Frequently Asked Questions
WatchGuard® System Manager
General Questions
What's New in WSM 8.2?
Configuration and Management
General Questions
Q: What is WatchGuard® System Manager 8.2?
A: WatchGuard System Manager (WSM) 8.2 is the software running on your PC that is used to configure and manage Firebox® X security appliances and services such as Gateway AntiVirus/Intrusion Prevention System (AV/IPS), spamBlocker, and WebBlocker URL filtering. It provides indispensable ease-of-use for novice network administrators, while granular controls and flexible configuration options empower IT experts. WSM also includes centralized configuration and firmware management for Firebox X Edge endpoint appliances, allowing the administrator to update groups of Firebox X Edge appliances in a single management operation.
Smart defaults are pre-defined in WSM, ensuring strong security from the start, and saving valuable configuration time. WSM then makes it easy to tailor configurations to meet specific business requirements, with features such as drag-and-drop VPN creation, intuitive wizards, and flexible administrative choices, for more security with less effort. Finally, with the interactive real-time monitoring and comprehensive reporting in WSM, the administrator gains a deep understanding of security and network activity.
Q: What appliances can WSM 8.2 manage?
A: WSM 8.2 can manage Firebox X models running Fireware® Pro, as well as Firebox III or X models running WatchGuard Firebox System (WFS) 7.x. WSM 8.2 also provides new centralized configuration and firmware update features for groups of Firebox X Edge endpoints running Firebox X Edge version 7.5 or higher. The WSM 8.2 download package includes WFS 7.4 components. Firebox III or Firebox X Core™ customers running WFS 7.x can upgrade to the WFS 7.4 operating system while taking advantage of many of the new management capabilities built into WSM 8.2.
What's New in WSM 8.2?
Q: What's New in WSM 8.2?
A: WatchGuard System Manager 8.2 introduces enhanced functionality in two key areas: Centralized configuration and firmware updates for Firebox X Edge, and streamlined configuration for security services on Fireboxes running Fireware Pro. These enhancements are consistent with the traditional advantages of the WatchGuard solution: ease of use, logic of presentation, and strengthening of available security by leading the user to better security practices.
- Centralized Configuration and Firmware updates for Firebox X Edge - Using simple drag-and-drop actions, configure and update one Edge - or a hundred - in a single management action. WSM 8.2 builds on the proven technology that has powered WatchGuard's drag-and-drop VPN management, giving you fast, reliable, granular control over your Edge appliances. As with drag-and-drop VPN management, remote Edges with dynamic IP addresses pose no problem for WSM's centralized configuration and firmware update capabilities.
- Streamlined Configuration for Security Services on Fireboxes Running Fireware Pro - Policy Manager for Fireware Pro has been updated to make it easy to set up and manage services such as Gateway AV/IPS, WebBlocker, and the all-new spamBlocker. Each service features a new setup wizard and single-window configuration - no need to jump to separate windows to configure these important services.
Q: What makes WSM 8.2 easy to use?
A: No major competitor offers this type of centralized management functionality in the base product. WatchGuard System Manager is bundled with Firebox X Core and Peak™ appliances, suitable for a headquarters/branch office deployment.
- Simple - Template-based management for groups of Firebox X Edge appliances lets you update firewall or VPN configurations, update firmware, and upgrade features on groups of Firebox X Edge endpoint appliances from within WSM
- Fast - Manage groups of Firebox X Edge endpoints simultaneously, rather than separately
- Centralized - Build a single template, and deploy it to as many Firebox X Edge appliances as desired
- Flexible - Update devices instantly, or when the DVCP lease expires, as desired; with WSM 8.2 you can also update firmware on all Firebox X Edge endpoint appliances in a single management action - instantly or on a schedule (such as during an off-hours maintenance window).
WSM also features new drag-and-drop management features for Firebox X Edge that enable network administrators to manage multiple appliances from a central location, simplifying the task of globally defining and deploying a full range of specific or group security policies, services and upgrades. WSM provides great peace of mind to the administrator who must deploy a uniform security policy across a distributed enterprise.
- Appliance Software Updates - Send a new appliance software version to groups of Edge appliances, rather than upgrading them separately
- Configuration Updates - Send a security policy to groups of Edge appliances rather than separately
- Scheduler - Schedule Edge firmware updates to occur unattended during off hours
Q: Will using WSM 8.2 be different from using my previous version of WSM?
A: You will notice some changes to the WSM main screen - these changes facilitate the new centralized configuration and firmware management capabilities for Firebox X Edge. However, the single-appliance user will have no difficulty navigating the interface, as the familiar toolbars and icons remain in place. WSM 8.2 combines an intuitive, graphical user interface with the power to manage the advanced features of Fireware Pro. WatchGuard customers gain the best of powerful networking and granular policy control, along with the rich monitoring and intelligent, clear policy configuration of WSM. WSM can manage mixed environments of appliances running WFS and Fireware Pro, and provides VPN management for all Firebox X models, as well as Firebox III and Firebox SOHO models.
Q: Is WSM 8.2 required in order to use Fireware® Pro?
A: You need WSM 8.0 or later in order to manage an appliance running Fireware Pro. WSM and Fireware Pro are included in the purchase of a Firebox X Peak. Firebox X Core customers who want to upgrade to Fireware Pro must also upgrade to WSM 8.0 or later.
Q: The logging looks somewhat different in Fireware Pro. Why?
A: "Under the hood," Fireware Pro is very different from WatchGuard Firebox System (WFS). This has many advantages. The Fireware Pro architecture is what makes the important new features possible, as well as the cut-through routing that maximizes processing efficiency for packet streams with established security state, Intelligent Layered Security (ILS), and more. This new architecture comprises several modules, each of which generates log files. The combined logging output of these modules forms the log stream you see in Traffic Monitor or in Log Viewer.
Q: The configuration of the HTTP and SMTP proxies is very different from what I'm used to in WatchGuard Firebox System (WFS). Why is this?
A: Our deep application inspection took a quantum leap forward with Fireware Pro. Policy Manager for Fireware Pro gives the user much more granular control of proxy actions, allowing fine-tuning of the handling of data to meet the user's objectives. The default settings are very similar to WFS, in order to provide effective proxy action "out of the box" and to ease the transition to the new controls. After spending some time with the new proxies, you will become quite comfortable with their configuration controls.
Q: I am running a mixed environment of WFS and Fireware Pro appliances. What if I forget which version of Policy Manager to open? Will I send the wrong image to the Firebox?
A: Because WSM already has a connection to the Fireboxes, it is able to launch the appropriate Policy Manager for the appliance in question. You simply highlight the desired Firebox, click the Policy Manager icon, and WSM does the rest.
Q: Where did service-based Network Address Translation (NAT) go in Policy Manager for Fireware Pro?
A: Policy Manager for Fireware Pro allows the same functionality as service-based NAT, without the confusing terminology. NAT preferences can, as a matter of course, be configured individually for all services. Smart defaults for NAT mean that, in most cases, the administrator will not have to take any specific configuration action for Internet-bound traffic to be appropriately address-translated.
Configuration and Management
Q: How do I take advantage of the new centralized management for Firebox X Edge?
A: The same licenses that enabled drag-and-drop VPN management prior to WSM 8.2 now unlock the new centralized configuration and firmware update features for your Firebox X Edge devices. Be sure that you have the correct licensing on your Management Server (which took the place of the DVCP server beginning with WSM 8.0) for the number of appliances you wish to manage. Several different formats of licenses will be accepted by WSM to increase the number of appliances you can manage via the Management Server; these are VPNMGR, VPNUPGRADE, WSM MGR, and WSM UPGRADE licenses. All copies of WSM come with an initial 4-device WSM MGR, WSM UPGRADE, or VPNMGR license (the particular format varies depending on when you initially bought WSM, but all are functionally equivalent). If, for example, you own three Firebox X Edge appliances in addition to a Firebox III or Firebox X Core or Peak, you can use the new centralized management features immediately, thanks to the 4-device license that came with WSM. You may purchase and add WSM UPGRADE licenses to add more devices for management.
Q: What is the management interface for the new centralized management features?
A: WSM 8.2 includes several changes to the interface to help you manage your Firebox X Edge appliances. These include:
- New Device Management and Device Status tabs in the left-hand navigation pane - These tabs function very similarly to the Device, Server, and VPN tabs in prior versions of WSM, but allow more flexible use of the right-hand pane in the WSM window. The content of the right-hand pane varies depending on which tab is selected in the left-hand pane.
- New Configuration Template editor - This is the heart of the Firebox X Edge centralized management functionality. From this editor, you configure firewall, wireless, WebBlocker, firewall options, and other familiar Firebox X Edge features to build a Managed Firebox X Edge configuration template; you can then apply this configuration template to as many Firebox X Edge appliances as you wish, in a single management action.
- New Firmware Update interface - This interface allows you to send a firmware update to single or multiple Firebox X Edge devices in one management action. It includes a scheduler so that you can send the firmware update during an off-hours maintenance window if desired.
- Flexible use of folders and new sorting options to keep track of your appliances - When you have many appliances under centralized management, you need an easy way to organize them and to find an individual appliance quickly. WSM 8.2 allows you to create folders for your appliances, and also allows you to sort them in different ways (such as by appliance name, appliance type, IP address, or firmware version).
- Ability to disable the Web Manager for Firebox X Edge appliances under central management - When you place an appliance under central management, you need to know that the appliance won't be inadvertently re-configured by another administrator using the Web Manager. The Firebox X Edge 7.5 release allows you to disable the management (but not the monitoring) functions of the Web Manager for a Firebox X Edge that is under centralized WSM management.
Q: Does WSM 8.2 allow me to make centralized configuration and firmware updates to Firebox X Core or Peak, or Firebox III appliances?
A: No. You still manage VPN tunnels among any WatchGuard devices using WSM, just as before, and configuration and firmware updates to Firebox III or Firebox X Core and Peak models are still conducted via Policy Manager on a box-by-box basis, just as before.
Q: How do Firebox X Edge aliases work in WSM 8.2?
A: Firebox X Edge Aliases handle the tricky problem of creating a firewall policy within a centralized Firebox X Edge configuration, while at the same time respecting the unique properties of each device (such as its network settings).
Example: An alias called "Web_Server" could be used in a policy that is common to a group of Firebox X Edge appliances to allow HTTP requests in to Web servers protected by the Firebox X Edge devices. Since the actual Web server address will be different for each appliance's network, you configure an individual mapping for that device:
Edge alias name: Web_Server
Purpose of this alias: for use in a centrally-managed policy to port-forward Web traffic to servers behind each of the managed appliances
Address value for the alias: set per-appliance, since each appliance ordinarily will have a unique internal network scheme. For example, imagine two sites with appliances called Edge_1 and Edge_2. Both Firebox X Edges subscribe to a single managed Firebox X Edge policy that includes a firewall policy allowing Web traffic inbound to the alias "Web_Server." Edge_1 has an Optional network configured as 10.10.10.0/24; Edge_2 has an Optional network configured as 192.168.1.0/24:
- For Edge_1, you configure "Web_Server" to map to 10.10.10.1 (the address of the Web server protected by Edge_1)
- For Edge_2, you configure "Web_Server" to map to 192.168.1.1 (the address of the Web server protected by Edge_2)
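The per-appliance alias resolution described above, written out as a small Python resolver. This is an added illustration, not WatchGuard's code: a shared template policy that refers to "Web_Server" is expanded into concrete rules for each appliance, and the resolver refuses any appliance that has no mapping for the alias or maps it to an address outside that appliance's Optional network. The policy and device records are constructed sample values.

```python
import ipaddress

# Constructed sample data (not from the FAQ): one shared template policy that
# references the user-defined alias "Web_Server", plus per-appliance mappings.
TEMPLATE_POLICIES = [
    {"name": "Inbound-HTTP", "proto": "tcp", "port": 80,
     "from": "External", "to": "Web_Server", "action": "allow"},
]

DEVICES = {
    "Edge_1": {"optional_net": "10.10.10.0/24",
               "aliases": {"Web_Server": "10.10.10.1"}},
    "Edge_2": {"optional_net": "192.168.1.0/24",
               "aliases": {"Web_Server": "192.168.1.1"}},
}

# Interface aliases that exist on every appliance and need no per-device mapping.
BUILTIN_ALIASES = {"External", "Trusted", "Optional", "Any"}


def resolve_alias(device_name, device, alias):
    """Return the concrete address for `alias` on one appliance.

    Built-in interface aliases pass through unchanged. A user-defined alias
    must have a mapping for this device, and the mapped host must lie inside
    the device's Optional network; otherwise the template cannot be applied
    safely to that device, so we raise instead of pushing a half-resolved rule.
    """
    if alias in BUILTIN_ALIASES:
        return alias
    try:
        addr = ipaddress.ip_address(device["aliases"][alias])
    except KeyError:
        raise ValueError(f"{device_name}: alias {alias!r} has no mapping")
    net = ipaddress.ip_network(device["optional_net"])
    if addr not in net:
        raise ValueError(f"{device_name}: {alias}={addr} is outside {net}")
    return str(addr)


def render_policies(template, devices):
    """Expand one shared template into concrete per-device rules."""
    rendered = {}
    for name, dev in devices.items():
        rules = []
        for pol in template:
            rules.append({
                **pol,
                "from": resolve_alias(name, dev, pol["from"]),
                "to": resolve_alias(name, dev, pol["to"]),
            })
        rendered[name] = rules
    return rendered


if __name__ == "__main__":
    for dev, rules in render_policies(TEMPLATE_POLICIES, DEVICES).items():
        for r in rules:
            print(f"{dev}: {r['action']} {r['proto']}/{r['port']} "
                  f"{r['from']} -> {r['to']}")
```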
Q: If I'm running WFS, can I manage my appliances with WSM?
A: Yes. You can manage any Firebox III or Firebox X running WFS 7.0 or later. You can also manage a "mixed environment" of Fireboxes running WFS or Fireware Pro. When you open Policy Manager in WSM against a WFS 7.x Firebox III or X, Policy Manager will convert the configuration to WFS 7.4, and, upon saving to the Firebox, will upgrade the Firebox flash image to 7.4.
Q: Is there a conversion utility to convert my WFS 7.x configuration to a Fireware Pro configuration?
A: There is no utility for converting a WFS 7.x configuration to a Fireware Pro configuration at this time. Because Fireware Pro is a fundamentally different operating system from WFS, the process should be considered a migration rather than a simple conversion. WatchGuard will provide a migration utility in an upcoming release.
Q: Is there a conversion utility to convert my Firebox Vclass configuration to a Fireware Pro configuration?
A: No. Because the Firebox X line is a fundamentally different architecture from the Firebox Vclass line, there is no configuration conversion utility.
Q: Does WSM 8.2 include a Policy Checker tool?
A: No, this functionality is not currently included in WSM; however, it is under consideration as an enhancement for future releases.
Q: Does WSM allow me to configure authentication via Microsoft® Windows® Active Directory®?
A: Yes. For LDAP/Kerberos authentication to a Microsoft® Windows® Active Directory® server, the Firebox in question must run Fireware Pro. A Firebox running WFS 7.3 or 7.4 (WFS 7.4 is included with the WSM package) can forward authentication requests to a Windows 2000/2003 Domain Controller, but not via LDAP.
Q: Does WSM allow me to configure more than one authentication server simultaneously?
A: Yes. For Fireboxes running Fireware Pro it is possible to configure more than one authentication server simultaneously, offering considerable flexibility.
Q: Does the WSM Management Server Certificate Authority (CA) server function provide certificate management for third-party devices?
A: No. The CA is supported only for certificate management on WatchGuard devices.
Q: Does the WSM Policy Manager for Fireware Pro allow me to make configuration changes offline and then save them to the Firebox at a time of my choosing?
A: Yes. As with WFS in the past, WSM Policy Manager for both Fireware Pro and for WFS allows configuration changes to be made offline. Then, at the time of your choosing, you upload the configuration to the Firebox to implement the changes.
Q: Do I need to create a dedicated VPN tunnel to send logs securely from a Firebox to a WatchGuard Log Server over the Internet?
A: No. The WatchGuard proprietary log formats (XML for Fireware Pro and WSEP for WFS and Firebox X Edge/SOHO) are encrypted, so it is safe to send these logs directly over the Internet. WatchGuard also offers Syslog logging, but because Syslog is not encrypted, WatchGuard recommends that Syslog format logs not be sent in the clear.
Q: Does WSM provide a wizard for creating Mobile User VPN tunnels? Does it provide an end-user profile to streamline configuration of the Mobile User VPN Client?
A: Yes to both. Policy Manager for Fireware Pro, as well as for WFS, includes a helpful wizard to guide you in creating Mobile User VPN tunnel policies. And, when the wizard completes, WSM creates an end-user profile, encrypted for secure transfer. The mobile user simply double-clicks this profile, provides a password, and the software performs all further configuration of the client.
Q: What appliances does WSM manage?
A: WSM 8.2 manages Firebox X Peak and Core, and Firebox III models. It also provides central VPN management for those models plus the Firebox X Edge, SOHO 6, and SOHO models. Version 8.2 also provides centralized configuration and firmware updates for Firebox X Edge appliances.
Q: Can I install WSM 8.2 on the same PC as previous versions?
A: Yes. However, it is recommended that you remove previous versions if you do not have a specific need for earlier versions. WSM 8.2 can manage Firebox III models via WFS 7.4, which is included in WSM 8.2.
Q: Will my old VPN Manager licenses work with WSM 8.2?
A: Yes. WSM 8.2 is backward-compatible with the VPN Manager licenses - and what is more, these licenses unlock the WSM 8.2 new centralized Firebox X Edge management features.
Q: Who can upgrade to WSM 8.2?
A: Any customer with a current LiveSecurity® Service subscription for a Firebox III or Firebox X Core or Peak is entitled to download WSM 8.2. For Firebox III and Firebox X Core customers, WSM 8.2 includes a WFS 7.4 component. Firebox X Core customers may upgrade the Firebox operating system to Fireware Pro if desired, as a separate purchase.
Q: Can I use WSM to manage VPN tunnels in a Firebox X Edge/SOHO-only environment, or must I have at least one Firebox III, or Firebox X Core or Peak?
A: WSM is not officially supported to manage VPN tunnels in a Firebox X Edge-only environment, but the new WatchGuard Management Server function will make such a deployment possible in a future release.
Q: What NAT actions are available for Branch Office VPN tunnels?
A: 1:1 NAT and Dynamic NAT may be applied to Branch Office VPN traffic with Fireware Pro.
Q: Must I run the Management Server on the same PC as the WSM software? What about the Log Server or the WebBlocker Server?
A: The servers may be installed on the same PC as the management components, or you may set up a distributed architecture with these components running on two or more separate machines.
Q: How do I move the VPN Management files from the Firebox-based DVCP server to the new Management Server?
A: WSM 8.2 includes a Migration Utility as well as a Migration Guide to assist in making this process as easy as possible.
Q: Will WFS 7.4 (which is included as part of the WSM 8.2 download) be available as a WFS upgrade for current v7.3 and Firebox III customers?
A: Yes. Any Firebox III or Firebox X customer with a current LiveSecurity Service subscription will be entitled to upgrade to WFS 7.4, included with the WSM 8.2 package, and will then be able to take advantage of new management functionality available in WSM 8.2.
Q: Does WSM 8.2 allow a Firebox to log to more than one log host simultaneously?
A: Yes, provided that the Firebox logs to one log host with XML or WSEP logging (depending on whether the Firebox is running Fireware Pro or WFS), and logs to the other log host with Syslog. There is no provision for simultaneously sending XML or WSEP logs to more than one log host.
Q: What are the meanings of the different "Action" color codes in HostWatch?
A: These color codes indicate whether a connection was allowed, denied, translated (NAT), or handled by deep application inspection.
Q: What kind of backup is available for the WatchGuard Management Server? Can I run two Management Servers in a high availability configuration?
A: There is no WatchGuard utility as of yet for backing up the Management Server; however, the documentation provides information on how to back up these files manually. There is no provision at this time for running two Management Servers in a high availability cluster. Both the backup and the high availability options for the Management Server are under consideration for a future release.
Q: Why are IPSec routes not included in the routing table in Status Report?
A: IPSec routing information is held in a separate table, while Status Report pulls its information directly from the kernel routing table.