what's new in fireware v11.10
TRANSCRIPT
What’s New in What’s New in Fireware v11.10Fireware v11.10
WatchGuard Training
©2015 WatchGuard Technologies, Inc.
What’s New in v11.10
New Features • Policies by Domain Name• Bandwidth and time user quotas
Monitoring Enhancements• Review and reset user quota data• VPN diagnostic messages and report enhancements• Gateway Wireless Controller shows rogue access points and client
signal strength• Full Screen mode in FireWatch in Fireware XTM Web UI
Subscription Services Enhancement• Setup wizards for services now available in the Web UI
VPN Enhancements• Mobile VPN with SSL v11.10 clients for Windows and Mac OS X
WatchGuard Training 22
What’s New in v11.10
Certificate Management Enhancements• Manage certificates from the Web UI• Automatic CA certificate updates
Wireless Access Point Enhancements• Wireless traffic shaping• Time-based SSID Activation• Scheduled restarts of AP devices• Multiple AP device selection for AP actions• Enable rogue access point detection
SSO Enhancements• Exchange Monitor (EM) Exchange Server 2013 support• Clientless SSO for RDP logins• Traffic through BOVPN tunnels can use SSO• Support for switching between multiple users of the SSO Client
WatchGuard Training 33
What’s New in v11.10
RapidDeploy Enhancements • Improvements for CSV files on a USB drive
System Enhancements• NTP server
Networking Enhancements• Improved routing tables• Multiple servers for DHCP relay• DHCPv6 prefix delegation• ARP limit updates• XTM Configuration Report updates
Logging & Reporting Enhancements• Simultaneously send log messages to two Log Servers• Expanded information included in Device Feedback
What Else is New?• A comprehensive Help system with instructions for all Fireware management
UIs.
WatchGuard Training 44
New Feature — Policies by Domain New Feature — Policies by Domain NameName
WatchGuard Training
Policies by Domain Name
WatchGuard Training 66
You can now use FQDN (Fully Qualified Domain Names) in:• From and To lists in a policy• Aliases• Blocked Sites• Blocked Site Exceptions• Quota Exceptions
We recommend you use this feature to allow traffic to selected domains while blocking all other traffic. • Software update sites such as
Windows updates• Antivirus signature update sites
Useful for when sites are hosted on content delivery networks (CDNs) that frequently add and change IP addresses.
Domain Name Format
WatchGuard Training 77
You can use a specific FQDN (host.example.com) or a wildcard domain (*.example.com). For example, the wildcard domain *.example.com would include:• a.example.com• b.example.com• a.b.example.com
These wildcard entries are not supported:• *.*.example.com• example*.com• *. example.*.com• example.*.com
Policies by Domain Name
WatchGuard Training 88
How It Works• When you define an FQDN in your configuration, your Firebox
performs forward DNS resolution for the specified domain and stores the IP mappings.
• For wildcard domains such as *.example.com, the device performs forward DNS resolution on example.com and www.example.com.
• To resolve the subdomains implied by *.example.com, the device analyzes DNS replies that match your FQDN configuration.
• As DNS traffic passes through the Firebox, it stores the IP mapping responses to relevant queries.
Policies by Domain Name
WatchGuard Training 99
DNS Configuration• You must have a DNS server configured in the network settings of
your Firebox, or have the external interface set to DHCP or PPPoE to get a DNS configuration.
• All clients and your Firebox must use the same DNS server. If the client contains different IP and domain mappings than the Firebox,
the traffic will not match to the correct policy and could be allowed by a different policy, or dropped if no policy is matched.
• If clients try to reach an internal destination with an internal DNS server, the Firebox might not have an opportunity to analyze this traffic for local servers.
We recommend that if you use internal DNS server, they should be located on a different internal network than your clients so that the Firebox can see and analyze replies from the DNS server.
Policies by Domain Name
WatchGuard Training 1010
When you configure Domain Names, consider these possibilities:• An FQDN can correspond to multiple IP addresses — It is
possible that different DNS servers can return different IP address replies based on geographical location, time zone, load balancing configurations, and other factors.
• A specific IP address might map to several FQDN — When an FQDN address is resolved to an IP address, it is equivalent to having a firewall policy with that specific IP address in the policy. If another domain or subdomain also resolves to the same IP address, traffic to or from that domain will also match this policy.
• Multiple FQDN for the same site — Many website main pages pull data from other websites and second-level domains for images and other information. If you block all traffic and allow a specific FQDN, you must also allow any additional FQDN that are called by the main page. The Firebox will attempt to map IP addresses from second-level domains for a wildcard domain to provide the full content for a site.
Domain Names in Logging
Log messages show the domain names (including wildcard domains) that are matched in the log messages when a policy is applied to traffic by FQDN.
WatchGuard Training 1111
Domain Names in Reporting
Reports show the domain name that was matched when the policy was applied to traffic by FQDN.
WatchGuard Training 1212
Domain Names in Reporting
The Blocked Sites list identifies the IP addresses blocked by FQDN included in the configuration.
WatchGuard Training 1313
New Feature — QuotasNew Feature — Quotas
WatchGuard Training 1414
Bandwidth and Time Quotas
WatchGuard Training 1515
You can enable bandwidth and time usage quotas for users on your network for access to external sites.
Apply a daily limit to user Internet usage to enforce corporate acceptable use policies.
When users exceed the quota limit, a notification message appears in their web browsers and further access attempts are denied.
Bandwidth and Time Quotas
You can set these types of quotas:• Bandwidth — The bandwidth
quota is set in MB per day, and is enforced for all TCP and UDP traffic in both directions.
• Time — The time quota is set in minutes per day.
Both bandwidth and time quotas can be enabled at the same time, and the limit that is reached first is enforced.
WatchGuard Training 1616
Bandwidth and Time Quotas
Quota limits are applied to users and groups based on authentication to the Firebox.
For a quota to take effect, a user must be authenticated and match a configured policy defined with Firebox users and groups.
WatchGuard Training 1717
Bandwidth and Time Quotas
WatchGuard Training 1818
To enable bandwidth and time quotas, you must:• Enable quotas and create quota rules• Apply a quota action to a rule• Enable the quota rule in a policy
Enable time and bandwidth quotas Add a quota rule that defines applicable users and groups, and the
quota action to apply.
Bandwidth and Time Quotas
WatchGuard Training 1919
A quota action defines the bandwidth and time restrictions to apply to a quota rule.
Bandwidth and Time Quotas
WatchGuard Training 2020
Bandwidth and Time Quotas
To enforce a quota, a quota rule must be enabled for a specific policy.
The policy must be defined with users or groups to be able to apply a quota rule.
WatchGuard Training 2121
You can create exceptions to quotas so that any traffic to a specific destination address is not counted towards the usage quota.
Create exemptions for your company's own domains, or software and antivirus signature update sites.
Bandwidth and Time Quotas
WatchGuard Training 2222
Bandwidth and Time Quotas
Options to reset user quota data include:• Quota daily limits are automatically reset the next day (starting at
00:00)• Configuration changes automatically reset quotas for users and groups
that use the updated quota action• Reboot the Firebox• Manually reset quota data for specific users from the Web UI and FSM
WatchGuard Training 2323
Monitoring EnhancementsMonitoring Enhancements
WatchGuard Training 2424
Review & Reset Bandwidth and Time Quotas
WatchGuard Training 2525
Monitor user quota usage data in Fireware XTM Web UI and Firebox System Manager.• Fireware XTM Web UI — System Status > Quotas page• Firebox System Manager — Quotas tab
Quota data includes these details for each connected user:Quotas Page (Web UI) User Quotas Tab (FSM) Description
User User The user name of the connected user.
Auth Domain N/A The authentication domain through which the user is authenticated.
Quota Action Quota Action The quota action defined on your Firebox that applies to the user.
Used/Configured Bandwidth (per day)
Bandwidth Usage (per day)
The amount of bandwidth the user has already used and is allowed to use (used/allowed), for each day.
Used/Configured Time (per day) Time Usage (per day) The amount of time the user has already used and is
allowed to use (used/allowed), for each day.
Review & Reset Bandwidth and Time Quotas
WatchGuard Training 2626
Manually reset user quota data for specific users:1. Select one or more users.2. Click Reset Quota.
Gateway Wireless Controller — Rogue Access Points Use the Gateway Wireless
Controller Wireless Deployment Maps to scan for foreign wireless access points
See a list of rogue access points on the Foreign BSSIDs page
A rogue access point is any wireless access point within range of your network that is not recognized as an authorized access point.
Rogue access point can be installed by a malicious user, but could also be a device installed by someone inside your organization without consent.
WatchGuard Training 2727
Gateway Wireless Controller — Client Signal Strength The Gateway Wireless Controller in Fireware XTM Web UI and
Firebox System Manager now includes an indicator to show the wireless client signal strength.
WatchGuard Training 2828
Enhanced VPN Diagnostic Tools
VPN diagnostic messages • New VPN messages now indicate why a branch office VPN gateway or
tunnel failed, and can include information about what action to take to resolve the error.
• VPN diagnostic messages appear in three places in the UI: Firebox System Manager — Front Panel tab WatchGuard System Manager — Device Status tab Fireware XTM Web UI — System Status > VPN Statistics page
Enhanced VPN Diagnostic Report• Performs more checks to identify many of the most common VPN
issues• Provides more actionable information
WatchGuard Training 2929
VPN Diagnostic Messages
VPN diagnostic messages appear below the gateway in the Web UI and FSM.• Messages can be for
a specific tunnel or gateway endpoint.
Errors• Error status — Web
UI• Red text — FSM and
WSM. Warnings
• Warning status — Web UI.
• Orange text — FSM and WSM.
WatchGuard Training 3030
VPN Diagnostic Report Enhancements
Improved VPN Diagnostic Report• The VPN Diagnostic Report now does more extensive diagnostics
checks, and provides more information.• The report includes three new sections:
[Conclusion] — This section at the top summarizes what was observed, lists any detected errors, and includes suggestions of next steps to troubleshoot the VPN.
[Address Pairs in Firewalld] — This section shows the address pairs and the traffic direction (IN, OUT, or BOTH).
[Policy checker result] — This section shows policy checker results for policies that manage traffic for each tunnel route.
The VPN Diagnostic Report is now available in the Fireware XTM Web UI on the System Status > VPN Statistics page, as well as on the System Status > Diagnostics page.
WatchGuard Training 3131
Branch Office VPN Troubleshooting Tips
For any branch office VPN, you can run reports and monitor error messages on both endpoint devices—the initiator and the responder.• The initiator is the endpoint that starts the tunnel negotiation• The responder receives the proposal and accepts or rejects the
proposed tunnel settings from the initiator For troubleshooting VPN negotiation, run the VPN Diagnostic
Report or look at the VPN diagnostic messages on the responder.• The responder has more information about settings that do not match.
On the responder, VPN diagnostic errors include more detailed information about what setting the initiator proposed, and what setting was expected.
• The initiator does not know what settings were expected.
WatchGuard Training 3232
VPN Troubleshooting in Firebox System Manager Example — VPN diagnostic message for a mismatched Phase 2
proposal • VPN diagnostic message on
the initiator:“Received ‘No Proposal Chosen’ message. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.”
• The VPN diagnostic message on the responder is moreinformative:
“Received ESP encryption 3DES, expecting AES”
The same messages appear in the VPN Diagnostic Report.• To run the report, right-click
the gateway and select VPN Diagnostic Report.
WatchGuard Training 3333
Initiator
Responder
VPN Diagnostic Messages in the Web UI
VPN diagnostic messages appear in the System Status > VPN Statistics page.
WatchGuard Training 3434
VPN Diagnostic Report in the Web UI
To run the VPN Diagnostic Report from the System Status > VPN Statistics page:• On the Branch
Office VPN tab, click Debug for a Gateway.
• Or, select the Debug tab, select the gateway, and click Start Report.
WatchGuard Training 3535
Routes Table Updates
In Fireware XTM Web UI, the Routes table in System Status > Routes includes these updates:• Filter routes by:
IP address type (IPv4, IPv6, or both — IPv6 is new) Route Type (Connected, Static, Dynamic, VPN) Interface (Select the interface) Destination (Type a valid IPv4 network address)
The Routes table shows the first 100 routes that match the filter criteria.
WatchGuard Training 3636
Routes Table Updates
The Firebox System Manager Status Report tab now includes two route tables.• IPv4 Routes — Shows the first 100 IPv4 routes (all routes, including
static, dynamic, and VPN routes).• IPv6 Routes — Shows the first 100 IPv6 routes (all routes, including
static, dynamic, and VPN routes). Route table includes the same
information as the output of the CLI “show ip route” and “show v6 ip route” commands.
These two route tables replace the four route tables that previously appeared in the Status Report (main, ethx.out, any.out, and zebra).
WatchGuard Training 3737
FireWatch Enhancements
FireWatch can now be viewed in Full Screen mode in Fireware XTM Web UI
Full Screen mode options include:• Select to include one or more groups in the display• Specify the information refresh rate• The settings controls are hidden after a period of time• Select all standard filters• See information in bytes for all groups except WebBlocker, which
appears in number of connections
WatchGuard Training 3838
FireWatch Enhancements
Select group, data, and refresh options in Full Screen Mode
WatchGuard Training 3939
FireWatch Enhancements
Select which group information appears:• Source• Destination• Applications• Policies• Interface (In) • Interface (Out)
Select the type of data that appears:• Rate• Bytes• Connection• Duration
WatchGuard Training 4040
Subscription Services EnhancementsSubscription Services Enhancements
WatchGuard Training 4141
Subscription Services Setup Wizards
New Web UI activation wizards that guide you through the steps to enable these Subscription Services and create a basic configuration:• spamBlocker• WebBlocker• Gateway AntiVirus• Intrusion Prevention
WatchGuard Training 4242
Signature Update Warnings
New warnings displayed for services when automatic signature updates are disabled.• IPS• Gateway AntiVirus• Application Control• DLP
WatchGuard Training 4343
VPN EnhancementsVPN Enhancements
WatchGuard Training 4444
Updates to Mobile VPN with SSL Clients
Updated WatchGuard Mobile VPN with SSL clients for Windows and Mac OS X• Both clients now use OpenVPN 2.3.6• Both clients now support more than 24 routes• The Windows client now includes the TAP driver for Windows 8.1
WatchGuard Training 4545
Certificate Management EnhancementsCertificate Management Enhancements
WatchGuard Training 4646
Manage Certificates from the Web UI
You can now perform all the same certificate management tasks from the Web UI that are available in Firebox System Manager. • Delete, Install, and
export certificates• View certificate
details• Import CRLs• Create CSRs
(certificate signing requests)
WatchGuard Training 4747
Automatic CA Certificate Updates
Automatically get new versions of the trusted CA certificates stored on the device and automatically install the new certificates.
Ensures all trusted CA certificates on your device are the latest version.
Expired certificates are updated, and new trusted CA certificates are added to your device.
Updated certificates are downloaded from a secure WatchGuard server.
WatchGuard Training 4848
Wireless Access Point EnhancementsWireless Access Point Enhancements
WatchGuard Training 4949
Wireless AP Enhancements
WatchGuard Training 5050
Wireless traffic shaping Time-based SSID Activation Scheduled restarts of AP devices Multiple AP device selection for AP actions Enable rogue access point detection
Wireless Traffic Shaping
Configure traffic rate shaping for each wireless SSID.
Traffic shaping is for wireless download traffic only.• Base rate — The base
throughput rate for the SSID. Not allowed to exceed this limit except for burst activity.
• Ceiling rate — The hard limit throughput rate for the SSID. This limit includes burst activity.
• Burst — The maximum number of kilobytes allowed beyond the base rate.
WatchGuard Training 5151
Time-based SSID Activation
Enable SSIDs for specific time periods.
Limits access to the SSID based on the start and end times you configure.
WatchGuard Training 5252
Scheduled Restarts of AP Devices
Restart wireless services or reboot all of your AP devices at scheduled times on a daily or weekly basis.
Refreshes the AP device and makes sure the device configuration and all access control lists are up to date.
Automatically updates wireless channel selection.
AP devices are restarted in 90 second intervals to make sure they are not all restarted at the same time.
WatchGuard Training 5353
Multiple AP Device Selection for AP Actions
You can select multiple AP devices to complete reboot, upgrade, and restart wireless actions.
WatchGuard Training 5454
Enable Rogue Access Point Detection
Enable rogue access point detection for each SSID.
Add known device MAC addresses to the exceptions list so they are not considered a rogue access point.
WatchGuard Training 5555
SSO EnhancementsSSO Enhancements
WatchGuard Training 5656
Single Sign-On Enhancements
Single Sign-On Enhancements include:• Support for Microsoft Exchange Server 2013 for the SSO Exchange
Monitor .NET Framework v3.5 required on Exchange Server 2013 server
• Clientless SSO for RDP logins Event Log Monitor now recognizes both logon and logoff events for RDP
connections and reports this information to the SSO Agent, which sends the events to the Firebox.
The Firebox opens and closes user sessions based on the logon and logoff event reports from the Event Log Monitor.
• Traffic through BOVPN tunnels can now use Single Sign-On (SSO Client only)
• Support for switching between multiple users of the SSO Client on Windows Vista, 2008, 2012, 7, 8, and 8.1
WatchGuard Training 5757
Single Sign-On Enhancements
New Enable SSO through BOVPN tunnels option allows users of BOVPN tunnels to use SSO for network connections
WatchGuard Training 5858
RapidDeploy EnhancementsRapidDeploy Enhancements
WatchGuard Training 5959
RapidDeploy CSV File — Change External Interface You can now use a CSV file to change the external interface
number. A device that starts with factory-default settings can automatically
configure the external interface from settings in a CSV file on a connected USB drive. • Previously, the only valid interface you could specify in the CSV file was
0.• A device that uses Fireware v11.10 now supports interface numbers
other than 0.• The format of the CSV file did not change. • This is most often used for RapidDeploy.
Example line in a CSV file to configure interface 2 as the external interface:70XX00777X777,2,ext,Static,203.0.113.20/24,203.0.113.1,198.51.100.20
WatchGuard Training 6060
System EnhancementsSystem Enhancements
WatchGuard Training 6161
NTP Server
After you enable a Firebox to use NTP, you can enable the device as an NTP server.• When you enable the device as
an NTP server, the NTP Server policy is automatically created.
• The NTP Server policy allows connections to the NTP server from clients on the trusted and optional networks.
Configure NTP clients to get the date and time from the interface IP address or domain name of the Firebox.
WatchGuard Training 6262
Networking EnhancementsNetworking Enhancements
WatchGuard Training 6363
Multiple Servers for DHCP Relay
In the DHCP Relay settings, you can now add the IP addresses of up to three DHCP servers.• Previously you could configure
only one IP address for DHCP Relay.
The Firebox relays DHCP requests to the IP addresses of all DHCP servers.
WatchGuard Training 6464
DHCPv6 Prefix Delegation
You can enable DHCPv6 Client Prefix Delegation on an external interface. • The device requests an IPv6
prefix from a DHCPv6 server.• You can use the delegated
prefix when you configure IPv6 addresses on trusted, optional, and custom interfaces.
DHCP prefix delegation isdescribed in RFC 3633.
WatchGuard Training 6565
DHCPv6 Prefix Delegation
The delegated prefix appears on the Front Panel tab of Firebox System Manager.
WatchGuard Training 6666
DHCPv6 Prefix Delegation
You can use the delegated prefix for a trusted, optional or custom interface.• Static IPv6 interface IP address• IPv6 prefix advertisement• DHCPv6 address pool• DHCPv6 reserved addresses
Select Use delegated prefix.• The delegated prefix name appears
as the first part of the IPv6 address.• The prefix name includes the external
interface device name, followed by “_prefix”. For example “eth0_prefix”.
• Type the subnet in the adjacent text box.
WatchGuard Training 6767
Delegated prefix in the DHCPv6 address pool
Delegated prefix in a static IPv6 address
DHCPv6 Prefix Delegation
WatchGuard Training 6868
You can also enable the DHCPv6server on an interface to delegateprefixes to DHCPv6 clients.• Add prefixes to the Prefix
Pool.• To reserve a specific prefix for
a client, add the prefix to the Reserved Addresses and Prefixes list.
Improved Route Tables — Command Line Interface To see the first 100 IPv4 routes, use the “show ip route” command• Replaces the “show route” command• Output is easier to read than the output of the old show route command
WG>show ip routeKernel IP routing tableDestination Gateway Genmask Interface Flags Metric0.0.0.0 203.0.113.1 0.0.0.0 eth0 UG 510.0.70.0 0.0.0.0 255.255.255.0 eth1 U 010.0.71.0 0.0.0.0 255.255.255.0 eth1 U 010.0.78.0 0.0.0.0 255.255.255.0 vlan10 U 010.0.79.0 0.0.0.0 255.255.255.0 br0 U 010.10.10.0 0.0.0.0 255.255.255.0 ath1 U 0127.0.0.0 0.0.0.0 255.0.0.0 lo U 0192.168.113.0 0.0.0.0 255.255.255.0 tun0 U 0203.0.113.0 0.0.0.0 255.255.255.0 eth0 U 0
• Use command options to filter the route table (same filters as in the Web UI)WG>show ip route ? <cr> Carriage return <net> IP subnet for the destination <A.B.C.D/(1-32)> connected Connected routes dynamic Dynamic routes ifname Interface device name static Static routes vpn VPN routes
WatchGuard Training 6969
Improved Route Tables — Command Line Interface To see the first 100 IPv6 routes use “show v6 ip route”• Output — no change from 11.9.xWG>show v6 ip routeKernel IPv6 routing tableDestination Next Hop Interface Flags Metric2001::/64 :: vlan10 U 256fe80::/64 :: vlan10 U 256
• New command options to filter the route table (same filters as in the Web UI)WG>show v6 ip route ? <cr> Carriage return <netipv6> IPv6 subnet for the destination <A:B:C:D:E:F:G:H/I> <A::G:H/I> <::H/I> connected Connected routes dynamic Dynamic routes ifname Interface device name static Static routes vpn VPN routes
WatchGuard Training 7070
Updated XTM Configuration Report
The XTM Configuration Report available from the Fireware Web UI now includes information about Default Packet Handling and FireCluster configuration settings.
WatchGuard Training 7171
Logging & Reporting EnhancementsLogging & Reporting Enhancements
WatchGuard Training 7272
Logging Enhancements
Simultaneously send Log Messages to two WatchGuard Log Servers• Two different WatchGuard Log Servers — Dimension or WSM Log
Servers• Configure two sets of Log Servers• Add primary and backup servers for each Log Server set
WatchGuard Training 7373
Logging Enhancements
Fireware XTM Web UI — Logging > Log Servers 1 & Log Servers 2 tabs
WatchGuard Training 7474
Logging Enhancements
Policy Manager — Logging Setup > Configure > Log Servers 1 & Log Servers 2 tabs
WatchGuard Training 7575
Device Feedback Report Enhancements
New information in the Device Feedback sent to WatchGuard includes:• Start and end time stamps for the feedback data sent to WatchGuard• Peak proxy connection limit usage• Number of proxy actions with Subscription Services enabled in the
configuration• Subscription Services details include:
Whether the service is enabled Counts of the number of events for each service enabled on the Firebox A list of the events triggered on the Firebox for each service (includes the
source IP address, protocol, and threat level of the event).
WatchGuard Training 7676
What Else is New?What Else is New?
WatchGuard Training 7777
Integrated Fireware Help
The v11.10 release includes the first iteration of a comprehensive online-only Help system for Fireware with integrated instructions for all Fireware management UIs.
Includes context-sensitive help topics for these management and monitoring tools:• Fireware XTM Web UI• WatchGuard System Manager & all WSM tools• WatchGuard Dimension• WatchGuard WebCenter• WatchGuard Server Center & WatchGuard servers• WatchGuard Deployment Center (RapidDeploy)
WatchGuard Training 7878
Additional ResourcesAdditional Resources
WatchGuard Training 7979
Additional Resources
Information about the new and enhanced features included in this release is available from these resources on the Product Documentation pages of the WatchGuard website:• From the Help systems:
Fireware Help — What’s New in This Release• From the What’s New presentation:
What’s New in Fireware v11.10
WatchGuard Training 8080
Thank You!Thank You!
WatchGuard Training 8181