What’s New in Fireware XTM v11.9.4

WatchGuard Training

©2014 WatchGuard Technologies, Inc.

Upload: eileen-palmer

Post on 04-Jan-2016



What’s New in v11.9.4

Authentication Enhancements
• Hotspot Enhancements
    • Create custom hotspot page settings & manage Guest Administrator accounts
    • Support for Guest Administrators to manage guest user accounts and create custom vouchers
• Single Sign-On Event Log Monitor Enhancements

HTTPS Proxy Content Inspection based on SNI or WebBlocker Category
• Supports SNI (Server Name Indication) to more accurately configure the domains you want to allow, block, or inspect.
• More control over the HTTPS sites you want to inspect and the sites you want to bypass.
• You can select the WebBlocker categories you want to inspect.

Branch Office VPN enhancements
• A BOVPN Virtual Interface now supports any interface as the local gateway
• New BOVPN Configuration Reports for easier VPN troubleshooting
• Renamed “Enable IPSec Pass-through” VPN setting


What’s New in v11.9.4

Enable/Disable SSLv3 Option in HTTPS and SMTP Proxy Actions

Offline Signature Updates

Support for /31 and /32 subnet masks

Management Server Enhancements
• Change the order of IP addresses in the Distribution IP Address list

Monitoring Enhancements
• Web UI VPN Statistics page includes statistics for Mobile VPN types on one tab
• Clear the WebBlocker cache from Firebox System Manager

Support for NAT connections through the SNMP application layer gateway

Other Enhancements

Support for new Firebox models
• Firebox M400
• Firebox M500
• Fireware XTM OS update for Firebox M440 and Firebox T10-D

What Else is New?


Authentication Enhancements


Hotspot Enhancements

The Hotspot feature now includes these new features:
• Customize guest user authentication options for a hotspot
• Create and manage Guest Administrator user accounts
• New Wireless Guest Administration web portal for Guest Administrators to:
    • Manage guest user accounts
    • Configure guest user account settings
    • Customize vouchers with guest user account information


Customize Guest User Authentication for Hotspots

Configure the Hotspot Connections settings for a custom hotspot page and manage Guest Administrator accounts.
• In Fireware XTM Web UI, select Authentication > Hotspot.
• In Policy Manager, select Setup > Authentication > Hotspot.


Customize Guest User Authentication for Hotspots

On the new Hotspot Connections tab:
• Select whether guest users must use credentials to connect.
• Set the number of user accounts the Guest Administrator can add.
• Add Guest Administrator user accounts.
    • Guest Administrator user accounts are added to the default Firebox-DB authentication server.
    • You can add and remove accounts, or edit them to disable the account or change the passphrase.


Customize Guest User Authentication for Hotspots

To add Guest Administrator user accounts:

• In Policy Manager, click Manage Guest Administrator Accounts.


Customize Guest User Authentication for Hotspots

• In Fireware XTM Web UI, add Guest Administrators in the Wireless Guest Administrators section.


Customize Guest User Authentication for Hotspots

Guest Administrator user accounts also appear in the Firebox or XTM device Users and Roles list, with the Guest Administrator role:
• In Policy Manager, select File > Manage Users and Roles.

• In Fireware XTM Web UI, select System > Users and Roles.


Customize Guest User Authentication for Hotspots

Custom Page settings remain the same, but have moved to the Customize Hotspot Page tab.


Guest Administration for Hotspots

Guest Administrators can connect to the Wireless Guest Administration web portal on the Firebox or XTM device to manage guest user accounts and create custom vouchers for guest user accounts.

Guest Administrators connect to the device at https://<device-ip-address>:8080/wirelessguest/ and log in to the Wireless Guest Administration web portal with Guest Administrator credentials.


Guest Administration for Hotspots

The Guest Administrator configures the user account settings for guest user accounts.
• Select the Settings tab.


Guest Administration for Hotspots

Configure these settings for guest user accounts:
• User Name Prefix
    • The prefix for all guest user account user names.
    • When guest user accounts are generated, each user name begins with this prefix.
• Account Lifetime
    • The amount of time that each guest user account can be used after it is activated for the first time.
    • When the guest user logs in with the guest user account credentials, the countdown starts.
    • The default account lifetime is 24 hours.
• Account Expiration
    • The amount of time after which the guest user account expires and is removed from the Guest Accounts list.
    • If the guest user account has not been activated before the account expiration time is reached, the guest user account still expires.


Guest Administration for Hotspots

The Guest Admin configures the settings for the printed vouchers that provide guest users with their guest user account information.
• Select the Customize Voucher tab.


Guest Administration for Hotspots

Configure these settings for the guest user vouchers:
• Business Name
    • The name of the company where the hotspot is located.
    • The name you specify is included in the voucher text.
• Contact Information
    • The contact information for the company.
    • This text can include instructions to get hotspot connection help as well as contact numbers or addresses.
• Use a custom logo
    • Upload the company logo to use on the voucher.
    • The logo file can include images, text, and other special information that you want to give guest users.
    • Image files must be JPG, PNG, or GIF files.
    • There is no size constraint on the logo image files, but the recommended size is 90 x 50 pixels.


Guest Administration for Hotspots

The Guest Admin adds guest user accounts and prints vouchers.
• Select the Accounts tab.

• Specify the number of guest user accounts to create.

• Click Add and Print New Accounts.


Guest Administration for Hotspots

Example vouchers — Logo only and logo with informational text.


Guest Administration for Hotspots

Print the voucher:
• Click Print in the Print Guest Account window.


Guest Administration for Hotspots

Manage guest user accounts:
• Select the check box for an account.

• To remove the account, click Delete.

• To print a new voucher, click Print.


Single Sign-On Enhancements

Single Sign-On has been updated to support failover and load balancing for the Event Log Monitors installed on multiple domains in your network.

The SSO Agent sends a DNS resolution request to resolve the host name for the IP address of the client, and determines which domain the client is a member of.

The SSO Agent then contacts the Event Log Monitors in that domain to attempt to authenticate the client.
• If multiple Event Log Monitors are installed and included in the SSO Agent Configuration, and the first Event Log Monitor is unable to resolve the authentication request, the SSO Agent will fail over to the next Event Log Monitor to attempt to resolve the request.

The SSO Agent can also contact the Event Log Monitors from other domains in your network, if they are specified in the SSO Agent configuration.


HTTPS Proxy Content Inspection based on SNI or WebBlocker Category


What is SNI?

SNI (Server Name Indication) is an extension of the TLS protocol that indicates the specific server name while making a TLS/SSL connection.

SNI is supported by most modern web browsers.

SNI is more accurate than the certificate CN (Common Name) for a site because it can determine the actual server name from the HTTPS traffic headers.

Many web servers host several web sites that share the same IP address and multiple certificates, and these sites can share the same certificate CN (Common Name).


SNI and Certificate CN

For example, many Google services such as YouTube and Google Maps share the same certificate CN (*.google.com).

If you block access to YouTube based on the certificate CN, this would also block access to Google Maps and other services with the same CN.

SNI provides the server name that you can use to more accurately control access to specific sites and perform or bypass content inspection.

The certificate CN is used if SNI information is not available.


Benefits of HTTPS Content Inspection with SNI

With selective content inspection and SNI checks in v11.9.4, you now have more control over the HTTPS sites you want to inspect and the sites you want to bypass.

For example, you can configure HTTPS content inspection but bypass banking, financial, or other sites with privacy concerns.

You can more accurately allow, block, or inspect specific sites that come from domains (Google, YouTube, etc.) that may share the same certificate common name (CN).

With WebBlocker, you can enable HTTPS content inspection only for known categories of high risk web sites.


HTTPS Content Inspection — Enable Content Inspection

Enable Content Inspection

• To enable content inspection, in the HTTPS Proxy Action configuration, select the Enable deep inspection of HTTPS content check box.

• Select the HTTP Proxy Action to apply to inspected traffic.

• At this point, even when this feature is enabled globally, all HTTPS web sites will bypass inspection.

• To inspect a site, you must define the domain in the Domain Names page and configure the domain with the Inspect action.


HTTPS Content Inspection — Domain Names

Domain Names

• SNI and CN are used to check the rules configured in the Domain Names section of the HTTPS Proxy Action. The certificate CN will be used if SNI is not available.

• You can allow or deny access to a site, or perform content inspection.

• When content inspection is enabled, web sites will only be inspected if the domain is configured with the action Inspect.

• The pattern name can be server name (SNI), certificate common name (CN), or an IP address.

• The Allow action bypasses content inspection.


HTTPS Content Inspection — Domain Names

Examine the HTTPS entries in the traffic logs for the correct SNI/CN information when you create your domain name rules.


HTTPS Content Inspection — WebBlocker

WebBlocker

• Only categories allowed by WebBlocker are displayed in the HTTPS Proxy Action WebBlocker configuration.

• When content inspection is enabled, you must select the WebBlocker categories you want to perform content inspection on.

• If content inspection is not enabled, WebBlocker can allow or deny the connection.

• Domain Names rules have the highest priority. WebBlocker checks only occur when there is no domain name rule match and the default action is Allow.


HTTPS Content Inspection — v11.9.3 vs. v11.9.4

In v11.9.3 and lower:
• A certificate name (CN) check determines whether to allow or deny access to a site, as configured in Certificate Names.
• If content inspection is enabled, all connections are redirected to the HTTP-Proxy for content inspection except for addresses defined in the Bypass List.
• WebBlocker checks to allow or block sites are performed only for traffic that is not content inspected.

In v11.9.4 and higher:
• SNI, CN, and IP address are used to check the rules configured in the Domain Names section of the HTTPS Proxy Action. The certificate CN will be used if SNI is not available.
• You inspect, allow (bypass inspection), or deny access to a domain.
• When content inspection is enabled, inspection only occurs if the domain is configured with the action Inspect.
• No Bypass List in v11.9.4. Set the action in Domain Names to Allow to bypass content inspection.
• When content inspection is enabled, you must choose the WebBlocker categories you want to inspect.
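A simplified model of the v11.9.4 evaluation order described in the slides above, with content inspection enabled (an added example, not Fireware code or part of the WatchGuard presentation). Glob-style pattern matching, first-match rule order, the category lookup table, the category name and all sample hosts are assumptions constructed for illustration; WebBlocker's own allow or deny verdict for a category is outside the model.

```python
from fnmatch import fnmatchcase

INSPECT, ALLOW, DENY = "Inspect", "Allow", "Deny"


def match_domain_rule(candidates, domain_rules):
    """Return (pattern, action) for the first rule matching any candidate, else None."""
    for pattern, action in domain_rules:
        if any(fnmatchcase(c.lower(), pattern.lower()) for c in candidates):
            return pattern, action
    return None


def decide(conn, domain_rules, default_action, inspect_categories, category_of):
    """Model the v11.9.4 order with content inspection enabled; returns (action, reason)."""
    # SNI is preferred; the certificate CN is used only when SNI is not available.
    name = conn.get("sni") or conn.get("cn")
    candidates = [c for c in (name, conn.get("dst_ip")) if c]

    # 1. Domain Names rules have the highest priority.
    hit = match_domain_rule(candidates, domain_rules)
    if hit:
        return hit[1], "domain rule " + hit[0]

    # 2. WebBlocker is consulted only if no rule matched and the default action is Allow.
    if default_action != ALLOW:
        return default_action, "default action"
    category = category_of(name)
    if category in inspect_categories:
        return INSPECT, "WebBlocker category " + category

    # 3. Nothing selected this connection for inspection, so it bypasses inspection.
    return ALLOW, "default action"


# Constructed sample configuration (hypothetical values).
DOMAIN_RULES = [
    ("*.bank.example", ALLOW),       # privacy-sensitive site: bypass inspection
    ("*.youtube.com", DENY),         # server-name rule from the slide's example
    ("198.51.100.7", INSPECT),       # a pattern can also be an IP address
]
INSPECT_CATEGORIES = {"high-risk"}                   # hypothetical category name
CATEGORIES = {"files.badhost.example": "high-risk"}  # stand-in for a WebBlocker lookup

# Constructed sample connections as the proxy would see them.
CONNECTIONS = [
    {"sni": "www.youtube.com", "cn": "*.google.com", "dst_ip": "203.0.113.10"},
    {"sni": "maps.google.com", "cn": "*.google.com", "dst_ip": "203.0.113.10"},
    {"sni": None, "cn": "*.google.com", "dst_ip": "203.0.113.10"},   # no SNI: CN only
    {"sni": None, "cn": "login.bank.example", "dst_ip": "203.0.113.20"},
    {"sni": None, "cn": None, "dst_ip": "198.51.100.7"},
    {"sni": "files.badhost.example", "cn": "files.badhost.example", "dst_ip": "203.0.113.30"},
]


def evaluate(connections, rules=DOMAIN_RULES, default_action=ALLOW,
             inspect_categories=INSPECT_CATEGORIES):
    """Return the action chosen for each connection, in order."""
    return [decide(c, rules, default_action, inspect_categories, CATEGORIES.get)[0]
            for c in connections]


if __name__ == "__main__":
    for conn in CONNECTIONS:
        print(conn, "->", decide(conn, DOMAIN_RULES, ALLOW, INSPECT_CATEGORIES, CATEGORIES.get))
```

Running `evaluate(CONNECTIONS, rules=[], inspect_categories=set())` returns Allow for every connection, which is the point the slides make: enabling content inspection alone inspects nothing until a Domain Names rule or a selected WebBlocker category says Inspect.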


Branch Office VPN Enhancements


BOVPN Virtual Interface Local Gateway Interface

BOVPN Virtual Interface now supports any interface as the local gateway.
• You cannot use a modem for failover from a BOVPN virtual interface if a local gateway endpoint uses an interface that is not external.

From the Physical drop-down list, select any enabled physical or wireless interface.

Select Other and click Select to select any VLAN, Bridge, PPPoE, or Link Aggregation interface.


BOVPN Virtual Interface Local Gateway Interface

When you select Other, a list of logical interfaces appears.

To filter the interface list, use the Type and Zone drop-down lists, or type the interface Name.
• Types:
    • VLAN
    • Bridge
    • Link Aggregation
    • PPPoE
• Zone:
    • Trusted
    • Optional
    • Custom
    • External


BOVPN Configuration Reports

Three new branch office VPN configuration reports show a summary of BOVPN settings in HTML or plain text format that you can save or print.
• BOVPN Gateway Configuration Report
• BOVPN Tunnel Configuration Report
• BOVPN Virtual Interface Configuration Report

The reports make it easier to compare VPN configuration settings when you troubleshoot a branch office VPN.

The reports are available in Policy Manager and Fireware XTM Web UI in the same locations where you add or edit a VPN gateway, tunnel or BOVPN virtual interface.
• In Policy Manager, these reports include information about the selected gateway, tunnel, or virtual interface.

• In the Web UI, these are sections of the existing XTM Configuration Report, which also contain information about other device configuration settings.


BOVPN Gateway Configuration Report

The BOVPN Gateway Configuration Report shows settings for the selected branch office VPN gateway.

Click Report to see the report.
• Click Show Tunnel Details to add tunnel details to the report.

• Select HTML or Plain text format.

• Save or Print the report.


BOVPN Tunnel Configuration Report

The BOVPN Tunnel Configuration Report shows settings for the selected branch office VPN tunnel.

Click Report to see the report.
• Click Show Gateway Details to add gateway details to the report.

• Select HTML or Plain text format.

• Save or Print the report.


BOVPN Virtual Interface Configuration Report

The BOVPN Virtual Interface Configuration Report shows settings for the selected BOVPN virtual interface.

Click Report to see the report.
• Select HTML or Plain text format.

• Save or Print the report.


BOVPN Configuration Reports in the Web UI

In the Web UI, reports are available for BOVPN gateways and tunnels.
• Click Report to see the XTM Configuration Report in a new browser window, scrolled to the section for the tunnel or gateway you selected.
    • Make sure that your browser is configured to allow pop-ups for Fireware XTM Web UI.

• This is the same report available from the System > Configuration File page.


VPN Global Settings Update

The Global VPN setting Enable IPSec Pass-through has been renamed to clarify that this adds a policy to enable outbound IPSec traffic.

The functionality of the new Add a Policy to enable outbound IPSec pass-through check box is unchanged.
• When you select this option, a policy called WatchGuard IPSec is automatically generated.

• This policy allows IPSec VPN clients on the trusted or optional networks to make outbound IPSec VPN connections.


Enable/Disable SSLv3 in HTTPS and SMTP Proxy Actions


Vulnerabilities were recently discovered in the SSLv3 protocol (the POODLE vulnerability).

You can now disable or enable SSLv3 in the HTTPS proxy action (Content Inspection) and the SMTP proxy action (TLS Encryption).

SSLv3 and SSLv2 are disabled by default.


31-bit and 32-bit Subnet Mask Support

You can now configure an external interface IP address with a /31 or /32 subnet mask.
• /31 and /32 addresses are used to conserve IPv4 address space.
• Supported in Mixed Routing mode only.

31-bit Subnet Mask (/31)
• Supported for any external interface (physical, VLAN, Bridge, Link Aggregation).
• Often used for point-to-point networks as described in RFC 3021.

32-bit Subnet Mask (/32)
• Supported only for physical external interfaces.
• Not supported for virtual interfaces (VLAN, Link Aggregation, Bridge).
    • A 32-bit subnet mask defines a network with only one IP address.
    • You cannot use a /32 subnet mask for a virtual external interface, because these interfaces do not support a gateway on a different subnet.


Offline Signature Updates


For security reasons, some customer environments require direct control over the distribution and installation of periodic signature updates for signature services such as Gateway AntiVirus, Intrusion Prevention, and Data Loss Prevention.

WatchGuard now offers Offline Signature Updates, which enable you to download the latest signatures for these services directly from WatchGuard, and then use a special utility to manually install these files on your WatchGuard Firebox or XTM devices.

A special set of credentials is required to access the signature update files from the WatchGuard servers. For more information, please contact your local WatchGuard representative.


Management Server Enhancements


Distribution IP Address List

Change the order of IP addresses in the Distribution IP Address list.

This feature is important for Management Tunnels, to make sure that the private IP address of the Management Server appears first in the list.


Expire Lease on Device Folder

When you connect to your Management Server in WSM, you can now expire the lease on all the devices in these folders:
• Filtered View > Pending

• Any folder in the Devices tree

Right-click the folder and select Expire Lease to expire the lease on all devices in that folder.


New Device Configuration Template Version

The Management Server now includes a new version option for Device Configuration Templates.

When you create a new template, select from these new options:
• Fireware XTM v11.4-11.9.3

• Fireware XTM v11.9.4 or later


Monitoring Enhancements


View VPN Statistics

From the Fireware XTM Web UI System Status > VPN Statistics page, on the Branch Office VPN tab, you can see the statistics for the virtual interfaces and gateways configured for the Branch Office VPNs on your device.

You can filter the page details to see only virtual interfaces, gateways, or both.

You can also use the Search feature to locate an interface or gateway in the list.


View VPN Statistics

Expand a gateway or virtual interface to see the active tunnels.

Expand a tunnel to see statistics for that tunnel.

Click Edit to go to the Branch Office VPN / Edit page for the selected gateway.
• If the tunnel was created by the Management Server, the Edit button is not available.

Click Rekey tunnel to rekey the selected tunnel.


View VPN Statistics

Fireware XTM Web UI now includes statistics for all Mobile VPN types on one tab.
• Select System Status > VPN Statistics.
• Select the Mobile VPN tab.
• Select the Mobile VPN type to show:
    • All
    • IPSec
    • SSL
    • PPTP
    • L2TP


View VPN Statistics

For each Mobile VPN type that you select, a list of users for that tunnel type appears.

Click a user to see statistics for that user.


Clear WebBlocker Cache

From Firebox System Manager, clear the WebBlocker cache.
• Select Tools > Clear WebBlocker Cache

• Supported for single Firebox or XTM devices and FireClusters


View DNS Server Details

When you configure the external interface on your device to use PPPoE, you can see the DNS server information in the Firebox status in the Web UI, WSM, and FSM.

Web UI — DASHBOARD > Interfaces > Detail


View DNS Server Details

WSM — Device Status > Firebox Status > DNS Servers


Monitoring Enhancements — View DNS Server Details

FSM — Front Panel > DNS Servers


SNMP Enhancements


You can now enable your device to use NAT for connections through the SNMP application layer gateway.

When you enable this option, all SNMP connections are forced to use NAT.

In the Web UI, select System > SNMP and select the Use NAT for connections through the SNMP application layer gateway check box.


SNMP Enhancements

In Policy Manager, select Setup > SNMP and select the Use NAT for connections through the SNMP application layer gateway check box.


Other Enhancements


You can now set the maximum time interval for failed FTP logins per connection in the FTP client and server proxy actions.

You can now manage the Gateway Wireless Controller from the Command Line Interface (CLI).

MAC address reservations for AP wireless devices are now limited to 256.


Support for New Firebox Models


WatchGuard System Manager v11.9.4 adds support for management of two new Firebox models.
• Firebox M400
• Firebox M500

Fireware XTM OS v11.9.4 is the first OS update available for these models:
• Firebox M400

• Firebox M500

• Firebox M440

• Firebox T10-D


New Models — Firebox M400 and Firebox M500

Firebox M400
• 6x 1 Gb interfaces
• 2x 1 Gb SFP ports
• 150 to 350 users
• Replaces XTM 525

Firebox M500
• 6x 1 Gb interfaces
• 2x 1 Gb SFP ports
• 350 to 750 users
• Replaces XTM 535 and XTM 545

SFP transceivers available as accessories
    1 Gb Fiber to Copper 1 Gb Fiber


New Model — Firebox M440

Support for Firebox M440 was added in v11.9.3.
• 25 1 Gb interfaces, 8 with Power over Ethernet

• 2 10 Gb SFP+ fiber interfaces (transceivers sold separately)


Firebox T10-D

The Firebox T10-D is a DSL device.
• Interface 0 is an ADSL/VDSL RJ11 interface.
• DSL specifications:
    • VDSL2 8a, 8b, 8c, 8d, 12a, 12b, 17a, 30a profiles
    • ADSL1/2/2+
    • DSL mode: Annex A

DSL settings are automatically configured.
• There are no user-configurable DSL settings.

The Firebox T10-D is supported only in Europe, Australia, and New Zealand.


Firebox T10-D ADSL

ADSL service providers require the DSL device to use specific Virtual Path Identifier (VPI) and Virtual Circuit Identifier (VCI) settings.
• The Firebox T10-D supports eight VPI/VCI combinations:
    • VPI = 8, VCI = 32
    • VPI = 8, VCI = 35
    • VPI = 8, VCI = 36
    • VPI = 8, VCI = 48
    • VPI = 0, VCI = 35
    • VPI = 0, VCI = 38
    • VPI = 0, VCI = 100
    • VPI = 1, VCI = 32
• If the connection fails with these VPI/VCI settings, the Firebox automatically polls the ISP to try additional VPI/VCI combinations: 0/32, 0/33, 0/34, 0/50, 0/67, 1/33, 1/39, 1/50, 2/32, 8/67, 8/81, 14/24.
    • If the ISP disables ATM OAM F5 ping responses, automatic polling cannot use these alternate VPI/VCI combinations to establish a connection.
• Work with your local WatchGuard Sales Engineer if you are interested in exploring and testing DSL configurations that are not supported by default.

For a list of VPI and VCI settings required by some service providers see: Firebox T10-D VDSL and ADSL requirements by service provider


Firebox T10-D VDSL

For VDSL, the external interface must use a VLAN ID specified by the ISP. To configure the required VLAN:

• Add an external VLAN, with the VLAN ID and external network settings (PPPoE, static IP address, or DHCP).

• Configure Interface 0 to send and receive tagged traffic for the external VLAN.

For a list of VLAN IDs required by some service providers see: Firebox T10-D VDSL and ADSL requirements by service provider


Firebox T10-D DSL Status

The Status Report tab in Firebox System Manager shows DSL status:
• DSL link status
• DSL mode
• DSL firmware version

The same status information is available with the CLI command:

diagnose hardware dsl


What Else is New?


VPN Troubleshooting Help

New troubleshooting guides for Mobile VPN with IPSec, SSL, L2TP, and PPTP.
• Tips to help resolve the most common mobile VPN configuration issues.

• Find them in the WatchGuard System Manager Help and Fireware XTM Web UI Help for each mobile VPN type.


Additional Resources


Information about the new and enhanced features included in this release is available from these resources on the Product Documentation pages of the WatchGuard website:
• From the Help systems:
    • WatchGuard System Manager Help — What’s New in This Release
    • Fireware XTM Web UI Help — What’s New in This Release
    • WatchGuard Dimension Help — What’s New in This Release
    • The What’s New in This Release topics also include information about features and enhancements for recent previous releases.
• From the What’s New presentation:
    • What’s New in Fireware XTM v11.9.4
