About WatchGuard Passphrases and Keys
As part of your network security solution, you use passphrases, authentication keys, encryption keys, and shared keys. This topic includes information about most of the passphrases and keys you use for WatchGuard products. It does not include information about third-party passwords or passphrases. Information about restrictions for passphrases and keys is also included in the related procedures.
Create a Secure Passphrase or Key
To create a secure passphrase, authentication key, encryption key, or shared key, we recommend that you:
- Use a combination of uppercase and lowercase ASCII characters, numbers, and special characters (for example, [email protected]).
- Do not use a word from standard dictionaries, even if you use it in a different sequence or in a different language.
- Do not use a name. It is easy for an attacker to find a business name, familiar name, or the name of a famous person.
As an additional security measure, we recommend that you change your passphrases, encryption keys, and shared keys at regular intervals.
Device Default Account Passphrases
A Firebox has two built-in Device Management user accounts and passphrases:
The built-in read-only password or passphrase that allows access to the device with the status Device Management user account. The status user account is assigned the Device Monitor role. When you log in with the status user account, you can review your configuration, but you cannot save changes to the Firebox.
The built-in read-write password or passphrase that allows an administrator full access to the device with the admin Device Management user account. The admin user account is assigned the Device Administrator role. You must use this passphrase to save configuration changes to your device, or to change your device passphrases, if you do not create additional Device Administrator user accounts.
Each of these passphrases must be at least 8 characters.
You can create user names and passphrases to use with Firebox authentication and role-based administration.
User Passphrases for Firebox authentication
After you set this user passphrase, the characters are masked and it does not appear in simple text again. If the passphrase is lost, you must set a new passphrase. The allowed range for this passphrase is 8–32 characters.
User Passphrases for role-based administration
After you set a passphrase for a Device Management user account that you create on your device, the passphrase does not appear again in the User and Group Properties dialog box. If the passphrase is lost, you must set a new passphrase. This passphrase must be at least 8 characters.
The Administrator passphrase is used to control access to the WatchGuard Server Center. You also use this passphrase when you connect to your Management Server from WatchGuard System Manager (WSM). This passphrase must be at least 8 characters. The Administrator passphrase is associated with the user name admin.
Authentication server shared secret
The shared secret is the key the Firebox and the authentication server use to secure the authentication information that passes between them. The shared secret is case-sensitive and must be the same on the Firebox and the authentication server. RADIUS, SecurID, and VASCO authentication servers all use a shared key.
Authentication Keys, Encryption Keys, and Shared Keys
Log Server authentication key
The authentication key is used to create a secure connection between the Firebox and the Log Servers, and to avoid man-in-the-middle attacks. The allowed range for the authentication key is 8–32 characters. You can use all characters except spaces and slashes (/ or \).
Backup/Restore encryption key
This is the encryption key you create to encrypt a backup file of your Firebox configuration. When you restore a backup file, you must use the encryption key you selected when you created the configuration backup file. If you lose or forget this encryption key, you cannot restore the backup file. The encryption key must be at least 8 characters, and cannot be more than 15 characters.
VPN pre-shared key
The pre-shared key is a passphrase used by two devices to encrypt and decrypt the data that goes through the tunnel. The two devices use the same passphrase. If the devices do not have the same passphrase, they cannot encrypt and decrypt the data correctly.