What’s New in Fireware XTM v11.9.4

WatchGuard Training, ©2014 WatchGuard Technologies, Inc.

Uploaded by hasmawimatjunit, posted 09-Nov-2015


  • What’s New in Fireware XTM v11.9.4 (WatchGuard Training, ©2014 WatchGuard Technologies, Inc.)

  • What’s New in v11.9.4
    Authentication Enhancements
    - Hotspot Enhancements: create custom hotspot page settings and manage Guest Administrator accounts
    - Support for Guest Administrators to manage guest user accounts and create custom vouchers
    - Single Sign-On Event Log Monitor enhancements
    HTTPS Proxy Content Inspection based on SNI or WebBlocker Category
    - Supports SNI (Server Name Indication) to more accurately configure the domains you want to allow, block, or inspect
    - More control over the HTTPS sites you want to inspect and the sites you want to bypass
    - You can select the WebBlocker categories you want to inspect
    Branch Office VPN Enhancements
    - A BOVPN Virtual Interface now supports any interface as the local gateway
    - New BOVPN Configuration Reports for easier VPN troubleshooting
    - Renamed Enable IPSec Pass-through VPN setting

  • What’s New in v11.9.4
    Enable/Disable SSLv3 option in HTTPS and SMTP proxy actions
    Offline Signature Updates
    Support for /31 and /32 subnet masks
    Management Server Enhancements
    - Change the order of IP addresses in the Distribution IP Address list
    Monitoring Enhancements
    - Web UI VPN Statistics page includes statistics for Mobile VPN types on one tab
    - Clear the WebBlocker cache from Firebox System Manager
    - Support for NAT connections through the SNMP application layer gateway
    Other Enhancements
    Support for new Firebox models
    - Firebox M400
    - Firebox M500
    Fireware XTM OS update for Firebox M440 and Firebox T10-D
    What Else is New?

  • Authentication Enhancements

  • Hotspot Enhancements
    The Hotspot feature now includes these new features:
    - Customize guest user authentication options for a hotspot
    - Create and manage Guest Administrator user accounts
    - New Wireless Guest Administration web portal for Guest Administrators to:
      - Manage guest user accounts
      - Configure guest user account settings
      - Customize vouchers with guest user account information

  • Customize Guest User Authentication for Hotspots
    Configure the Hotspot Connections settings for a custom hotspot page and manage Guest Administrator accounts.
    - In Fireware XTM Web UI, select Authentication > Hotspot.
    - In Policy Manager, select Setup > Authentication > Hotspot.

  • Customize Guest User Authentication for Hotspots
    On the new Hotspot Connections tab:
    - Select whether guest users must use credentials to connect.
    - Set the number of user accounts the Guest Administrator can add.
    - Add Guest Administrator user accounts.
    Guest Administrator user accounts are added to the default Firebox-DB authentication server. You can add and remove accounts, or edit them to disable the account or change the passphrase.

  • Customize Guest User Authentication for Hotspots
    To add Guest Administrator user accounts in Policy Manager, click Manage Guest Administrator Accounts.

  • Customize Guest User Authentication for Hotspots
    In Fireware XTM Web UI, add Guest Administrators in the Wireless Guest Administrators section.

  • Customize Guest User Authentication for Hotspots
    Guest Administrator user accounts also appear in the Firebox or XTM device Users and Roles list, with the Guest Administrator role:
    - In Policy Manager, select File > Manage Users and Roles.
    - In Fireware XTM Web UI, select System > Users and Roles.

  • Customize Guest User Authentication for Hotspots
    Custom Page settings remain the same, but have moved to the Customize Hotspot Page tab.

  • Guest Administration for Hotspots
    Guest Administrators can connect to the Wireless Guest Administration web portal on the Firebox or XTM device to manage guest user accounts and create custom vouchers for guest user accounts.
    Guest Administrators connect to the device at https://:8080/wirelessguest/ and log in to the Wireless Guest Administration web portal with Guest Administrator credentials.

  • Guest Administration for Hotspots
    The Guest Administrator configures the user account settings for guest user accounts. Select the Settings tab.

  • Guest Administration for Hotspots
    Configure these settings for guest user accounts:
    - User Name Prefix: the prefix for all guest user account names. When guest user accounts are generated, each user name begins with this prefix.
    - Account Lifetime: the amount of time that each guest user account can be used after it is activated for the first time. The countdown starts when the guest user logs in with the guest user account credentials. The default account lifetime is 24 hours.
    - Account Expiration: the amount of time after which the guest user account expires and is removed from the Guest Accounts list. The account expires at this time even if it has never been activated.
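The two timers above interact in a way that is easy to get wrong when auditing guest access: the lifetime only starts at first login, but the expiration removes the account regardless. This added model (constructed for this page, not WatchGuard code) shows both; the numeric user-name suffix and the 48-hour expiration value are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

HOUR = 3600.0


@dataclass
class GuestAccount:
    username: str
    created_at: float                 # seconds on a shared clock when the Guest Admin created it
    lifetime: float                   # usable time after first activation; default 24 hours
    expiration: float                 # time after creation at which the account is removed
    activated_at: Optional[float] = None


def make_accounts(prefix: str, count: int, now: float,
                  lifetime: float = 24 * HOUR, expiration: float = 48 * HOUR) -> List[GuestAccount]:
    """Generate accounts whose user names all begin with the configured User Name Prefix.
    The zero-padded numeric suffix is an assumption; the deck only says names start with the prefix."""
    return [GuestAccount(f"{prefix}{i:03d}", now, lifetime, expiration) for i in range(1, count + 1)]


def is_expired(acct: GuestAccount, now: float) -> bool:
    """Account Expiration: removed from the Guest Accounts list whether or not it was ever activated."""
    return now >= acct.created_at + acct.expiration


def can_use(acct: GuestAccount, now: float) -> bool:
    """True while the account is still listed and its lifetime (once started) has not run out."""
    if is_expired(acct, now):
        return False
    if acct.activated_at is not None and now >= acct.activated_at + acct.lifetime:
        return False
    return True


def login(acct: GuestAccount, now: float) -> bool:
    """Guest login: the first successful login starts the Account Lifetime countdown."""
    if not can_use(acct, now):
        return False
    if acct.activated_at is None:
        acct.activated_at = now
    return True


def purge(accounts: List[GuestAccount], now: float) -> List[GuestAccount]:
    """What the Guest Accounts list would show at time `now`: expired accounts are gone,
    while accounts whose lifetime ran out but have not yet expired are still listed."""
    return [a for a in accounts if not is_expired(a, now)]
```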

  • Guest Administration for Hotspots
    The Guest Admin configures the settings for the printed vouchers that give guest users their guest user account information. Select the Customize Voucher tab.

  • Guest Administration for Hotspots
    Configure these settings for the guest user vouchers:
    - Business Name: the name of the company where the hotspot is located. The name you specify is included in the voucher text.
    - Contact Information: the contact information for the company. This text can include instructions to get hotspot connection help as well as contact numbers or addresses.
    - Use a custom logo: upload the company logo to use on the voucher. The logo file can include images, text, and other special information that you want to give guest users. Image files must be JPG, PNG, or GIF files. There is no size constraint on the logo image files, but the recommended size is 90 x 50 pixels.

  • Guest Administration for Hotspots
    The Guest Admin adds guest user accounts and prints vouchers:
    - Select the Accounts tab.
    - Specify the number of guest user accounts to create.
    - Click Add and Print New Accounts.

  • Guest Administration for Hotspots
    Example vouchers: logo only, and logo with informational text.

  • Guest Administration for Hotspots
    Print the voucher: click Print in the Print Guest Account window.

  • Guest Administration for Hotspots
    Manage guest user accounts:
    - Select the check box for an account.
    - To remove the account, click Delete.
    - To print a new voucher, click Print.

  • Single Sign-On Enhancements
    Single Sign-On has been updated to support failover and load balancing for the Event Log Monitors installed on multiple domains in your network.
    - The SSO Agent sends a DNS resolution request to resolve the host name for the IP address of the client, and determines which domain the client is a member of.
    - The SSO Agent then contacts the Event Log Monitors in that domain to attempt to authenticate the client.
    - If multiple Event Log Monitors are installed and included in the SSO Agent configuration, and the first Event Log Monitor is unable to resolve the authentication request, the SSO Agent fails over to the next Event Log Monitor to attempt to resolve the request.
    - The SSO Agent can also contact the Event Log Monitors from other domains in your network, if they are specified in the SSO Agent configuration.

  • HTTPS Proxy Content Inspection based on SNI or WebBlocker Category

  • What is SNI?
    SNI (Server Name Indication) is an extension of the TLS protocol that indicates the specific server name while making a TLS/SSL connection. SNI is supported by most modern web browsers.
    SNI is more accurate than the certificate CN (Common Name) for a site because the actual server name is read from the client's TLS handshake rather than from the certificate. Many web servers host several web sites that share the same IP address and multiple certificates, and these sites can share the same certificate CN (Common Name).

  • SNI and Certificate CN
    For example, many Google services such as YouTube and Google Maps share the same certificate CN (*.google.com). If you block access to YouTube based on the certificate CN, this would also block access to Google Maps and other services with the same CN.
    SNI provides the server name that you can use to more accurately control access to specific sites and perform or bypass content inspection.
    The certificate CN is used if SNI information is not available.

  • Benefits of HTTPS Content Inspection with SNI
    With selective content inspection and SNI checks in v11.9.4, you now have more control over the HTTPS sites you want to inspect and the sites you want to bypass.
    - For example, you can configure HTTPS content inspection but bypass banking, financial, or other sites with privacy concerns.
    - You can more accurately allow, block, or inspect specific sites that come from domains (Google, YouTube, etc.) that may share the same certificate common name (CN).
    - With WebBlocker, you can enable HTTPS content inspection only for known categories of high-risk web sites.

  • HTTPS Content Inspection: Enable Content Inspection
    To enable content inspection, in the HTTPS Proxy Action configuration, select the Enable deep inspection of HTTPS content check box. Select the HTTP Proxy Action to apply to inspected traffic.
    At this point, even when this feature is enabled globally, all HTTPS web sites will bypass inspection. To inspect a site, you must define the domain in the Domain Names page and configure the domain with the Inspect action.

  • HTTPS Content Inspection: Domain Names
    SNI and CN are used to check the rules configured in the Domain Names section of the HTTPS Proxy Action. The certificate CN is used if SNI is not available.
    You can allow or deny access to a site, or perform content inspection. When content inspection is enabled, web sites are only inspected if the domain is configured with the action Inspect.
    The pattern name can be a server name (SNI), a certificate common name (CN), or an IP address.
    The Allow action bypasses content inspection.

  • HTTPS Content Inspection: Domain Names
    Examine the HTTPS entries in the traffic logs for the correct SNI/CN information when you create your domain name rules.

  • HTTPS Content Inspection: WebBlocker
    Only categories allowed by WebBlocker are displayed in the HTTPS Proxy Action WebBlocker configuration. When content inspection is enabled, you must select the WebBlocker categories you want to perform content inspection on.
    If content inspection is not enabled, WebBlocker can allow or deny the connection.
    Domain Names rules have the highest priority. WebBlocker checks only occur when there is no domain name rule match and the default action is Allow.

  • HTTPS Content Inspection: v11.9.3 vs. v11.9.4
    In v11.9.3 and lower:
    - A certificate name (CN) check determines whether to allow or deny access to a site, as configured in Certificate Names.
    - If content inspection is enabled, all connections are redirected to the HTTP-Proxy for content inspection except for addresses defined in the Bypass List.
    - WebBlocker checks to allow or block sites are performed only for traffic that is not content inspected.
    In v11.9.4 and higher:
    - SNI, CN, and IP address are used to check the rules configured in the Domain Names section of the HTTPS Proxy Action. The certificate CN is used if SNI is not available.
    - You inspect, allow (bypass inspection), or deny access to a domain.
    - When content inspection is enabled, inspection only occurs if the domain is configured with the action Inspect.
    - There is no Bypass List in v11.9.4. Set the action in Domain Names to Allow to bypass content inspection.
    - When content inspection is enabled, you must choose the WebBlocker categories you want to inspect.
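The v11.9.4 decision order described across the SNI, Domain Names and WebBlocker slides, as an added model written for this page (not WatchGuard code): Domain Names rules matched on SNI (falling back to the certificate CN when SNI is absent) or on IP address come first, and WebBlocker is consulted only when no rule matches and the default action is Allow. The fnmatch-style wildcard matching, the treatment of an Inspect rule while deep inspection is off, and the category names are assumptions.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional, Tuple


@dataclass
class DomainRule:
    pattern: str   # server name (SNI), certificate CN, or IP address
    action: str    # "allow" (bypass inspection), "deny", or "inspect"


@dataclass
class HttpsProxyAction:
    content_inspection: bool                              # "Enable deep inspection of HTTPS content"
    domain_rules: list = field(default_factory=list)      # Domain Names rules, checked in order
    default_action: str = "allow"                         # action when no Domain Names rule matches
    inspect_categories: set = field(default_factory=set)  # WebBlocker categories selected for inspection
    denied_categories: set = field(default_factory=set)   # categories WebBlocker blocks


def name_for_matching(sni: Optional[str], cert_cn: str) -> str:
    """SNI is preferred; the certificate CN is used only when SNI is not available."""
    return sni if sni else cert_cn


def decide(pa: HttpsProxyAction, sni: Optional[str], cert_cn: str, ip: str,
           category: str) -> Tuple[str, str]:
    """Return (action, reason) for one HTTPS connection.

    Domain Names rules have the highest priority. WebBlocker is checked only when
    no rule matches and the default action is Allow. The "*" wildcard (fnmatch
    semantics) is an assumption of this model, not a documented pattern syntax.
    """
    name = name_for_matching(sni, cert_cn)
    for rule in pa.domain_rules:
        if fnmatchcase(name, rule.pattern) or rule.pattern == ip:
            if rule.action == "inspect" and not pa.content_inspection:
                # Assumption: an Inspect rule cannot inspect while deep inspection is off
                return ("allow", f"domain rule {rule.pattern}: inspection disabled")
            return (rule.action, f"domain rule {rule.pattern}")
    if pa.default_action != "allow":
        return (pa.default_action, "no domain rule match: default action")
    # WebBlocker: the category decides allow/deny, and which allowed categories are inspected
    if category in pa.denied_categories:
        return ("deny", f"WebBlocker category {category}")
    if pa.content_inspection and category in pa.inspect_categories:
        return ("inspect", f"WebBlocker category {category}")
    return ("allow", f"WebBlocker category {category}")


# Constructed example configuration (category names are made up for illustration)
EXAMPLE = HttpsProxyAction(
    content_inspection=True,
    domain_rules=[
        DomainRule("www.youtube.com", "deny"),        # block YouTube without touching other *.google.com
        DomainRule("*.mybank.example", "allow"),      # bypass inspection for the bank (privacy)
        DomainRule("*.google.com", "inspect"),        # inspect the rest of Google, matched by SNI or CN
        DomainRule("198.51.100.7", "deny"),           # IP address rule
    ],
    inspect_categories={"high-risk"},
    denied_categories={"gambling"},
)
```

With the same rules but deep inspection disabled, the model returns "allow" for a high-risk category, which is the "WebBlocker can allow or deny, but not inspect" case the slides describe.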

  • Branch Office VPN Enhancements

  • BOVPN Virtual Interface Local Gateway Interface
    A BOVPN Virtual Interface now supports any interface as the local gateway. You cannot use a modem for failover from a BOVPN virtual interface if a local gateway endpoint uses an interface that is not external.
    - From the Physical drop-down list, select any enabled physical or wireless interface.
    - Select Other and click Select to select any VLAN, Bridge, PPPoE, or Link Aggregation interface.

  • BOVPN Virtual Interface Local Gateway Interface
    When you select Other, a list of logical interfaces appears. To filter the interface list, use the Type and Zone drop-down lists, or type the interface Name.
    - Types: VLAN, Bridge, Link Aggregation, PPPoE
    - Zone: Trusted, Optional, Custom, External

  • BOVPN Configuration Reports
    Three new branch office VPN configuration reports show a summary of BOVPN settings in HTML or plain text format that you can save or print:
    - BOVPN Gateway Configuration Report
    - BOVPN Tunnel Configuration Report
    - BOVPN Virtual Interface Configuration Report
    The reports make it easier to compare VPN configuration settings when you troubleshoot a branch office VPN.
    The reports are available in Policy Manager and Fireware XTM Web UI in the same locations where you add or edit a VPN gateway, tunnel, or BOVPN virtual interface.
    - In Policy Manager, these reports include information about the selected gateway, tunnel, or virtual interface.
    - In the Web UI, these are sections of the existing XTM Configuration Report, which also contains information about other device configuration settings.

  • BOVPN Gateway Configuration Report
    The BOVPN Gateway Configuration Report shows settings for the selected branch office VPN gateway.
    - Click Report to see the report.
    - Click Show Tunnel Details to add tunnel details to the report.
    - Select HTML or Plain text format.
    - Save or Print the report.

  • BOVPN Tunnel Configuration Report
    The BOVPN Tunnel Configuration Report shows settings for the selected branch office VPN tunnel.
    - Click Report to see the report.
    - Click Show Gateway Details to add gateway details to the report.
    - Select HTML or Plain text format.
    - Save or Print the report.

  • BOVPN Virtual Interface Configuration Report
    The BOVPN Virtual Interface Configuration Report shows settings for the selected BOVPN virtual interface.
    - Click Report to see the report.
    - Select HTML or Plain text format.
    - Save or Print the report.

  • BOVPN Configuration Reports in the Web UI
    In the Web UI, reports are available for BOVPN gateways and tunnels.
    - Click Report to see the XTM Configuration Report in a new browser window, scrolled to the section for the tunnel or gateway you selected.
    - Make sure that your browser is configured to allow pop-ups for Fireware XTM Web UI.
    - This is the same report available from the System > Configuration File page.

  • VPN Global Settings Update
    The Global VPN setting Enable IPSec Pass-through has been renamed to clarify that this adds a policy to enable outbound IPSec traffic. The functionality of the new Add a Policy to enable outbound IPSec pass-through check box is unchanged.
    When you select this option, a policy called WatchGuard IPSec is automatically generated. This policy allows IPSec VPN clients on the trusted or optional networks to make outbound IPSec VPN connections.

  • Enable/Disable SSLv3 in HTTPS and SMTP Proxy Actions

  • Enable/Disable SSLv3 in HTTPS & SMTP Proxy Actions
    Vulnerabilities have recently been discovered in the SSLv3 protocol (the POODLE vulnerability).
    You can now disable or enable SSLv3 in the HTTPS proxy action (Content Inspection) and the SMTP proxy action (TLS Encryption). SSLv3 and SSLv2 are disabled by default.

  • 31-bit and 32-bit Subnet Mask Support
    You can now configure an external interface IP address with a /31 or /32 subnet mask. /31 and /32 addresses are used to conserve IPv4 address space. Supported in Mixed Routing mode only.
    31-bit Subnet Mask (/31)
    - Supported for any external interface (physical, VLAN, Bridge, Link Aggregation).
    - Often used for point-to-point networks, as described in RFC 3021.
    32-bit Subnet Mask (/32)
    - Supported only for physical external interfaces.
    - Not supported for virtual interfaces (VLAN, Link Aggregation, Bridge).
    - A 32-bit subnet mask defines a network with only one IP address. You cannot use a /32 subnet mask for a virtual external interface, because these interfaces do not support a gateway on a different subnet.

  • Offline Signature Updates

  • Offline Signature Updates
    For security reasons, some customer environments require direct control over the distribution and installation of periodic signature updates for signature services such as Gateway AntiVirus, Intrusion Prevention, and Data Loss Prevention.
    WatchGuard now offers Offline Signature Updates, which enable you to download the latest signatures for these services directly from WatchGuard, and then use a special utility to manually install these files on your WatchGuard Firebox or XTM devices.
    A special set of credentials is required to access the signature update files from the WatchGuard servers. For more information, please contact your local WatchGuard representative.

  • Management Server Enhancements

  • Distribution IP Address List
    Change the order of IP addresses in the Distribution IP Address list.
    This feature is important for Management Tunnels, to make sure that the private IP address of the Management Server appears first in the list.

  • Expire Lease on Device Folder
    When you connect to your Management Server in WSM, you can now expire the lease on all the devices in these folders:
    - Filtered View > Pending
    - Any folder in the Devices tree
    Right-click the folder and select Expire Lease to expire the lease on all devices in that folder.

  • New Device Configuration Template Version
    The Management Server now includes a new version option for Device Configuration Templates. When you create a new template, select from these new options:
    - Fireware XTM v11.4-11.9.3
    - Fireware XTM v11.9.4 or later

  • Monitoring Enhancements

  • View VPN Statistics
    From the Fireware XTM Web UI System Status > VPN Statistics page, on the Branch Office VPN tab, you can see the statistics for the virtual interfaces and gateways configured for the Branch Office VPNs on your device.
    - You can filter the page details to see only virtual interfaces, gateways, or both.
    - You can also use the Search feature to locate an interface or gateway in the list.

  • View VPN Statistics
    - Expand a gateway or virtual interface to see the active tunnels.
    - Expand a tunnel to see statistics for that tunnel.
    - Click Edit to go to the Branch Office VPN / Edit page for the selected gateway. If the tunnel was created by the Management Server, the Edit button is not available.
    - Click Rekey tunnel to rekey the selected tunnel.

  • View VPN Statistics
    Fireware XTM Web UI now includes statistics for all Mobile VPN types on one tab.
    - Select System Status > VPN Statistics.
    - Select the Mobile VPN tab.
    - Select the Mobile VPN type to show: All, IPSec, SSL, PPTP, L2TP

  • View VPN Statistics
    For each Mobile VPN type that you select, a list of users for that tunnel type appears. Click a user to see statistics for that user.

  • Clear WebBlocker Cache
    From Firebox System Manager, clear the WebBlocker cache: select Tools > Clear WebBlocker Cache.
    Supported for single Firebox or XTM devices and FireClusters.

  • View DNS Server Details
    When you configure the external interface on your device to use PPPoE, you can see the DNS server information in the Firebox status in the Web UI, WSM, and FSM.
    Web UI: DASHBOARD > Interfaces > Detail

  • View DNS Server Details
    WSM: Device Status > Firebox Status > DNS Servers

  • View DNS Server Details
    FSM: Front Panel > DNS Servers

  • SNMP Enhancements

  • SNMP Enhancements
    You can now enable your device to use NAT for connections through the SNMP application layer gateway. When you enable this option, all SNMP connections are forced to use NAT.
    In the Web UI, select System > SNMP and select the Use NAT for connections through the SNMP application layer gateway check box.

  • SNMP Enhancements
    In Policy Manager, select Setup > SNMP and select the Use NAT for connections through the SNMP application layer gateway check box.

  • Other Enhancements

  • Other Enhancements
    - You can now set the maximum time interval for failed FTP logins per connection in the FTP client and server proxy actions.
    - You can now manage the Gateway Wireless Controller from the Command Line Interface (CLI).
    - MAC address reservations for AP wireless devices are now limited to 256.

  • Support for New Firebox Models

  • Support for New Firebox Models
    WatchGuard System Manager v11.9.4 adds support for management of two new Firebox models:
    - Firebox M400
    - Firebox M500
    Fireware XTM OS v11.9.4 is the first OS update available for these models:
    - Firebox M400
    - Firebox M500
    - Firebox M440
    - Firebox T10-D

  • New Models Firebox M400 and Firebox M500
    Firebox M400
    - 6x 1 Gb interfaces
    - 2x 1 Gb SFP ports
    - 150 to 350 users
    - Replaces XTM 525
    Firebox M500
    - 6x 1 Gb interfaces
    - 2x 1 Gb SFP ports
    - 350 to 750 users
    - Replaces XTM 535 and XTM 545
    SFP transceivers available as accessories:
    - 1 Gb Fiber to Copper
    - 1 Gb Fiber

  • New Model Firebox M440
    Support for Firebox M440 was added in v11.9.3.
    - 25 1 Gb interfaces, 8 with Power over Ethernet
    - 2 10 Gb SFP+ fiber interfaces (transceivers sold separately)

  • Firebox T10-D
    The Firebox T10-D is a DSL device. Interface 0 is an ADSL/VDSL RJ11 interface.
    DSL specifications:
    - VDSL2 8a, 8b, 8c, 8d, 12a, 12b, 17a, 30a profiles
    - ADSL1/2/2+
    - DSL mode: Annex A
    DSL settings are automatically configured. There are no user-configurable DSL settings.
    The Firebox T10-D is supported only in Europe, Australia, and New Zealand.

  • Firebox T10-D ADSL
    ADSL service providers require the DSL device to use specific Virtual Path Identifier (VPI) and Virtual Circuit Identifier (VCI) settings. The Firebox T10-D supports eight VPI/VCI combinations:

    If the connection fails with these VPI/VCI settings, the Firebox automatically polls the ISP to try additional VPI/VCI combinations: 0/32, 0/33, 0/34, 0/50, 0/67, 1/33, 1/39, 1/50, 2/32, 8/67, 8/81, 14/24.
    If the ISP disables ATM OAM F5 ping responses, automatic polling cannot use these alternate VPI/VCI combinations to establish a connection.
    Work with your local WatchGuard Sales Engineer if you are interested in exploring and testing DSL configurations that are not supported by default.
    For a list of VPI and VCI settings required by some service providers, see: Firebox T10-D VDSL and ADSL requirements by service provider

  • Firebox T10-D VDSL
    For VDSL, the external interface must use a VLAN ID specified by the ISP. To configure the required VLAN:
    - Add an external VLAN, with the VLAN ID and external network settings (PPPoE, static IP address, or DHCP).
    - Configure Interface 0 to send and receive tagged traffic for the external VLAN.
    For a list of VLAN IDs required by some service providers, see: Firebox T10-D VDSL and ADSL requirements by service provider

  • Firebox T10-D DSL Status
    The Status Report tab in Firebox System Manager shows DSL status:
    - DSL link status
    - DSL mode
    - DSL firmware version
    The same status information is available with the CLI command diagnose hardware dsl

  • What Else is New?

  • VPN Troubleshooting Help
    New troubleshooting guides for Mobile VPN with IPSec, SSL, L2TP, and PPTP, with tips to help resolve the most common mobile VPN configuration issues. Find them in the WatchGuard System Manager Help and Fireware XTM Web UI Help for each mobile VPN type.

  • Additional Resources

  • Additional Resources
    Information about the new and enhanced features included in this release is available from these resources on the Product Documentation pages of the WatchGuard website:
    From the Help systems:
    - WatchGuard System Manager Help > What’s New in This Release
    - Fireware XTM Web UI Help > What’s New in This Release
    - WatchGuard Dimension Help > What’s New in This Release
    The What’s New in This Release topics also include information about features and enhancements for recent previous releases.
    From the What’s New presentation:
    - What’s New in Fireware XTM v11.9.4

  • Thank You!