What’s New in WSM 10 and Fireware 10
What’s New in WSM/Fireware 10 - WSM 10 Overview
New in WSM 10
• New SQL-based logging and reporting architecture
• WatchGuard Management Server enhancements
• Firebox System Manager enhancements
• New help system with search and Table of Contents
What’s New in WSM/Fireware 10 - Fireware 10 Overview
New in Fireware 10
• Mobile VPN with SSL
• New proxies for VoIP support
• New TCP/UDP proxy for multiple protocol detection
• Enhancements to security subscriptions
• Single Sign-On
• More integration with LiveSecurity
• BOVPN and Mobile VPN with IPSec enhancements
• New notifications
• Networking enhancements
New in WSM 10
New Logging and Reporting Architecture
New Logging and Reporting Architecture - Overview
The new logging and reporting architecture includes:
• New SQL-based Log Server
• Totally redesigned LogViewer application
• New Report Server
• New Report Manager (replaces Historical Reports)
One change to the WatchGuard Toolbar:
• New Report Server icon
New Logging and Reporting Architecture - About the SQL Database
Uses PostgreSQL
• Postgres is installed during either:
  • Log Server Setup Wizard
  • Report Server Setup Wizard
• The server you set up first (Report Server or Log Server) installs Postgres
• Because Postgres does not install over an RDP session, do not run the Log Server or Report Server Setup Wizard over RDP
• PostgreSQL installation creates the data directory and its structure
• There is no UI option to change the location of the data directory after Postgres is installed
• Installs a non-admin user account, watchguard_pg_user
  • Do not alter this account; it is for the Postgres service
• In this release, you must use the command line for:
  • Importing old XML log files into the database
  • Restoring a backup of the database
New Log Server - SQL-based
Advantages to using a SQL database for logs:
• Much more scalable
• Logs from multiple appliances now stored in one database
• No more discrete XML log files
• Faster and more powerful log file search
• Faster report generation
• Reports can be run on data stored in different Log Servers
Automatic maintenance jobs are user-configurable:
• Automatic daily deletion of old logs
• Automatic daily backup
New Log Server - Log Server Setup Wizard
Click once on the Log Server icon to start the Log Server Setup Wizard
New Log Server - Setup Wizard
PostgreSQL is installed and the database directory is created when you run either:
• The Log Server Setup Wizard, or
• The Report Server Setup Wizard
New Log Server - Setup Wizard
Pay close attention to this screen of the Setup Wizard
• To change the log data directory after PostgreSQL is installed, you must run the Setup Wizard again.
New Log Server - Admin User Interface - Configure the Log Server
To configure the Log Server, left-click once on the Log Server icon in the WatchGuard toolbar.
Or, right-click and select Configure
New Log Server - Log Server Configuration - Server Settings Tab
The Log Server can send notifications about itself to this address.
Firebox Event Notifications also go to this address.
New Log Server - Log Server Configuration - Expiration Settings Tab
Automatically purge old logs
Automatically back up logs
Send appliance notifications
New Log Server - Log Server Configuration - Logging/Monitoring Settings Tab
All Firebox appliances that send logs show here.
Send log messages about the Log Server itself to:
• The Windows Event Viewer
• A text file
New LogViewer - Total Redesign for Maximum Usability
All-new enhanced LogViewer gives powerful new features
New LogViewer - Launch and Connect to a Log Server
Start LogViewer from the WatchGuard System Manager.
Then, connect to a Log Server.
New LogViewer - Select the appliance or server to view logs
Select one or more devices to see their logs
All devices logging to this Log Server (including other servers) show here
Report Server and Management Server can also send logs to Log Server!
New LogViewer - Arrange the windows for the different devices’ logs
Cascade the windows
Or tile them
New LogViewer - Category View
View:
• All logs
• Only traffic logs
• Only alarms
• Only events
• Only debug logs
• Only bandwidth statistics messages
New LogViewer - Date Range View
Select a preconfigured range, or make a custom time filter
New LogViewer - Search - String Search
Simple string search is very useful
Search for:
• An IP address
• Blocked sites / blocked ports
• All messages with a key word, for example:
• IKE
• Type of email or HTTP header
• A username
New LogViewer - Search - Put context to the message
When Search finds an interesting log message, you can show the log messages before and after it.
Right-click the message and select Show Log Excerpt
Or press F5
You see 50 messages before and after the target log message
New LogViewer Preferences
Store general preferences
• Your primary Log Server
• How many messages before and after the target in Log Excerpt
• How many searches to remember
New LogViewer Preferences
Store viewing preferences
• Default log type
• Font size
• Which columns to display for the different log types
New LogViewer - Search Manager
Tools > Search Manager
Create powerful searches and save them for later use
Advanced Search shows why a SQL database is better
New LogViewer - Multiple export options
Export logs as:
• CSV (comma-separated value) file
• HTML page
• XML file
Instantly email logs as:
• CSV file
Select and copy as plain text
New Report Server - Overview - What it does
Collects and presents log data
• Periodic collection from Log Server
• Periodic generation of reports
• Provides reports to Report Manager via XMLRPC
• Reports are immediately viewable and automatically refresh
New Report Server - Overview - What It Does
(Diagram: Log Data -> Log Server -> Consolidated Log Data -> Reports)
New Report Server - Configuration - Expiration Settings tab
Server Settings tab is identical to same tab in Log Server
Expiration Settings tab:
• Automatically delete old reports
• Turn on notification of events about the Report Server itself
New Report Server - Configuration - Report Generation tab
Tell the Report Server where to get data
This is the server management passphrase, not the log encryption key!
New Report Manager - Overview
Report Manager is the client application that connects to the Report Server
Replaces old Historical Reports
The left-hand pane shows the available reports
The right-hand pane is a browser (based on Internet Explorer) showing the selected report
New Report Manager - Launch and Connect to a Report Server
Start Report Manager from WSM.
Then, connect to a Report Server.
Report Server - Available Reports
Reports carried forward from earlier Historical Reports:
• Denied Packet Summary
• Denied Packet Detail
• Incoming
• Outgoing
• SMTP Summary
• SMTP Server Summary
• SMTP Detail
• SPAM Summary
• Firebox Statistics
• POP3 Summary
• POP3 Detail
• Alarms
• Packet Filter Host Summary
• Proxy Host Summary
• HTTP Most Popular Domain
• HTTP Summary
• HTTP URL Detail
• IPS Packet
• IPS Summary and its detail subreports:
  • Protocol
  • Severity
  • Source
  • Signature
• AV Summary and its detail subreports:
  • Protocol
  • Host
  • Virus
  • Sender
• WebBlocker Detail
Report Server - Available Reports
New Reports in 10:
• HTTP Most Active Client
• Web Surfing
• External Interface Bandwidth Report
• Management Server Audit Trail
• Management Server Audit Trail Detail
• Management Server Authentication
• BUM “Boxes Under Management”
Management Server Enhancements
What’s New in WSM/Fireware 10 - Management Server Enhancements - Overview
Multi-user support
Record locking
Configuration passphrase caching
Force comments on Config Change
Folders with lockout
Notification enhancements
LiveSecurity Alerts
Management Server Enhancements - Multi-user support
Add users on new Users tab of Management Server Configuration
Management Server Enhancements - Multi-user support
Management Server user accounts:
• Admin privileges
  • Can create new user accounts on the Management Server
  • Can administer all devices under management with a WSM connection to the Management Server
• Read-Write privileges
  • Can administer all devices under management with a WSM connection to the Management Server
• Read-Only privileges
  • Can view all devices under management
  • This user connects to the Management Server in Monitoring Mode
Management Server Enhancements - Multi-user support
Users must now provide username and passphrase when connecting
• Provides audit trail in Management Server report
Default account is admin
• This account uses the server management passphrase
• This is the same password you used before to connect to your Management Server from WSM
Management Server Enhancements - Record locking and caching passphrases
When you bring up Policy Manager for a managed device:
• WSM prevents others from using Policy Manager for that device when they connect to the Management Server
• Reduces the chance that conflicting edits are made at the same time by different users
• Policy Manager automatically enters the device’s configuration passphrase when you save the configuration back to the Firebox
• No need to remember the configuration passphrases for all your managed devices
• No need to share managed devices’ configuration passphrases with others
For this to work:
• Firebox you manage must be running Fireware 10
• You must launch Policy Manager via a connection to the Management Server (not a connection to the device itself)
Management Server Enhancements - Record locking
Connect to the Management Server using WSM, then launch Policy Manager for an appliance:
• The device record is locked
When a different user connects to the Management Server at the same time:
• A “Maintenance Alert” shows for that device
• Policy Manager is not available for that device
Management Server Enhancements - Configuration passphrase caching
When you use that instance of Policy Manager to save the configuration, Policy Manager automatically puts the appliance’s configuration passphrase into the entry field
When you close Policy Manager (or use it to File > Open a different Firebox) the lock is released
Management Server Enhancements - Force comments
Force comments on config change
• Turn this on in Management Server Configuration
Users must add comment when saving config via a connection to Management Server
Management Server Enhancements - Folders with lockout
Right-click Management Server and select Add New Folder
Management Server Enhancements - Folders with lockout
You can make a VPN between two devices inside the same locked folder
You cannot make a VPN tunnel between a device in a locked folder and a device not in the same locked folder
• Prevent “mistake” VPNs
• Those can cost the managed security provider $$ and reputation
Locked folder has a padlock on the folder’s icon
Management Server Enhancements - Notification enhancements
Get notified if a managed device does not contact the Management Server when its DVCP lease expires
From: [email protected]
Subject: Notice from Management Server
Host: dc01
Time: Fri Feb 08 09:15:34 2008
Process: 3848:3900
Message:
Information (8249), no contact from device with name Miami_X6500e, id 50.50.50.254, and IP address 50.50.50.254
Management Server Enhancements - LiveSecurity Alerts
WSM displays LiveSecurity broadcasts when you select the Management Server
Alerts that will appear:
• New software updates available
• WatchGuard vulnerabilities
Quarantine Server Enhancements
Quarantine Server Enhancements - Quarantine email based on virus classification
You can now send SMTP mail to the Quarantine Server based on whether Gateway AntiVirus detected a virus
Quarantine Server Enhancements - Quarantine mail based on virus classification
You can send SMTP mail to the Quarantine Server based on whether spamBlocker’s Virus Outbreak Detection detected a virus
Firebox System Manager Enhancements
What’s New in WSM/Fireware 10 - Firebox System Manager Enhancements - Overview
Front Panel tab updated for Mobile VPN with SSL
Search Traffic Monitor
Display logs by type of message
Multiple-line select (ctrl-click or shift-click) and copy
Select notifications from entire event catalog
Service Watch graph by bandwidth
Firebox System Manager Enhancements - Front Panel Tab
Mobile VPN with SSL sessions displayed on Front Panel tab
Firebox System Manager Enhancements - Front Panel Tab
Log off remote users from Front Panel tab
Firebox System Manager Enhancements - Traffic Monitor Tab
Search Traffic Monitor
Firebox System Manager Enhancements - Traffic Monitor Tab
View:
• All logs
• Only traffic logs
• Only alarms
• Only events
• Only debug logs
• Only bandwidth statistics messages
Firebox System Manager Enhancements - Traffic Monitor Tab
Multiple-line select (ctrl-click or shift-click) and copy
Firebox System Manager Enhancements - Traffic Monitor Tab
Select Notifications from Event Catalog
Right-click an event in Traffic Monitor
• Instantly set up notification for the next time that event happens
Firebox System Manager Enhancements - Service Watch Tab
Use Service Watch to:
• Graph the traffic going through each policy by bandwidth
• See the number of sessions going through each policy
New Help System
New Help System - Searchable, with Table of Contents
New in Fireware 10
Mobile VPN with SSL
Mobile VPN with SSL - Overview
PC and Mac compatible – one download page for both
Mobile VPN with SSL - URL for users to get the software
URL to authenticate and get the client software:
• https://[firebox.ip.address]:4100/sslvpn.html
• Note the /sslvpn.html at the end
URL to authenticate only remains the same
• https://[firebox.ip.address]:4100
Mobile VPN with SSL - Configuration in Policy Manager
Simple, straightforward configuration
• Policy Manager: VPN > Mobile VPN > SSL
• Use any authentication server
• Specify which WAN users connect to first and second (failover)
• Allow granular access or access to all connected networks
New Proxies for VoIP Support
New Proxies for VoIP - H.323 and SIP
These proxies work to allow some VoIP/Videoconferencing through the Firebox:
• SIP Proxy
• H.323 Proxy
H.323 proxy supports NAT-traversal for voice and video traffic
• H.323 Gatekeeper (“PBX” hosting/trunking) and T.120 multimedia support not in this release.
• H.323 support is limited to point-to-point connections
SIP proxy supports NAT-traversal for voice and video traffic
• Does not provide the PBX registration capabilities of a typical standalone SIP Registrar-Proxy
• Must have your own Registrar-Proxy server to route these connections
• SIP proxy has only been tested with PBXs located on the external segment of the Firebox (hosted scenario, no trunking).
New Proxies for VoIP - H.323 and SIP
Simple to configure
(Screenshots: SIP proxy and H.323 proxy configuration)
New Proxies for VoIP - TFTP
Trivial File Transfer Protocol
• For more than just VoIP
Typically for:
• Sending updates to VoIP devices under management
• Sending configuration files
• Sending ROM images or firmware updates
TFTP Proxy lets you allow or deny content by matching file name patterns for:
• Downloads
• Uploads
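The file name pattern rules described above, worked through as an added example (illustrative Python, not WatchGuard code): a small filter that parses TFTP read and write requests as RFC 1350 defines them and applies separate allow/deny pattern lists for downloads and uploads. Fireware's actual pattern syntax is not given on this page, so fnmatch-style globs, the deny-before-allow order, the default-deny outcome and the path-traversal check are assumptions made for the example, and the sample requests are constructed.

```python
import fnmatch
import struct

# TFTP opcodes (RFC 1350): a read request downloads a file, a write request uploads one.
RRQ, WRQ = 1, 2
TFTP_MODES = ("netascii", "octet", "mail")

# Constructed policy in the shape of the TFTP proxy's per-direction file name rules.
# Fireware's pattern syntax is not given on this page; fnmatch-style globs are an
# assumption made for this example. Deny rules win over allow rules, and a request
# that matches neither is denied.
RULES = {
    "download": {"allow": ["*.cfg", "*.bin", "sip-*.xml"], "deny": ["*passwd*"]},
    "upload": {"allow": ["*.log"], "deny": []},
}


def parse_tftp_request(packet: bytes):
    """Parse an RRQ/WRQ: 2-byte opcode | filename | NUL | mode | NUL (RFC 1350)."""
    if len(packet) < 4:
        raise ValueError("packet too short for a request")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (RRQ, WRQ):
        raise ValueError(f"opcode {opcode} is not RRQ/WRQ")
    fields = packet[2:].split(b"\x00")
    # A well-formed request ends in NUL, so split() yields [filename, mode, b""].
    if len(fields) < 3 or not fields[0] or not fields[1]:
        raise ValueError("missing filename or mode")
    filename = fields[0].decode("ascii")       # UnicodeDecodeError is a ValueError
    mode = fields[1].decode("ascii").lower()   # mode is case-insensitive per RFC 1350
    if mode not in TFTP_MODES:
        raise ValueError(f"unknown transfer mode {mode!r}")
    return opcode, filename, mode


def decide(packet: bytes, rules=RULES):
    """Return ("allow" | "deny", reason) for one TFTP request packet."""
    try:
        opcode, filename, _mode = parse_tftp_request(packet)
    except ValueError as exc:
        return "deny", f"unparseable request: {exc}"
    direction = "download" if opcode == RRQ else "upload"
    # Hardening added for this example: refuse absolute paths and any ".." component,
    # whichever separator the client used, before the name reaches the pattern rules.
    parts = filename.replace("\\", "/").split("/")
    if parts[0] == "" or ".." in parts:
        return "deny", f"path traversal in {direction} name {filename!r}"
    name = filename.lower()
    for pat in rules[direction]["deny"]:
        if fnmatch.fnmatchcase(name, pat.lower()):
            return "deny", f"{direction} {filename!r} matched deny pattern {pat!r}"
    for pat in rules[direction]["allow"]:
        if fnmatch.fnmatchcase(name, pat.lower()):
            return "allow", f"{direction} {filename!r} matched allow pattern {pat!r}"
    return "deny", f"{direction} {filename!r} matched no allow pattern"


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """Build a request packet; used here only to construct sample traffic."""
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


if __name__ == "__main__":
    for pkt in (
        build_request(RRQ, "phone-0a1b2c.cfg"),      # phone pulling its config
        build_request(RRQ, "sip-firmware-9.1.bin"),  # firmware update
        build_request(WRQ, "phone-0a1b2c.cfg"),      # upload of a config: not in the allow list
        build_request(RRQ, "../../etc/passwd"),      # traversal attempt
        b"\x00\x05\x00\x00msg\x00",                  # ERROR opcode, not a request
    ):
        print(decide(pkt))
```

The traversal check runs before the pattern lists on purpose: a pattern such as `*.cfg` would happily match `../../etc/shadow.cfg`, so the name has to be normalised and rejected first.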
New TCP-UDP Proxy - Multiple Protocol Detection
TCP-UDP Proxy detects what protocol the traffic is:
• HTTP
• HTTPS
• SIP
• FTP
New HTTPS Proxy - What it can do
HTTPS Proxy
Block objectionable HTTPS sites using WebBlocker
Allow or deny access to web sites based on Domain Names
• Fireware matches Domain Name patterns against the Subject field in the web site’s SSL certificate
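As an added example of the Subject-field matching the HTTPS proxy performs (illustrative Python, not Fireware code), the block below parses an RFC 4514 Subject string, takes its CN and tests it against domain-name allow and deny patterns. Glob semantics, the deny-before-allow order and the default-deny outcome are assumptions, as is the premise that the certificate has already been chain-validated. The constructed Subjects show the case practitioners trip over: a wildcard certificate carries the literal CN *.cdn.example, so a pattern naming one specific host under it never matches, and names carried only in subjectAltName are outside a CN-based check altogether.

```python
import fnmatch


def parse_dn(dn: str) -> dict:
    """Split an RFC 4514 string such as 'CN=www.example.com,O=Example Inc,C=US' into
    {ATTRIBUTE: value}. Backslash-escaped commas stay inside a value; if an attribute
    repeats, the first occurrence wins."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    attrs = {}
    for part in parts:
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        attrs.setdefault(key.strip().upper(), value.strip())
    return attrs


def https_decision(subject: str, allow_patterns, deny_patterns):
    """Decide ("allow" | "deny", reason) for a TLS site from its certificate Subject.

    Matching is done against the Subject CN only, as the page describes for the HTTPS
    proxy. Glob semantics (fnmatch) are an assumption made for this example. The
    certificate is assumed to have been chain-validated already: an unvalidated Subject
    is text the server chose, so a decision keyed on it alone is not a security control."""
    cn = parse_dn(subject).get("CN")
    if not cn:
        return "deny", "certificate Subject has no CN"
    host = cn.lower().rstrip(".")
    for pat in deny_patterns:
        if fnmatch.fnmatchcase(host, pat.lower()):
            return "deny", f"CN {cn!r} matched deny pattern {pat!r}"
    for pat in allow_patterns:
        if fnmatch.fnmatchcase(host, pat.lower()):
            return "allow", f"CN {cn!r} matched allow pattern {pat!r}"
    return "deny", f"CN {cn!r} matched no allow pattern"


if __name__ == "__main__":
    # Constructed Subjects standing in for the certificates a client would see.
    corp_site = "CN=mail.example.com,O=Example Inc,C=US"
    cdn_wildcard = "CN=*.cdn.example,O=CDN Co,C=US"
    allow = ["*.example.com", "static.cdn.example"]
    deny = ["games.example.com"]
    print(https_decision(corp_site, allow, deny))                  # allow
    # The wildcard certificate presents the literal CN "*.cdn.example"; the host name
    # the browser asked for is not in the Subject, so "static.cdn.example" never matches.
    print(https_decision(cdn_wildcard, allow, deny))               # deny
    print(https_decision(cdn_wildcard, ["*.cdn.example"], deny))   # allow
```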
Enhancements to Security Subscriptions
What’s New in WSM/Fireware 10 - Enhancements to Security Subscriptions
Intrusion Prevention (IPS) Enhancements
• New signature set
• Broader range of signatures
• Botnet protection for servers
• Updated signature scanning engine
• Approximately 40% increase in IPS performance
• Simpler IPS Configuration
• P2P and IM now integral part of Fireware (no IPS license required)
WebBlocker Enhancements
• Expanded Category List
• WebBlocker for HTTPS
spamBlocker Enhancements
• Virus Outbreak Detection
WebBlocker Enhancements - 40-Category to 54-Category Mapping
40-Category List name          54-Category List name(s)
Arts & Entertainment           Arts; Entertainment
Drugs, Alcohol, Tobacco        Illegal Drugs; Alcohol & Tobacco
Violence                       Violence; Tasteless & Offensive
Hacking                        Hacking; Spyware
Computing & Internet           Computing & Internet; Downloads; Ringtones / Mobile Phone Downloads
Criminal Skills                Criminal Activity; Phishing & Fraud
Glamour & Intimate Apparel     Intimate Apparel & Swimwear; Fashion & Beauty
Government & Politics          Government; Politics
Lifestyle & Culture            Society & Culture; Philanthropic & Professional Organizations
Remote Proxies                 Proxies & Translators; Peer-to-Peer
NOT REPRESENTED                Spam URLs
NOT REPRESENTED                Infrastructure
NOT REPRESENTED                Business
Single Sign-On
Single Sign-On - Requirements
Only for Active Directory domains
• Install WatchGuard Authentication Gateway software on a domain computer
• This computer called the SSO Agent
• The domain account under which the agent software runs must:
• Have “Log on as a service” permission granted (for the service to run automatically)
• Be a member of Domain Admins group (to query PCs running Vista)
• All domain PCs must allow connections over 139 and 445
• Add exceptions to Windows Firewall for File and Printer Sharing, or turn off Windows Firewall
Single Sign-On - Settings
• IP address of the PC running the WatchGuard Authentication Gateway software (the SSO agent)
• How long the SSO agent should cache responses it gets from PCs it queries
• IP addresses that the Firebox will not ask about
Policy Manager: Setup > Authentication > Authentication Settings
Single Sign-On - How it works 1
• Firebox sees traffic come from a trusted or optional or VLAN interface
• SSO does not work for traffic coming from an external interface
• Firebox sends query to SSO agent (PC running WatchGuard Authentication Gateway software)
• This is a port 4114 connection. Command is get user <ip.address>
• SSO agent checks its cache.
• If it has an entry for this IP address, it returns an answer to the Firebox
• If not in cache, SSO agent queries that IP address
• Uses Windows NetWkstaUserEnum() call
• Windows Networking connection over port 139 and/or 445
• If SSO agent PC gets no reply, send error message to Firebox
• The IP address is not added to authentication list
Single Sign-On - How it works 2
• PC returns answer to SSO agent. There can be more than one answer
  • SSO agent uses only the first answer it gets from the PC
• SSO agent sends query to Active Directory server to find what groups the user is a member of
  • Active Directory returns all values of the memberOf attribute tied to that user object
• SSO agent PC returns answer to Firebox
  • User name logged in to that PC and groups of which the user is a member
• Firebox puts <IP address>, <user name>, and <groups of which the user is a member> in its internal list of authenticated users
  • Authentication List tab of Firebox System Manager displays the IP address and user name of authenticated users
Single Sign-On - How it works 3
Use user names and Active Directory groups in your policies to restrict access
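The query flow from the three "How it works" slides, as an added example (a Python simulation, not the WatchGuard Authentication Gateway code): a Firebox model sends "get user <ip.address>" to an agent model that answers from its cache or from a stand-in for the NetWkstaUserEnum() call and a stand-in for the memberOf lookup. The response shape, the rule that only successful answers are cached, and the sample workstation and directory data are constructed assumptions. The two-session host shows why "uses only the first answer" matters in practice: whichever logon session enumerates first decides the groups the IP address is granted, and a cached answer outlives a logoff until the cache time expires.

```python
import time

# Constructed data standing in for what NetWkstaUserEnum() and Active Directory return.
# The two-session host and the unreachable host exercise the behaviours the slides describe.
WORKSTATION_SESSIONS = {
    "10.0.1.20": ["CORP\\alice"],
    "10.0.1.21": ["CORP\\svc-backup", "CORP\\bob"],  # a service logon enumerates first
}
UNREACHABLE_HOSTS = {"10.0.1.30"}  # Windows Firewall drops 139/445, so no reply
AD_MEMBER_OF = {
    "CORP\\alice": ["CN=Finance,OU=Groups,DC=corp,DC=example",
                    "CN=VPN-Users,OU=Groups,DC=corp,DC=example"],
    "CORP\\bob": ["CN=Helpdesk,OU=Groups,DC=corp,DC=example"],
    "CORP\\svc-backup": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"],
}


def group_name(dn: str) -> str:
    """'CN=Finance,OU=Groups,...' -> 'Finance' (value of the first RDN)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


class SsoAgent:
    """Simulated SSO agent (WatchGuard Authentication Gateway) listening on port 4114."""

    def __init__(self, sessions, unreachable, directory, cache_ttl=30.0, clock=time.monotonic):
        self.sessions = sessions          # ip -> logon sessions, newest-first as enumerated
        self.unreachable = unreachable    # ips that never answer on 139/445
        self.directory = directory        # user -> memberOf values
        self.cache_ttl = cache_ttl        # the "how long to cache responses" setting
        self.clock = clock                # injectable for deterministic tests
        self._cache = {}                  # ip -> (expires_at, response)

    def _net_wksta_user_enum(self, ip):
        """Stand-in for NetWkstaUserEnum() over 139/445; None means no reply at all."""
        if ip in self.unreachable:
            return None
        return list(self.sessions.get(ip, []))

    def handle(self, command: str) -> dict:
        """Serve one 'get user <ip.address>' command. Response shape is an assumption."""
        words = command.split()
        if words[:2] != ["get", "user"] or len(words) != 3:
            return {"status": "error", "reason": "unrecognised command"}
        ip = words[2]
        now = self.clock()
        cached = self._cache.get(ip)
        if cached and cached[0] > now:
            return dict(cached[1], from_cache=True)
        users = self._net_wksta_user_enum(ip)
        if users is None:
            response = {"status": "error", "reason": "no reply from workstation"}
        elif not users:
            response = {"status": "error", "reason": "no logon session on workstation"}
        else:
            user = users[0]  # only the first enumerated session is used
            groups = [group_name(dn) for dn in self.directory.get(user, [])]
            response = {"status": "ok", "ip": ip, "user": user, "groups": groups}
        if response["status"] == "ok":  # cache only answers the workstation actually gave
            self._cache[ip] = (now + self.cache_ttl, response)
        return response


class Firebox:
    """Minimal model of the Firebox side: ask the agent, fill the authenticated-user list."""

    def __init__(self, agent, skip_ips=()):
        self.agent = agent
        self.skip_ips = set(skip_ips)   # "IP addresses that the Firebox will not ask about"
        self.auth_list = {}             # ip -> (user, groups), as on the Authentication List tab

    def on_new_flow(self, src_ip: str, interface: str):
        if interface == "external" or src_ip in self.skip_ips:
            return None  # SSO is consulted only for trusted, optional and VLAN sources
        reply = self.agent.handle(f"get user {src_ip}")
        if reply["status"] != "ok":
            return None  # on error the IP address is not added to the authentication list
        self.auth_list[src_ip] = (reply["user"], reply["groups"])
        return self.auth_list[src_ip]


if __name__ == "__main__":
    agent = SsoAgent(WORKSTATION_SESSIONS, UNREACHABLE_HOSTS, AD_MEMBER_OF)
    fb = Firebox(agent, skip_ips={"10.0.1.5"})
    for ip, ifc in [("10.0.1.20", "trusted"), ("10.0.1.21", "trusted"),
                    ("10.0.1.30", "trusted"), ("10.0.1.20", "external")]:
        print(ip, ifc, "->", fb.on_new_flow(ip, ifc))
```

Two things the simulation makes visible that the slides only state: host 10.0.1.21 is granted the Domain Admins membership of the service account that happens to enumerate first, not the groups of the person at the keyboard, and a host whose 139/445 ports are filtered silently stays unauthenticated rather than failing loudly.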
BOVPN and Mobile VPN with IPSec Enhancements
What’s New in WSM/Fireware 10 - VPN Enhancements
Selective Auto-start of BOVPN Tunnels
Dead Peer Detection
Mobile VPN with IPSec Policies More Configurable
Notification of BOVPN Events
VPN Enhancements - Selective auto-start of BOVPN tunnels
At the bottom of the General Settings tab of the Gateway
VPN Enhancements - Mobile VPN with IPSec more configurable
You can now edit the Mobile VPN/IPSec policy to change the allowed access.
The policy is no longer tied to the “allowed resources” assigned to the Mobile VPN/IPSec Group
VPN Enhancements - Dead Peer Detection
On the Phase 1 Settings tab of the Gateway
VPN Enhancements - Notification of BOVPN events
VPN > VPN Settings > BOVPN Notification button
New Notification Options
New Notification Options - Notification enhancements
SNMPv3 Support
New WebBlocker Alarm Options
The Firebox can now send notifications for:
• Multi-WAN Events
• BOVPN Down
• Lost contact with WebBlocker Server
Networking Enhancements
What’s New in WSM/Fireware 10 - Networking Enhancements
Static MAC/IP Address Binding
• Edit an interface > Advanced tab
• Select Only allow traffic sent from or to these MAC/IP Addresses to lock out all other traffic on this interface
• Keep the box cleared to add only Static ARP entries
More Integration with LiveSecurity®
What’s New in WSM/Fireware 10 - LiveSecurity Integration
Quick Setup Wizard pulls feature key from LiveSecurity
• Appliance must be registered before you can use the QSW to get the Feature Key
• If the appliance is not registered, you can get to the Internet during the Quick Setup Wizard to register it
• You can skip this step of the Wizard if you have not registered the device yet
• If there is no Feature Key, one user can get to the Internet after it is configured
What’s New in WSM/Fireware 10 - LiveSecurity Integration
Updated feature key display
• Easier to understand
• Easier to see when features expire
(Screenshots compare the old and new feature key display)
Thank You!