WatchGuard Technologies Firebox X manual Managing the Certificate Authority

Page 66

Managing the Certificate Authority

authenticates to the Management Server. The CA makes sure that the managed Firebox clients are authenticated and then gives a certificate to each client. The two managed Firebox clients use the certif- icates to authenticate the VPN tunnel being created between them.

MUVPN and certificates

Because MUVPN clients are not clients of the Management Server, they authenticate to the Firebox. Use the MUVPN Wizard from Policy Manager to contact the CA and create a certificate for the MUVPN client. Policy Manager creates a package that includes this certificate and two other files.

The Firebox administrator gives each MUVPN user a package of files. Together, these files are the MUVPN end-user profile. Users who authenticate with shared keys receive one .wgx file. Users who authenticate with certificates receive a .wgx file, a .p12 file (which is the client certificate), and a cacert.pem file (which contains the root certificate).

The MUVPN user who authenticates with certificates then opens the .wgx file. The root and client certif- icates contained in the cacert.pem and the .p12 files are automatically loaded.

For more information on MUVPN, see the MUVPN Administrator Guide.

Managing the Certificate Authority

You can control different parameters of the Certificate Authority with the Web-based CA Manager.

1From WatchGuard System Manager, connect to the Management Server.

You must type the configuration passphrase to connect.

1Select Resources > CA Manager.

or

Click the CA Manager icon on the WatchGuard System Manager toolbar. The icon is shown at left.

The menu of the Certificate Authority Settings pages appears.

2From the menu, select the correct page:

Certificate Authority CA Certificate

Print a copy of the CA (root) certificate to the screen. You can then manually save it to the client.

60

WatchGuard System Manager

Image 66
Contents WatchGuardSystem Manager User Guide Address Contents Setting Up Logging and Notification Copy the online help system to more computersLogViewer Settings Importing Certificates Microsoft Internet Explorer 5.5Apache Software License, Version 2.0, January WatchGuard Management Server Getting StartedAbout WatchGuard System Manager Log ServerInstalling WatchGuard System Manager About Hardware and Appliance SoftwareLicense Keys Network addressesTrusted interface 1Network IP Addresses Without the FireboxExternal interface Optional interfacesUses 40-bit encryption Software encryption levelsBase StrongSetting Up Your Management Server Putting the Firebox into operation on your networkMaster password Admin passwordAfter Your Installation Installation TopicsWFS appliance software configuration modes Routed configurationDrop-in configuration Use the Quick Setup Wizard during installation Adding secondary networks to your configurationTo add a secondary networks, do one of these procedures Dynamic IP support on the external interfaceEntering IP addresses About slash notationInstalling the Firebox cables Installation Topics Threat responses, alerts, and expert advice Service and SupportLiveSecurity Service Solutions Easy software updatesLiveSecurity Service Broadcasts LiveSecurity Service Self Help Tools Basic FAQsNew from WatchGuard Interactive Support Forum Advanced FAQsKnown Issues Online TrainingWatchGuard Users Group Using the WatchGuard Users ForumWatchGuard Users Forum Online HelpCopy the online help system to more computers Product DocumentationTechnical Support Software requirementsType of Service Web Site Service TimeWe try to supply a solution in a maximum time of four hours HoursTraining and Certification About the WatchGuard System Manager Window Monitoring Your NetworkStarting WatchGuard System Manager From the Windows DesktopDevice Connecting to a FireboxDisconnecting from a Firebox LogDisconnecting from a Server Connecting to a ServerType the password for the Management Server Seeing Information about DevicesFirebox Status CertificatesBranch Office VPN Tunnels Pptp user VPN tunnels Seeing Information on Log ServersMobile user VPN tunnels No exclamation pointMonitoring VPNs Policy Manager About the WatchGuard ToolbarStarting Security Applications Firebox ManagerLog Viewer Quick Setup WizardHostWatch Historical ReportsSetting Up Logging and Notification Setting Up the Log ServerLog Server collects logs from each WatchGuard Firebox WatchGuard Log Server Configuration dialog box appears Configuration Guide for your version of appliance softwareSetting Global Logging and Notification Preferences Type the new log encryption key two times Click OKClick Save Changes or Close Click Save Changes Setting Global Logging and Notification Preferences Types of Log Messages Traffic Alarm Event DiagnosticReviewing and Working with Log Files Traffic log messagesLog File Names and Locations Alarm log messagesDiagnostic log messages Starting LogViewerBrowse to find the log file and click Open LogViewer Settings Changing LogViewer settings with WFS appliance software Click to set the format of the logs to the default colorsUsing LogViewer Select Edit FindPaste the data into any text editor Click File Merge log files Click Browse to find the files to put together Click MergeUsing LogViewer Using LogViewer Generating Reports of Network Activity Creating and Editing ReportsFrom Historical Reports, click Add Type the report nameSelect the filter Specifying a Report Time Interval Type the Firebox IP address or host name. Click AddChange the report definition Specifying Report Sections Setting Report Properties To consolidate report sectionsType the number of items to put in the table Exporting Reports Using Report Filters Complete the Filter tabsReport Sections and Consolidated Sections When finished, click OKRunning Reports Change the filter propertiesReport Sections and Consolidated Sections Session Summary Proxied Traffic Consolidated sections Report Sections and Consolidated Sections Managing Certificates Certificate Authority Public Key Cryptography and Digital CertificatesPKI in a WatchGuard VPN Managing the Certificate Authority From the menu, select the correctCertificate Authority CA Certificate GWvpn gateway name Management Server CA CertificateGenerate a New Certificate Find and Manage CertificatesPuts back a certificate that was revoked before RevokeReinstate DestroyManaging the Firebox X Edge Firebox Soho Importing CertificatesNetscape Communicator NetscapeManaging the Firebox X Edge or Soho Device Troubleshooting ideasAdministration System StatusFirewall Removing CertificatesSystem security and remote management LoggingSelect File Soho Management Clean up on PC Removing Certificates Appendix a Copyright and Licensing WatchGuard Firebox Software End-User License AgreementWatchGuard System Manager Copyright and Trademarks Licenses OpenSSL LicenseOriginal SSLeay License Apache Software License, Version 2.0, January Licenses Pcre License GNU Lesser General Public License Licenses Licenses Licenses GNU General Public License Licenses Licenses Licenses Sleepycat License Licenses Appendix B WatchGuard File Locations General File LocationsDefault File Locations Quick Setup WizardFirebox System Manager for Fireware Appliance Software HostWatch for Fireware Appliance SoftwarePolicy Manager for Fireware Appliance Software WatchGuard System Manager Policy Manager for WFS Appliance SoftwareFlash Disk Management for WFS Appliance Software Firebox System Manager for WFS Appliance SoftwareHostWatch for WFS Appliance Software LogViewerManagement Server WebBlocker ServerLog Server User Interface Log Server for Fireware Appliance Software Log Server for WFS Appliance SoftwareHistorical Reports Management Server Setup Wizard Log MergeManagement Server User Interface WatchGuard Certificate Authority Default File Locations Index Muvpn Wctp 100