PresenterDate

What’s New in WSM 10 and Fireware 10

2

What’s New in WSM/Fireware 10WSM 10 Overview

New in WSM 10

• New SQL-based logging and reporting architecture

• WatchGuard Management Server enhancements

• Firebox System Manager enhancements

• New help system with search and Table of Contents

3

What’s New in WSM/Fireware 10Fireware 10 Overview

New in Fireware 10

• Mobile VPN with SSL

• New proxies for VoIP support

• New TCP/UDP proxy for multiple protocol detection

• Enhancements to security subscriptions

• Single Sign-On

• More integration with LiveSecurity

• BOVPN and Mobile VPN with IPSec enhancements

• New notifications

• Networking enhancements

New in WSM 10

5

New Logging and Reporting Architecture

6

The new logging and reporting architecture includes:

• New SQL-based Log Server

• Totally redesigned LogViewer application

• New Report Server

• New Report Manager (replaces Historical Reports)

New Logging and Reporting ArchitectureOverview

One change to the WatchGuard Toolbar:

New Report Server icon

7

New Logging and Reporting ArchitectureAbout the SQL Database

Uses PostgreSQL

• Postgres is installed during either:

• Log Server Setup Wizard

• Report Server Setup Wizard

• The server you set up first (Report Server or Log Server) installs Postgres

• Because Postgres does not install over an RDP session, do not run the Log Server or Report Server Setup Wizard over RDP

• PostgreSQL installation creates the data directory and its structure

• There is no UI option to change the location of the data directory after Postgres is installed

• Installs a non-admin user account watchguard_pg_user

• Do not alter this account; it is for the Postgres service

• In this release, you must use command line for:

• Importing old XML log files into the database

• Restoring a backup of the database

8

Advantages to using SQL database for logs

• Much more scalable

• Logs from multiple appliances now stored in one database

• No more discrete XML log files

• Faster and more powerful log file search

• Faster report generation

• Report can be run on data stored in different Log Servers

Automatic maintenance jobs are user-configurable:

• Automatic daily deletion of old logs

• Automatic daily backup

New Log ServerSQL-based

9

New Log ServerLog Server Setup Wizard

Click once on the Log Server icon to start the Log Server Setup Wizard

10

New Log ServerSetup Wizard

PostgreSQL is installed and the database directory is created when you run either: •The Log Server Setup Wizard

or

•The Report Server Setup Wizard

11

New Log ServerSetup Wizard

Pay close attention to this screen of the Setup Wizard

• To change the log data directory after PostgreSQL is installed, you must run the Setup Wizard again.

12

New Log Server - Admin User InterfaceConfigure the Log Server

To configure the Log Server, left-click once on the Log Server icon in the WatchGuard toolbar.

Or, right-click and select Configure

13

New Log Server - Log Server ConfigurationServer Settings Tab

The Log Server can send notifications about itself to this

address.

Firebox Event Notifications also go to this address

14

New Log Server - Log Server ConfigurationExpiration Settings Tab

Automatically purge old logs

Automatically back up logs

Send appliance notifications

15

New Log Server - Log Server ConfigurationLogging/Monitoring Settings tab

All Firebox appliances that send logs show

here

Send log messages about the Log Server itself to:

• The Windows Event Viewer

• A text file

16

New LogViewerTotal Redesign for Maximum Usability

All-new enhanced LogViewer gives powerful new features

17

New LogViewerLaunch and Connect to a Log Server

Start LogViewer from the WatchGuard System Manager.

Then, connect to a Log Server.

18

New Log ViewerSelect the appliance or server to view logs

Select one or more devices to see their logs

All devices logging to this Log Server (including

other servers) show here

Report Server and Management Server can also send logs to Log Server!

19

New LogViewerArrange the windows for the different devices’ logs

Cascade the windows

Or tile them

20

New Log ViewerCategory View

View:

• All logs

•Only traffic logs

•Only alarms

•Only events

•Only debug logs

•Only bandwidth statistics messages

21

New LogViewerDate Range View

Select a preconfigured rangeOr make a custom time filter

22

New LogViewer – SearchString Search

Simple string search is very useful

Search for:

• An IP address

• Blocked sites / blocked ports

• All messages with a key word, for example:

• IKE

• Type of email or HTTP header

• A username

23

New Log Viewer – SearchPut context to the message

When Search finds an interesting log message, you can show the log messages before and after it.

Right-click the message and select Show Log Excerpt

Or press F5

You see 50 messages before and after the target log message

24

New LogViewer Preferences

Store general preferences

• Your primary Log Server

• How many messages before and after the target in Log Excerpt

• How many searches to remember

25

New LogViewer Preferences

Store viewing preferences

• Default log type

• Font size

• Which columns to display for the different log types

26

New LogViewerSearch Manager

Tools Search Manager

Create powerful searches and save them for later use

Advanced Search shows why a SQL database is better

27

New LogViewerMultiple export options

Export logs as:

• CSV (comma-separated value) file

• HTML page

• PDF

• XML file

Instantly email logs as:

• CSV file

• PDF

Select and copy as plain text

28

New Report Server - OverviewWhat it does

Collects and presents log data

• Periodic collection from Log Server

• Periodic generation of reports

• Provides reports to Report Manager via XMLRPC

• Reports are immediately viewable and automatically refresh

29

New Report Server - OverviewWhat It Does

Log Data

Log Server Consolidated Log Data

Reports

30

New Report Server – ConfigurationExpiration Settings tab

Server Settings tab is identical to same tab in Log Server

Expiration Settings tab:

• Automatically delete old reports

• Turn on notification of events about the Report Server itself

31

New Report Server – ConfigurationReport Generation tab

Tell the Report Server where to get data

This is the server management passphrase, not the log encryption key!

32

New Report ManagerOverview

Report Manager is the client application that connects to the Report Server

Replaces old Historical Reports

The left-hand pane shows the available reports

The right-hand pane is a browser (based on Internet Explorer) showing the selected report

33

New Report Manager Launch and Connect to a Report Server

Start Report Manager from WSM.

Then, connect to a Report Server.

34

Report ServerAvailable Reports

• Denied Packet Summary

• Denied Packet Detail

• Incoming

• Outgoing

• SMTP Summary

• SMTP Server Summary

• SMTP Detail

• SPAM Summary

• Firebox Statistics

• POP3 Summary

• POP3 Detail

• Alarms

• Packet Filter Host Summary

• Proxy Host Summary

• HTTP Most Popular Domain

• HTTP Summary

• HTTP URL Detail

• IPS Packet

• IPS Summary and its detail subreports:•Protocol

•Severity

•Source

•Signature

• AV Summary and its detail subreports:•Protocol

•Host

•Virus

•Sender

• WebBlocker Detail

Reports carried forward from earlier Historical Reports:

35

Report ServerAvailable Reports

New Reports in 10:

• HTTP Most Active Client

• Web Surfing

• External Interface Bandwidth Report

• Management Server Audit Trail

• Management Server Audit Trail Detail

• Management Server Authentication

• BUM “Boxes Under Management”

36

Management Server Enhancements

37

What’s New in WSM/Fireware 10Management Server Enhancements - Overview

Multi-user support

Record locking

Configuration passphrase caching

Force comments on Config Change

Folders with lockout

Notification enhancements

LiveSecurity Alerts

38

Management Server EnhancementsMulti-user support

Add users on new Users tab of Management Server Configuration

39

Management Server EnhancementsMulti-user support

Management Server user accounts:

• Admin privileges

• Can create new user accounts on the Management Server

• Can administer all devices under management with WSM connection to Management Server

• Read-Write privileges

• Can administer all devices under management with WSM connection to Management Server

• Read-Only privileges

• Can view all devices under management

• This user connects to the Management Server in Monitoring Mode

40

Management Server EnhancementsMulti-user support

Users must now provide username and passphrase when connecting

• Provides audit trail in Management Server report

Default account is admin

• This account uses the server management passphrase

• This is the same password you used before to connect to your Management Server from WSM

41

Management Server EnhancementsRecord locking and caching passphrases

When you bring up Policy Manager for a managed device:

• WSM prevents others from using Policy Manager for that device when they connect to the Management Server

• Reduces the chance that conflicting edits are made at the same time by different users

• Policy Manager automatically enters the device’s configuration passphrase when you save the configuration back to the Firebox

• No need to remember the configuration passphrases for all your managed devices

• No need to share managed devices’ configuration passphrases with others

For this to work:

• Firebox you manage must be running Fireware 10

• You must launch Policy Manager via a connection to the Management Server (not a connection to the device itself)

42

Management Server EnhancementsRecord locking

Connect to Management Server using WSM Launch Policy Manager for an appliance

• The device record is locked

When a different user connects to the Management Server at the same time:

• A “Maintenance Alert” shows for that device

• Policy Manager is not available for that device

43

Management Server EnhancementsConfiguration passphrase caching

When you use that instance of Policy Manager to save the configuration, Policy Manager automatically puts the appliance’s configuration passphrase into the entry field

When you close Policy Manager (or use it to File > Open a different Firebox) the lock is released

44

Management Server EnhancementsForce comments

Force comments on config change

• Turn this on in Management Server Configuration

Users must add comment when saving config via a connection to Management Server

45

Management Server EnhancementsFolders with lockout

Right-click Management Server and select Add New Folder

46

Management Server EnhancementsFolders with lockout

You can make a VPN between two devices inside the same locked folder

You cannot make a VPN tunnel between a device in a locked folder and a device not in the same locked folder

• Prevent “mistake” VPNs

• Those can cost the managed security provider $$ and reputation

Locked folder has a padlock on the folder’s icon

47

Management Server EnhancementsNotification enhancements

Get notified if a managed device does not contact the Management Server when its DVCP lease expires

From: mgt-server@your.business

Subject: Notice from Management Server

Host: dc01

Time: Fri Feb 08 09:15:34 2008

Process: 3848:3900

Message:

Information (8249), no contact from device with name Miami_X6500e, id 50.50.50.254, and IP address 50.50.50.254

48

Management Server EnhancementsLiveSecurity Alerts

WSM displays LiveSecurity broadcasts when you select the Management Server

Alerts that will appear:

• New software updates available

• WatchGuard vulnerabilities

49

Quarantine Server Enhancements

50

Quarantine Server EnhancementsQuarantine email based on virus classification

You can now send SMTP mail to the Quarantine Server based on whether Gateway AntiVirus detected a virus

51

Quarantine Server EnhancementsQuarantine mail based on virus classification

You can send SMTP mail to the Quarantine Server based on whether spamBlocker’s Virus Outbreak Detection detected a virus

52

Firebox System Manager Enhancements

53

What’s New in WSM/Fireware 10Firebox System Manager Enhancements - Overview

Front Panel tab updated for Mobile VPN with SSL

Search Traffic Monitor

Display logs by type of message

Multiple-line select (ctrl-click or shift-click) and copy

Select notifications from entire event catalog

Service Watch graph by bandwidth

54

Firebox System Manager EnhancementsFront Panel Tab

Mobile VPN with SSL sessions displayed on Front Panel tab

55

Firebox System Manager EnhancementsFront Panel Tab

Log off remote users from Front Panel tab

56

Firebox System Manager EnhancementsTraffic Monitor Tab

Search Traffic Monitor

57

Firebox System Manager EnhancementsTraffic Monitor Tab

View:

• All logs

•Only traffic logs

•Only alarms

•Only events

•Only debug logs

•Only bandwidth statistics messages

58

Firebox System Manager EnhancementsTraffic Monitor Tab

Multiple-line select (ctrl-click or shift-click) and copy

59

Firebox System Manager EnhancementsTraffic Monitor Tab

Select Notifications from Event Catalog

Right-click an event in Traffic Monitor

• Instantly set up notification for the next time that event happens

60

Firebox System Manager EnhancementsService Watch Tab

Use Service Watch to:

• Graph the traffic going through each policy by bandwidth

• See the number of sessions going through each policy

61

New Help System

62

New Help SystemSearchable, with Table of Contents

63

New in Fireware 10

64

Mobile VPN with SSL

65

Mobile VPN with SSLOverview

PC and Mac compatible – one download page for both

66

Mobile VPN with SSLURL for users to get the software

URL to authenticate and get the client software:

• https://[firebox.ip.address]:4100/sslvpn.html

• Note the /sslvpn.html at the end

URL to authenticate only remains the same

• https://[firebox.ip.address]:4100

67

Mobile VPN with SSLConfiguration in Policy Manager

Simple straightforward configuration

• Policy Manager:VPN Mobile VPN SSL

• Use any authentication server

• Specify which WAN users connect to first and second (failover)

• Allow granular access or access to all connected networks

68

New Proxies for VoIP Support

69

New Proxies for VoIPH.323 and SIP

These proxies work to allow some VoIP/Videoconferencing through the Firebox:

• SIP Proxy

• H.323 Proxy

H.323 proxy supports NAT-traversal for voice and video traffic

• H.323 Gatekeeper (“PBX” hosting/trunking) and T.120 multimedia support not in this release.

• H.323 support is limited to point-to-point connections

SIP proxy supports NAT-traversal for voice and video traffic

• Does not provide the PBX registration capabilities of a typical standalone SIP Registrar-Proxy

• Must have your own Registrar-Proxy server to route these connections

• SIP proxy has only been tested with PBX’s located on the external segment of the Firebox (hosted scenario, no trunking).

70

New Proxies for VoIPH.323 and SIP

Simple to configure

SIPH323

71

New Proxies for VoIPTFTP

Trivial File Transfer Protocol

• For more than just VoIP

Typically for:

• Sending updates to VoIP devices under management

• Sending configuration files

• Sending ROM images or firmware updates

TFTP Proxy lets you allow or deny content by matching file name patterns for:

• Downloads

• Uploads

72

New TCP-UDP ProxyMultiple Protocol Detection

TCP-UDP Proxy detects what protocol the traffic is:

• HTTP

• HTTPS

• SIP

• FTP

73

New HTTPS ProxyWhat it can do

HTTPS Proxy

Block objectionable HTTPS sites using WebBlocker

Allow or deny access to web sites based on Domain Names

• Fireware matches Domain Name patterns against the Subject field in the web site’s SSL certificate

74

Enhancements to Security Subscriptions

75

What’s New in WSM/Fireware 10Enhancements to Security Subscriptions

Intrusion Prevention (IPS) Enhancements

• New signature set

• Broader range of signatures

• Botnet protection for servers

• Updated signature scanning engine

• Approximately 40% increase in IPS performance

• Simpler IPS Configuration

• P2P and IM now integral part of Fireware (no IPS license required)

WebBlocker Enhancements

• Expanded Category List

• WebBlocker for HTTPS

spamBlocker Enhancements

• Virus Outbreak Detection

76

WebBlocker Enhancements40 Category to 54 Category Mapping

40-Category List name

54-Category List name

Arts & Entertainment Arts Entertainment

Drugs, Alcohol, Tobacco Illegal Drugs Alcohol & Tobacco

Violence Violence Tasteless & Offensive

Hacking Hacking Spyware

Computing & Internet Computing & Internet Downloads Ringtones / Mobile Phone Downloads

Criminal Skills Criminal Activity Phishing & Fraud

Glamour & Intimate Apparel Intimate Apparel & Swimwear

Fashion & Beauty

Government & Politics Government Politics

Lifestyle & Culture Society & Culture Philanthropic & Professional Organizations

Remote Proxies Proxies & Translators Peer-to-Peer

NOT REPRESENTED Spam URLs

NOT REPRESENTED Infrastructure

NOT REPRESENTED Business

77

Single Sign-On

78

Single Sign-OnRequirements

Only for Active Directory domains

• Install WatchGuard Authentication Gateway software on a domain computer

• This computer called the SSO Agent

• The domain account under which the agent software runs must:

• Have “Log on as a service” permission granted (for the service to run automatically)

• Be a member of Domain Admins group (to query PCs running Vista)

• All domain PCs must allow connections over 139 and 445

• Add exceptions to Windows Firewall for File and Printer Sharing, or turn off Windows Firewall

79

Single Sign-OnSettings

• IP address of the PC running WatchGuard Authentication Gateway software (the SSO agent)

• How long the SSO agent should cache responses it gets from PCs it queries

• IP addresses that the Firebox will not ask about

Policy Manager:

Setup Authentication Authentication Settings

80

Single Sign-OnHow it works 1

• Firebox sees traffic come from a trusted or optional or VLAN interface

• SSO does not work for traffic coming from an external interface

• Firebox sends query to SSO agent (PC running WatchGuard Authentication Gateway software)

• This is a port 4114 connection. Command is get user <ip.address>

• SSO agent checks its cache.

• If it has an entry for this IP address, it returns an answer to the Firebox

• If not in cache, SSO agent queries that IP address

• Uses Windows NetWkstaUserEnum() call

• Windows Networking connection over port 139 and/or 445

• If SSO agent PC gets no reply, send error message to Firebox

• The IP address is not added to authentication list

81

Single Sign-OnHow it works 2

• SSO agent sends query to Active Directory server to find what groups the user is a member of

• PC returns answer to SSO agent. There can be more than one answer

• SSO agent uses only the first answer it gets from the PC

• Firebox puts <IP address>, <user name>, and <groups of which the user is a member> in its internal list of authenticated users

• Authentication List tab of Firebox System Manager displays the IP address and user name of authenticated users

• Active Directory returns all values of memberOf attribute tied to that user object

• SSO agent PC returns answer to Firebox

•User name logged in to that PC and groups of which the user is a member

82

Single Sign-OnHow it works 3

Use user names and Active Directory groups in your policies to restrict access

83

BOVPN and

Mobile VPN with IPSec Enhancements

84

What’s New in WSM/Fireware 10VPN Enhancements

Selective Auto-start of BOVPN Tunnels

Dead Peer Detection

Mobile VPN with IPSec Policies More Configurable

Notification of BOVPN Events

85

VPN EnhancementsSelective auto-start of BOVPN tunnels

At the bottom of the General Settings tab of the Gateway

86

VPN EnhancementsMobile VPN with IPSec more configurable

You can now edit the Mobile VPN/IPSec policy to change the allowed access.

The policy is no longer tied to the “allowed resources” assigned to the Mobile VPN/IPSec Group

87

VPN EnhancementsDead Peer Detection

On the Phase 1 Settings tab of the Gateway

88

VPN EnhancementsNotification of BOVPN events

VPN > VPN Settings > BOVPN Notification button

89

New Notification Options

90

New Logging and Reporting ArchitectureNotification enhancements

SNMPv3 Support

New WebBlocker Alarm Options

The Firebox can now send notifications for:

• Multi-WAN Events

• BOVPN Down

• Lost contact with WebBlocker Server

91

Networking Enhancements

92

What’s New in WSM/Fireware 10Networking Enhancements

Static MAC/IP Address Binding

• Edit an interface Advanced tab

• Select Only allow traffic sent from or to these MAC/IP Addresses to lock out all other traffic on this interface

• Keep the box cleared to add only Static ARP entries

93

More Integration with LiveSecurity®

94

What’s New in WSM/Fireware 10LiveSecurity Integration

Quick Setup Wizard pulls feature key from LiveSecurity

• Appliance must be registered before you can use the QSW to get the Feature Key

• If the appliance is not registered, you can get to the Internet during the Quick Setup Wizard to register it

• You can skip this step of the Wizard if you have not registered the device yet

• If there is no Feature Key, one user can get to the Internet after it is configured

95

What’s New in WSM/Fireware 10LiveSecurity Integration

Updated feature key display

• Easier to understand

• Easier to see when features expire

Old

New

96

Thank You!