What’s New in Fireware v11.9.5

WatchGuard Training

©2015 WatchGuard Technologies, Inc.


Upload: gillian-bruce

Post on 31-Dec-2015


What’s New in v11.9.5

Fireware now supports a maximum of 255 Active Directory user groups for authentication. [82846]

AP device firmware update — AP firmware v1.2.9.3 B150226 [84203]

Gateway Wireless Controller shows the AP firmware build number on the AP device [83289]

Global setting to enable support for TCP MTU probing. [77129]

For Management Tunnels over SSL, managed Firebox devices can reconnect to the first Distribution IP Address for the Management Server [81377]

IPSec VPN Client Updates


Increased Maximum Number of AD User Groups

Fireware now supports a maximum of 255 Active Directory user groups for authentication.

• Supported for Firebox-DB authentication, Single Sign-On, and Terminal Services authentication.

Previously, the maximum number of supported Active Directory user groups was 64.


AP Firmware & Gateway Wireless Controller Updates

A new version of AP firmware is now available for WatchGuard AP devices: version 1.2.9.3 B150226.

The AP firmware version and build number that run on each AP device now appear in the Gateway Wireless Controller.


TCP MTU Probing

In the Global Settings for your Firebox, there is a new Networking setting to enable support for TCP MTU probing.

You can now enable TCP MTU Probing to allow VPN traffic to pass through proxy policies on a central site when traffic was generated from a remote site through a zero route VPN tunnel, even when your Firebox has received an ICMP unreachable packet for the traffic sent through the BOVPN tunnel.

From Fireware XTM Web UI and Policy Manager, you can configure this feature to always be enabled or to be enabled automatically when ICMP fails.


From the Fireware Command Line Interface, you can configure this feature to always be enabled or to be enabled automatically.

• global-setting tcp-mtu-probing (dynamic-enable | enable)

• You cannot disable this feature from the CLI.


Management Tunnel Enhancements

If more than one IP address is specified for the Management Server for a Firebox at the end of a Management Tunnel over SSL, and the Firebox has connected to an IP address other than the first IP address in the Distribution IP Address list, the Firebox can now reconnect to the Management Server with the first IP address in the list.

The Firebox reconnection occurs when the Lease Time on the Firebox expires.

This restores full management capabilities through a Management Tunnel over SSL when communication to the private IP address (first address in the list) in the tunnel is lost.


IPSec VPN Client Updates

Shrew Soft VPN Client 2.2.2

WatchGuard IPSec VPN Client v12.00

• Windows XP is not supported.

• The new client has separate installers for Windows 32-bit and 64-bit platforms.

• You must uninstall the older client before you install the new one. When you uninstall, do not select the option to remove personal data. This preserves the existing client profile so the new client can use it.

• There is no update to the WatchGuard IPSec VPN Client for Mac OS X.


WatchGuard IPSec VPN Client Updates

WatchGuard IPSec VPN Client v12.00 has these updates:

• The updated client uses OpenSSL 1.0.1j, which resolves security deficiencies in prior versions of OpenSSL.

• The client firewall settings include a new option: “Reject Outgoing Traffic”. When you select this check box, the client rejects outgoing traffic and returns an acknowledgement message to the sending application.
