What's new in Fireware XTM 11.4

Introduction to XTMv

Table of Contents
• Virtualization and Network Security
• XTMv Overview
• Use Cases
• VMware Deployment
• XTMv Deployment
• Resources

WatchGuard Training

Virtualization and Network Security
Computing Evolution: from Physical to Virtual…
• From physical
• To logical
• To virtual
• …to virtualized

Everything You Know About Network Security…
1) Everything on one system is in the same security domain
2) Traffic crosses over wires and can be examined in motion
…Is Wrong.

Virtual Infrastructure
• Virtual infrastructure separates the physical hardware from the software.
• CPU, memory, storage, and network resources are allocated to each VM.
• Each virtual machine behaves as if it has dedicated hardware.
XTMv Overview

What is XTMv?
• XTMv is a WatchGuard XTM device that runs as a VM within a virtual infrastructure.
• The initial deployment process is different from other XTM devices.
• Almost everything else is the same:
  - Fireware XTM OS
  - WatchGuard management tools (WSM, Web UI, and CLI)
  - Configuration file format
XTMv Differences
• Fireware XTM features not supported on XTMv:
  - FireCluster
  - Hardware diagnostics (the CLI diagnose hardware command)
  - Ability to automatically save a support snapshot to a connected USB drive
  - No front panel buttons to start the device in safe mode or recovery mode (use the CLI command restore factory-default to start the device with factory default settings)
• With XTMv, we cannot assume the hardware is known.
  - The network administrator must allocate resources to the XTMv virtual machine:
    - Storage (XTMv requires ~3 GB disk space)
    - Virtual processors (CPUs)
    - Memory
    - Network adapters for each interface
XTMv Editions and Licensing
• WatchGuard sells four XTMv editions.
  - Each edition has different recommended resource requirements.
  - Each edition has different feature key limits.

Product                 CPU (min rec)     Memory (min rec)   Feature key limits
Small Office Edition    1 core            1 GB               200 Mbps throughput, 50 VPN tunnels, 30K connections, 10 interfaces
Medium Office Edition   2 cores           2 GB               2.5 Gbps throughput, 600 VPN tunnels, 350K connections, 10 interfaces
Large Office Edition    4 cores           4 GB               5 Gbps throughput, 6K VPN tunnels, 1M connections, 10 interfaces
Datacenter Edition      8 or more cores   4 GB or more       Unlimited throughput, 10K VPN tunnels, 2.5M connections, 10 interfaces
Use Cases
• Business use cases
  - IT pre-production testing
  - Multi-tenancy
  - Colocation
  - Office in a Box
• Networking use cases
  - Isolated network
  - VM gateway
  - Exposed
Business Use Case: IT Pre-Production Testing
• Create a virtual duplicate of a production environment on an ESXi host:
  - Networks
  - Servers
  - Applications
• Test any upgrades or changes in the virtual environment first, before you make a change in the production environment.

Business Use Case: Multi-Tenancy
• Use XTMv to protect networks that belong to different organizations.

Business Use Case: Colocation
• Use XTMv to protect the “internal edge” between users or applications.
(Diagram labels: Finance, Engineering)

Business Use Case: Office in a Box
• A server can host VMs and virtual networks for all the servers needed to run a business office:
  - Email servers
  - Web servers
  - Network application servers
• Use XTMv to protect workloads/servers located on a single server.

Networking Use Case: Isolated Virtual Network
• Deploy XTMv within virtual networks that do not connect to any physical interface on the ESXi host.
(Diagram labels: ESXi Host)

Networking Use Case: Isolated Network
• Deploy XTMv within a virtual network with the firewall between one or more virtual networks and a physical interface on the ESXi host.
(Diagram labels: ESXi Host, Physical Network Interface)

Networking Use Case: Exposed Network
• Deploy XTMv between virtual networks that connect to different physical network interfaces on the ESXi host.
(Diagram labels: ESXi Host, Physical Network Interface, Physical Network Interface)
VMware

VMware Hypervisor
• A hypervisor is a virtual machine manager (VMM).
  - The hypervisor allows multiple virtual machines to run concurrently on a host computer.
  - Each VM runs its own guest OS and applications.
  - Examples of hypervisors:
    - VMware ESX
    - VMware ESXi
    - Microsoft Hyper-V Server
    - Citrix XenServer
• XTMv initially supports one hypervisor: VMware ESXi 4.1 or 5.0.
• XTMv does not support vMotion for virtual machine migration between ESXi hosts.
VMware Software
• vSphere is a VMware suite of software for virtualization.
• Some of the main components of vSphere are:
  - ESXi host: the virtualization platform, or hypervisor, that hosts virtual machines.
    - ESXi is installed on bare server hardware.
    - ESXi 4.1 or 5.0 is required for XTMv.
  - vCenter Server: an optional management server that provides centralized administration of multiple ESXi hosts and their virtual machines.
    - vCenter Server is not required for XTMv.
  - vSphere Client: a Windows client that is the primary management interface used to deploy, manage, and monitor virtual machines on ESXi hosts.
    - vSphere Client is required for XTMv deployment.
vSphere Client
• The vSphere Client can connect to an ESXi host or to a vCenter Server.
  - This is similar to the way WSM can connect to an individual XTM device or to a WatchGuard Management Server.
  - XTMv setup steps assume the vSphere Client connects to an ESXi host.
(Diagram labels: VMware vCenter Server)
XTMv Deployment

vSphere Client Installation
• The XTMv customer should already have an ESXi host and the vSphere Client installed.
• To install the vSphere Client:
  - In a web browser, connect to the VMware ESXi server.
  - Download and install the vSphere Client.

vSphere Client
• To connect to the VMware ESXi host:
  - Launch the VMware vSphere Client.
  - Type the IP address, user name, and password for the ESXi host.
XTMv Installation Prerequisites
• To prepare for the XTMv installation, make sure you have these things:
  - VMware ESXi 4.1 or 5.0 host
    - 3 GB of available disk space, required for each XTMv virtual machine
    - Two virtual networks, to map to the XTMv external and trusted interfaces
  - VMware vSphere 4.1 or 5.0 client installed on a Windows computer
  - XTMv device serial number
  - WatchGuard XTMv virtual appliance file
    - File name: xtmv_<version>.ova, where <version> is the Fireware XTM OS version (for example, xtmv_11_5_4.ova)
Installation Overview
• Installation consists of three main procedures:
  1. In the VMware vSphere Client, deploy the XTMv virtual appliance to the ESXi host; then power on the XTMv virtual machine.
  2. Connect to the Web UI and use the Fireware XTM Web Setup Wizard to set up a basic configuration.
  3. Allocate additional resources to the XTMv virtual machine.
• This training and the XTMv Setup Guide describe how to use the Web Setup Wizard to create the initial configuration.
  - You can also use the Quick Setup Wizard in WatchGuard System Manager, if you can connect to the trusted network of the XTMv device.
Deploy the XTMv Virtual Appliance
1. Launch the vSphere Client, and log in to the ESXi host with administrator credentials.
2. Select File > Deploy OVF Template.
3. Browse to the location of the WatchGuard XTMv OVF template file, xtmv_<version>.ova.

Deploy XTMv – OVF Details
4. Verify the product and version on the OVF Template Details page.
   (The left side of the dialog box shows the deployment steps, and which step you are on.)

Deploy XTMv – Name the VM
5. Review and accept the EULA.
6. Type a name for the virtual machine. The name identifies this virtual machine in the inventory on the ESXi host; it is not the same as the device name in the Fireware XTM configuration.

Deploy XTMv – Resource Pool
7. Select a resource pool (if the ESXi host has multiple resource pools). This determines where the virtual machine appears in the hierarchy of virtual machines on the ESXi host.

Deploy XTMv – Disk Format
8. Select Thick provisioned format. (This is the default.)

Deploy XTMv – Network Mapping
9. Select the destination network for Network 0 (Eth0: External).
10. Select the destination network for Network 1 (Eth1: Trusted).
    (Available networks appear in a drop-down list.)

Deploy XTMv – Verify and Finish
11. Review the deployment settings, and click Finish. The deployment begins.
    (Deployment can take a few minutes.)
XTMv After Deployment
• The XTMv virtual machine appears in the Inventory tree.
• The virtual machine is initially powered off. Click Power On to start it.

XTMv After Power On
• After you power on the device, you can see the IP addresses. (Click to see all IP addresses.)
• The External IP address is assigned by a DHCP server (if there is one).
  - Eth 0: External
  - Eth 1: Trusted
XTMv Factory Default Settings
• When you power on the XTMv virtual machine for the first time, it starts with factory default settings:
  - The XTMv device has two active interfaces, external and trusted.
  - The external interface is configured to receive an IP address via DHCP.
  - The trusted interface has the IP address 10.0.1.1.
  - The account passphrases are admin/readwrite and status/readonly.
• Differences in factory default settings for XTMv:
  - The trusted interface does not assign IP addresses via DHCP.
  - Both the trusted and external interfaces accept management connections.
  - The serial number for an unactivated XTMv device ends with “000000000”.
• To reset an XTMv to factory default settings:
  - Use the CLI command restore factory-default.
Run the Web Setup Wizard
• Connect to the Web UI: https://<external IP address>:8080
• Log in with the default admin password: readwrite.
• The Web Setup Wizard is the same as for any other XTM device.
• For XTMv, you can connect to the external interface to run the Web Setup Wizard.
Web Setup Wizard
• Accept the EULA.
• Configure the external interface (DHCP, PPPoE, or Static).
• Configure DNS and WINS servers.
• Configure the trusted interface.
  - Before you run the wizard, the DHCP server is disabled on the trusted interface.
  - In the wizard, the DHCP check box is selected by default. You might not want to enable this if the trusted network already has a DHCP server.

Web Setup Wizard
• Create passphrases.
• Add contact information.
  - The default device name is “XTMv”. It is a good practice to change this to the name you gave the XTMv virtual machine when you deployed it.
• Set the time zone.
• There is no step to enable remote management; it is enabled by default.
Web Setup Wizard – Activation
• For XTMv you must type the serial number to use online activation.
  - This is different from other XTM devices.
• Activation options in the Web Setup Wizard are the same as for any XTM device:
  - Online activation
  - Paste feature key
  - Skip activation
• If you do not complete online activation or paste a feature key, the XTMv device uses the default serial number, which ends with “000000000”.
  - A serial number that ends in nine zeros indicates that the XTMv is not activated.
Manage XTMv
• WSM
• Web UI
• CLI
  - To open a CLI console window, click Open Console on the Summary tab for this VM in the vSphere Client.

Some VMware Terminology
• In the VMware world, these terms all have different meanings:
  - Virtual appliance: the “virtual device image” you deploy (the .ova file).
  - Virtual machine: the XTMv machine after you deploy it.
  - Virtual device: a virtual hardware device, such as a network
VMware Resources - Public
• VMware product support
  - http://www.vmware.com/support/product-support/vsphere/index.html
• VMware vSphere 5 documentation
  - http://pubs.vmware.com/vsphere-50/index.jsp
• ESXi and vSphere 4 documentation
  - http://pubs.vmware.com/vsphere-4-esxi-installable-vcenter/index.jsp
• ESXi networking
  - http://pubs.vmware.com/vsphere-4-esxi-installablevcenter/topic/com.vmware.vsphere.esxi_server_config.doc_41/esx_server_config/c_networking.html
• VMware vSphere Glossary
  - http://pubs.vmware.com/vsphere-4-esxi-installablevcenter/index.jsp?topic=/com.vmware.vsphere.intro.doc_40/master_glossary.html
• Glossary of Virtualization Terms
  - http://communities.vmware.com/docs/DOC-6277

WatchGuard XTMv Resources
• XTMv Setup Guide
  - Available at www.watchguard.com/help/documentation
• Fireware XTM Student Guide and other Fireware XTM training courseware
  - Available on the WatchGuard Portal > My Training tab