Introduction to XTMv


Transcript of Introduction to XTMv

Page 1: Introduction to XTMv

Introduction to XTMv

Page 2: Introduction to XTMv

Table of Contents

• Virtualization and Network Security

• XTMv Overview

• Use Cases

• VMware Deployment

• XTMv Deployment

• Resources

WatchGuard Training

Page 3: Introduction to XTMv

Virtualization and Network Security

Page 4: Introduction to XTMv

Computing Evolution: from Physical to Virtual …

From Physical To Logical To Virtual

Page 5: Introduction to XTMv

…to Virtualized

Page 6: Introduction to XTMv

Everything You Know About Network Security…

1) Everything on one system is in the same security domain

Page 7: Introduction to XTMv

Everything You Know About Network Security…

2) Traffic crosses over wires and can be examined in motion

Page 8: Introduction to XTMv

…Is Wrong.

Page 9: Introduction to XTMv

Virtual Infrastructure

Network Security

• Virtual infrastructure separates the physical hardware from the software

• CPU, memory, storage, and network resources are allocated to each VM

• Each virtual machine behaves as if it has dedicated hardware

Page 10: Introduction to XTMv

XTMv Overview

Page 11: Introduction to XTMv

What is XTMv?

XTMv is a WatchGuard XTM device that runs as a VM within a virtual infrastructure.

The initial deployment process is different from other XTM devices. Almost everything else is the same:

• Fireware XTM OS

• WatchGuard management tools (WSM, Web UI, and CLI)

• Configuration file format

Page 12: Introduction to XTMv

XTMv Differences

Fireware XTM features not supported on XTMv:

• FireCluster

• Hardware diagnostics (the CLI diagnose hardware command)

• Ability to automatically save a support snapshot to a connected USB drive

• No front panel buttons to start the device in safe mode or recovery mode (use the CLI command restore factory-default to start the device with factory default settings)

With XTMv, we cannot assume the hardware is known

• The network administrator must allocate resources to the XTMv virtual machine.

  • Storage (XTMv requires ~ 3 GB disk space)

  • Virtual processors (CPUs)

  • Memory

  • Network adapters for each interface

Page 13: Introduction to XTMv

XTMv Editions and Licensing

WatchGuard sells four XTMv editions

• Each edition has different recommended resource requirements

• Each edition has different feature key limits

| Product | CPU (Min rec) | Memory (Min rec) | Feature Key Limits |
| --- | --- | --- | --- |
| Small Office Edition | 1 Core | 1 GB | 200 Mbps throughput, 50 VPN Tunnels, 30K Connections, 10 Interfaces |
| Medium Office Edition | 2 Cores | 2 GB | 2.5 Gbps throughput, 600 VPN Tunnels, 350K Connections, 10 Interfaces |
| Large Office Edition | 4 Cores | 4 GB | 5 Gbps throughput, 6K VPN Tunnels, 1M Connections, 10 Interfaces |
| Datacenter Edition | 8 or more Cores | 4 GB or more | Unlimited throughput, 10K VPN Tunnels, 2.5M Connections, 10 Interfaces |

Page 14: Introduction to XTMv

Use Cases

Page 15: Introduction to XTMv

Use Cases

Business Use Cases

• IT pre-production testing

• Multi-tenancy

• Colocation

• Office in a Box

Networking Use Cases

• Isolated network

• VM gateway

• Exposed

Page 16: Introduction to XTMv

Business Use Case: IT Pre-Production Testing

Create a virtual duplicate of a production environment on an ESXi host:

• Networks

• Servers

• Applications

Test any upgrades or changes in the virtual environment first, before you make a change in the production environment

Page 17: Introduction to XTMv

Business Use Case: Multi-Tenancy

Use XTMv to protect networks that belong to different organizations

Page 18: Introduction to XTMv

Business Use Case: Colocation

Finance

Engineering

Use XTMv to protect the “internal edge” between users or applications

Page 19: Introduction to XTMv

Business Use Case: Office in a Box

Use XTMv to protect workloads/servers located on a single server

A server can host VMs and virtual networks for all the servers needed to run a business office.

• Email servers

• Web servers

• Network application servers

Page 20: Introduction to XTMv

Networking Use Case: Isolated Virtual Network

Deploy XTMv within virtual networks that do not connect to any physical interface on the ESXi host.

ESXi Host

Page 21: Introduction to XTMv

Networking Use Case: Isolated Network

Deploy XTMv within a virtual network with the firewall between one or more virtual networks and a physical interface on the ESXi host.

ESXi Host

Physical Network Interface

Page 22: Introduction to XTMv

Networking Use Case: Exposed Network

Deploy XTMv between virtual networks that connect to different physical network interfaces on the ESXi host.

ESXi Host

Physical Network Interface

Physical Network Interface

Page 23: Introduction to XTMv

VMware

Page 24: Introduction to XTMv

VMware Hypervisor

A hypervisor is a virtual machine manager (VMM).

• The hypervisor allows multiple virtual machines to run concurrently on a host computer.

• Each VM runs its own guest OS and applications.

• Examples of hypervisors: VMware ESX, VMware ESXi, Microsoft Hyper-V Server, Citrix XenServer

XTMv initially supports one hypervisor — VMware ESXi 4.1 or 5.0

XTMv does not support vMotion for virtual machine migration between ESXi hosts.

Page 25: Introduction to XTMv

VMware Software

vSphere is a VMware suite of software for virtualization. Some of the main components of vSphere are:

• ESXi host — the virtualization platform, or hypervisor that hosts virtual machines

ESXi is installed on bare server hardware. ESXi 4.1 or 5.0 is required for XTMv.

• vCenter Server — An optional management server that provides centralized administration of multiple ESXi hosts and their virtual machines.

vCenter Server is not required for XTMv

• vSphere Client – a Windows client that is the primary management interface used to deploy, manage, and monitor virtual machines on ESXi hosts.

vSphere Client is required for XTMv deployment

Page 26: Introduction to XTMv

vSphere Client

The vSphere Client can connect to an ESXi host or to a vCenter Server.

• This is similar to the way WSM can connect to an individual XTM device or to a WatchGuard Management Server.

• XTMv setup steps assume the vSphere Client connects to an ESXi host.

VMware

vCenter Server

Page 27: Introduction to XTMv

XTMv Deployment

Page 28: Introduction to XTMv

vSphere Client Installation

The XTMv customer should already have an ESXi host and the vSphere Client installed.

To install the vSphere client:

• In a web browser, connect to the VMware ESXi server.

• Download and install the vSphere Client.

Page 29: Introduction to XTMv

vSphere Client

To connect to the VMware ESXi host:

• Launch the VMware vSphere Client.

• Type the IP address, User name, and Password for the ESXi host.

Page 30: Introduction to XTMv

XTMv Installation Prerequisites

To prepare for the XTMv installation, make sure you have these things:

• VMware ESXi 4.1 or 5.0 host

  • 3 GB of available disk space — required for each XTMv virtual machine

  • Two virtual networks — to map to the XTMv external and trusted interfaces

• VMware vSphere 4.1 or 5.0 client installed on a Windows computer

• XTMv device serial number

• WatchGuard XTMv virtual appliance file. File name: xtmv_<version>.ova, where <version> is the Fireware XTM OS version. (For example, xtmv_11_5_4.ova)

Page 31: Introduction to XTMv

Installation Overview

Installation consists of three main procedures:

1. In the VMware vSphere client, deploy the XTMv virtual appliance to the ESXi host; then power on the XTMv virtual machine.

2. Connect to the Web UI and use the Fireware XTM Web Setup Wizard to set up a basic configuration.

3. Allocate additional resources to the XTMv virtual machine.

This training and the XTMv Setup Guide describe how to use the Web Setup Wizard to create the initial configuration.

• You can also use the Quick Setup Wizard in WatchGuard System Manager, if you can connect to the trusted network of the XTMv device.

Page 32: Introduction to XTMv

Deploy the XTMv Virtual Appliance

1. Launch the vSphere Client, and log in to the ESXi host with administrator credentials.

2. Select File > Deploy OVF Template.

3. Browse to the location of the WatchGuard XTMv OVF template file, xtmv_<version>.ova.

Page 33: Introduction to XTMv

Deploy XTMv – OVF Details

4. Verify the product and version on the OVF Template Details page.

The left side of the dialog box shows the deployment steps, and which step you are on.

Page 34: Introduction to XTMv

Deploy XTMv – Name the VM

5. Review and accept the EULA.

6. Type a name for the virtual machine — the name identifies this virtual machine in the inventory on the ESXi host. It is not the same as the device name in the Fireware XTM configuration.

Page 35: Introduction to XTMv

Deploy XTMv – Resource Pool

7. Select a resource pool (if the ESXi host has multiple resource pools). This determines where the virtual machine appears in the hierarchy of virtual machines on the ESXi host.

Page 36: Introduction to XTMv

Deploy XTMv – Disk Format

8. Select Thick provisioned format. (This is the default.)

Page 37: Introduction to XTMv

Deploy XTMv – Network Mapping

9. Select the destination network for Network 0 (Eth 0: External).

10. Select the destination network for Network 1 (Eth 1: Trusted).

Available networks appear in a drop-down list.

Page 38: Introduction to XTMv

Deploy XTMv – Verify and Finish

11. Review the deployment settings, and click Finish. The deployment begins.

Deployment can take a few minutes

Page 39: Introduction to XTMv

XTMv After Deployment

The XTMv virtual machine appears in the Inventory tree. The virtual machine is initially powered off. Click Power On to start it.

Click to power on XTMv

Page 40: Introduction to XTMv

XTMv After Power On

After you power on the device, you can see the IP addresses. The External IP address is assigned by a DHCP server (if there is one).

Click to see all IP addresses.

Eth 0: External

Eth 1: Trusted

Page 41: Introduction to XTMv

XTMv Factory Default Settings

When you power on the XTMv virtual machine for the first time, it starts with factory default settings.

• The XTMv device has two active interfaces: external and trusted.

• The external interface is configured to receive an IP address via DHCP.

• The trusted interface has the IP address 10.0.1.1.

• The account passphrases are admin/readwrite, and status/readonly.

Differences in factory default settings for XTMv:

• The trusted interface does not assign IP addresses via DHCP.

• Both the trusted and external interfaces accept management connections.

• The serial number for an unactivated XTMv device ends with “000000000”.

To reset an XTMv to factory default settings:

• Use the CLI command restore factory-default.

Page 42: Introduction to XTMv

Run the Web Setup Wizard

Connect to the Web UI: https://<external IP address>:8080

Log in with the default admin password: readwrite.

The Web Setup Wizard is the same as for any other XTM device.

For XTMv, you can connect to the external interface to run the Web Setup Wizard.

Page 43: Introduction to XTMv

Web Setup Wizard

Accept the EULA. Configure the external interface (DHCP, PPPoE, or Static). Configure DNS and WINS servers. Configure the trusted interface.

• Before you run the wizard, the DHCP server is disabled on the trusted interface.

• In the wizard, the DHCP check box is selected by default. You might not want to enable this, if the trusted network already has a DHCP server.

Page 44: Introduction to XTMv

Web Setup Wizard

Create passphrases. Add contact information.

• Default device name is “XTMv”. It is a good practice to change this to the name you gave the XTMv virtual machine when you deployed it.

Set the time zone. There is no step to enable remote management – it is enabled by default.

Page 45: Introduction to XTMv

Web Setup Wizard – Activation

For XTMv you must type the Serial Number to use Online Activation.

• This is different than for other XTM devices.

Activation options in the Web Setup Wizard are the same as for any XTM device.

• Online activation

• Paste feature key

• Skip activation

If you do not complete online activation or paste a feature key, the XTMv device uses the default serial number that ends with “000000000”.

• A serial number that ends in nine zeros indicates that the XTMv is not activated.

Page 46: Introduction to XTMv

Manage XTMv

CLI

WSM

Web UI

To open a CLI console window, click Open Console on the Summary tab for this VM in the vSphere client.

Page 47: Introduction to XTMv

Some VMware Terminology

In the VMware world, these terms all have different meanings:

• Virtual appliance – the “virtual device image” you deploy (the .ova file).

• Virtual machine – the XTMv machine after you deploy it.

• Virtual device – virtual hardware device, such as a network

Page 48: Introduction to XTMv

VMware Resources - Public

VMware product support

• http://www.vmware.com/support/product-support/vsphere/index.html

VMware vSphere 5 Documentation:

• http://pubs.vmware.com/vsphere-50/index.jsp

ESXi and vSphere 4 documentation

• http://pubs.vmware.com/vsphere-4-esxi-installable-vcenter/index.jsp

ESXi Networking

• http://pubs.vmware.com/vsphere-4-esxi-installable-vcenter/topic/com.vmware.vsphere.esxi_server_config.doc_41/esx_server_config/c_networking.html

VMware vSphere Glossary

• http://pubs.vmware.com/vsphere-4-esxi-installable-vcenter/index.jsp?topic=/com.vmware.vsphere.intro.doc_40/master_glossary.html

Glossary of Virtualization Terms

• http://communities.vmware.com/docs/DOC-6277

Page 49: Introduction to XTMv

WatchGuard XTMv Resources

XTMv Setup Guide

• Available at www.watchguard.com/help/documentation

Fireware XTM Student Guide and other Fireware XTM training courseware

• Available on the WatchGuard Portal > My Training tab
