Scribd
Upload
207 views

Watchguard Cyberark Integration Guide

This document provides instructions for integrating CyberArk Enterprise Password Vault (EPV) with WatchGuard Firebox devices. Key steps include deploying the CyberArk software, creating a safe in the vault to store the Firebox admin account, adding the account with the customized WatchGuard plugin, and configuring a policy to automatically change the Firebox admin passphrase on a regular basis (every 2 days by default). Once configured, an RDP connection can be made from CyberArk to the Firebox to test the integration.

Uploaded by

Vincenzo Petrucci
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
207 views

Watchguard Cyberark Integration Guide

This document provides instructions for integrating CyberArk Enterprise Password Vault (EPV) with WatchGuard Firebox devices. Key steps include deploying the CyberArk software, creating a safe in the vault to store the Firebox admin account, adding the account with the customized WatchGuard plugin, and configuring a policy to automatically change the Firebox admin passphrase on a regular basis (every 2 days by default). Once configured, an RDP connection can be made from CyberArk to the Firebox to test the integration.

Uploaded by

Vincenzo Petrucci
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 10

Integration Guide

CyberArk Enterprise Password Vault (EPV)

Revised: 26 February 2016


About This Guide

Guide Type
Documented Integration WatchGuard or a Technology Partner has provided documentation demonstrating
integration

Guide Details
WatchGuard provides integration instructions to help our customers configure WatchGuard products to work
with products created by other organizations. If you need more information or technical support about how to
configure a third-party product, see the documentation and support resources for that product.

2 CyberArk EPV Integration Guide


CyberArk EPV Integration Overview

This document describes the steps to integrate CyberArk Enterprise Password Vault (EPV) with your
WatchGuard Firebox. With a custom SSH plug-in from CyberArk, the CyberArk administrator can periodically
change the passphrase of the Firebox Admin user.

Platform and Software


The hardware and software used to complete the steps outlined in this document include:

Firebox or WatchGuard XTM device installed with Fireware v11.10.x


CyberArk Vault server installed on a Windows 2012 R2 computer
PrivateArk Administrative Client installed on a Windows 2012 R2 computer
Central Policy Manager installed a Windows 2012 R2 computer
Privileged Session Manager installed on a Windows 2012 R2 computer
Customized WatchGuard plug-in that you must request from CyberArk
NOTE: At this time, it is only possible to change the passphrase of the default Firebox administrator user
admin. You cannot change the passphrase of other user roles to which you have assigned administrator
privileges.

Configuration

To complete this integration, you must first deploy CyberArk software (see the Platform and Software section
above). CyberArk software deployment requires knowledge of Windows server, WCF, and IIS. Make sure
Central Policy Manager and Password Vault web access are hosted on the same server, while Privileged
Session Manager and Vault Server are each on a dedicated server.

CyberArk EPV Integration Guide 3


To set up the CyberArk Vault environment, please refer to the CyberArk Privileged Account Security
Installation Guide. In this document, we describe the procedure to create an account to change the Firebox
Admin passphrase and show how it works.

Set Up an Account on CyberArk

1. On the server where Password Vault Web Access is installed, connect to


http://<host_name>/passwordvault. Sign in with the user name and password you set when you
configured your CyberArk Vault server.

4 CyberArk EPV Integration Guide


2. Go to Policies > Access Control. Click Add Safe. Type the name of the safe. In our example, we
used the name safe 1. Save the configuration.

3. On the Accounts tab, click Add Accounts. Note that, to successfully add an account, you must first
request and receive a customized plug-in from CyberArk. Once you have this plug-in and it is correctly
installed, you can complete the account information as described below.

CyberArk EPV Integration Guide 5


4. From the Store in Safe drop-down list, select safe1.
5. From the Device Type drop-down list, select Imported Platforms.
6. From the Platform Name drop-down list, select WatchGuard via SSH. If you do not have the custom
plug-in from CyberArk, you will not see the WatchGuard via SSH option that is required for this
integration to work.
7. In the Address text box, type the Trusted or Optional interface IP address of your Firebox.
8. In the Username text box, type the user name of your Firebox administrator user.
9. Select the port check box, and type 4118 in the adjacent text box.
10. Type and confirm your Firebox admin passphrase.
11. Save the configuration changes.

If the account has been set up correctly, it will look like this:

6 CyberArk EPV Integration Guide


Test the Connection from CyberArk to the Firebox

1. Double-click the user name to open the Account Details page for your account.

CyberArk EPV Integration Guide 7


2. Click Connect to open an RDP connection.

3. An RDP connection to the Firebox is made. If the connection is successful, you will see this:

Automatically Change the Firebox Admin Passphrase

1. Select Policy by Platform.

8 CyberArk EPV Integration Guide


2. In the Policy by Platform dialog box, select WatchGuard via SSH.

3. In Password Management, you can select how often to change the passphrase. The default is 2 days.

CyberArk EPV Integration Guide 9


4. To see the current passphrase for the Admin user, click Show User Password.

10 CyberArk EPV Integration Guide

You might also like