What’s New in Fireware XTM v11.9.1

WatchGuard Training

©2014 WatchGuard Technologies, Inc.


What’s New in v11.9.1

• Web UI Feature Key Alert and Feature Key Wizard [80913, 80914]
• Improved XTM Configuration Report
• Mobile VPN with SSL Mac client Remember password option [80194]
• Additional supported 3G/4G USB modem — Sprint u301 [80175]
• Support for default gateway on different subnet [79589]
• IPSec VPN License Limit Warnings [71380]
• Fireware XTM OS version includes the build number (WSM & FSM) [65052]
• SSO Agent and Event Log Monitor run as a domain user [77480]
• Branch Office VPN enhancement [80609]
• Bug fixes
• New RapidDeploy Methods (does not require Fireware XTM v11.9.1)


Feature Key Alert and Feature Key Wizard

Fireware XTM Web UI now shows a warning if the device does not have a feature key.

Click Add a feature key now to start the Feature Key Wizard.


Feature Key Wizard

The Feature Key Wizard has three options.


Select one of these options to install your feature key:

• Yes, download and install the feature key now
  Select this option if the device has already been activated. If the device has Internet access, the wizard downloads and installs the feature key.
• Yes, I have a local copy of the feature key
  Select this option if the device has already been activated, and you have a copy of the feature key in a text file. Paste the feature key text into the wizard. The wizard validates the feature key and installs it on the device.
• No, I have not activated the device yet
  Select this option if your device has not yet been activated. If the device has Internet access, the wizard helps you activate it and downloads the feature key. The online activation steps are the same as in the Web Setup Wizard. To activate your device, you must type the credentials you use to log in to the WatchGuard web site. If you do not already have an account, the wizard helps you create one.


Improved XTM Configuration Report

The XTM Configuration Report, available in the Web UI, now contains more complete information about the device configuration, including:

• QoS and Traffic Management actions
• Multi-WAN
• Global settings — TCP SYN checking
• Bridge interface settings
• VLAN interface settings
• Dynamic routing
• Policy details
• Secondary interface IP addresses
• IPv6 interface settings
• MAC access control

To run the XTM Configuration Report in the Fireware XTM Web UI:

• Select System > Configuration File.
• Click XTM Configuration Report.


Mobile VPN with SSL Client Password Option


The Mobile VPN with SSL client for Mac now has the Remember password option.

• Previously this option was available only in the Windows client.
• When Remember password is selected, the client remembers the password used for the previous connection.

This option is available in the client only if the Allow the Mobile SSL with VPN client to remember the password option is selected in the Mobile VPN with SSL settings on the Firebox or XTM device.


3G/4G USB Modem Support

Sprint u301 3G/4G USB modem is now supported.

For a full list of supported 3G/4G modems, see the Knowledge Base: http://customers.watchguard.com/articles/Article/Supported-3G-4G-USB-devices/


Configure the Default Gateway on a Different Subnet

On an external interface, you can now specify the default gateway on a different subnet than the interface IP address.

• This applies only to physical external interfaces.
• It is not allowed on VLAN or other external interfaces.

In most networks, the default gateway is on the same subnet as the external interface.

If the default gateway is on a different subnet than the interface IP address, you must confirm that this is what you want to do.

• When you click Yes, the default route is added.


IPSec VPN License Limit Warnings

Firebox System Manager and Fireware XTM Web UI now display warning messages when the active Branch Office VPN tunnel count or current Mobile VPN with IPSec user count reaches the licensed maximum.

• In Firebox System Manager, the warnings appear on the Front Panel.
• In the Web UI, the warnings appear on the VPN Statistics System Status page.

License limit warning text *

• The maximum allowed number of active BOVPN tunnels has been reached (Maximum: nn)
• The maximum allowed number of active MUVPN user connections has been reached (Maximum: nn)

* Default VPN tunnel license maximums vary by Firebox or XTM device model.

You can also select VPN > VPN Settings > BOVPN Notifications to get notifications about BOVPN license limit events. (This is not new.)


Fireware XTM OS Version with Build Number


In WSM and FSM, when you connect to a device, the build number is appended to the Fireware XTM OS version.

In WSM, select the Device Status tab.

In FSM, select the Front Panel tab.


SSO Agent and Event Log Monitor Run as Domain User

You can now run the SSO Agent and Event Log Monitor as a user account that is a member of either the Domain Users or Domain Admin group.


Branch Office VPN Enhancement

A branch office VPN tunnel no longer appears to be down after a Phase 1 rekey until traffic is sent through the tunnel [80609].

• After a Phase 1 security association (SA) rekey, the device now automatically triggers a Phase 2 SA rekey instead of deleting the Phase 2 SA.
• Tunnel status now remains active after a rekey, even if there has been no traffic through the tunnel since the rekey.


Resolved Issues

This release resolves a number of issues reported in previous releases.

• See the Fireware XTM v11.9.1 Release Notes for details.


RapidDeploy


New RapidDeploy Methods

RapidDeploy was updated on 8 July 2014, shortly after the release of v11.9.1.

• This is a change to the Product Details page on the WatchGuard website.
• It does not involve any change to Fireware XTM OS or the management software.
• You do not need Fireware XTM v11.9.1 to use RapidDeploy.

RapidDeploy enables you to configure a remote Firebox or XTM device.

• When a device that supports RapidDeploy starts with factory-default settings, it automatically contacts the WatchGuard website to download a configuration file, if one is available.

Summary of changes:

• A new RapidDeploy QuickStart method is available for Firebox T10 devices.
• The deployment method previously called RemoteConfig is being rebranded as a RapidDeploy method.
• The existing RapidDeploy from the Management Server is unchanged.


With this change, there are three RapidDeploy methods:

• RapidDeploy QuickStart
  For Firebox T10 devices only. Uses a configuration file created by WatchGuard.
  – Enables the HTTP and HTTPS proxies with recommended settings.
  – Enables WebBlocker, Gateway AV, and RED, if services are licensed to the device.
  Enable it when you activate the device, or on the Product Details page.
• Upload a configuration file to the website for RapidDeploy
  For Firebox and XTM devices manufactured with Fireware XTM v11.6.3 or higher. Upload the configuration file for RapidDeploy to the Product Details page. This method was previously called RemoteConfig. Any configuration file previously uploaded for RemoteConfig is now used for RapidDeploy.
• Configure RapidDeploy on your Management Server
  For Firebox and XTM devices manufactured with Fireware XTM v11.6.3 or higher. Enable this RapidDeploy method on your Management Server.


RapidDeploy QuickStart in the Activation Wizard


Firebox T10 Activation Wizard steps:

• Type the device serial number.

• Assign a device friendly name.

• Select free trials (if the device does not already have services as part of a UTM bundle).

• Accept the End-User License Agreement.

• Select the RapidDeploy configuration option.


RapidDeploy QuickStart

• This option is selected by default.
• Set the Device Management passphrases for this device.
• WatchGuard creates a configuration file with recommended settings.
  If the device has licensed services or trials, the RapidDeploy configuration enables some services.
  If the device does not have licensed services, services are not enabled.

Classic Activation

• Select this option if you want to use the Web Setup Wizard to create the initial device configuration.


After Activation

After the Firebox T10 activation is complete, the Product Details page shows that RapidDeploy QuickStart is enabled.

It also shows whether the device has contacted WatchGuard to request the configuration file.

The Product Details page includes a link to online Help for the products portion of the website.


RapidDeploy Status

The RapidDeploy section of the Product Details page shows the status.

• Line 1 shows whether RapidDeploy is configured.

• Line 2 shows which RapidDeploy option is configured.
  – RapidDeploy QuickStart enabled on <date and time> — for RapidDeploy QuickStart on a T10
  – Configuration uploaded on <date and time> — for a configuration file uploaded to the website
  – RapidDeploy from the Management Server enabled on <date and time>

• Line 3 shows whether the device contacted the server to request the configuration file, when the device requested the file, and the device IP address.


RapidDeploy — Change Configuration

Click Change Configuration on the Product Details page to select a RapidDeploy option:

• Do not use RapidDeploy
  Disable all RapidDeploy methods, including RapidDeploy from the Management Server.
• RapidDeploy QuickStart (for T10 only)
  Use a configuration file created by WatchGuard with recommended settings.
• Upload a configuration file to the website for RapidDeploy
  Upload a configuration file that you created.

If you select Do not use RapidDeploy on the Product Details page, and later enable RapidDeploy on the Management Server, RapidDeploy is enabled again.
