CyberArk EPV Integration Guide

This document describes the steps to integrate CyberArk Enterprise Password Vault (EPV) with your WatchGuard Firebox. With a custom SSH plug-in from CyberArk, the CyberArk administrator can periodically change the passphrase of the Firebox Admin user.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • Firebox or WatchGuard XTM device installed with Fireware v11.10.x
  • CyberArk Vault server installed on a Windows 2012 R2 computer
  • PrivateArk Administrative Client installed on a Windows 2012 R2 computer
  • Central Policy Manager installed a Windows 2012 R2 computer
  • Privileged Session Manager installed on a Windows 2012 R2 computer
  • Customized WatchGuard plug-in that you must request from CyberArk

At this time, it is only possible to change the passphrase of the default Firebox administrator user admin. You cannot change the passphrase of other user roles to which you have assigned administrator privileges.


To complete this integration, you must first deploy CyberArk software (see the Platform and Software section above). CyberArk software deployment requires knowledge of Windows server, WCF, and IIS. Make sure Central Policy Manager and Password Vault web access are hosted on the same server, while Privileged Session Manager and Vault Server are each on a dedicated server.

To set up the CyberArk Vault environment, please refer to the CyberArk Privileged Account Security Installation Guide. In this document, we describe the procedure to create an account to change the Firebox Admin passphrase and show how it works.

Set Up an Account on CyberArk

  1. On the server where Password Vault Web Access is installed, connect to http://<host_name>/passwordvault. Sign in with the user name and password you set when you configured your CyberArk Vault server.

  1. Go to Policies > Access Control. Click Add Safe. Type the name of the safe. In our example, we used the name safe 1. Save the configuration.

  1. On the Accounts tab, click Add Accounts. Note that, to successfully add an account, you must first request and receive a customized plug-in from CyberArk. Once you have this plug-in and it is correctly installed, you can complete the account information as described below.

  1. From the Store in Safe drop-down list, select safe1.
  2. From the Device Type drop-down list, select Imported Platforms.
  3. From the Platform Name drop-down list, select WatchGuard via SSH. If you do not have the custom plug-in from CyberArk, you will not see the WatchGuard via SSH option that is required for this integration to work.
  4. In the Address text box, type the Trusted or Optional interface IP address of your Firebox.
  5. In the Username text box, type the user name of your Firebox administrator user.
  6. Select the port check box, and type 4118 in the adjacent text box.
  7. Type and confirm your Firebox admin passphrase.
  8. Save the configuration changes.
    If the account has been set up correctly, it will look like this:

Test the Connection from CyberArk to the Firebox

  1. Double-click the user name to open the Account Details page for your account.
  2. Click Connect to open an RDP connection.

  1. An RDP connection to the Firebox is made. If the connection is successful, you will see this:

Automatically Change the Firebox Admin Passphrase

  1. Select Policy by Platform.
  2. In the Policy by Platform dialog box, select WatchGuard via SSH.

  1. In Password Management, you can select how often to change the passphrase. The default is 2 days.

  1. To see the current passphrase for the Admin user, click Show User Password.