless they are protected, data packets traveling the Internet are transported in plain text, so anyone on the path can read or alter them and place the security of your network in jeopardy.

Virtual private networking technology counters this threat by using the Internet's vast capabilities while reducing its security risk. A virtual private network (VPN) allows communication to flow across the Internet between two networks or between a host and a network in a secure manner.

Typical networks and hosts using a VPN might include a corporate headquarters, branch offices, remote users, telecommuters, and traveling employees. Authentication verifies the identity of both the sender and the receiver. Data sent over the Internet is encrypted so that only the sender and the receiver of the message can see it in a clearly readable state.

About VPN Policies

To establish VPN connections between your present site and other remote sites, you must create and apply VPN policies in security appliances on each end. These policies specify the required levels of authentication and encryption to protect the data streams. In addition, you can also create VPN policies for Vclass appliances that permit secure communications between a site and authorized clients.

The first step in creating a VPN policy is determining the way in which keys are selected. Key selection can occur in two ways:

Manual

Manual key mode requires that the administrator of each security appliance manually enter the text of a key on each system that exactly matches the other system's key. The drawbacks to manual keys are

- potential errors in key entry

- keys must be manually replaced on a regular basis

- a fixed, long-lived key exposes more traffic if it is ever guessed, leaked, or recovered, because everything sent under it can then be decrypted

Automatic

Automatic key mode uses the IKE protocol to generate new keys when they are needed. Keys and encryption/authentication algorithms are first negotiated, and then chosen and used by the two participating security appliances.

An additional level of protection can be applied through third-party certificate authorities, who provide verification that a security appliance (and the organization behind it) is exactly what it represents itself to be.

In either key management mode, the user can choose different encryption and authentication algorithms to protect the data streams sent through a VPN connection.

VPN Policies and IPSec Actions

A VPN security policy always includes an IPSec action, regardless of whether you are creating a manual key or automatic key policy. The IPSec action determines what type of authentication and encryption will be used to protect traffic governed by this policy. VPN policies can incorporate different kinds of keys (manual or automatic) and different types of encryption and authentication algorithms, and apply them to the data stream. If a VPN policy has no IPSec action, the data is sent as clear text, so check that every policy meant to carry confidential traffic has a populated Action cell.

Three major qualifications are established in an IPSec action: mode, key management, and encryption/authentication.

Mode

Tunnel mode is used when appliances act as security gateways on both ends or when a remote VPN client connects to an appliance. Data packets are encrypted and tunnelled from one appliance to the other, where decryption takes place and the data is forwarded to its final destination. The IP address of each tunnel peer must be specified.

Transport mode is usually applied in end-to-end secured communications, where the two hosts exchanging the traffic are themselves the IPSec endpoints.

Key Management

This specifies whether the key is automatically or manually created. Automatic key management is done in accordance with IKE, an IETF standard protocol. Using IKE, encryption keys are automatically negotiated and selected by two connected security appliances. This provides the easiest, most efficient key management.

Encryption/authentication

Two principal types of security protocols exist to protect data packets in Internet communications. AH (Authentication Header) protocol is applied to IP packets for authentication, while ESP (Encapsulating Security Payload) can be applied to IP packets for both encryption and authentication.

About Encryption

The Firebox Vclass security appliance supports the following algorithms:

Protocol   Authentication algorithm   Encryption algorithm
AH         MD5, SHA                   not applicable
ESP        MD5, SHA                   DES, 3DES

DES uses a 56-bit key and can be recovered by brute force with modest resources; for traffic that must stay confidential, choose 3DES, and prefer SHA over MD5 for authentication.

When a manual key is configured in an IPSec action, security protocols (AH, ESP, or both) must be selected. The related keys are created by the administrator. Using an automatic key provides more flexibility regarding which security protocols and algorithms are used.

This flexibility is expressed in the form of proposals incorporated into the IPSec action. For example, one proposal may use ESP with 3DES for encryption and SHA for authentication. A second proposal uses ESP with DES for encryption and AH with MD5 for authentication. When a Firebox Vclass appliance negotiates with another appliance to select an automatic key, the initiating appliance sends a list of proposals to the other, starting a negotiation process at the end of which a protocol and algorithm are chosen and used. Proposals are offered in the order listed, so put the strongest combination first.

Overview of Creating a VPN

In a typical site-to-site VPN connection, a Firebox Vclass security appliance is placed at each end of the connection, where the site network interfaces with the external Internet.

It is especially important to remember that a VPN setup that connects two components over any kind of network requires two security appliances, one on each end of the connection. One of the ends of the VPN connection could also be a Firebox V10 appliance acting as a VPN client.

Each Vclass appliance is then configured with a single bidirectional VPN policy that manages both incoming and outgoing traffic exchanged with the other appliance.

The general process of creating a VPN policy includes:

• Choosing between automatic (IKE) and manual key management.

• Determining whether to use a pre-shared key or certificates for IKE authentication. If you are using certificates, you must request a certificate and import it into the appliance.

• Determining the specifications that qualifying traffic must match.

• Specifying an IPSec action to protect this stream.

If you are planning automatic key management, you must create a separate IKE policy to restrict the peers that are allowed to participate in the exchange, as well as protecting the key selection process negotiated between two security appliances.

The following chapter will guide you in creating and applying a VPN policy that uses automatic keys. For information on creating manual key VPN policies, see the CPM Applications Guide.

CHAPTER 11
Creating an Automatic Key IPSec Action

You can use CPM to create and deploy IPSec/VPN security policies that use IKE automatic key creation and management. The process is greatly simplified in CPM because the peers involved in such policies are automatically assigned a default PSK-based IKE proposal by CPM. You can then open and edit it (and the associated transforms) to reflect your IKE/authentication preferences.

This chapter describes how to compile and apply automatic key VPN policies with the attending actions (proposals and transforms) to specific appliances.

An Overview of VPN Policies

The following outlines the general process of defining and deploying an automatic key VPN policy:

1 Import all required certificates for all regist
appliances, as described in "Importing Licenses and Certificates (Optional)" on page 70. (This is optional if you are not using third-party authentication.)

2 Create the IPSec/VPN policy, as described in this chapter.

3 Fine-tune any applicable IKE proposals, using the IKE Proposals window, as described in the CPM Applications Guide.

4 Fine-tune the IKE authentication, using one or both of the following:

- A default pre-shared key

- An X.509 certificate (per appliance)

5 Deploy the policy to the pair of appliances.

Creating a New Automatic Key VPN Policy

You have two options in creating VPN policies that use automatic keys:

• Create a policy using one of the default IPSec actions, which use a range of proposals. This simplifies your work while providing sufficient protection for your traffic.

• Create a policy that uses a custom action (with proposals), if you choose. CPM provides all the required resources for this process.

To select an existing automatic key IPSec action for use in a policy, follow these steps:

1 Open the Configuration Editor window.

2 Insert a new policy row in the Policy tab.

3 Drag-and-drop the appropriate internal-network address (one or more) into the Source cell.

4 Drag-and-drop the appropriate internal-network addresses (one or more) behind the peer appliance into the Destination cell.

5 Drag-and-drop the service or combined services that this policy will permit.

6 Click the IPSec Action tab in the left margin.

7 Drag-and-drop any of the listed IKE actions from the IPSec Action tab onto the Action cell in the appropriate policy row.

Maximum Security is the recommended action for all confidential traffic. If you want to customize your own IPSec action for use in this policy, see "Customizing an IPSec Action" on page 235.

8 If needed, open the Schedule tab and drag a schedule into the Schedule cell.

9 Select a logging option.

The three default IPSec actions offer the following levels of protection:

                     Minimum Security   High Security   Maximum Security
Mode                 Tunnel             Tunnel          Tunnel
PFS                  Enabled            Enabled         Enabled
PFS Key Group        D-H Group 2        D-H Group 2     D-H Group 2
SA Life              480 min/50MB       480 min/50MB    480 min/50MB
ESP                  DES                3DES            3DES/SHA-1
AH                   -N/A-              -N/A-           -N/A-
Replay Detection?    Yes                Yes             Yes
Window Size          32                 32              32

Minimum Security relies on single DES, whose 56-bit key can be brute-forced; do not use it for traffic that must remain confidential. All three actions enable replay detection with a 32-packet window, which is the minimum window size RFC 2401 requires a receiver to support.
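The Replay Detection and Window Size rows above refer to the IPsec anti-replay window. The following added example (not CPM code) implements the sliding-window check from RFC 2401 Appendix C with the 32-packet window the default actions use, including the rule that the window is only updated after the packet's integrity check has passed; the packet trace is constructed.

```python
"""IPsec anti-replay sliding window (RFC 2401 Appendix C style), window size 32.

Added example, not CPM code; the packet trace at the bottom is constructed.
"""


class ReplayWindow:
    """Tracks which ESP/AH sequence numbers inside a window have been accepted."""

    def __init__(self, size: int = 32):
        if size < 32:                       # RFC 2401: receivers MUST support at least 32
            raise ValueError("window size must be at least 32")
        self.size = size
        self.last = 0                       # highest sequence number accepted so far
        self.bitmap = 0                     # bit i set  <=>  sequence (last - i) accepted
        self.mask = (1 << size) - 1

    def check(self, seq: int) -> bool:
        """Non-mutating check done BEFORE integrity verification: is seq worth verifying?"""
        if seq == 0:                        # sequence numbers start at 1
            return False
        if seq > self.last:                 # to the right of the window: new
            return True
        diff = self.last - seq
        if diff >= self.size:               # to the left of the window: too old
            return False
        return not (self.bitmap >> diff) & 1   # inside the window: reject if already seen

    def update(self, seq: int) -> None:
        """Record seq as accepted. Call only after the packet's ICV has verified."""
        if seq > self.last:
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & self.mask if shift < self.size else 1
            self.last = seq
        else:
            self.bitmap |= 1 << (self.last - seq)

    def accept(self, seq: int, icv_ok: bool) -> bool:
        """Full receive path: window check, then integrity, then window update.

        Updating before integrity verification would let an attacker with no key
        advance the window and cause genuine packets to be dropped.
        """
        if not self.check(seq):
            return False
        if not icv_ok:
            return False
        self.update(seq)
        return True


def run_trace(trace):
    """Feed (seq, icv_ok) events through a fresh 32-packet window; return the verdicts."""
    w = ReplayWindow(32)
    return [w.accept(seq, ok) for seq, ok in trace]


# Constructed trace: normal traffic, a replayed packet, a late packet, a forged one.
SAMPLE_TRACE = [(1, True), (2, True), (3, True), (4, True), (5, True),
                (3, True),     # replay of an accepted packet
                (40, True),    # big jump: window now covers 9..40
                (10, True),    # late but inside the window and unseen
                (10, True),    # replayed late packet
                (8, True),     # 40 - 8 = 32: fell off the left edge
                (41, False),   # new sequence number but bad ICV (forged)
                (41, True)]    # the genuine 41 must still be accepted

if __name__ == "__main__":
    for (seq, ok), verdict in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(f"seq={seq:3d} icv_ok={ok!s:5} -> {'accept' if verdict else 'drop'}")
```

The trace shows why the order of operations matters: the forged packet 41 is rejected without moving the window, so the genuine packet 41 that follows is still accepted.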


Making a VPN Policy Bi-directional

Each new automatic-key VPN policy is bidirectional by default, and depends upon Source and Destination entries to establish the direction of traffic. You can, however, change this state to "unidirectional" after the action has been added to a policy. In doing so, you do not have to further revise the Source or Destination entries.

To make a bi-directional policy unidirectional, based on the source and destination settings, right-click the policy row's Action cell and deselect Bi-directional.

Assessing the IKE settings

After you create the policy, CPM automatically registers the two appliances as an IKE pair. You can now review the IKE proposal and fine-tune the IKE authentication, which involves replacing the default pre-shared key text if you choose or selecting an X.509 certificate, if available.

1 Click the IKE Pairs tab.

2 Look for the new pair entry, which lists the two appliances you just combined in your new policy.

3 Right-click the pair entry and select Set IKE Proposal.

4 When the IKE Proposal dialog box appears, you can replace the current proposal with any custom proposals, if any are listed in this dialog box.

5 Click OK to close this dialog box, whether or not you select a replacement proposal.

6 Right-click the same pair entry and select Edit/View IKE Authentication Rules.

One of two versions of the Authentication dialog box appears.

If an appliance has an X.509 certificate

1 If the wrong appliance or certificate is listed in the menu, open the Cert to be used by menu and select another certificate.

2 If the Certificate is matched by entries will be symmetrical (applied equally to both appliances), make your entries in the single tab below the Use Symmetrical checkbox.

3 If the Certificate is matched by entries are unique to each appliance, click to clear the checkbox marked Use Symmetrical.

4 Click each of the two appliance-specific tabs and make the appropriate certificate-matching entries.

5 Click OK.

6 Repeat this IKE-authentication review process for all possible pairs that were automatically created from your new policy (as a result of using more than one appliance as source and destination).

If neither appliance has an X.509 certificate

1 Click Edit Key.

The Pre-Shared Key dialog box appears.

2 If you want to replace the automatically generated key text, click the button by your entry preference, and then type new text in the Key field. If you type your own key, make it long and random; the strength of the IKE authentication for this pair depends entirely on it.

3 Click OK to save this entry.

4 Click OK to close the Authentication dialog box.

Customizing an IPSec Action

Normally, one of the three default IPSec actions will be sufficient. However, if your network has unique needs, you can create a custom action:

1 With the IPSec Action tab selected, click the Create a New Object button and select New Auto IPSec from the pop-up menu.

The IPSec Action dialog box appears.

2 Click the General tab. In the Name field, type a name for this action.

The name should include only numbers, letters, hyphen (-), and underscore (_) characters.

3 From the Mode menu, select either Tunnel or Transport.

Tunnel

This mode prompts the Firebox Vclass appliance to hide any information about the original sender of data, representing the Firebox Vclass appliance as the original sender. This option is preferred for site-to-site connections, in which the traffic goes through the Firebox Vclass appliance.

Transport

No additional identity masking will be applied. This option is ideal for use in secured communication directed to this Firebox Vclass appliance itself, such as SNMP traffic.

4 If you want to activate PFS, click the checkbox marked Enable Perfect Forward Secrecy.

If you do not activate this option, replacement keys (generated when a key expires) are derived from the same key material that produced the previous keys, so an attacker who recovers that material can derive every key in the series. If this option is active, the policy performs a fresh Diffie-Hellman exchange and uses new key material every time it generates a replacement key.

5 (If you enabled Perfect Forward Secrecy) From the PFS Key Group menu, select one of the two available Diffie-Hellman group options to be applied to PFS.

Diffie-Hellman groups define the public parameters (a prime modulus and a generator) that enable two peer systems with no prior knowledge of one another to agree on a shared secret over a public channel.
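To make concrete what the PFS checkbox changes, the following added example (not CPM code) derives quick-mode key material with and without PFS following RFC 2409 section 5.5, using Diffie-Hellman group 2, the default PFS Key Group in this guide. SKEYID_d, the SPI and the nonces are fixed constructed values and the prf is HMAC-SHA-1; the example then shows that an attacker who later obtains SKEYID_d and had recorded the exchange can rebuild the keys only when PFS was off.

```python
"""What PFS changes in IKE quick-mode key derivation (RFC 2409 section 5.5).

Added example, not CPM code. The group 2 parameters are copied from RFC 2409
section 6.2; SKEYID_d, SPI and nonces are fixed constructed values. KEYMAT is
expanded as K1 = prf(SKEYID_d, [g^xy |] proto | SPI | Ni | Nr),
K2 = prf(SKEYID_d, [g^xy |] K1 | proto | SPI | Ni | Nr), and so on.
"""
import hashlib
import hmac
import secrets

# Oakley group 2 (RFC 2409 section 6.2): 1024-bit MODP prime, generator 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
PROTO_ESP = b"\x03"                 # PROTO_IPSEC_ESP in the IPsec DOI (RFC 2407)


def prf(key: bytes, data: bytes) -> bytes:
    """IKE prf: HMAC with the negotiated hash, SHA-1 here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    """Fresh ephemeral exponent and public value in group 2."""
    x = secrets.randbelow(GROUP2_P - 2) + 1
    return x, pow(GROUP2_G, x, GROUP2_P)


def dh_shared(x: int, peer_public: int) -> bytes:
    """g^xy as a fixed-width big-endian byte string."""
    return pow(peer_public, x, GROUP2_P).to_bytes(128, "big")


def expand_keymat(skeyid_d: bytes, gxy: bytes, spi: bytes, ni: bytes, nr: bytes, length: int) -> bytes:
    """Iterate the prf until `length` bytes of KEYMAT exist (e.g. 24 + 20 for 3DES/SHA-1)."""
    tail = PROTO_ESP + spi + ni + nr
    out, k = b"", b""
    while len(out) < length:
        k = prf(skeyid_d, gxy + k + tail)   # gxy is empty without PFS
        out += k
    return out[:length]


def quick_mode(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes, pfs: bool, length: int = 44):
    """Derive KEYMAT for one quick-mode exchange.

    Returns (keymat, transcript) where transcript is everything a passive observer
    on the wire can record: SPI, nonces and, with PFS, the public DH values.
    """
    if pfs:
        xi, gi = dh_keypair()
        xr, gr = dh_keypair()
        gxy = dh_shared(xi, gr)
        assert gxy == dh_shared(xr, gi)      # both sides compute the same secret
        transcript = {"spi": spi, "ni": ni, "nr": nr, "gi": gi, "gr": gr}
        # xi and xr go out of scope here: the ephemeral exponents are discarded.
    else:
        gxy = b""
        transcript = {"spi": spi, "ni": ni, "nr": nr}
    return expand_keymat(skeyid_d, gxy, spi, ni, nr, length), transcript


def attacker_recompute(skeyid_d: bytes, transcript: dict, length: int = 44):
    """An attacker who later obtains SKEYID_d replays the derivation from the recorded exchange.

    Without PFS the recorded SPI and nonces are all that is needed. With PFS the
    transcript holds only g^xi and g^xr; recovering g^xy from them is the
    Diffie-Hellman problem, so there is nothing to feed the prf and None is returned.
    """
    if "gi" in transcript:
        return None
    return expand_keymat(skeyid_d, b"", transcript["spi"], transcript["ni"], transcript["nr"], length)


if __name__ == "__main__":
    skeyid_d = bytes(range(20))
    spi, ni, nr = b"\x00\x00\x12\x34", b"N" * 16, b"R" * 16
    for pfs in (False, True):
        keymat, seen = quick_mode(skeyid_d, spi, ni, nr, pfs)
        guess = attacker_recompute(skeyid_d, seen)
        print(f"PFS={pfs!s:5} attacker recovers KEYMAT: {guess == keymat}")
```

Without PFS the derivation is a deterministic function of SKEYID_d and values sent in the clear, so compromising SKEYID_d exposes every SA keyed from it; with PFS each SA additionally depends on an ephemeral g^xy that neither the transcript nor SKEYID_d reveals.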

Customizing an IPSec proposal using a single transform

You can add a new proposal to this action that incorporates a single transform, either ESP or AH, as described in this section:

1 Click the Proposal tab.

2 In the SA Life fields (minutes and Kbytes), enter the appropriate values.

3 If this proposal will use ESP transforms (the default), from each of the two Algorithm menus (Encrypt Alg and Hash Alg), select the appropriate options.

4 If you want to apply AH transforms, select the checkbox marked Authentication Protocol. From the Hash Alg menu, select the appropriate option.

5 If you want replay detection to be active, select the checkbox marked Enable Replay Detection and select the value you want from the Window Size menu.

6 Click OK to save this IPSec action.

You can now use this action in security policies.

Customizing an IPSec proposal with more than one transform

You can add an all-new proposal to this action that incorporates two or more transforms that apply both ESP and AH algorithms:

1 Click the Proposal tab.

2 Change the values in the SA Life fields (minutes and Kbytes) to values of your preference.

3 To enter two or more transforms (using a combination of ESP and AH algorithms), click to select the checkbox marked Use Multiple Transforms.

The transform options are replaced by a new set of features. The Transform table lists a single default transform: ESP, using DES/SHA-1 and with an SA life of 480 minutes (or 50,000 kilobytes).

4 To add a second transform, click Add.

The Transform dialog box appears.

5 If this proposal will use ESP transforms (the default), from each of the two Algorithm menus (Encrypt Alg and Hash Alg), select the appropriate options.

6 If you want to apply AH transforms, click to select the checkbox marked Authentication Protocol. From the Hash Alg menu, select the appropriate option.

7 (Optional) Enter appropriate values in the SA Life fields (Minutes and Kbytes).

8 Click OK to close this dialog box.

When the Proposal tab reappears, the new transform appears.

9 Repeat this process to enter more transforms if you choose.

10 When you are finished, use the Up/Down arrow buttons to the right to move selected transforms into the correct sort order in the Transforms table.

11 If you want replay detection to be active, select the checkbox marked Enable Replay Detection and select the value you want from the Window Size menu.

12 Click OK to save this IPSec action.

You can now use this action in security policies.


Customizing multiple IPSec proposals with one or more transforms

1 Click the Proposal tab.

2 (Optional) Enter new values in the SA Life fields (Minutes and Kbytes).

3 Make the required transform entries, using either ESP or AH.

If you prefer, click the checkbox marked Use Multiple Transforms and use the resulting features to enter and sort a number of transforms for future use by this proposal.

4 If you want replay detection to be active, you can open the Window Size menu and choose the preferred value. If you don't want replay detection to be active, click to clear the Enable Replay Detection checkbox.

5 To add a second proposal, from the Actions menu, select Add a Proposal.

6 Fill in this proposal's settings (using multiple transforms, if you prefer). You can add more proposals to the action after completing this one, if you choose.

7 When you are finished, click OK to save this IPSec action.

The action appears in the IPSec Action tab. You can now use this action in security policies.
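The following added example (not CPM code) models the structure the preceding sections describe, using the two proposals from the About Encryption section as the initiator's action: proposals are ordered alternatives, each is a set of ESP and/or AH transforms applied together with an SA life, and the responder takes the initiator's first proposal it can also satisfy, with the shorter of the two lifetimes. The responder policies are constructed; the point of the `negotiate` wrapper is that no agreed proposal must mean no traffic, never clear text.

```python
"""Proposal and transform selection as an IPSec action presents it to a peer.

Added example, not CPM code. It models the structure the Proposal tab exposes:
an action is an ordered list of proposals (alternatives), a proposal is a set of
transforms that are applied together (ESP and/or AH) plus an SA life. The
responder policies below are constructed examples.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

ENCRYPT_ALGS = {"DES", "3DES"}          # the Vclass ESP encryption algorithms
HASH_ALGS = {"MD5", "SHA-1"}            # the Vclass authentication algorithms


@dataclass(frozen=True)
class Transform:
    protocol: str                       # "ESP" or "AH"
    hash_alg: str                       # MD5 or SHA-1
    encrypt_alg: Optional[str] = None   # ESP only; AH never encrypts

    def validate(self) -> None:
        if self.protocol not in ("ESP", "AH"):
            raise ValueError(f"unknown protocol {self.protocol}")
        if self.hash_alg not in HASH_ALGS:
            raise ValueError(f"unsupported hash {self.hash_alg}")
        if self.protocol == "ESP" and self.encrypt_alg not in ENCRYPT_ALGS:
            raise ValueError("ESP transform needs DES or 3DES")
        if self.protocol == "AH" and self.encrypt_alg is not None:
            raise ValueError("AH transform cannot carry an encryption algorithm")


@dataclass(frozen=True)
class Proposal:
    transforms: Tuple[Transform, ...]   # applied together, e.g. ESP + AH
    life_minutes: int = 480
    life_kbytes: int = 50000

    def validate(self) -> None:
        if not self.transforms:
            raise ValueError("a proposal needs at least one transform")
        for t in self.transforms:
            t.validate()
        if len({t.protocol for t in self.transforms}) != len(self.transforms):
            raise ValueError("at most one ESP and one AH transform per proposal")


def select_proposal(initiator, responder) -> Optional[Proposal]:
    """Walk the initiator's proposals in order and return the first whose transform
    set the responder also offers, with the shorter of the two SA lives (the responder
    must not use a longer life than the one offered). Returns None when nothing matches."""
    for p in initiator:
        p.validate()
        for q in responder:
            q.validate()
            if set(p.transforms) == set(q.transforms):
                return Proposal(p.transforms,
                                min(p.life_minutes, q.life_minutes),
                                min(p.life_kbytes, q.life_kbytes))
    return None


def negotiate(initiator, responder) -> Proposal:
    """Fail closed: no agreed proposal means no SA, and traffic must not go out in the clear."""
    chosen = select_proposal(initiator, responder)
    if chosen is None:
        raise RuntimeError("no acceptable proposal; refusing to pass traffic unprotected")
    return chosen


# The two proposals used as an example in the guide's About Encryption section
# (the hash for the ESP/DES transform is an assumption; the guide does not name one).
ESP_3DES_SHA = Transform("ESP", "SHA-1", "3DES")
ESP_DES_MD5 = Transform("ESP", "MD5", "DES")
AH_MD5 = Transform("AH", "MD5")

INITIATOR_ACTION = [Proposal((ESP_3DES_SHA,)),                   # strongest first
                    Proposal((ESP_DES_MD5, AH_MD5))]              # fallback with two transforms

# Constructed responder policies.
RESPONDER_LENIENT = [Proposal((ESP_DES_MD5, AH_MD5), life_minutes=240),
                     Proposal((ESP_3DES_SHA,), life_minutes=240)]
RESPONDER_LEGACY = [Proposal((ESP_DES_MD5, AH_MD5))]
RESPONDER_STRICT = [Proposal((Transform("ESP", "SHA-1", "3DES"), Transform("AH", "SHA-1")))]

if __name__ == "__main__":
    for name, r in (("lenient", RESPONDER_LENIENT), ("legacy", RESPONDER_LEGACY),
                    ("strict", RESPONDER_STRICT)):
        try:
            print(name, "->", negotiate(INITIATOR_ACTION, r))
        except RuntimeError as e:
            print(name, "->", e)
```

Against the lenient responder the initiator's first preference (ESP 3DES/SHA-1) wins even though the responder lists it second, and the SA life drops to the responder's 240 minutes; the legacy responder forces the DES fallback, and the strict responder, which insists on AH with SHA-1, yields no SA at all.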

CHAPTER 12
Creating Remote Access VPN Policies

Telecommuters working from home and traveling employees who need corporate network access are common fixtures in today's business environment.

Using CPM, you can create an IPSec tunnel between an unsecured remote host and your trusted and optional networks using a standard Internet dial-up or broadband connection without compromising security.

Creating a Policy for a Firebox V10

This section describes how to set up RAS connections in which the client is a Firebox V10 security appliance.

Creating the Addresses entries

1 Make sure you have created appliance entries for each client appliance.

2 Create a new address group (such as V10_RAS_use) with no entries. For more information on creating address groups, see Chapter 7, "Defining Security Policies in CPM."

3 From the Configuration Editor, right-click the target gateway appliance, select New => New Address, and create a new address entry (such as pvt_net) to represent the internal/trusted network behind interface 0 (private).

4 Right-click each V10 entry and create a new address entry representing the subnet behind interface 0 (private).

5 Drag the V10-specific entries you created in step 4 onto the address group you created in step 2.

Creating the RAS security policy

1 From the Configuration Editor, create a new policy row and rename the policy (for example, V10_RAS).

2 Drag the V10_RAS_use address entry into the Source cell.

3 Drag the Corporate_Network address entry into the Destination cell.

4 Drag ANY or your own service preferences into the Service cell.

Using ANY gives every connected remote site access to all services on the corporate network; narrow the service list to what the remote users actually need wherever you can.

5 Drag the IPSec Action tab's Maximum Security entry into the Action cell.

6 Make this policy bidirectional.

Confirming the IKE settings

1 Click the IKE Pairs tab.

2 Select each of the new entries automatically generated by the new V10_RAS policy.

3 Open the Authentication dialog box to make sure the authentication protocols are set properly.

4 If you want your external users to enter user-specific authentication when they log in, change Default to Default with Xauth.

Generating and deploying profiles

1 From the Profiles tab, generate or update the profiles.

2 Deploy the profiles to the relevant appliances (client and gateway).

3 Power down and disconnect the appliances.

4 Distribute the appliances to their assigned locations.

5 Have the remote users power up and connect the appliances. You can then use CPM to establish contact with each appliance.

Creating a Policy for MUVPN Client Software

The following procedure shows how to set up RAS connections through a gateway appliance in which the client is an MUVPN application. The process requires that you enter the required address entries, complete the policy, and verify the related IKE pair and Remote Access entries.

Creating the RAS address group

This procedure results in an appliance-specific pool of IP addresses to be temporarily assigned to incoming RAS user connections:

1 From the Configuration Editor window, click the Appliance/Address tab.

2 Locate the specific gateway Firebox Vclass appliance that will be used to manage connections from a group of local RAS client users. Right-click that appliance entry and select New => New RAS Address from the popup menu.

CPM alerts you if the selected appliance doesn't have RAS management features.

3 In the Name field, type a name for the address entry.

4 Next to IP Type, click either IP Subnet or IP Range.

5 If you selected IP Subnet, type the IP address representing the subnet in which the IP addresses are located. This must be a subnet that is not already in use within your network.

If you selected IP Range, type the first and last numbers in the range.

6 In the Netmask field, type the mask of this subnet.

7 Click OK.

Creating the security policy

1 From the Policies tab, create a new policy row.

2 Rename the policy (such as IRE_RAS).

3 Drag the RAS address entry you created above (the address pool) into the Source cell.

4 Drag the Corporate_Network address entry for the relevant appliance into the Destination cell.

5 Drag ANY or your individual service preferences into the Service cell.

6 Drag the IPSec Action tab's Maximum Security option into the Action cell.

7 Make this policy bi-directional.

Confirming the IKE pair settings

1 Click the IKE Pair tab.

2 Verify the accuracy of the new entries generated by the new RAS policy.

3 Select the new IKE rows and click Edit/View IKE Auth.

The Edit/View IKE Authentication dialog box appears.

4 In the Edit Authentication dialog box, verify the default authentication protocols.

Confirming the authentication method

1 Click the Remote Access tab.

246 Central Policy Manager 5.1

Creating a Policy for MUVPN Client Software

2 Click New (in the tab header).

The Add Remote Access dialog box appears, listing any existing

RAS address groups.

3 Select the appropriate address group from those listed below the menu. Click OK .

A new entry appears in the Remote Access tab.

4 Select the new listing and click Edit/View User Group in the tab header.

The Edit User Group dialog box appears.

Central Policy Manager User Guide 247

CHAPTER 12: Creating Remote Access VPN Policies

248

5 From the Address Management menu, select either

None or Appliance . If you want the gateway appliance to assign the IP address for the clients, select

Appliance . This will prompt the gateway appliance to use the address pool you designated earlier.

6 From the Session Time Limit menu, select Hours or

Minutes . Enter the proper increment in the associated text field.

7 From the Idle Timeout menu, select either Hours or

Minutes . Enter the proper increment in the associated text field.

8 If you want to permit the users in this group more than one concurrent RAS connection to the network, change the Max Concurrent Logins number (currently “1” by default).

9 Leave the Enable DNS checkbox selected if you want this appliance to use DNS.

If you don’t want this appliance to use DNS, click to clear the checkbox.

Central Policy Manager 5.1

Creating a Policy for MUVPN Client Software

10 (If you are using DNS) Specify whether you want to use DNS settings or specify a local DNS server by IP address or domain name.

11 Click OK .

The Remote Access table reappears.

12 Select the listing. Click Edit/View User Auth in the tab header.

The Remote User Authentication dialog box appears.

Though two options are listed, only the RADIUS Server supported by CPM.

13 From the RADIUS server authentication method menu, select SecurID .

Central Policy Manager User Guide 249

CHAPTER 12: Creating Remote Access VPN Policies

250

14 In thePrimary Server IP Address field, type the IP address of the local RADIUS server (local to the gateway appliance).

15 If you need to enter a different port number for the

RADIUS server, type the correct port number.

16 In the Secret and Confirm Secret text fields, type the password used to establish secure connections between the appliance and the RADIUS server.

17 If you have a secondary (backup) RADIUS server, click the Enabled checkbox next to Secondary Server, and type the values for the secondary server.

18 Click OK to save the entries and close this dialog box.

19 Deploy this profile (from the Profiles tab) to the relevant appliances (client and gateway).

The profile is now ready for use.

If you have not already done so, use your IRE client administrative software to prepare the individual clients for use, reflecting the settings and entries already made in CPM. Be careful to coordinate the data in both policies, the appliance policy and the client software policy.


CHAPTER 13

Establishing Tunnel Switching

Maintaining and managing VPN tunnels established between a main corporate office and one or more branch offices can become an overwhelming task.

CPM provides tunnel switching to centralize all intersite communication, which preserves network performance and simplifies maintenance.

To see a case study on tunnel switching between remote sites, see the CPM Applications Guide.

About Tunnel Switching

In a fully meshed topology, all servers are interconnected to form a web, or mesh, with only one hop to any VPN member. Because every device in the network must communicate with every other device, the number of tunnels required quickly becomes immense.

In a hub-and-spoke configuration, all VPN tunnels terminate at one end of a centrally located and managed security appliance. The master server is the central hub of this topology, with all communications radiating outward to other servers and returning to the master server. Hub-and-spoke is far more scalable than a meshed topology, with a much more manageable number of tunnels.

Tunnel switching allows branch offices in a hub-and-spoke configuration to communicate with each other by way of the central site. For example, Branch Office A can communicate with Branch Office B by sending traffic to the central office, which switches this traffic from one tunnel (Branch Office A to central office) to another (Branch Office B to central office).

Activating Tunnel Switching on the Central Appliance

1 Open the Configuration Editor window.

2 Click the Appliance/Address tab.

3 Right-click the appliance on which you want to enable tunnel switching and select Edit/View.

The System Configuration dialog box appears.

4 Click the Tunnel Switch tab.

5 Click the Enable Tunnel Switch checkbox. Click Apply. Click OK.

Activating Tunnel Switching Between Sites

To enable data exchange between two sites by way of the central site:

1 If you have not already done so, open the Appliance Manager window and add each remote device.


2 Open the Configuration Editor window. Click the Appliance/Address tab.

3 In the Appliances/Addresses list, select the central site. Create a new address entry for this appliance for tunnel-switching use only. For more information on creating address entries, see Chapter 7, “Defining Security Policies in CPM.”

4 Create address entries for the network at each remote site.

5 Click the Policies tab and create a single new policy that includes all the tunneling appliances.

6 Save this policy and move it such that it is the last policy in the Policy table.

7 Deploy the policy.


CHAPTER 14

Monitoring Appliances

An important part of an effective network security policy is the monitoring of network events. Monitoring enables you to recognize patterns, identify potential attacks, and take appropriate action. If an attack occurs, the records kept by CPM can help you reconstruct what happened.

How CPM Monitors Appliances

CPM reports the status of registered appliances using two processes:

• Periodic network polling of all appliances

• Responding to event notifications from appliances

About network polling

Network polling queries, also known as handshaking, are automatically transmitted every 10 minutes from CPM Server to every registered appliance (this value can be changed in the cpm_server.conf configuration file). The responses reflect the appliance’s state. You can also prompt a handshake from CPM Server to any appliance from either the Appliance Manager window or the Appliance Detail dialog box.

About event notification

Appliances must send frequent event notifications to the CPM Server to keep it up-to-date between handshakes.

Two types of notifications are sent to the CPM server:

Status/Event notifications

These notifications are sent to CPM Server when the appliance changes its state or status; for example, an interface failure or restoration.

Periodic pulses

Heartbeats are automatically sent by the appliance to CPM Server once every minute. After one missed heartbeat, the appliance goes into “heartbeat missed” status. After 3 consecutive missed heartbeats, CPM Server attempts a handshake with the appliance. If the handshake is successful, the appliance returns to “initial contact” status. If the handshake is unsuccessful, the appliance switches to “out of contact” status.

In addition to the periodic and on-demand handshakes, the following conditions also trigger CPM Server to send handshakes to an appliance:

• Indications of a system reboot

• Out-of-sequence notification numbers indicating some notifications have been lost in the network

• Three heartbeats missed in a row

• CPM Server receives a heartbeat from an unregistered security appliance not in contact with CPM server

Indicators Monitored by CPM

CPM Server monitors the following general indicators of a security appliance’s status:

Appliance Availability

This general indicator is determined using outgoing handshakes and incoming heartbeats.

Interface/Port Status

Records the IP address of an interface and uses color to indicate the status: red means the interface is down and green means it is up. If an interface is not present, no number is displayed and the color is gray.

HA Status

Notes the status (on or off) of High Availability, which is available on certain RapidStream and Firebox Vclass appliance models. This indicator checks for operating software and a physical interface dedicated to High Availability use.

Alarm Status

Lists all open alarms and notes the alarms’ severity as well as triggering conditions.

Configuration Mismatch

Compares information obtained from the appliance in real time to the initial appliance configuration stored in CPM Server. You can assess whether or not a mismatch exists in the appliance model, operating software versions, or profile version.

About Appliance Availability

The successful handshake and reception of heartbeat pulses by CPM Server indicates the immediate availability of each appliance. Appliance availability is represented by one of the following six values.


Never Contacted

CPM Server has never successfully sent any requests to the appliance. The appliance may not exist, or may not be in a network that is reachable from CPM.

Not CPM-ready

CPM Server has successfully sent requests to the appliance but has failed to establish handshaking. The password to the appliance may not be correct, or the appliance may be running a version of software that does not support CPM.

Initial contact

CPM Server has successfully completed a handshake with the appliance but has not yet received any heartbeats from the appliance. If the appliance stays in this state for more than one minute, the appliance might not be configured to send heartbeats to this CPM server. Network problems can also prevent the appliance from sending heartbeats and notification.

Contacted

CPM Server has successfully completed a handshake with the appliance and received a heartbeat from the appliance in the last minute.

Heartbeat Missed

CPM Server has successfully completed a handshake with the appliance and received heartbeats initially but has recently not received the expected heartbeat for more than one minute.

Out-of-Contact

CPM Server successfully completed a handshake with the appliance and received heartbeats initially, but has since failed to communicate with the appliance.

If CPM Server misses three heartbeats in a row from an appliance, then the server sends a handshake to the appliance in an attempt to contact the appliance. If this handshake fails to generate a response from the appliance, the appliance is considered Out-of-Contact.
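The heartbeat and handshake rules from “About event notification” and the six availability values above, modelled in Python as an added example (not WatchGuard code) so the transitions can be traced offline. The event timeline is constructed; treating a failed handshake from Initial contact as Out-of-Contact, and a heartbeat from an appliance not in contact as a trigger for a handshake, are assumptions drawn from the handshake triggers listed earlier.

```python
"""CPM appliance-availability states with the heartbeat and handshake rules (added example)."""
from dataclasses import dataclass
from typing import Optional
HEARTBEAT_INTERVAL = 60.0      # seconds: the appliance heartbeats once a minute
MISSED_BEFORE_HANDSHAKE = 3    # consecutive misses before CPM Server handshakes

NEVER_CONTACTED = "Never Contacted"
NOT_CPM_READY = "Not CPM-ready"
INITIAL_CONTACT = "Initial contact"
CONTACTED = "Contacted"
HEARTBEAT_MISSED = "Heartbeat Missed"
OUT_OF_CONTACT = "Out-of-Contact"


@dataclass
class ApplianceStatus:
    state: str = NEVER_CONTACTED
    last_heartbeat: Optional[float] = None   # time of the most recent heartbeat
    missed: int = 0                          # consecutive heartbeats not received

    def handshake(self, now: float, reachable: bool, accepted: bool) -> None:
        """Record a CPM Server -> appliance handshake result.
        reachable: the request reached the appliance; accepted: it answered
        (False covers a wrong appliance password or software without CPM support).
        """
        if not reachable:
            # Before any contact the value is unchanged; after a completed handshake
            # the appliance is Out-of-Contact (assumed to apply from Initial contact too).
            if self.state not in (NEVER_CONTACTED, NOT_CPM_READY):
                self.state = OUT_OF_CONTACT
            return
        if not accepted:
            self.state = NOT_CPM_READY
            return
        # Handshake completed: heartbeats are now expected but none counted yet.
        self.state = INITIAL_CONTACT
        self.last_heartbeat = None
        self.missed = 0

    def heartbeat(self, now: float) -> Optional[str]:
        """Record a heartbeat; returns "handshake" if CPM Server should poll."""
        if self.state in (NEVER_CONTACTED, NOT_CPM_READY, OUT_OF_CONTACT):
            # A heartbeat from an appliance not in contact triggers a handshake.
            return "handshake"
        self.last_heartbeat = now
        self.missed = 0
        self.state = CONTACTED
        return None

    def check(self, now: float) -> Optional[str]:
        """Periodic evaluation; returns "handshake" when the third miss is reached."""
        if self.state not in (CONTACTED, HEARTBEAT_MISSED):
            return None
        elapsed = now - self.last_heartbeat
        if elapsed <= HEARTBEAT_INTERVAL:
            return None                      # still within the expected minute
        previous, self.missed = self.missed, int(elapsed // HEARTBEAT_INTERVAL)
        self.state = HEARTBEAT_MISSED
        if previous < MISSED_BEFORE_HANDSHAKE <= self.missed:
            return "handshake"
        return None


def replay(events):
    """Feed constructed (time, kind, *args) events to one appliance; return the
    (time, new state) transitions and the times a handshake was requested."""
    app = ApplianceStatus()
    changes, handshakes_due = [(0.0, app.state)], []
    for time, kind, *args in events:
        action = None
        if kind == "handshake":
            app.handshake(time, *args)
        elif kind == "heartbeat":
            action = app.heartbeat(time)
        elif kind == "check":
            action = app.check(time)
        if action == "handshake":
            handshakes_due.append(time)
        if app.state != changes[-1][1]:
            changes.append((time, app.state))
    return changes, handshakes_due


# Constructed timelines: in EVENTS_LOST the handshake after the third miss gets
# no answer; in EVENTS_RECOVERED it succeeds and heartbeats resume.
EVENTS_LOST = [
    (0.0, "handshake", False, False),    # unreachable: stays Never Contacted
    (10.0, "handshake", True, False),    # reachable but refused: Not CPM-ready
    (20.0, "handshake", True, True),     # completed: Initial contact
    (90.0, "heartbeat"),                 # first heartbeat: Contacted
    (160.0, "check"),                    # 70 s since last beat: Heartbeat Missed
    (220.0, "check"),                    # second miss, no handshake yet
    (280.0, "check"),                    # third miss: handshake requested
    (285.0, "handshake", False, False),  # no answer: Out-of-Contact
]
EVENTS_RECOVERED = EVENTS_LOST[:-1] + [
    (285.0, "handshake", True, True),    # answered: back to Initial contact
    (300.0, "heartbeat"),                # heartbeats resume: Contacted
]
```

Calling replay(EVENTS_LOST) yields the transition list and the single handshake request at 280 seconds; replay(EVENTS_RECOVERED) ends in Contacted instead of Out-of-Contact.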

About Interface Status

The data interface status of an appliance is obtained by handshaking or as a status notification. The three ports are considered individual component statuses: interfaces 0 (private), 1 (public), 2 and 3 (DMZ). Each of these can have three possible values.

blank

CPM does not know the status (usually the appliance is not in contact) or the appliance does not have this port.

Green

The port is up.

Red

The port is down.

Reorganizing Appliance Manager Window Columns

CPM allows you to view or hide columns in the Appliance Manager depending on your preferences:

1 Open the Appliance Manager window.

2 From the View menu, select Table Columns.

The Appliance Columns dialog box appears. This dialog box lists all of the possible columns you might want to view in the Appliance Manager window. All items under Basic Information are initially selected.


3 You can hide any Basic Information columns by clicking the checkboxes to clear the selections.

4 If you want to display more information in an appliance row, click the checkbox by Configuration Information or Detailed Information.

5 If you don’t want a particular column heading under Configuration Information or Detailed Information to appear, click the checkbox to clear the selection.

6 Click Close.

When the Appliance Manager reappears, it displays your reorganized columns.

Working with Appliance Groups Folders

You can perform a number of operations on the Appliance Groups folders on the left side of the Appliance Manager window:

• Select the folder to view appliances in the folder.

• Drag and drop folders or appliances from one folder to another.

• Press the Show Appliances button (shown at right) to view all appliances in the selected folder and its subfolders.

The number of appliances in a folder and all its subfolders appears in parentheses after the name of the folder. Also, the color indicating the most severe status out of all appliances in a folder and its subfolder is displayed in the small circle depicted on the folder, as shown in the top folder in the figure below.

Reorganizing the Appliance Manager window

You can reorganize the listing of appliances in the Appliance Manager window:

1 Click any appliance.

2 Click any of the column headers.

The appliances are listed according to the column selected.

In some instances, you can click the same column header again to reverse the order.


Filtering Appliance Manager Window Entries

The Appliance Manager window provides a filtering option. You can view only the appliances that match a characteristic that you define using the CPM Table Filter dialog box. This dialog box supports the following wildcards:

*

0 or more wildcard characters. For example, if you enter rs*, the window displays the alarms rs, rs1, rs12, and rsxxx.

?

1 or more wildcard characters. For example, if you enter rs?, the window displays the alarms rs1, rs12, and rsxxx.

Characters within square brackets represent exact single characters the filter should match. For example, if you enter rs[123], the window displays the alarms rs1, rs2, and rs3, but not rs12 or rs23.

1 Right-click the header of the column you want to filter. Select Filter.

The Filter Rows dialog box appears, as shown in the following figure.

2 Type the text you want to match in the Filter by field. Click OK.

The column turns blue to indicate that filtering is enabled.

3 To disable filtering, right-click the column header. Click to clear the checkbox marked Filter .

Color-Coding in the Appliance Manager

Both the Appliance Manager and the Appliance Detail dialog box display rows and fields in different colors to help you quickly determine the status of an appliance:

Gray: The appliance is out-of-contact or has an invalid management IP address.

Green: The appliance is operating normally.

Pink: The appliance is in contact with CPM Server but some information is mismatched.

Yellow: The appliance is working, but a component needs investigation. This color would also appear if a low-level alarm condition was triggered.

Orange: The appliance is working but a component has a problem. This color also appears if a medium-level alarm condition is triggered.

Red: The appliance or one of its components is not working correctly. This color indicates a situation requiring immediate attention and may have been triggered by a high-level alarm condition.

White: An administrator has changed the report status for the appliance to Ignore.

Changing Appliance Manager Row Colors

If you want to change the colors used for appliance status reporting, CPM provides an easy way to replace one color with another. These changes apply only to your CPM Client application, and not to the CPM Server database:

1 If you have not already done so, open the Appliance Manager window.

2 From the View menu, select Customize Colors.

The Customize Colors dialog box appears with the default colors set, as shown below.


3 Click the severity level you want to change. Select a color from the palette in the lower portion of the screen.

The color appears in the Sample Text field next to the severity level you selected.

4 To save any color changes you make, click Apply. To return to the color selections in effect before you started this session, click Defaults.

The HSB and RGB tabs offer complex color management options. You can use them in the same way you use the Swatches tab.

Ignoring an Appliance’s Status Reports

When your network has a large number of appliances to monitor, you may want to prompt CPM to ignore all low-level problems. You can either ignore a specific component or an entire appliance. You may want to ignore a specific component if, for example, you know that one of the appliance’s data interfaces is out of commission but is not in use in that network.

Ignoring a specific component

To ignore a component, right-click the appropriate field in the Appliance Manager window and select Ignore “NAME.” Note that the menu appears only on Basic Configuration table cells.

As a result, the component status report is disabled or noted as “NA” (not available) in all the appropriate tabs of the appliance’s System Configuration dialog box.

Note that you cannot ignore the components Appliance Availability and Alarm Status.

Ignoring an entire appliance

You can prompt CPM to ignore all status reports for a specific appliance, which masks it from all reporting. This is useful if you already know an appliance is not available.

When an appliance is being ignored by CPM, the ignored appliance row and all its component status reports appear white.

To prompt CPM to ignore an appliance:

1 Right-click the appliance row in the Appliance Manager window and select Ignore Appliance from the menu.

2 Open the Appliance Detail dialog box. From the Action menu, select Ignore Appliance Status.


Using the Appliance Detail Dialog Box

The Appliance Detail dialog box contains a considerable amount of information about a specific appliance and its status. To open the Appliance Detail dialog box, from the Appliance Manager, double-click the icon or row for the appliance you want to monitor.

The information in the Appliance Detail dialog box is organized into the following tabs:

• Basic info: Includes contact name, model, operating system version, serial number, and profile revision date.


• Contact log: Dynamically records the most recent handshake attempts and the result.

• Interfaces: Lists all available accelerated data interfaces, along with their status, IP address, subnet address, and MAC address.

• VPN Peers: Summarizes all currently active VPN peers, including the appliance’s peer IP address, the number of tunnels, and a basic summary of the traffic, both in and out.

• Policies: Catalogs all the appliance’s security policies, notes the number of tunnels per policy, and provides a snapshot of the traffic in bytes and packets.

• Client Grade (V10 appliances only): Notes the type of network addressing used by this appliance: static IP, DHCP, or PPPoE. This tab also notes the use of this appliance as a server for local Internet access, plus the current users.

• Routing Table: Duplicates the Route table set up for this appliance.

• ARP Table: Displays an ARP table, including hardware address and associated appliance interface.

• Diagnostics: Enables you to ping an IP address to help you determine the source of network connectivity problems. This ping originates at the appliance, not at the CPM server.

• System Statistics: Provides a snapshot view of network traffic managed by this appliance.

The Appliance Detail dialog box uses the same color-coding as the Appliance Manager, as described in “Color-Coding in the Appliance Manager” on page 263.

Using the Performance Graph

Using CPM, you can view the real-time activity of a Firebox Vclass appliance by way of the Performance Graph.


Opening the Performance Graph

1 Open the CPM Appliance Manager window.

2 Right-click any Firebox Vclass appliance record in the Appliances table, and select Performance Console from the shortcut menu. Or, click the Performance Console button in the toolbar at the bottom of the window.

The Performance Console window appears.


Setting up the Performance Graph

Whether you selected an active appliance or simply opened the Console window, you can set up an appliance and the dynamic counters for real-time viewing by following these steps.

1 Open the Current Appliances menu and make sure the correct appliance has been chosen.

2 In the Available Counters area (listing a variety of default counters), click the toggles by the various levels of folders to view their specific counter contents. You can activate one or more counters, in any combination.


3 Click any listed counter. The Counter Configuration area to the right becomes active.

4 If you want, you can change the polling interval.


5 You can choose the type of polling results.


6 After you make your configuration changes, click Add Chart.

The newly configured counter appears in the Active Counters list below.

7 You can review all your active counters in this list, and do the following in this space:

- Change the polling interval.

- Start the actual graph.

- Remove the counter from current use.

8 To start the graphing of this counter, click Apply in the Active Counters area.

A Performance Graph window appears, displaying the counter.

After a short interval, you can see the activity as shown in this example (depending upon your polling interval selection).


9 To stop this counter and close the window, click Stop Monitoring. Click Close.

A Confirmation dialog box appears.

10 Click Yes to proceed.

Viewing several counters at once

If you want, you can open two or more counters in a single window (or in separate windows), including counters from different appliances:

1 Assuming you have at least one graph window already on-screen, make your next series of counter choices:

- The same appliance? Or another appliance?

- The counter?

- The counter configuration?

- The same window as the currently active counter? Or in a separate window?

2 With one graph window already open, from the Available Appliances menu, select a new appliance.

3 Select and configure a counter.

4 Select the target window; either a new one or an existing one.


5 Apply the counter to start the graphing.

This example is from the same probe applied to two different appliances—in the same graph window.


CHAPTER 15

Responding to Alarms

An alarm is a mechanism for alerting you when a predefined condition or a given threshold has been exceeded. For example, CPM might be configured to trigger an alarm when memory utilization exceeds 90 percent.

This chapter describes how to view and respond to alarms. For information on defining alarms, see the CPM Applications Guide.

Viewing new alarms

You can be notified of new alarms in several ways:

• Appliance Manager window

• Illuminated Alarm LED on an appliance

• Email message

• SNMP trap

When a new alarm has been triggered, you can investigate the alarm using the following procedure:

1 Open the Appliance Manager window.


2 Review the listing of WatchGuard appliances and look for a row or cell color change that indicates a triggering condition. Right-click the appliance record and select Show Alarms. The Alarm Console window appears, as described in the next section.

Using the Alarm Console window

The Alarm Console window shows information about new alarms.

The Status level and row color provide these indicators of an alarm’s level:

Status          Row Color   Level
Informational   Purple      None, informational only
Low             Yellow      Warning—check the conditions now
Medium          Orange      Error—data traffic may be affected
High            Red         Critical—an appliance, or the entire network, is in danger

The Alarm Console window shows the following information on each alarm:

CPM Time

The time and date that the alarm was recorded by CPM Server.

From

Security appliance name

Severity

Severity level or validation of the alarm condition: Low, Medium, or High

Alarm Name

Name of the alarm


Description

Description of the alarm

State

Alarm state: Opened, Acked (Acknowledged), or Cleared

Viewing details on alarms

To view details about an alarm, click the Alarm Detail button (fifth from left). Or, double-click an alarm entry. The Alarm Details dialog box appears, as shown below.

Acknowledging alarms

1 In the Alarm Console window, select the alarm you want to acknowledge.

2 Click the Acknowledge button (sixth from left).

The alarm row changes to white and the string “Acked” appears in the State column.

Reopening acknowledged alarms

If you have questions about an acknowledged alarm or find that the problem indicated by the alarm has not been resolved, you can change the alarm back to an Open state:

1 In the Alarm Console window, select the alarm you want to reopen.


2 Click the Reopen button (second from right).

The alarm row changes to the color reflecting the original severity level and the string “Opened” appears in the State column.

Clearing alarms

When you clear an acknowledged alarm, it moves from the Opened Alarms tab to the Cleared Alarms tab:

1 In the Alarm Console window, select the alarm you want to clear.

2 Click the Clear button (third from right).

The alarm row changes to the color reflecting the original severity level and the string “Opened” appears in the State column.

Reopening cleared alarms

To move an alarm from the Cleared Alarms tab back to the Opened Alarms tab:

1 On the Cleared Alarms tab, select the alarm you want to reopen.

2 Click the Reopen button (second from right).

The alarm row changes to the color reflecting the original severity level and the string “Opened” appears in the State column.

Purging cleared alarms

Purging an alarm completely removes it from the CPM Server database:

1 Click the Cleared Alarms tab.

2 To remove a single alarm, select it and click the Purge All Cleared Alarms button (far right). To remove all alarms, click the Purge All Cleared Alarms button without selecting any alarms.

Purging an alarm is irreversible; you cannot undo it. If you want to keep a record of cleared alarms, you can archive the Alarm log file on a regular basis, as described in the CPM Applications Guide.


Reorganizing the list of alarms

You can reorganize the listing of alarms in either the Opened Alarms or Cleared Alarms tabs:

1 Click any alarm.

2 Click any of the column headers.

The alarms are listed according to the column selected. You can click the same column header again to reverse the order. For example, if you click the Time header, the more recent alarm is listed at the top. If you click Time again, the order is reversed with the oldest alarm at the top.

Filtering alarms

You can filter the Opened Alarms tab and Cleared Alarms tabs such that only qualifying alarms appear on the display. You use the CPM Table Filter dialog box to enter alphanumeric strings you want to search for. This dialog box supports the following wildcards:

*

0 or more wildcard characters. For example, if you enter ind*, the window displays the alarms ind, ind1, ind12, and indxxx.

?

1 or more wildcard characters. For example, if you enter ind?, the window displays the alarms ind1, ind12, and indxxx.

Characters within square brackets represent the exact characters the filter should match. For example, if you enter ind[12], the window displays the alarms ind1 and ind12.
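The wildcard rules of the CPM Table Filter dialog box, described here and in “Filtering Appliance Manager Window Entries”, re-implemented in Python as an added example (not WatchGuard code) so a filter string can be tested against a list of names offline. Note that the ind[12] example above lists ind12 as a match, which a single-character bracket set cannot produce; this code follows the rs[123] description from the Appliance Manager section (matches rs1, rs2, rs3 but not rs12), and the alarm names are constructed.

```python
"""Matching rules of the CPM Table Filter dialog box, as an added example.

Not WatchGuard code: a constructed re-implementation of the wildcard forms
this guide documents, so a filter string can be checked against names offline.
    *      zero or more characters
    ?      one or more characters (not exactly one, as in shell globbing)
    [abc]  exactly one of the listed characters (the rs[123] reading)
Any other character matches itself.
"""
import re
from typing import Iterable, List


def filter_to_regex(pattern: str) -> str:
    """Translate one CPM filter string into an anchored regular expression."""
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".+")                 # one or more, per the guide
        elif ch == "[":
            close = pattern.find("]", i + 1)
            if close > i + 1:
                # A non-empty bracket set becomes a single-character class;
                # escaping keeps "-" and "^" literal inside it.
                parts.append("[" + re.escape(pattern[i + 1:close]) + "]")
                i = close
            else:
                parts.append(re.escape(ch))    # "[" or "[]" taken literally
        else:
            parts.append(re.escape(ch))        # literal text, regex-safe
        i += 1
    return "^" + "".join(parts) + "$"


def apply_filter(pattern: str, names: Iterable[str]) -> List[str]:
    """Return the names that a CPM column filter would leave visible."""
    regex = re.compile(filter_to_regex(pattern))
    return [name for name in names if regex.fullmatch(name)]


# Constructed alarm names mirroring the examples in this guide.
ALARM_NAMES = ["rs", "rs1", "rs12", "rs2", "rs3", "rs23", "rsxxx",
               "ind", "ind1", "ind12", "indxxx", "Alarm.cpu"]

if __name__ == "__main__":
    for pattern in ("rs*", "rs?", "rs[123]", "ind*", "ind[12]", "Alarm.*"):
        print(f"{pattern:10} -> {apply_filter(pattern, ALARM_NAMES)}")
```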

1 On either the Opened Alarms or Cleared Alarms tab, right-click the header of the column you want to filter. Select Set Filter.

The Filter Rows dialog box appears, as shown in the following figure.


2 Type the text you want to match in the Filter by field. Click OK.

The column turns blue to indicate that filtering is enabled.

Disabling alarm filtering

To disable filtering, right-click the column header. Click to clear the checkbox marked Filtered .


Index

Symbols

.NET Passport 1.4

193

A access-privilege roles

52

accounts, administrator

51, 56 actions. See policy actions

Active Features dialog box

74, 137

Active/Active

121

Active/Standby

121

Add Address dialog box

85

Add Appliance dialog box 69

Add Group dialog box

57

Add Remote Access dialog box

247

Add Route dialog box

110

Address dialog box

144

address groups described

142

entering new 145

addresses

cataloging for use in policies 144

creating required

85

entering new RAS

146

Addresses dialog box

146

Admin Account Properties dialog box

56, 58

Admin Role Properties dialog box

54

Administrative Access dialog box 56

administrator accounts

creating new 56

described

51

Administrator Accounts dialog box

53

administrators, seeing which are online

59

Advanced HA Settings dialog box

124

AH

224

Alarm Console window

276

described

276

Alarm Details dialog box

277

alarms acknowledging

277

clearing

278

defining

90

described 275

disabling filtering 280

filtering

279

investigating cause of 275

purging cleared

278 reopening cleared 278

reopening previously acknowledged

277

reorganizing list of

279

responding to

275–280 viewing 275

viewing details on

277

viewing information on 276

All Session Info dialog box

60

Allow

180

Allow all ICMP errors 135

Allow Specified ICMP errors

135

Appliance Columns dialog boxes

259

Appliance Detail dialog box

93, 266–

267

Appliance Detail dialog box, colors

used in 263

Appliance Manager window changing colors in

263

colors used in

263

filtering entries in

262

reorganizing 259, 261

appliances activating tunnel switching hardware

125

activating tunnel switching on

252

adding to CPM 65

availability 257

configuring for network use

63–94

configuring hardware for

78

configuring local DNS server connections

111

configuring local SNMP

workstation connections 113

configuring new

65–76

configuring routes 109

creating records for

68

discovering

65

enabling connection to NTP

servers 129

enabling logging for 115

entering records for

64

ignoring a specific component

265

ignoring an entire appliance

265

ignoring status reports of

265

installing

64

interface status 259

model and version number 97

Central Policy Manager User Guide 281

monitoring. See monitoring

relocating 92

restoring to factory default

78

specifying contact for

97

specifying location of

97

specifying name of

96

types managed by CPM

12

Authentication dialog box

233

Authentication Header

224

automatic key mode

223

automatic key VPN policies

229–241

B backing up CPM

35

Backup Connection enabling

103

Enter Server IPs 103

polling interval

103

polling timeout 104

Backup/Restore dialog box

35

bandwidth, setting for ports 107

Basic

192

Block

180

blocked sites

130

global

133

bulk license 76

C

Central Policy Manager. See CPM

Certificate Request Wizard

70

certificates

importing 70, 71 obtaining 70

Certificates dialog box 70

colors changing in Appliance

Manager

263 used in Appliance Manager 263

CPM adding appliances to

65

and security policies 141

appliances managed by

12

backing up

35

components 2

described

1

installation requirements for

20

network scope of

10

obtaining site license for

24

upgrading from previous

versions 34

CPM Client changing your CPM Client login password

41

described 3

installing

29

installing on a server 20

installing on a workstation 19

starting

37–49

system requirements for 22

uninstalling

36

CPM login dialog box

38

CPM Server

described 2

installing on a server 20

installing on a workstation 19

restarting 49

starting

37–49

stopping 46

system requirements for 21

uninstalling

36

upgrading the license

44

CPM Server Information dialog

box 42, 45

CPM sessions, viewing snapshot of current

58

CPM Table Filter dialog box

262, 279

CPM windows, locking

60

creating a Proxy Action 173

Customize Colors dialog box

264

D

Default Policy Wizard

running

80–84

Denial-of-Service Prevention options

118

Deny

180

Device Discovery dialog box

65

DHCP

enabling on Interface 0 102

enabling on Interface 1 104

dialog boxes

Active Features

74, 137

Add Address

85

Add Appliance 69

Add Group 57

Add Remote Access 247

Add Route 110

Address 144

Addresses 146

282 Central Policy Manager 5.1

    Admin Account Properties 56, 58
    Admin Role Properties 54
    Administrative Access 56
    Administrator Accounts 53
    Advanced HA Settings 124
    Alarm Details 277
    All Session Info 60
    Appliance Columns 259
    Appliance Detail 93, 266–267
    Authentication 233
    Backup/Restore 35
    Certificates 70
    CPM login 38
    CPM Server Information 42, 45
    CPM Server Information (General tab) 48
    CPM Table Filter 262, 279
    Customize Colors 264
    Device Discovery 65
    DNS Server 112
    Edit User Group 247
    Edit/View IKE Authentication 246
    Filter Rows 262
    IKE Proposal 232
    Import Certificate 71
    Import Certificate/CRL 71
    Import New License 72
    IPSec Action 235
    License Details 75, 137
    Load Balancing 163
    Local Admin Password 97
    My Session Info 59
    Pre-Shared Key 234
    Protocol/Port 153
    QoS Action 166
    Remote Access Authentication 249
    Remote Log Detail 116
    Schedule 154
    Select the CRL file 73
    Service-Object Details 151, 152
    Set Password 41, 43, 57, 67
    SNMP Management Station 113
    Specify Port Bandwidth 106
    System Configuration 76, 95–138, 252
    TOS Marking 167
    Transform 238
    Upgrade License 39, 45
Digest 192
Distributed Denial-of-Service Prevention options 119
DNS Server dialog box 112
DNS servers
    cataloging 111
    configuring local network connections 111
dot NET (.NET) Passport 1.4 193
Drop 180

E
Edit User Group dialog box 247
Edit/View IKE Authentication dialog box 246
editing a Proxy Action 175
email
    screening with SMTP proxy 171
Encapsulating Security Payload 225
encryption 225
ESP 224
event notification 256
events, monitoring 255
Exact Match 178
exceptions list 130

F
Filter Rows dialog box 262
Firebox V10, creating a RAS policy for 243
fully meshed topology 251

G
global blocked sites 133

H
handshaking 255
hardware configuration 78
High Availability
    Active/Active 121
    Active/Standby 121
    configuring 120
    described 120
HTTP Proxy 170
hub-and-spoke configuration 252


I
ICMP flood attacks 119
IKE pairs 232
IKE Proposal dialog box 232
Import Certificate dialog box 71
Import Certificate/CRL dialog box 71
Import New License dialog box 72
install multiple licenses 76
installation requirements 20
interface
    promiscuous 16
Interface 0, enabling DHCP on 102
Interface 1 behind a firewall 104
Interface 1, IP addressing on 104
IP source routes 119
IPSec Action dialog box 235
IPSec actions, customizing 235
IPSec pass through 135

J
Java 2, version required for CPM 23

K
key management 226
key selection modes 223

L
Least Connection 163
license
    install multiple 76
License Detail dialog box 75, 137
license package 76
licenses
    deleting 76
    importing 70
    importing for extended features 72
    obtaining 24
    reviewing current 74, 137
    upgrading the CPM Server license 44
load balancing 161
Load Balancing dialog box 163
Local Admin Password dialog box 97
locked windows 60
logging
    enabling 115
    enabling remote 116

M
manual key mode 223
maximum segment size 136
meshed topology 251
Mobile User VPN. See MUVPN
monitoring
    appliance availability 257
    CPM and 255
    described 255
    event notification 256
    general indicators 257
    interface status 259
    network polling queries 255
    using the performance graph 267
MTU end link speed, specifying 109
MUVPN
    creating policy for 245
    described 13
My Session Info dialog box 59

N
NAT
    described 159
    dynamic
        activating 159
        described 159
    static 159
NAT pass through 135
Network Address Translation. See NAT
network addresses, creating 85
network polling queries 255
network topology
    fully meshed 251
    hub-and-spoke 252
NTLM 192
NTP servers, enabling connection to 129


P
passwords
    changing the Client login password 41
    for administrator accounts 58
    for local administrator 97
Pattern Match 179
Per Client Quota 120
Per Server Quota 120
Perfect Forward Secrecy 236
performance graph
    described 267
    opening 268
    setting up 268
    viewing multiple counters 272
Ping of Death 119
policies. See security policies
policy actions
    defining 157–168
    described 140
policy schedules
    applying to policies 155
    creating new 154
port shaping
    activating 166
    described 165
    enabling 105
PPPoE, enabling on Interface 1 104
Pre-Shared Key dialog box 234
profiles
    compiling 90
    deploying 90–92
    described 3
promiscuous interface 16
protocol
    adding new 151
Protocol/Port dialog box 153
proxies
    configuration 173
    creating a Proxy Action 173
    editing a Proxy Action 175
    HTTP 170
    SMTP 171
proxy 169
Proxy Action
    add a rule 178
    Allow 180
    Block 180
    configuring 173
    configuring Rules 177
    creating 173
    Deny 180
    Drop 180
    edit a rule 178
    editing 175
    ordering Rules 180
    Rule matching options 178
    Strip 180

Q
QoS action
    applying 166
    customizing 166
QoS Action dialog box 166
QoS policies 165
Quality-of-Service policies. See QoS policies

R
Random (load-balancing option) 163
RAS addresses, entering new 146
RAS policies for Firebox V10 243
Regular Expression 179
Remote Access Authentication dialog box 249
Remote Log Detail dialog box 116
roles
    creating new 52
    default 52
Round Robin 163
routable IP 104
Router Mode 14
routes, setting up 109
Rule
    add 178
    edit 178
    Exact Match 178
    matching options 178
    Pattern Match 179
    Regular Expression 179
Rule sets
    ordering Rules 180
Rules 171
    configuring 177
    ordering 180
    processing order 172
Rulesets 172


S
Schedule dialog box 154
schedules
    applying to policies 155
    creating new 154
security policies
    actions 140
    and address groups 142
    assembling from components 88
    cataloging services for use in 150
    components of 139, 157
    creating 86
    creating new 147–150
    described 139
    for MUVPN clients 245
    in CPM 141
    schedules. See policy schedules
    scope of 141
    traffic specifications 140. See also traffic specifications
    with multiple actions 157
Service-Object Details dialog box 151, 152
services
    adding new 150
    cataloging for use in policies 150
    combining in a group 153
session, viewing snapshot of current 58
Set Password dialog box 41, 43, 57, 67
SMTP Proxy 171
SNMP Management Station dialog box 113
SNMP traps 113
Specify Port Bandwidth dialog box 106
SSL connection 21
static NAT. See NAT
status reports, ignoring 265
Strip 180
syn checking on TCP/IP packets 135
SYN flood attacks 119
System Configuration dialog box 95–138, 252
    Advanced tab 134
    DNS tab 111
    General tab 96
    Hacker Prevention tab 117
    High Availability tab 120
    Interfaces tab 98
    Log Settings tab 114
    NTP tab 129
    Routing tab 109
    SNMP tab 113
    Tunnel Switch tab 125
    using 95
    VLAN Forwarding tab 127
System Modes
    Router Mode 14
    Transparent Mode 16

T
TCP maximum segment size 136
TCP MSS 136
TOS marking
    activating 167
    described 165
TOS Marking dialog box 167
traffic specifications, components of 140
traffic, blocking or rejecting 158
Transform dialog box 238
Transparent Mode 16
tunnel switching
    activating between sites 253
    activating on central appliance 252
    described 251
    enabling 125
Type of Service marking 165

U
UDP flood attacks 119
unidirectional VPN policies
    creating 232
Upgrade License dialog box 39, 45
upgrading CPM 34

V
VLAN forwarding 127
VPN policies
    and IPSec actions 224
    automatic key 229–241
    automatic key management restrictions 226
    described 223


    encryption/authentication 224
    key management 224
    overview of 229
    transport mode 224
    tunnel mode 224
VPNs
    creating 225
    described 222

W
WAN Interface Failover
    enabling 103
    Enter Server IPs 103
    polling interval 103
    polling timeout 104
weighted fair queuing 165
Weighted Least Connection 163
Weighted Random 163
Weighted Round Robin 163
WFQ algorithm 165
windows, locked 60
