What’s New in Fireware XTM v11.9.4
WatchGuard Training
©2014 WatchGuard Technologies, Inc.
What’s New in v11.9.4
Authentication Enhancements
• Hotspot Enhancements
  Create custom hotspot page settings and manage Guest Administrator accounts
  Support for Guest Administrators to manage guest user accounts and create custom vouchers
• Single Sign-On Event Log Monitor Enhancements
HTTPS Proxy Content Inspection based on SNI or WebBlocker Category
• Supports SNI (Server Name Indication) to more accurately configure the domains you want to allow, block, or inspect.
• More control over the HTTPS sites you want to inspect and the sites you want to bypass.
• You can select the WebBlocker categories you want to inspect.
Branch Office VPN Enhancements
• A BOVPN Virtual Interface now supports any interface as the local gateway
• New BOVPN Configuration Reports for easier VPN troubleshooting
• Renamed “Enable IPSec Pass-through” VPN setting
What’s New in v11.9.4
Enable/Disable SSLv3 Option in HTTPS and SMTP Proxy Actions
Offline Signature Updates
Support for /31 and /32 subnet masks
Management Server Enhancements
• Change the order of IP addresses in the Distribution IP Address list
Monitoring Enhancements
• Web UI VPN Statistics page includes statistics for Mobile VPN types on one tab
• Clear the WebBlocker cache from Firebox System Manager
Support for NAT connections through the SNMP application layer gateway
Other Enhancements
Support for new Firebox models
• Firebox M400
• Firebox M500
• Fireware XTM OS update for Firebox M440 and Firebox T10-D
What Else is New?
Authentication Enhancements
Hotspot Enhancements
The Hotspot feature now includes these new features:
• Customize guest user authentication options for a hotspot
• Create and manage Guest Administrator user accounts
• New Wireless Guest Administration web portal for Guest Administrators to:
  Manage guest user accounts
  Configure guest user account settings
  Customize vouchers with guest user account information
Customize Guest User Authentication for Hotspots
Configure the Hotspot Connections settings for a custom hotspot page and manage Guest Administrator accounts.
• In Fireware XTM Web UI, select Authentication > Hotspot.
• In Policy Manager, select Setup > Authentication > Hotspot.
Customize Guest User Authentication for Hotspots
On the new Hotspot Connections tab:
• Select whether guest users must use credentials to connect.
• Set the number of user accounts the Guest Administrator can add.
• Add Guest Administrator user accounts.
Guest Administrator user accounts are added to the default Firebox-DB authentication server. You can add and remove accounts, or edit them to disable the account or change the passphrase.
Customize Guest User Authentication for Hotspots
To add Guest Administrator user accounts:
• In Policy Manager, click Manage Guest Administrator Accounts.
Customize Guest User Authentication for Hotspots
• In Fireware XTM Web UI, add Guest Administrators in the Wireless Guest Administrators section.
Customize Guest User Authentication for Hotspots
Guest Administrator user accounts also appear in the Firebox or XTM device Users and Roles list, with the Guest Administrator role:
• In Policy Manager, select File > Manage Users and Roles.
• In Fireware XTM Web UI, select System > Users and Roles.
Customize Guest User Authentication for Hotspots
Custom Page settings remain the same, but have moved to the Customize Hotspot Page tab.
Guest Administration for Hotspots
Guest Administrators can connect to the Wireless Guest Administration web portal on the Firebox or XTM device to manage guest user accounts and create custom vouchers for guest user accounts.
Guest Administrators connect to the device at https://<device-ip-address>:8080/wirelessguest/ and log in to the Wireless Guest Administration web portal with their Guest Administrator credentials.
Guest Administration for Hotspots
The Guest Administrator configures the user account settings for guest user accounts.
• Select the Settings tab.
Guest Administration for Hotspots
Configure these settings for guest user accounts:
• User Name Prefix
  The prefix for all guest user account user names. When guest user accounts are generated, each user name begins with this prefix.
• Account Lifetime
  The amount of time that each guest user account can be used after it is activated for the first time. When the guest user logs in with the guest user account credentials, the countdown starts. The default account lifetime is 24 hours.
• Account Expiration
  The amount of time after which the guest user account expires and is removed from the Guest Accounts list. If the guest user account has not been activated before the account expiration time is reached, the guest user account still expires.
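The two timers above run from different events: the lifetime starts at the guest's first login, the expiration runs from account creation whether or not anyone ever logs in. The following added Python model (not Fireware code) makes that interaction explicit. The sample creation time, the 7-day expiration value and the assumption that an account which reaches its expiration time is removed even if it was activated and still has lifetime left are mine; the slide only states the default 24-hour lifetime.

```python
"""Guest account state as a function of creation, first login and 'now'.
Added illustration, not Fireware code.  Assumption: reaching the expiration
time removes the account even if it was activated and has lifetime left."""
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)
SAMPLE_CREATED = datetime(2014, 11, 3, 9, 0)        # constructed voucher creation time


def guest_account_state(created, activated, now,
                        lifetime=24 * HOUR,          # slide default: 24 hours
                        expiration=7 * DAY):          # constructed example value
    """Return 'pending', 'active', 'lifetime-ended' or 'expired' at time `now`.

    created   -- when the Guest Administrator generated the account
    activated -- time of the guest's first login, or None if never used
    """
    if now >= created + expiration:
        return "expired"                             # removed from the Guest Accounts list
    if activated is None:
        return "pending"                             # voucher issued, nobody has logged in
    if now >= activated + lifetime:
        return "lifetime-ended"                      # 24 h countdown since first login is over
    return "active"
```

An account that is activated late in its expiration window therefore gets less than the full lifetime, so an expiration shorter than the lifetime makes the lifetime setting moot.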
Guest Administration for Hotspots
The Guest Administrator configures the settings for the printed vouchers that give guest users their guest user account information.
• Select the Customize Voucher tab.
Guest Administration for Hotspots
Configure these settings for the guest user vouchers:
• Business Name
  The name of the company where the hotspot is located. The name you specify is included in the voucher text.
• Contact Information
  The contact information for the company. This text can include instructions to get hotspot connection help as well as contact numbers or addresses.
• Use a custom logo
  Upload the company logo to use on the voucher. The logo file can include images, text, and other special information that you want to give guest users. Image files must be JPG, PNG, or GIF files. There is no size constraint on the logo image files, but the recommended size is 90 x 50 pixels.
Guest Administration for Hotspots
The Guest Administrator adds guest user accounts and prints vouchers.
• Select the Accounts tab.
• Specify the number of guest user accounts to create.
• Click Add and Print New Accounts.
Guest Administration for Hotspots
Example vouchers — Logo only and logo with informational text.
Guest Administration for Hotspots
Print the voucher:
• Click Print in the Print Guest Account window.
Guest Administration for Hotspots
Manage guest user accounts:
• Select the check box for an account.
• To remove the account, click Delete.
• To print a new voucher, click Print.
Single Sign-On Enhancements
Single Sign-On has been updated to support failover and load balancing for the Event Log Monitors installed on multiple domains in your network.
The SSO Agent sends a DNS resolution request to resolve the host name for the IP address of the client, and determines which domain the client is a member of.
The SSO Agent then contacts the Event Log Monitors in that domain to attempt to authenticate the client.
• If multiple Event Log Monitors are installed and included in the SSO Agent Configuration, and the first Event Log Monitor is unable to resolve the authentication request, the SSO Agent fails over to the next Event Log Monitor to attempt to resolve the request.
The SSO Agent can also contact the Event Log Monitors from other domains in your network, if they are specified in the SSO Agent configuration.
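The lookup order the slide describes (reverse-resolve the client IP, try the Event Log Monitors of that domain in order, fail over on no answer, then try the ELMs of other configured domains), as an added Python model. This is not the WatchGuard SSO Agent's code: PTR_RECORDS, ELM_CONFIG and demo_query are constructed sample data, and deriving the domain by dropping the host label from the PTR name is my assumption about how the agent maps a host name to a domain.

```python
"""Models the SSO Agent lookup described above: reverse-resolve the client IP,
try the Event Log Monitors (ELMs) of the client's own domain first, fail over
to the next ELM when one cannot resolve the request, then fall back to ELMs
configured for other domains.  Added illustration, not WatchGuard code.
PTR_RECORDS, ELM_CONFIG and demo_query are constructed sample data."""

# Constructed reverse-DNS answers the agent would get for client IPs.
PTR_RECORDS = {
    "10.1.0.25": "ws025.corp.example.com",
    "10.2.0.40": "lab040.lab.example.net",
    "10.9.0.7": None,                       # no PTR record for this client
}

# Constructed SSO Agent configuration: ELMs grouped by the domain they serve,
# listed in the order the agent should try them.
ELM_CONFIG = {
    "corp.example.com": ["elm1.corp.example.com", "elm2.corp.example.com"],
    "lab.example.net": ["elm1.lab.example.net"],
}


def domain_of(hostname):
    """'ws025.corp.example.com' -> 'corp.example.com' (assumption: drop the host label)."""
    labels = hostname.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else hostname


def elm_order(client_ip, ptr=PTR_RECORDS, config=ELM_CONFIG):
    """ELMs to contact, in order: the client's own domain first, then all others."""
    hostname = ptr.get(client_ip)
    home = domain_of(hostname) if hostname else None
    order = list(config.get(home, []))
    for domain, elms in config.items():
        if domain != home:
            order.extend(elms)
    return order


def sso_lookup(client_ip, query, ptr=PTR_RECORDS, config=ELM_CONFIG):
    """Return (user, elms_tried).  query(elm, ip) yields a user name, or None when
    that ELM cannot resolve the request (unreachable, or the IP is unknown to it)."""
    tried = []
    for elm in elm_order(client_ip, ptr, config):
        tried.append(elm)
        user = query(elm, client_ip)
        if user is not None:
            return user, tried
    return None, tried


def demo_query(elm, ip):
    """Constructed ELM responses: elm1.corp answers nothing, elm2.corp knows the corp client."""
    answers = {
        ("elm2.corp.example.com", "10.1.0.25"): "CORP\\alice",
        ("elm1.lab.example.net", "10.2.0.40"): "LAB\\bob",
    }
    return answers.get((elm, ip))
```

Note what happens for a client with no PTR record: there is no home domain, so every configured ELM is queried before the lookup fails. Accurate reverse zones for client subnets keep the failover path short.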
HTTPS Proxy Content Inspection based on SNI or WebBlocker Category
What is SNI?
SNI (Server Name Indication) is an extension of the TLS protocol in which the client states the host name it wants to reach at the start of a TLS/SSL connection.
SNI is supported by most modern web browsers.
SNI is more accurate than the certificate CN (Common Name) for a site because the name is sent by the client in the TLS ClientHello, before the server presents a certificate, so the proxy can tell sites apart even when they share one certificate.
Many web servers host several web sites on the same IP address, and these sites can share the same certificate CN (Common Name).
SNI and Certificate CN
For example, many Google services such as YouTube and Google Maps share the same certificate CN (*.google.com).
If you block access to YouTube based on the certificate CN, this also blocks access to Google Maps and other services with the same CN.
SNI provides the server name that you can use to more accurately control access to specific sites and perform or bypass content inspection.
The certificate CN is used if SNI information is not available.
Benefits of HTTPS Content Inspection with SNI
With selective content inspection and SNI checks in v11.9.4, you now have more control over the HTTPS sites you want to inspect and the sites you want to bypass.
For example, you can configure HTTPS content inspection but bypass banking, financial, or other sites with privacy concerns.
You can more accurately allow, block, or inspect specific sites that come from domains (Google, YouTube, etc.) that may share the same certificate common name (CN).
With WebBlocker, you can enable HTTPS content inspection only for known categories of high risk web sites.
HTTPS Content Inspection — Enable Content Inspection
Enable Content Inspection
• To enable content inspection, in the HTTPS Proxy Action configuration, select the Enable deep inspection of HTTPS content check box.
• Select the HTTP Proxy Action to apply to inspected traffic.
• At this point, even though inspection is enabled for the proxy action, all HTTPS web sites still bypass inspection.
• To inspect a site, you must define the domain on the Domain Names page and configure the domain with the Inspect action.
HTTPS Content Inspection — Domain Names
Domain Names
• SNI and CN are used to check the rules configured in the Domain Names section of the HTTPS Proxy Action. The certificate CN is used if SNI is not available.
• You can allow or deny access to a site, or perform content inspection.
• When content inspection is enabled, web sites are only inspected if the domain is configured with the action Inspect.
• The pattern name can be a server name (SNI), a certificate common name (CN), or an IP address.
• The Allow action bypasses content inspection.
HTTPS Content Inspection — Domain Names
Examine the HTTPS entries in the traffic logs for the correct SNI/CN information when you create your domain name rules.
HTTPS Content Inspection — WebBlocker
WebBlocker
• Only categories allowed by WebBlocker are displayed in the HTTPS Proxy Action WebBlocker configuration.
• When content inspection is enabled, you must select the WebBlocker categories you want to perform content inspection on.
• If content inspection is not enabled, WebBlocker can allow or deny the connection.
• Domain Names rules have the highest priority. WebBlocker checks occur only when no domain name rule matches and the default action is Allow.
HTTPS Content Inspection — v11.9.3 vs. v11.9.4
In v11.9.3 and lower:
• A certificate name (CN) check determines whether to allow or deny access to a site, as configured in Certificate Names.
• If content inspection is enabled, all connections are redirected to the HTTP-Proxy for content inspection, except for addresses defined in the Bypass List.
• WebBlocker checks to allow or block sites are performed only for traffic that is not content inspected.
In v11.9.4 and higher:
• SNI, CN, and IP address are used to check the rules configured in the Domain Names section of the HTTPS Proxy Action. The certificate CN is used if SNI is not available.
• You inspect, allow (bypass inspection), or deny access to a domain. When content inspection is enabled, inspection only occurs if the domain is configured with the action Inspect.
• There is no Bypass List in v11.9.4. Set the action in Domain Names to Allow to bypass content inspection.
• When content inspection is enabled, you must choose the WebBlocker categories you want to inspect.
Branch Office VPN Enhancements
BOVPN Virtual Interface Local Gateway Interface
BOVPN Virtual Interface now supports any interface as the local gateway.
• You cannot use a modem for failover from a BOVPN virtual interface if a local gateway endpoint uses an interface that is not external.
From the Physical drop-down list, select any enabled physical or wireless interface.
Select Other and click Select to select any VLAN, Bridge, PPPoE, or Link Aggregation interface.
BOVPN Virtual Interface Local Gateway Interface
When you select Other, a list of logical interfaces appears. To filter the interface list, use the Type and Zone drop-down lists, or type the interface Name.
• Types: VLAN, Bridge, Link Aggregation, PPPoE
• Zones: Trusted, Optional, Custom, External
BOVPN Configuration Reports
Three new branch office VPN configuration reports show a summary of BOVPN settings in HTML or plain text format that you can save or print.
• BOVPN Gateway Configuration Report
• BOVPN Tunnel Configuration Report
• BOVPN Virtual Interface Configuration Report
The reports make it easier to compare VPN configuration settings when you troubleshoot a branch office VPN.
The reports are available in Policy Manager and Fireware XTM Web UI in the same locations where you add or edit a VPN gateway, tunnel, or BOVPN virtual interface.
• In Policy Manager, these reports include information about the selected gateway, tunnel, or virtual interface.
• In the Web UI, these are sections of the existing XTM Configuration Report, which also contains information about other device configuration settings.
BOVPN Gateway Configuration Report
The BOVPN Gateway Configuration Report shows settings for the selected branch office VPN gateway.
Click Report to see the report.
• Click Show Tunnel Details to add tunnel details to the report.
• Select HTML or Plain text format.
• Save or Print the report.
BOVPN Tunnel Configuration Report
The BOVPN Tunnel Configuration Report shows settings for the selected branch office VPN tunnel.
Click Report to see the report.
• Click Show Gateway Details to add gateway details to the report.
• Select HTML or Plain text format.
• Save or Print the report.
BOVPN Virtual Interface Configuration Report
The BOVPN Virtual Interface Configuration Report shows settings for the selected BOVPN virtual interface.
Click Report to see the report.
• Select HTML or Plain text format.
• Save or Print the report.
BOVPN Configuration Reports in the Web UI
In the Web UI, reports are available for BOVPN gateways and tunnels.
• Click Report to see the XTM Configuration Report in a new browser window, scrolled to the section for the tunnel or gateway you selected. Make sure that your browser is configured to allow pop-ups for Fireware XTM Web UI.
• This is the same report available from the System > Configuration File page.
VPN Global Settings Update
The Global VPN setting Enable IPSec Pass-through has been renamed to clarify that this adds a policy to enable outbound IPSec traffic.
The functionality of the new Add a Policy to enable outbound IPSec pass-through check box is unchanged.
• When you select this option, a policy called WatchGuard IPSec is automatically generated.
• This policy allows IPSec VPN clients on the trusted or optional networks to make outbound IPSec VPN connections.
Enable/Disable SSLv3 in HTTPS and SMTP Proxy Actions
Enable/Disable SSLv3 in HTTPS & SMTP Proxy Actions
The SSLv3 protocol has a recently disclosed vulnerability, POODLE (CVE-2014-3566), a padding-oracle attack that lets a man-in-the-middle decrypt parts of an SSLv3 session.
You can now disable or enable SSLv3 in the HTTPS proxy action (Content Inspection) and the SMTP proxy action (TLS Encryption).
SSLv3 and SSLv2 are disabled by default.
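The decision flow from the What is SNI?, Domain Names and WebBlocker slides above (SNI preferred, certificate CN as fallback, Domain Names rules before WebBlocker categories), combined with the SSLv3 switch on this slide, as one added Python model. This is not Fireware code: build_client_hello only produces constructed test input, the DOMAIN_RULES table, the CATEGORY_OF lookup, the INSPECT_CATEGORIES selection and the certificate CN values passed in are assumptions, and WebBlocker's own allow/deny verdict for categories that are not inspected is reduced to Allow.

```python
"""Models the HTTPS proxy action decisions from the What is SNI?, Domain Names
and WebBlocker slides, plus the SSLv3 switch.  Added illustration, not
Fireware code.  DOMAIN_RULES, CATEGORY_OF, INSPECT_CATEGORIES and the CN
values are constructed; WebBlocker's own allow/deny verdict for categories
that are not inspected is reduced to Allow."""
import struct

SSLV3, TLS10 = 0x0300, 0x0301


def build_client_hello(version, sni=None):
    """Build a minimal TLS record holding a ClientHello (constructed test input)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        names = b"\x00" + struct.pack("!H", len(name)) + name       # name_type host_name(0)
        body = struct.pack("!H", len(names)) + names
        exts = struct.pack("!HH", 0, len(body)) + body               # extension 0 = server_name
    hello = (struct.pack("!H", version) + b"\x00" * 32               # client_version, random
             + b"\x00"                                               # empty session id
             + b"\x00\x02\x00\x2f"                                   # one cipher suite
             + b"\x01\x00")                                          # null compression only
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(hello))[1:] + hello  # type 1, 24-bit length
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(rec):
    """Return (client_version, sni or None); raise ValueError for anything else."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9                                                 # 5-byte record + 4-byte handshake header
    version = struct.unpack("!H", rec[p:p + 2])[0]
    p += 2 + 32                                           # client_version + random
    p += 1 + rec[p]                                       # session id
    p += 2 + struct.unpack("!H", rec[p:p + 2])[0]         # cipher suites
    p += 1 + rec[p]                                       # compression methods
    sni = None
    if p + 2 <= len(rec):                                 # extensions block is optional
        end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", rec[p:p + 4])
            p += 4
            if etype == 0:                                # list_len(2) type(1) name_len(2) name
                nlen = struct.unpack("!H", rec[p + 3:p + 5])[0]
                sni = rec[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += elen
    return version, sni


# Constructed Domain Names rules, in the order they appear in the proxy action.
DOMAIN_RULES = [("www.youtube.com", "Deny"), ("*.google.com", "Inspect"),
                ("*.bank.example", "Allow"), ("203.0.113.10", "Inspect")]
INSPECT_CATEGORIES = {"Malicious Web Sites", "Proxy Avoidance"}     # constructed selection
CATEGORY_OF = {"evil.example": "Malicious Web Sites", "news.example": "News and Media"}


def match(pattern, name):
    return name == pattern or (pattern.startswith("*.") and name.endswith(pattern[1:]))


def https_decision(rec, cert_cn, server_ip, sslv3_enabled=False, inspection_enabled=True):
    """Return the proxy action for one connection: Deny, Allow or Inspect."""
    version, sni = parse_client_hello(rec)
    if version == SSLV3 and not sslv3_enabled:
        return "Deny (SSLv3 disabled)"
    name = sni or cert_cn                       # SNI preferred; certificate CN is the fallback
    for pattern, action in DOMAIN_RULES:        # Domain Names rules have the highest priority
        if match(pattern, name) or match(pattern, server_ip):
            if action == "Inspect" and not inspection_enabled:
                return "Allow"                  # Inspect only takes effect when inspection is on
            return action
    category = CATEGORY_OF.get(name)            # no rule matched: WebBlocker category decides
    if inspection_enabled and category in INSPECT_CATEGORIES:
        return "Inspect"
    return "Allow"
```

The instructive case is a client that sends no SNI: the only name available is the certificate CN, so a YouTube connection presenting *.google.com falls through the www.youtube.com Deny rule and lands on the *.google.com rule instead, exactly the ambiguity the SNI and Certificate CN slide describes. Check the HTTPS entries in the traffic log for the SNI/CN the device actually saw before writing rules.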
31-bit and 32-bit Subnet Mask Support
You can now configure an external interface IP address with a /31 or /32 subnet mask.
• /31 and /32 addresses are used to conserve IPv4 address space.
• Supported in Mixed Routing mode only.
31-bit Subnet Mask (/31)
• Supported for any external interface (physical, VLAN, Bridge, Link Aggregation).
• Often used for point-to-point networks, as described in RFC 3021.
32-bit Subnet Mask (/32)
• Supported only for physical external interfaces.
• Not supported for virtual interfaces (VLAN, Link Aggregation, Bridge).
A 32-bit subnet mask defines a network with only one IP address. You cannot use a /32 subnet mask for a virtual external interface, because these interfaces do not support a gateway on a different subnet.
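The address arithmetic behind the slide, as an added Python example (not Fireware code): RFC 3021 gives a /31 two usable addresses and no broadcast address, a /32 holds exactly one address, and a /32 external interface necessarily has its gateway outside its own subnet, which is why only physical interfaces support it. The addresses, the interface type names and the external_interface_ok rule check are constructed from the slide's statements; the third check generalises the slide's reason to "virtual interfaces need an on-subnet gateway" and is my reading, not a documented rule.

```python
"""Usable-address and gateway rules for /31 and /32 external interfaces.
Added illustration, not Fireware code; addresses and the rule table below
are constructed from the slide."""
import ipaddress

VIRTUAL_TYPES = {"vlan", "bridge", "link-aggregation"}   # constructed type names


def usable_addresses(cidr):
    """Addresses a host may use on this link (RFC 3021 semantics for /31)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 32:
        return [net.network_address]                      # one address, nothing else
    if net.prefixlen == 31:
        return [net.network_address, net.broadcast_address]   # both usable, no broadcast
    return list(net.hosts())                              # classic: drop network and broadcast


def gateway_on_link(interface_cidr, gateway):
    """True when the default gateway lies inside the interface's own subnet."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_network(interface_cidr, strict=False)


def external_interface_ok(iface_type, cidr, gateway, mode="mixed routing"):
    """Apply the slide's support rules to a proposed external interface; returns (ok, reason)."""
    prefix = ipaddress.ip_network(cidr, strict=False).prefixlen
    if prefix >= 31 and mode != "mixed routing":
        return False, "/31 and /32 masks are supported in mixed routing mode only"
    if prefix == 32 and iface_type in VIRTUAL_TYPES:
        return False, "/32 is not supported on virtual interfaces"
    if iface_type in VIRTUAL_TYPES and not gateway_on_link(cidr, gateway):
        return False, "virtual interfaces do not support a gateway on a different subnet"
    return True, "ok"
```

On a /31 the "network" and "broadcast" addresses are the two link endpoints, so a gateway of 198.51.100.1 on a 198.51.100.0/31 interface is on-link and valid even on a VLAN; on a /32 the gateway can never be on-link, which is the case the slide restricts to physical interfaces.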
Offline Signature Updates
Offline Signature Updates
For security reasons, some customer environments require direct control over the distribution and installation of periodic signature updates for signature services such as Gateway AntiVirus, Intrusion Prevention, and Data Loss Prevention.
WatchGuard now offers Offline Signature Updates, which enable you to download the latest signatures for these services directly from WatchGuard and then use a special utility to manually install these files on your WatchGuard Firebox or XTM devices.
A special set of credentials is required to access the signature update files from the WatchGuard servers. For more information, please contact your local WatchGuard representative.
Management Server Enhancements
Distribution IP Address List
Change the order of IP addresses in the Distribution IP Address list.
This feature is important for Management Tunnels, to make sure that the private IP address of the Management Server appears first in the list.
Expire Lease on Device Folder
When you connect to your Management Server in WSM, you can now expire the lease on all the devices in these folders:
• Filtered View > Pending
• Any folder in the Devices tree
Right-click the folder and select Expire Lease to expire the lease on all devices in that folder.
New Device Configuration Template Version
The Management Server now includes a new version option for Device Configuration Templates.
When you create a new template, select from these new options:
• Fireware XTM v11.4-11.9.3
• Fireware XTM v11.9.4 or later
Monitoring Enhancements
View VPN Statistics
From the Fireware XTM Web UI System Status > VPN Statistics page, on the Branch Office VPN tab, you can see the statistics for the virtual interfaces and gateways configured for the Branch Office VPNs on your device.
You can filter the page details to see only virtual interfaces, gateways, or both.
You can also use the Search feature to locate an interface or gateway in the list.
View VPN Statistics
Expand a gateway or virtual interface to see the active tunnels.
Expand a tunnel to see statistics for that tunnel.
Click Edit to go to the Branch Office VPN / Edit page for the selected gateway.
• If the tunnel was created by the Management Server, the Edit button is not available.
Click Rekey tunnel to rekey the selected tunnel.
View VPN Statistics
Fireware XTM Web UI now includes statistics for all Mobile VPN types on one tab.
• Select System Status > VPN Statistics.
• Select the Mobile VPN tab.
• Select the Mobile VPN type to show: All, IPSec, SSL, PPTP, L2TP
View VPN Statistics
For each Mobile VPN type that you select, a list of users for that tunnel type appears.
Click a user to see statistics for that user.
Clear WebBlocker Cache
From Firebox System Manager, clear the WebBlocker cache:
• Select Tools > Clear WebBlocker Cache
• Supported for single Firebox or XTM devices and FireClusters
View DNS Server Details
When you configure the external interface on your device to use PPPoE, you can see the DNS server information in the Firebox status in the Web UI, WSM, and FSM.
Web UI — DASHBOARD > Interfaces > Detail
View DNS Server Details
WSM — Device Status > Firebox Status > DNS Servers
View DNS Server Details
FSM — Front Panel > DNS Servers
SNMP Enhancements
SNMP Enhancements
You can now enable your device to use NAT for connections through the SNMP application layer gateway.
When you enable this option, all SNMP connections are forced to use NAT.
In the Web UI, select System > SNMP and select the Use NAT for connections through the SNMP application layer gateway check box.
SNMP Enhancements
In Policy Manager, select Setup > SNMP and select the Use NAT for connections through the SNMP application layer gateway check box.
Other Enhancements
Other Enhancements
You can now set the maximum time interval for failed FTP logins per connection in the FTP client and server proxy actions.
You can now manage the Gateway Wireless Controller from the Command Line Interface (CLI).
MAC address reservations for AP wireless devices are now limited to 256.
Support for New Firebox Models
Support for New Firebox Models
WatchGuard System Manager v11.9.4 adds support for management of two new Firebox models.
• Firebox M400
• Firebox M500
Fireware XTM OS v11.9.4 is the first OS update available for these models:
• Firebox M400
• Firebox M500
• Firebox M440
• Firebox T10-D
New Models — Firebox M400 and Firebox M500
Firebox M400
• 6x 1 Gb interfaces
• 2x 1 Gb SFP ports
• 150 to 350 users
• Replaces XTM 525
Firebox M500
• 6x 1 Gb interfaces
• 2x 1 Gb SFP ports
• 350 to 750 users
• Replaces XTM 535 and XTM 545
SFP transceivers available as accessories: 1 Gb Fiber to Copper, 1 Gb Fiber
New Model — Firebox M440
Support for Firebox M440 was added in v11.9.3.
• 25x 1 Gb interfaces, 8 with Power over Ethernet
• 2x 10 Gb SFP+ fiber interfaces (transceivers sold separately)
Firebox T10-D
The Firebox T10-D is a DSL device.
• Interface 0 is an ADSL/VDSL RJ11 interface.
• DSL specifications: VDSL2 8a, 8b, 8c, 8d, 12a, 12b, 17a, 30a profiles; ADSL1/2/2+ DSL mode: Annex A
DSL settings are automatically configured.
• There are no user-configurable DSL settings.
The Firebox T10-D is supported only in Europe, Australia, and New Zealand.
Firebox T10-D ADSL
ADSL service providers require the DSL device to use specific Virtual Path Identifier (VPI) and Virtual Circuit Identifier (VCI) settings.
• The Firebox T10-D supports eight VPI/VCI combinations:
  VPI = 8, VCI = 32
  VPI = 8, VCI = 35
  VPI = 8, VCI = 36
  VPI = 8, VCI = 48
  VPI = 0, VCI = 35
  VPI = 0, VCI = 38
  VPI = 0, VCI = 100
  VPI = 1, VCI = 32
• If the connection fails with these VPI/VCI settings, the Firebox automatically polls the ISP to try additional VPI/VCI combinations: 0/32, 0/33, 0/34, 0/50, 0/67, 1/33, 1/39, 1/50, 2/32, 8/67, 8/81, 14/24.
  If the ISP disables ATM OAM F5 ping responses, automatic polling cannot use these alternate VPI/VCI combinations to establish a connection.
• Work with your local WatchGuard Sales Engineer if you are interested in exploring and testing DSL configurations that are not supported by default.
For a list of VPI and VCI settings required by some service providers, see: Firebox T10-D VDSL and ADSL requirements by service provider
Firebox T10-D VDSL
For VDSL, the external interface must use a VLAN ID specified by the ISP. To configure the required VLAN:
• Add an external VLAN, with the VLAN ID and external network settings (PPPoE, static IP address, or DHCP).
• Configure Interface 0 to send and receive tagged traffic for the external VLAN.
For a list of VLAN IDs required by some service providers, see: Firebox T10-D VDSL and ADSL requirements by service provider
Firebox T10-D DSL Status
The Status Report tab in Firebox System Manager shows DSL status:
• DSL link status
• DSL mode
• DSL firmware version
The same status information is available with the CLI command:
diagnose hardware dsl
What Else is New?
VPN Troubleshooting Help
New troubleshooting guides for Mobile VPN with IPSec, SSL, L2TP, and PPTP.
• Tips to help resolve the most common mobile VPN configuration issues.
• Find them in the WatchGuard System Manager Help and Fireware XTM Web UI Help for each mobile VPN type.
Additional Resources
Additional Resources
Information about the new and enhanced features included in this release is available from these resources on the Product Documentation pages of the WatchGuard website:
• From the Help systems:
  WatchGuard System Manager Help — What’s New in This Release
  Fireware XTM Web UI Help — What’s New in This Release
  WatchGuard Dimension Help — What’s New in This Release
  The What’s New in This Release topics also include information about features and enhancements for recent previous releases.
• From the What’s New presentation: What’s New in Fireware XTM v11.9.4
Thank You!