3.2. Procedure – Configuring PSM with the Welcome Wizard


The Welcome Wizard guides you through the basic configuration steps of PSM. All parameters can be modified before the last step by using the Back button of the wizard, or later via the web interface of PSM.


  1. Open the https://<IP-address-of-PSM-interface> page in your browser and accept the displayed certificate. The Welcome Wizard of PSM appears.


    The PSM console displays the IP address the interface is listening on. PSM either receives an IP address automatically via DHCP, or if a DHCP server is not available, listens on the IP address.

  2. When configuring PSM for the first time, click Next.

    Figure 3.6. The Welcome Wizard

    The Welcome Wizard

    You can import an existing configuration from a backup file. Use this feature to restore a backup configuration after a recovery, or to migrate an existing PSM configuration to a new device.


    Do not export or import configuration between a physical PSM deployment and a virtual one. Because of the differences and limitations between physical and virtual appliances, configure the virtual appliance from scratch to ensure proper functionality. When you migrate a virtual PSM to another one, you can export and import the configuration.

    1. Click Browse and select the configuration file to import.


      It is not possible to directly import a GPG-encrypted configuration into PSM, it has to be decrypted locally first.

    2. Enter the passphrase used when the configuration was exported into the Encryption passphrase field.

      For details on restoring configuration from a configuration backup, see Procedure 23.9, Restoring PSM configuration and data

    3. Click Import.


      If you use the Import function to copy a configuration from one PSM to another, do not forget to configure the IP addresses of the second PSM. Having two devices with identical IP addresses on the same network leads to errors.

  3. Accept the End User License Agreement and install the PSM license

    Figure 3.7. The EULA and the license key

    The EULA and the license key
    1. Read the End User License Agreement and select I have read and agree with the terms and conditions. The License Agreement covers both the traditional license, and subscription-based licensing as well. Clicking I have read and agree with the terms and conditions means that you accept the agreement that corresponds to the license you purchased (for details on subscription-based licensing, see Section 2.20, Licenses). After the installation is complete, you can read the End User License Agreement at Basic Settings > System > License.

    2. Click Browse, select the PSM license file received with PSM, then click Upload.


      It is not required to manually decompress the license file. Compressed licenses (for example .zip archives) can also be uploaded.

    3. Click Next.

  4. Configure networking. All settings can be modified later using the web interface of PSM.

    Figure 3.8. Initial networking configuration

    Initial networking configuration
    1. Physical interface EXT or 1 — IP address: The IP address of interface 1 (or EXT, for older hardware) of PSM (for example, The IP address can be chosen from the range of the corresponding physical subnet. Clients will connect to this interface, therefore it must be accessible to them.

      Use an IPv4 address.


      Do not use IP addresses that fall into the following ranges:

      • (reserved for communication between PSM cluster nodes)

      • (localhost IP addresses)

    2. Physical interface EXT or 1 — Prefix: The IP prefix of the given range. For example, general class C networks have the /24 prefix.

    3. Physical interface EXT or 1 — VLAN ID: The VLAN ID of interface 1 (or EXT). Optional.


      Do not set the VLAN ID unless your network environment is already configured to use this VLAN. Otherwise, your PSM appliance will be unavailable using this interface.

    4. Default GW: IP address of the default gateway.

      Use an IPv4 address.

    5. Hostname: Name of the machine running PSM (for example, PSM).

    6. Domainname: Name of the domain used on the network.

    7. DNS server: The IP address of the name server used for domain name resolution.

      Use an IPv4 address.

    8. NTP server: The IP address or the hostname of the NTP server.

      Use an IPv4 address.

    9. Syslog server: The IP address or the hostname of the syslog server.

      Use an IPv4 address.

    10. SMTP server: The IP address or the hostname of the SMTP server used to deliver e-mails.

      Use an IPv4 address.

    11. Administrator's email: E-mail address of the PSM administrator.

    12. Timezone: The timezone where the PSM is located.

    13. HA address: The IP address of the high availability (HA) interface. Leave this field on auto unless specifically requested by the support team.

    14. Click Next.

  5. Enter the passwords used to access PSM.

    Figure 3.9. Passwords


    PSM accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>[email protected][\]^-`{|}

    1. Admin password: The password of the admin user who can access the web interface of PSM.

    2. Root password: The password of the root user, required to access PSM via SSH or from the local console.


      Accessing PSM using SSH is rarely needed, and recommended only for advanced users for troubleshooting situations.

    3. If you want to prevent users from accessing PSM remotely via SSH or changing the root password of PSM, select the Seal the box checkbox. Sealed mode can be activated later from the web interface as well. For details, see Section 6.6, Sealed mode.

    4. Click Next.

  6. Upload or create a certificate for the PSM web interface. This SSL certificate will be displayed by PSM to authenticate HTTPS connections to the web and the REST interface.

    Figure 3.10. Creating a certificate for PSM

    Creating a certificate for PSM

    To create a self-signed certificate, fill the fields of the Generate new self-signed certificate section and click Generate certificate. The certificate will be self-signed by the PSM appliance. The hostname of PSM will be used as the issuer and common name.

    1. Country: Select the country where PSM is located (for example, HU-Hungary).

    2. Locality name: The city where PSM is located (for example, Budapest).

    3. Organization name: The company who owns PSM (for example, Example Inc.).

    4. Organizational unit name: The division of the company who owns PSM (for example, IT Security Department).

    5. State or Province name: The state or province where PSM is located.

    6. Click Generate certificate.

    If you want to use a certificate that is signed by an external Certificate Authority, in the Server X.509 certificate field, click to upload the certificate.

    Figure 3.11. Uploading a certificate for PSM

    Uploading a certificate for PSM

    Then in the Server private key field click , upload the private key, and enter the password protecting the private key.

    Figure 3.12. Uploading a private key

    Uploading a private key

    PSM accepts private keys in PEM (RSA and DSA), and PUTTY format. Password-protected private keys are also supported.

    Balabit recommends using 2048-bit RSA keys (or stronger).


    PSM accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>[email protected][\]^-`{|}

  7. Review the data entered in the previous steps. This page also displays the certificate generated in the last step, the SSH RSA key of PSM, and information about the license file.

    Figure 3.13. Review configuration data

    Review configuration data

    If all information is correct, click Finish.


    The configuration takes effect immediately after clicking Finish. Incorrect network configuration data can render PSM unaccessible.

    PSM is now accessible from the regular web interface via the IP address of interface 1 (or EXT).

  8. Your browser is automatically redirected to the IP address set for interface 1 (or EXT) of PSM, where you can login to the web interface of PSM using the admin username and the password you set for this user in the Welcome Wizard.