Add a Firebox to Dimension for Management
Before you can manage a Firebox with Dimension, you must add it to Dimension and import the management (.WGD) file to the Firebox. If the Firebox is already connected to Dimension to send log messages, you can edit the Firebox to establish a management connection to Dimension. If the Firebox is not already connected to Dimension, you can add it to Dimension to establish a management connection.
Before you can manage a Firebox with Dimension, the Firebox must have a feature key with the LiveSecurity Service and Dimension Command features enabled.
If your Firebox meets these conditions, you can add the Firebox to Dimension and import the Dimension management file (.WGD file) to the Firebox to establish a management connection to Dimension.
If your instance of Dimension is behind a firewall (gateway Firebox or another NAT device), before you add your Firebox to Dimension for management, make sure the firewall is set for correct port-forwarding to Dimension, and then make sure your Dimension instance is configured to use the IP address of the firewall in the Public Accessibility settings. For more information about how to configure Public Accessibility settings for Dimension, go to Configure General Server Settings.
After you have added your Firebox to Dimension, it appears on the Devices page, where you can see information about the Firebox and connect to the Firebox for management. For more information, go to View Devices.
If you previously managed a Firebox with the WSM Management Server, you can add that Firebox to Dimension for management. There is not a process available to import the management settings from the WSM Management Server. Instead, you must manually complete the process to add the Firebox to Dimension for management, as described in the Add a New Firebox and Enable Management section.
Add a New Firebox and Enable Management
To add a Firebox or FireCluster to Dimension and enable a management connection, you complete the Add Managed Device wizard and download the management settings file (.WGD file) for the Firebox or FireCluster from Dimension. The management settings file includes all the information you specified in the Add Managed Device wizard, as well as Dimension system information, to enable your Firebox or FireCluster to establish a management connection to Dimension. You then import the management settings file to the Firebox or FireCluster configuration with Fireware Web UI or Policy Manager.
If the Dimension web server certificate is generated by a third-party certificate authority, you must import the certificate before you download the .WGD file to import to your Firebox. For more information about how to import a certificate to Dimension, go to Manage Dimension Certificates.
You can also use the Add Managed Device wizard to add a Firebox or FireCluster to Dimension with only a logging connection. If you only want to enable the Firebox or FireCluster to send log messages to Dimension, make sure to select the Enable logging option, but do not download the .WGD file and import it to the Firebox or FireCluster.
You can add a Firebox or FireCluster from the List, Health, or License tabs on the Devices page.
Add a Firebox for Management
When you add a Firebox to Dimension, you must specify a name for the Firebox and the serial number of the Firebox. If you add a FireCluster to Dimension, you must specify a name for the FireCluster, specify the cluster member names, and the cluster member serial numbers. You can only add two members for any FireCluster.
Before you add a FireCluster to Dimension for management, make sure Dimension Command is enabled in the feature key. If your FireCluster is in Active/Active mode, the feature keys on both cluster members must include Dimension Command. If the FireCluster is in Active/Passive mode, only one Firebox in the cluster must include Dimension Command in the feature key.
Make sure that the names you specify in Dimension for your Firebox or FireCluster are the same names specified in the device configuration files for the Firebox or FireCluster members. For a FireCluster, the default cluster member names are Member1 and Member2.
From the Devices page:
- Click Add.
The Add Managed Device wizard opens.
- Review the information message. Click Next.
The Select provisioning method page opens.
- Select a method to provision the managed device:
- Add online device
- Manually enter an existing device
- Click Next.
- To add an online device:
- In the IP Address text box, type the IP address of the Firebox.
- In the Username text box, type the user name for a user account with Device Administrator privileges.
- In the Passphrase text box, type the passphrase for the Device Administrator user account.
- From the Authentication Server drop-down list, select the server where the Device Administrator user account credentials are stored.
- To manually add a single Firebox or a FireCluster, from the Type drop-down list, select an option:
- In the Device Name text box, type the friendly name of the Firebox.
- In the Serial Number text box, type the serial number of the Firebox.
- To enable the Firebox to send log messages to Dimension, select the Enable logging check box.
- In the Cluster Name text box, type the friendly name of the FireCluster.
- Adjacent to the Member Names list, click .
The Add Managed Device dialog box opens.
- In the Member Name text box, type the name of the first cluster member.
- In the Member ID text box, type the serial number of the first cluster member.
- Click OK.
- Repeat Steps b–e for the second cluster member.
- To enable the FireCluster to send log messages to Dimension, select the Enable logging check box.
- Click Next.
Dimension saves the information you specified about the Firebox or FireCluster.
- To download the management settings file (.WGD file) to import to your Firebox or FireCluster, click Download.
Dimension saves the management settings file to your management computer.
- Click Finish.
The Firebox or FireCluster you added appears on all the Devices page tabs.
To add a Firebox or FireCluster to Dimension for logging only, make sure to select the Enable logging check box and do not download and import the management settings file to the Firebox or FireCluster.
Enable Management
After you have added your Firebox to Dimension and downloaded the management settings file (.WGD file), you can import the management file to the Firebox or FireCluster and enable it to be managed by Dimension. You can configure the Managed Device settings for your Firebox or FireCluster from Fireware Web UI or Policy Manager.
This topic includes instructions to enable management from Fireware Web UI. For instructions to configure the Managed Device settings from Policy Manager, go to Configure a Firebox as a Managed Device.
When your Firebox is managed by Dimension, it makes a secure WebSocket connection to Dimension over HTTPS (TCP port 443). This connection uses TLS v1.2 and is negotiated with TLS_DHE_RSA_WITH_AES_256_CBC_SHA encryption. This requires Dimension to have a certificate the Firebox can validate. The Firebox is authenticated based on the credentials in the management settings file that you import to the Firebox when you enable it to be managed by Dimension.
For more information about Dimension certificates, go to Manage Dimension Certificates.
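A pre-flight check for the connection described above, as an added example that is not WatchGuard code: from a host on the same network path as the Firebox, it offers only TLS 1.2 with the documented suite and validates the certificate Dimension presents. The `probe` function, its status names and the PEM `ca_file` argument are assumptions of this example.

```python
import socket
import ssl
import sys

# OpenSSL's name for TLS_DHE_RSA_WITH_AES_256_CBC_SHA, the suite named above.
FIREBOX_CIPHER = "DHE-RSA-AES256-SHA"


def probe(address, port=443, ca_file=None, timeout=5.0):
    """Attempt the handshake the page describes; return (status, detail).

    status is "ok", "certificate" (chain or name not validated), "handshake"
    (TLS 1.2 or the suite was refused) or "network" (any other OS-level error).
    ca_file is the CA or Dimension certificate you plan to import on the
    Firebox (assumed PEM); None falls back to the system trust store.
    """
    try:
        ctx = ssl.create_default_context(cafile=ca_file)
        # Offer only what the page says the management connection uses.
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.set_ciphers(FIREBOX_CIPHER)
        with socket.create_connection((address, port), timeout=timeout) as raw:
            # Name/IP matching stays on; this may be stricter than the
            # Firebox's own check, which the page does not specify.
            with ctx.wrap_socket(raw, server_hostname=address) as tls:
                return "ok", f"{tls.version()} {tls.cipher()[0]}"
    except ssl.SSLCertVerificationError as exc:
        return "certificate", exc.verify_message
    except ssl.SSLError as exc:
        return "handshake", str(exc)
    except OSError as exc:
        return "network", str(exc)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py ADDRESS [PORT] [CA_PEM]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    status, detail = probe(sys.argv[1], port, ca)
    print(status, detail)
    sys.exit(0 if status == "ok" else 1)
```

A "certificate" result points at the certificate import step; a "network" result points at the port-forwarding and Public Accessibility settings.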
To configure the Managed Device settings for your Firebox, from Fireware Web UI:
- Select System > Managed Device.
The Managed Device page opens.
- To unlock the configuration so you can make changes, click .
For more information about how to unlock and lock the Dimension configuration, go to Lock and Unlock the Dimension Configuration.
- To enable your Firebox to be a managed device, select the Enable Centralized Management check box.
- From the Manage Device With drop-down list, select Dimension Command.
The Managed Device settings for Dimension Command appear.
- Browse to locate the management settings file (.WGD file) you downloaded for this Firebox from Dimension. Click Import.
- In the Dimension Command Address(es) text box, type the public IP address of Dimension. Click Add.
If Dimension is behind a gateway Firebox or other firewall NAT device, select the public IP address of the gateway Firebox or firewall device.
- In the Dimension Command Port text box, type the port used to communicate with Dimension. The default value is port 443.
If you change the command port to a different port number, Dimension will instruct client Fireboxes to connect on this port number, but will still continue to listen on TCP port 443. If you change this value, you must configure the gateway Firewall or router through which Dimension connects to the Internet to forward Firebox management connections to Dimension on TCP port 443.
- To import the Dimension certificate, browse to locate the certificate file. Click Import.
When you save the configuration changes to the Firebox or FireCluster, the Firebox or FireCluster is enabled as a managed device.
Manage Your Gateway Firebox with Dimension
If you want to manage your gateway Firebox for Dimension with your instance of Dimension, you must modify the Dimension Command Address(es) list in the Managed Device settings to include the private address of Dimension. Because Dimension is behind the gateway Firebox, the address for Dimension that is included in the .WGD file is the public address of the gateway Firebox. The gateway Firebox cannot use its own public address to connect to Dimension. Instead, it must use the private address for Dimension.
After you import the .WGD file to the gateway Firebox to enable management and configure the management settings for the gateway Firebox, you must change the address specified for Dimension in the Managed Device settings.
This procedure is only necessary for a gateway Firebox that is managed by the same instance of Dimension that it protects from the Internet.
To modify the Managed Device settings for your gateway Firebox, from Fireware Web UI:
- Select System > Managed Device.
The Managed Device page opens.
- To unlock the configuration so you can make changes, click .
For more information about how to unlock and lock the Dimension configuration, go to Lock and Unlock the Dimension Configuration.
- In the Dimension Command Address(es) list, select the check box for the public IP address of the gateway Firebox. Click Remove.
- In the Dimension Command Address(es) text box, type the private IP address of Dimension. Click Add.
- Save the configuration changes to the gateway Firebox.
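The address and port rules from the Enable Management and gateway sections, collected into one consistency check. This is an added example, not part of the WatchGuard documentation or product. The plan layout, names, serial placeholders and addresses are constructed, and it assumes every Firebox other than the gateway reaches Dimension through the public address.

```python
import ipaddress

DIMENSION_LISTEN_PORT = 443  # Dimension keeps listening here if the command port changes

# Constructed sample (documentation address ranges, made-up names and serials).
SAMPLE_PLAN = {
    "dimension": {"private_ip": "10.0.1.50",
                  "public_accessibility_ip": "203.0.113.10",
                  "command_port": 4443},
    "gateway": {"serial": "GW-SERIAL-PLACEHOLDER", "public_ip": "203.0.113.10",
                "forwards": [(4443, "10.0.1.50", 4443)]},  # wrong internal port
    "fireboxes": [
        {"name": "gateway-fb", "serial": "GW-SERIAL-PLACEHOLDER",
         "command_addresses": ["203.0.113.10"]},  # as imported from the .WGD file
        {"name": "branch-fb", "serial": "BR-SERIAL-PLACEHOLDER",
         "command_addresses": ["203.0.113.10"]},
    ],
}


def check_plan(plan):
    """Return the problems found; an empty list means the plan is consistent."""
    problems = []
    dim, gw = plan["dimension"], plan.get("gateway")  # gateway is None without NAT
    private = ipaddress.ip_address(dim["private_ip"])
    advertised = ipaddress.ip_address(dim["public_accessibility_ip"])
    gw_public = ipaddress.ip_address(gw["public_ip"]) if gw else None
    if gw:
        if advertised != gw_public:
            problems.append("Public Accessibility must use the gateway public IP")
        # Fireboxes connect on the command port; Dimension listens on 443.
        want = (dim["command_port"], str(private), DIMENSION_LISTEN_PORT)
        if want not in [tuple(f) for f in gw["forwards"]]:
            problems.append("gateway must forward TCP %d to %s:%d" % want)
    for fb in plan["fireboxes"]:
        addrs = {ipaddress.ip_address(a) for a in fb["command_addresses"]}
        if gw and fb["serial"] == gw["serial"]:
            # The gateway cannot reach Dimension through its own public address.
            if gw_public in addrs:
                problems.append(fb["name"] + ": remove the gateway public IP")
            if private not in addrs:
                problems.append(fb["name"] + ": add the Dimension private IP")
        elif advertised not in addrs:
            problems.append(fb["name"] + ": command address must be %s" % advertised)
    return problems
```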
Edit a Firebox or FireCluster
If your Firebox or FireCluster has already been added to Dimension, but does not have a management connection to Dimension, you can edit the Firebox or FireCluster settings in Dimension to download the management settings file (.WGD file). You can then follow the steps in the previous section to enable Dimension to manage the Firebox or FireCluster.
When you edit the Managed Device settings, you can also change the logging setting and the location specified for your Firebox or FireCluster.
You can edit a Firebox or FireCluster from the List, Health, or License tabs on the Devices page.
From the Devices page:
- Select the row of the Firebox or FireCluster. Do not select the Firebox or FireCluster Name.
- Click Edit.
The Edit Managed Device dialog box opens.
- To enable logging, adjacent to Logging is currently, click Disabled.
- To disable logging, adjacent to Logging is currently, click Enabled.
- To specify the location of your Firebox, in the Latitude and Longitude text boxes, type the latitude and longitude for the location of your Firebox.
- To download the management settings file, click Download.
- Click Close.
- To enable management, follow the instructions in the Enable Management section.