Fireware v11.10.7 Release Notes

Supported Devices: Firebox T10, T30, T50, Firebox M200, M300, M400, M440, M500, M4600, M5600; XTM 3, 5, 8, 800, 1500, and 2500 Series; XTM 25, XTM 26, XTM 1050, XTM 2050; XTMv, WatchGuard AP
Release Date: 24 March 2016
Release Notes Revision Date: 11 May 2016
Fireware OS Build: 498658
WatchGuard System Manager Build: 497557
WatchGuard AP Device Firmware: For AP 100, 102, 200: Build 1.2.9.6 (151211); For AP 300: Build 2.0.0.1 (151216)
Introduction
WatchGuard is pleased to announce the release of Fireware v11.10.7 and WatchGuard System Manager
v11.10.7. This maintenance release includes many bug fixes and several small feature enhancements,
including:
- Enhancements to the device configuration template available from the WatchGuard Management Server, as well as the ability to generate configuration reports for centrally managed Firebox devices
- Support for the Huawei E3372, Huawei E8372, and D-Link DWM-221 USB modems
For more information on the bug fixes and enhancements in this release, see the Enhancements and Resolved
Issues section. For more detailed information about the feature enhancements and functionality changes
included in Fireware v11.10.7, see the product documentation or review What's New in Fireware v11.10.7.
Important Information about Firebox Certificates
SHA-1 is being deprecated by many popular web browsers, and WatchGuard recommends that you now use
SHA-256 certificates. Because of this, we have upgraded our default Firebox certificates. Starting with
Fireware v11.10.4, all newly generated default Firebox certificates use a 2048-bit key length. In addition, newly
generated default Proxy Server and Proxy Authority certificates use SHA-256 for their signature hash
algorithm. Starting with Fireware v11.10.5, all newly generated default Firebox certificates use SHA-256 for
their signature hash algorithm. New CSRs created from the Firebox also use SHA-256 for their signature hash
algorithm.
Default certificates are not automatically upgraded after you upgrade from Fireware v11.10.4 or lower to Fireware
v11.10.5 or higher.
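One way to find which certificates still need to be regenerated, as an added example (not WatchGuard code): a small DER reader that reports a certificate's signature algorithm and RSA key size and flags SHA-1 signatures and keys shorter than 2048 bits. The function names and the sample certificates from build_sample_cert are constructed for illustration; the 1024-bit sample key size is an assumption, not a value from these notes.

```python
SIG_ALGS = {  # signature algorithm OIDs
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
RSA_OID = "1.2.840.113549.1.1.1"  # rsaEncryption
MIN_RSA_BITS = 2048
PKCS1 = bytes.fromhex("2a864886f70d0101")  # DER bytes of arc 1.2.840.113549.1.1


def read_tlv(buf, pos=0):
    """Decode one DER element at pos and return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the body of a constructed element into (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        items.append((tag, val))
    return items


def decode_oid(val):
    """Convert DER OID content bytes to dotted notation."""
    first = min(val[0] // 40, 2)
    arcs, n = [first, val[0] - 40 * first], 0
    for b in val[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit marks the last octet of an arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def audit_certificate(der):
    """Return (signature_algorithm, rsa_bits, findings) for one DER certificate."""
    tag, cert, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER-encoded certificate")
    (_, tbs), (_, sig_alg) = children(cert)[:2]
    oid = decode_oid(children(sig_alg)[0][1])
    name = SIG_ALGS.get(oid, oid)
    fields = children(tbs)
    if fields[0][0] == 0xA0:  # optional explicit [0] version field
        fields = fields[1:]
    # Remaining order: serial, signature, issuer, validity, subject, SPKI
    (_, key_alg), (_, key_bits) = children(fields[5][1])
    bits = None
    if decode_oid(children(key_alg)[0][1]) == RSA_OID:
        # BIT STRING: skip the unused-bits octet, then read RSAPublicKey
        _, rsa_key, _ = read_tlv(key_bits, 1)
        bits = int.from_bytes(children(rsa_key)[0][1], "big").bit_length()
    findings = []
    if name.startswith("sha1"):
        findings.append("SHA-1 signature")
    if bits is not None and bits < MIN_RSA_BITS:
        findings.append(f"RSA key is {bits} bits, below {MIN_RSA_BITS}")
    return name, bits, findings


def tlv(tag, value):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value


def build_sample_cert(sig_arc, rsa_bits):
    """Constructed sample: structurally valid certificate with a dummy signature."""
    alg = tlv(0x30, tlv(0x06, PKCS1 + bytes([sig_arc])) + tlv(0x05, b""))
    modulus = ((1 << (rsa_bits - 1)) | 1).to_bytes(rsa_bits // 8 + 1, "big")
    rsa_key = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, PKCS1 + b"\x01") + tlv(0x05, b""))
               + tlv(0x03, b"\x00" + rsa_key))
    name = tlv(0x30, b"")
    validity = tlv(0x30, tlv(0x17, b"160324000000Z") * 2)
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + name + validity + name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, bytes(rsa_bits // 8 + 1)))


if __name__ == "__main__":
    for arc, bits in ((0x05, 1024), (0x0B, 2048)):  # constructed samples
        print(audit_certificate(build_sample_cert(arc, bits)))
```

To audit a real certificate, export it in DER form and pass the file's bytes to audit_certificate.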
To regenerate any default Firebox certificates, delete the certificate and reboot the Firebox. If you want to
regenerate default certificates without a reboot, you can use the CLI commands described in the next section.
Before you regenerate the Proxy Server or Proxy Authority certificates, there are some important things to
know.
The Proxy Server certificate is used for inbound HTTPS with content inspection and SMTP with TLS
inspection. The Proxy Authority certificate is used for outbound HTTPS with content inspection. The two
certificates are linked because the default Proxy Server certificate is signed by the default Proxy Authority
certificate. If you use the CLI to regenerate these certificates, after you upgrade, you must redistribute the new
Proxy Authority certificate to your clients or users will receive web browser warnings when they browse
HTTPS sites, if content inspection is enabled.
Also, if you use a third-party Proxy Server or Proxy Authority certificate:
- The CLI command will not work unless you first delete either the Proxy Server or Proxy Authority certificate. The CLI command will regenerate both the Proxy Server and Proxy Authority default certificates.
- If you originally used a third-party tool to create the CSR, you can simply re-import your existing third-party certificate and private key.
- If you originally created your CSR from the Firebox, you must create a new CSR to be signed, and then import a new third-party certificate.
CLI Commands to Regenerate Default Firebox Certificates
To regenerate any default Firebox certificates, delete the certificate and reboot the Firebox. If you want to
regenerate default certificates without a reboot, you can use these CLI commands:
- To upgrade the default Proxy Authority and Proxy Server certificates for use with HTTPS content inspection, you can use the CLI command: upgrade certificate proxy
- To upgrade the Firebox web server certificate, use the CLI command: upgrade certificate web
- To upgrade the SSLVPN certificate, use the CLI command: upgrade certificate sslvpn
- To upgrade the 802.1x certificate, use the CLI command: upgrade certificate 8021x
For more information about the CLI, see the Command Line Interface Reference.
WatchGuard Technologies, Inc.
Before You Begin
Before you install this release, make sure that you have:
- A supported WatchGuard Firebox or XTM device. This device can be a WatchGuard Firebox T10, T30, T50, XTM 2 Series (models 25 and 26 only), 3 Series, 5 Series, 8 Series, 800 Series, XTM 1050, XTM 1500 Series, XTM 2050 device, XTM 2500 Series, Firebox M200, M300, M400, M500, M440, M4600, M5600, or XTMv (any edition).
- The required hardware and software components as shown below. If you use WatchGuard System Manager (WSM), make sure your WSM version is equal to or higher than the version of Fireware OS installed on your Firebox or XTM device and the version of WSM installed on your Management Server.
- Feature key for your Firebox or XTM device — If you upgrade your device from an earlier version of Fireware OS, you can use your existing feature key. If you do not have a feature key for your device, you can log in to the WatchGuard website to download it.
Note that you can install and use WatchGuard System Manager v11.10.7 and all WSM server components with
devices running earlier versions of Fireware v11. In this case, we recommend that you use the product
documentation that matches your Fireware OS version.
If you have a new Firebox or XTM physical device, make sure you use the instructions in the Quick Start Guide
that shipped with your device. If this is a new XTMv installation, make sure you carefully review the XTMv
Setup Guide for important installation and setup instructions. We also recommend that you review the
Hardware Guide for your Firebox or XTM device model. The Hardware Guide contains useful information about
your device interfaces, as well as information on resetting your device to factory default settings, if necessary.
Product documentation for all WatchGuard products is available on the WatchGuard web site at
www.watchguard.com/help/documentation.
Localization
This release includes localized management user interfaces (WSM application suite and Web UI) current as of
Fireware v11.10.2. UI changes introduced since v11.10.2 may remain in English. Supported languages are:
- French (France)
- Japanese
- Spanish (Latin American)
Note that most data input must still be made using standard ASCII characters. You can use non-ASCII
characters in some areas of the UI, including:
- Proxy deny message
- Wireless hotspot title, terms and conditions, and message
- WatchGuard Server Center users, groups, and role names
Any data returned from the device operating system (e.g. log data) is displayed in English only. Additionally, all
items in the Web UI System Status menu and any software components provided by third-party companies
remain in English.
Fireware Web UI
The Web UI will launch in the language you have set in your web browser by default.
WatchGuard System Manager
When you install WSM, you can choose what language packs you want to install. The language displayed in
WSM will match the language you select in your Microsoft Windows environment. For example, if you use
Windows 7 and want to use WSM in Japanese, go to Control Panel > Regions and Languages and select
Japanese on the Keyboards and Languages tab as your Display Language.
Dimension, WebCenter, Quarantine Web UI, and Wireless Hotspot
These web pages automatically display in whatever language preference you have set in your web browser.
Fireware and WSM v11.10.7 Operating System Compatibility
Last revised: 11 March 2016
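[Table: operating system compatibility by WSM/Fireware component. The support mark in each cell is not reproduced here.]
Operating systems (columns):
- Microsoft Windows 7, 8, 8.1, 10 (32-bit & 64-bit)
- Microsoft Windows Server 2012 & 2012 R2 (64-bit)
- Microsoft Windows Server 2008 & 2008 R2
- Mac OS X v10.9, v10.10, v10.11
- Android 4.x & 5.x
- iOS v7, v8, & v9
WSM/Fireware components (rows):
- WatchGuard System Manager
- WatchGuard Servers (For information on WatchGuard Dimension, see the Dimension Release Notes.)
- Single Sign-On Agent (Includes Event Log Monitor)
- Single Sign-On Client
- Single Sign-On Exchange Monitor [1]
- Terminal Services Agent [2]
- Mobile VPN with IPSec
- Mobile VPN with SSL
Cells in the two Mobile VPN rows carry references to notes [3] and [4].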
Notes about Microsoft Windows support:
- For Microsoft Windows Server 2008, we support both 32-bit and 64-bit. For Windows Server 2008 R2, we support 64-bit only.
- Windows 8.x support does not include Windows RT.
- Windows Exchange Server 2013 is supported if you install Windows Server 2012 or 2012 R2 and .NET Framework 3.5.
The following browsers are supported for both Fireware Web UI and WebCenter (JavaScript required):
- IE 9 and later
- Microsoft Edge
- Firefox v22 and later
- Safari 6 and later
- Safari iOS 6 and later
- Chrome v29 and later
[1] Microsoft Exchange Server 2007, 2010, and 2013 are supported.
[2] Terminal Services support with manual or Single Sign-On authentication operates in a Microsoft Terminal Services or Citrix XenApp 4.5, 5.0, 6.0, 6.5 and 7.6 environment.
[3] Native (Cisco) IPSec client and OpenVPN are supported for Mac OS and iOS. For Mac OS X 10.8 - 10.10, we also support the WatchGuard IPSec Mobile VPN Client for Mac, powered by NCP.
[4] Mobile VPN with SSL on Windows 7 requires TLS 1.1 or 1.2, which may not be enabled on all systems.
Authentication Support
This table gives you a quick view of the types of authentication servers supported by key features of Fireware.
Using an authentication server gives you the ability to configure user and group-based firewall and VPN policies
in your Firebox or XTM device configuration. With each type of third-party authentication server supported, you
can specify a backup server IP address for failover.
Legend (the symbols are not reproduced here):
- Fully supported by WatchGuard
- Not yet supported, but tested with success by WatchGuard customers
[Table: authentication server support by feature. The support mark, dash or N/A in each cell, and the cell-level references to notes 3 and 5, are not reproduced here.]
Authentication servers (columns):
- Active Directory (note 1)
- LDAP
- RADIUS (note 2)
- SecurID (note 2)
- Firebox (Firebox-DB) Local Authentication
Features (rows):
- Mobile VPN with IPSec/Shrew Soft
- Mobile VPN with IPSec/WatchGuard client (NCP)
- Mobile VPN with IPSec for iOS and Mac OS X native VPN client
- Mobile VPN with IPSec for Android devices
- Mobile VPN with SSL for Windows
- Mobile VPN with SSL for Mac
- Mobile VPN with SSL for iOS and Android devices
- Mobile VPN with L2TP
- Mobile VPN with PPTP
- Built-in Authentication Web Page on Port 4100
- Single Sign-On Support (with or without client software)
- Terminal Services Manual Authentication
- Terminal Services Authentication with Single Sign-On (note 4)
- Citrix Manual Authentication
- Citrix Manual Authentication with Single Sign-On (note 4)
1. Active Directory support includes both single domain and multi-domain support, unless otherwise noted.
2. RADIUS and SecurID support includes support for both one-time passphrases and challenge/response
authentication integrated with RADIUS. In many cases, SecurID can also be used with other RADIUS
implementations, including Vasco.
3. Fireware supports RADIUS Filter ID 11 for group authentication.
4. Both single and multiple domain Active Directory configurations are supported. For information about the
supported Operating System compatibility for the WatchGuard TO Agent and SSO Agent, see the current
Fireware and WSM Operating System Compatibility table.
5. Active Directory authentication methods are supported only through a RADIUS server.
System Requirements
Requirement | If you have WatchGuard System Manager client software only installed | If you install WatchGuard System Manager and WatchGuard Server software
Minimum CPU | Intel Core or Xeon 2GHz | Intel Core or Xeon 2GHz
Minimum Memory | 1 GB | 2 GB
Minimum Available Disk Space | 250 MB | 1 GB
Minimum Recommended Screen Resolution | 1024x768 | 1024x768
XTMv System Requirements
With support for installation in both a VMware and a Hyper-V environment, a WatchGuard XTMv virtual
machine can run on a VMware ESXi 4.1, 5.0, 5.1, 5.5, or 6.0 host, or on Windows Server 2008 R2, Windows
Server 2012, Hyper-V Server 2008 R2, or Hyper-V Server 2012.
The hardware requirements for XTMv are the same as for the hypervisor environment it runs in.
Each XTMv virtual machine requires 3 GB of disk space.
Recommended Resource Allocation Settings
Setting | Small Office | Medium Office | Large Office | Datacenter
Virtual CPUs | 1 | 2 | 4 | 8 or more
Memory | 1 GB | 2 GB | 4 GB | 4 GB or more
Downloading Software
You can download software from the WatchGuard Software Downloads Center.
There are several software files available for download with this release. See the descriptions below so you
know what software packages you will need for your upgrade.
WatchGuard System Manager
With this software package you can install WSM and the WatchGuard Server Center software:
WSM11_10_7.exe — Use this file to install WSM v11.10.7 or to upgrade WatchGuard System Manager
from v11.x to WSM v11.10.7.
Fireware OS
Select the correct Fireware OS image for your Firebox or XTM device. Use the .exe file if you want to install or
upgrade the OS using WSM. Use the .zip file if you want to install or upgrade the OS using the Fireware Web
UI. Use the .ova or .vhd file to deploy a new XTMv device.
If you have… | Select from these Fireware OS packages
Firebox M5600 | Firebox_OS_M4600_M5600_11_10_7.exe, firebox_M4600_M5600_11_10_7.zip
Firebox M4600 | Firebox_OS_M6400_M5600_11_10_7.exe, firebox_M4600_M6500_11_10_7.zip
XTM 2500 Series | XTM_OS_XTM800_1500_2500_11_10_7.exe, xtm_xtm800_1500_2500_11_10_7.zip
XTM 2050 | XTM_OS_XTM2050_11_10_7.exe, xtm_xtm2050_11_10_7.zip
XTM 1500 Series | XTM_OS_XTM800_1500_2500_11_10_7.exe, xtm_xtm800_1500_2500_11_10_7.zip
XTM 1050 | XTM_OS_XTM1050_11_10_7.exe, xtm_xtm1050_11_10_7.zip
XTM 800 Series | XTM_OS_XTM800_1500_2500_11_10_7.exe, xtm_xtm800_1500_2500_11_10_7.zip
XTM 8 Series | XTM_OS_XTM8_11_10_7.exe, xtm_xtm8_11_10_7.zip
Firebox M500 Series | Firebox_OS_M400_M500_11_10_7.exe, firebox_M400_M500_11_10_7.zip
XTM 5 Series | XTM_OS_XTM5_11_10_7.exe, xtm_xtm5_11_10_7.zip
Firebox M440 | Firebox_OS_M440_11_10_7.exe, firebox_M440_11_10_7.zip
Firebox M400 Series | Firebox_OS_M400_M500_11_10_7.exe, firebox_M400_M500_11_10_7.zip
Firebox M300 | Firebox_OS_M200_M300_11_10_7.exe, firebox_M200_M300_11_10_7.zip
Firebox M200 | Firebox_OS_M200_M300_11_10_7.exe, firebox_M200_M300_11_10_7.zip
XTM 330 | XTM_OS_XTM330_11_10_7.exe, xtm_xtm330_11_10_7.zip
XTM 33 | XTM_OS_XTM3_11_10_7.exe, xtm_xtm3_11_10_7.zip
XTM 2 Series, Models 25, 26 | XTM_OS_XTM2A6_11_10_7.exe, xtm_xtm2a6_11_10_7.zip
Firebox T30 | Firebox_OS_T30_T50_11_10_7.exe, firebox_T30_T50_11_10_7.zip
Firebox T50 | Firebox_OS_T30_T50_11_10_7.exe, firebox_T30_T50_11_10_7.zip
Firebox T10 | Firebox_OS_T10_11_10_7.exe, firebox_T10_11_10_7.zip
XTMv, All editions for VMware | xtmv_11_10_7.ova, xtmv_11_10_7.exe, xtmv_11_10_7.zip
XTMv, All editions for Hyper-V | xtmv_11_10_7_vhd.zip, xtmv_11_10_7.exe, xtmv_11_10_7.zip
Single Sign-On Software
These files are available for Single Sign-On. No files have been updated with the v11.10.7 release.
- WG-Authentication-Gateway_11_10_4.exe (SSO Agent software - required for Single Sign-On and includes optional Event Log Monitor for clientless SSO)
- WG-Authentication-Client_11_9_4.msi (SSO Client software for Windows)
- WG-SSOCLIENT-MAC_11_10.dmg (SSO Client software for Mac OS X)
- SSOExchangeMonitor_x86_11_10_4.exe (Exchange Monitor for 32-bit operating systems)
- SSOExchangeMonitor_x64_11_10_4.exe (Exchange Monitor for 64-bit operating systems)
For information about how to install and set up Single Sign-On, see the product documentation.
Terminal Services Authentication Software
- TO_AGENT_SETUP_11_10_4.exe (This installer includes both 32-bit and 64-bit file support.)
Mobile VPN with SSL Client for Windows and Mac
There are two files available for download if you use Mobile VPN with SSL. There are no updates with the
v11.10.7 release.
- WG-MVPN-SSL_11_10_4.exe (Client software for Windows)
- WG-MVPN-SSL_11_10_4.dmg (Client software for Mac)
Mobile VPN with IPSec client for Windows and Mac
There are several available files to download. There are no updates with the v11.10.7 release.
Shrew Soft Client
- Shrew Soft Client 2.2.2 for Windows - No client license required.
WatchGuard IPSec Mobile VPN Clients
- WatchGuard IPSec Mobile VPN Client for Windows (32-bit), powered by NCP - There is a license required for this premium client, with a 30-day free trial available with download.
- WatchGuard IPSec Mobile VPN Client for Windows (64-bit), powered by NCP - There is a license required for this premium client, with a 30-day free trial available with download.
- WatchGuard IPSec Mobile VPN Client for Mac OS X, powered by NCP - There is a license required for this premium client, with a 30-day free trial available with download.
WatchGuard Mobile VPN License Server
- WatchGuard Mobile VPN License Server (MVLS) v2.0, powered by NCP - Click here for more information about MVLS.
Upgrade to Fireware v11.10.7
Before you upgrade to Fireware v11.10.x, your Firebox must be running:
- Fireware XTM v11.7.5
- Fireware XTM v11.8.4
- Fireware XTM v11.9 or higher
If you try to upgrade from Policy Manager and your Firebox is running an unsupported version,
the upgrade is prevented.
If you try to schedule an OS update of managed devices through a Management Server, the
upgrade is also prevented.
If you use the Fireware Web UI to upgrade your device, you see a warning, but it is possible to
continue. You must make sure your Firebox is running v11.7.5, v11.8.4, or v11.9.x before
you upgrade to Fireware v11.10.x, or your Firebox will be reset to a default state.
Before you upgrade from Fireware v11.x to Fireware v11.10.7, download and save the Fireware OS file that
matches the Firebox you want to upgrade. You can use Policy Manager or the Web UI to complete the upgrade
procedure. We strongly recommend that you back up your Firebox configuration and your WatchGuard
Management Server configuration before you upgrade. It is not possible to downgrade without these backup
files.
If you use WatchGuard System Manager (WSM), make sure your WSM version is equal to or higher than the
version of Fireware OS installed on your Firebox and the version of WSM installed on your Management Server.
Also, make sure to upgrade WSM before you upgrade the version of Fireware OS on your Firebox.
If you want to upgrade an XTM 2 Series, 3 Series, or 5 Series device, we recommend that you
reboot your Firebox before you upgrade. This clears your device memory and can prevent many
problems commonly associated with upgrades in those devices.
Back up your WatchGuard Servers
It is not usually necessary to uninstall your previous v11.x server or client software when you upgrade to WSM
v11.10.7. You can install the v11.10.7 server and client software on top of your existing installation to upgrade
your WatchGuard software components. We do, however, strongly recommend that you back up your
WatchGuard Servers (for example: WatchGuard Log Server, WatchGuard Report Server) to a safe location
before you upgrade. You will need these backup files if you ever want to downgrade.
To back up your Management Server configuration, from the computer where you installed the Management
Server:
1. From WatchGuard Server Center, select Backup/Restore Management Server.
The WatchGuard Server Center Backup/Restore Wizard starts.
2. Click Next.
The Select an action screen appears.
3. Select Back up settings.
4. Click Next.
The Specify a backup file screen appears.
5. Click Browse to select a location for the backup file. Make sure you save the configuration file to a
location you can access later to restore the configuration.
6. Click Next.
The WatchGuard Server Center Backup/Restore Wizard is complete screen appears.
7. Click Finish to exit the wizard.
Upgrade to Fireware v11.10.x from Web UI
If your Firebox is running Fireware v11.10 or later, you can upgrade the Fireware OS on your Firebox
automatically from the System > Upgrade OS page. If your Firebox is running v11.9.x or earlier, use these
steps to upgrade:
1. Go to System > Backup Image or use the USB Backup feature to back up your current device image.
2. On your management computer, launch the OS software file you downloaded from the WatchGuard
Software Downloads page.
If you use the Windows-based installer on a computer with a Windows 64-bit operating system, this
installation extracts an upgrade file called [product series]_[product code].sysa-dl to the default
location of C:\Program Files (x86)\Common Files\WatchGuard\resources\FirewareXTM\11.10.7\[model]
or [model][product_code].
On a computer with a Windows 32-bit operating system, the path is: C:\Program Files\Common
Files\WatchGuard\resources\Fireware\11.10.7
3. Connect to your Firebox with the Web UI and select System > Upgrade OS.
4. Browse to the location of the [product series]_[product code].sysa-dl from Step 2 and click Upgrade.
Upgrade to Fireware v11.10.x from WSM/Policy Manager
1. Select File > Backup or use the USB Backup feature to back up your current device image.
2. On a management computer running a Windows 64-bit operating system, launch the OS executable file
you downloaded from the WatchGuard Portal. This installation extracts an upgrade file called [Firebox or
xtm series]_[product code].sysa-dl to the default location of C:\Program Files (x86)\Common
files\WatchGuard\resources\Fireware\11.10.7\[model] or [model][product_code].
On a computer with a Windows 32-bit operating system, the path is: C:\Program Files\Common
Files\WatchGuard\resources\Fireware\11.10.7
3. Install and open WatchGuard System Manager v11.10.7. Connect to your Firebox and launch Policy
Manager.
4. From Policy Manager, select File > Upgrade. When prompted, browse to and select the [product
series]_[product code].sysa-dl file from Step 2.
Update AP Devices
With Fireware v11.10.5, we released new AP firmware for all AP devices and the process to update to new
AP firmware changed. While there are no AP firmware updates released with Fireware v11.10.7, if you have not
already upgraded to Fireware v11.10.5 or higher, please review this section carefully for important information
about updating AP devices.
Update your AP100, AP102, and AP200 Devices
Fireware v11.10.5 includes new AP firmware v1.2.9.6 for AP100/102 and AP200 devices. If you have enabled
automatic AP device firmware updates in Gateway Wireless Controller AND you upgrade from Fireware
v11.10.4 to Fireware v11.10.5, your AP devices are automatically updated. Note that, beginning with Fireware
v11.10.5, automatic updates occur only between midnight and 4:00am local time.
If you upgrade from Fireware v11.10.3 or lower to Fireware v11.10.5 (without first upgrading to Fireware
v11.10.4), there is an additional step you must take to make sure AP v1.2.9.6 is applied to your AP devices.
When you upgrade to Fireware v11.10.5 with Fireware Web UI or Policy Manager, you must do the upgrade
process twice. From the Web UI:
1. Connect to your Firebox and select System > Upgrade OS.
2. Browse to the location of your Fireware v11.10.5 upgrade file and click Upgrade.
3. When the upgrade is complete, repeat Step 2.
If you reset your Firebox to factory-default settings, the AP firmware is removed from the Firebox. To reinstall
the AP firmware on the Firebox you must reinstall Fireware v11.10.5 on the Firebox.
AP firmware v1.2.9.6 is not available in the Software Downloads Center. The only way to update your
AP devices to v1.2.9.6 is through Gateway Wireless Controller.
Update your AP300 Devices
It is important to understand that you cannot manage AP300 devices unless you use the Gateway Wireless
Controller with Fireware v11.10.5. If you manage AP300 devices and downgrade to an earlier version of
Fireware, you will lose the ability to manage your AP300 devices.
Fireware v11.10.5 includes AP firmware v2.0.0.1. If you have enabled automatic AP device firmware updates
in Gateway Wireless Controller AND you upgrade from Fireware v11.10.4 to Fireware v11.10.5, your AP
devices will be automatically updated if necessary. Note that, beginning with Fireware v11.10.5, automatic
updates occur only between midnight and 4:00am local time.
If you upgrade from Fireware v11.10.3 or lower to Fireware v11.10.5 (without first upgrading to Fireware
v11.10.4), there is an additional step you must take to make sure AP v2.0.0.1 is applied to your AP devices.
When you upgrade to Fireware v11.10.5 with Fireware Web UI or Policy Manager, you must do the upgrade
process twice. From the Web UI:
1. Connect to your Firebox and select System > Upgrade OS.
2. Browse to the location of your Fireware v11.10.5 upgrade file and click Upgrade.
3. When the upgrade is complete, repeat Step 2.
If you reset your Firebox to factory-default settings, the AP firmware is removed from the Firebox. To reinstall
the AP firmware, use one of these two methods:
Reinstall Fireware v11.10.5 on your Firebox
1. Connect to your Firebox and select System > Upgrade OS.
2. Browse to the location of your Fireware v11.10.5 upgrade file and click Upgrade.
Download the AP firmware package from the Software Downloads Center and install it on the Firebox
1. Download and extract the AP firmware package. The component package file extension is wgpkg-dl.
2. From Fireware Web UI, select System > Upgrade OS.
3. Select Use an upgrade file.
4. Browse to the location of the wgpkg-dl file and click Upgrade.
Upgrade your FireCluster to Fireware v11.10.7
Before you upgrade to Fireware v11.10.x, your Firebox must be running:
- Fireware XTM v11.7.5
- Fireware XTM v11.8.4
- Fireware XTM v11.9 or higher
If you try to upgrade from Policy Manager and your Firebox is running an unsupported version,
the upgrade is prevented.
If you try to schedule an OS update of managed devices through a Management Server, the
upgrade is also prevented.
If you use the Fireware Web UI to upgrade your device, you see a warning, but it is possible to
continue. You must make sure your Firebox is running v11.7.5, v11.8.4, or v11.9.x before
you upgrade to Fireware v11.10.x, or your Firebox will be reset to a default state.
There are two methods to upgrade Fireware OS on your FireCluster. The method you use depends on the
version of Fireware you currently use.
We recommend that you use Policy Manager to upgrade, downgrade, or restore a backup
image to a FireCluster. It is possible to do some of these operations from the Web UI but, if you
choose to do so, you must follow the instructions in the Help carefully as the Web UI is not
optimized for these tasks. It is not possible to upgrade your FireCluster from v11.8.x to v11.9.x
or higher with the Web UI.
Upgrade a FireCluster from Fireware v11.4.x–v11.9.x to v11.10.x
Use these steps to upgrade a FireCluster to Fireware v11.10.x:
1. Open the cluster configuration file in Policy Manager.
2. Select File > Upgrade.
3. Type the configuration passphrase.
4. Type or select the location of the upgrade file.
5. To create a backup image, select Yes.
A list of the cluster members appears.
6. Select the check box for each device you want to upgrade.
A message appears when the upgrade for each device is complete.
When the upgrade is complete, each cluster member reboots and rejoins the cluster. If you upgrade both
devices in the cluster at the same time, the devices are upgraded one at a time. This is to make sure there is
not an interruption in network access at the time of the upgrade.
Policy Manager upgrades the backup member first and then waits for it to reboot and rejoin the cluster as a
backup. Then Policy Manager upgrades the master. Note that the master’s role will not change until it reboots
to complete the upgrade process. At that time the backup takes over as the master.
To perform the upgrade from a remote location, make sure the FireCluster interface for management IP address
is configured on the external interface, and that the management IP addresses are public and routable. For
more information, see About the Interface for Management IP Address.
Upgrade a FireCluster from Fireware v11.3.x
To upgrade a FireCluster from Fireware v11.3.x to Fireware v11.9.x or higher, you must perform a manual
upgrade. For manual upgrade steps, see the Knowledge Base article Upgrade Fireware OS for a FireCluster.
Downgrade Instructions
Downgrade from WSM v11.10.x to WSM v11.x
If you want to revert from v11.10.x to an earlier version of WSM, you must uninstall WSM v11.10.x. When you
uninstall, choose Yes when the uninstaller asks if you want to delete server configuration and data files. After
the server configuration and data files are deleted, you must restore the data and server configuration files you
backed up before you upgraded to WSM v11.10.x.
Next, install the same version of WSM that you used before you upgraded to WSM v11.10.x. The installer
should detect your existing server configuration and try to restart your servers from the Finish dialog box. If you
use a WatchGuard Management Server, use WatchGuard Server Center to restore the backup Management
Server configuration you created before you first upgraded to WSM v11.10.x. Verify that all WatchGuard
servers are running.
Downgrade from Fireware v11.10.x to Fireware v11.x
If you use the Fireware Web UI or CLI to downgrade from Fireware v11.10.x to an earlier
version, the downgrade process resets the network and security settings on your device to
their factory-default settings. The downgrade process does not change the device
passphrases and does not remove the feature keys and certificates.
If you want to downgrade from Fireware v11.10.x to an earlier version of Fireware, the recommended method is
to use a backup image that you created before the upgrade to Fireware v11.10.x. With a backup image, you can
either:
- Restore the full backup image you created when you upgraded to Fireware v11.10.x to complete the downgrade; or
- Use the USB backup file you created before the upgrade as your auto-restore image, and then boot into recovery mode with the USB drive plugged in to your device. This is not an option for XTMv users.
See the Fireware Help for more information about these downgrade procedures, and information about how to
downgrade if you do not have a backup image.
Downgrade Restrictions
See this Knowledge Base article for a list of downgrade restrictions.
When you downgrade the Fireware OS on your Firebox or XTM device, the firmware on any
paired AP devices is not automatically downgraded. We recommend that you reset the AP
device to its factory-default settings to make sure that it can be managed by the older version of
Fireware OS.
Enhancements and Resolved Issues in Fireware v11.10.7
Certificates and Security
- The WatchGuard Management Server now correctly generates managed device certificates with a 2048-bit key. [85912]
- The default Firebox CA certificate bundle has been updated to include the Entrust Certification Authority – L1K Intermediate certificate. [88671]
- The glibc package included in Fireware OS has been patched to resolve security advisory CVE-2015-7547. [90013]
- The OpenSSH library included in Fireware OS has been patched to resolve security advisories CVE-2016-0777 and CVE-2016-0778. [89524]
- The OpenSSL library included in Fireware OS has been upgraded to version 1.0.1q to resolve multiple security advisories. [89024]
- The OpenSSL library included in WatchGuard System Manager has been upgraded to version 1.0.2f to resolve multiple security advisories. [89051]
- The Linux kernel as used by Fireware OS has been patched to resolve security advisory CVE-2016-0728. [89603]
- This release resolves an open redirect vulnerability in the management Web UI authentication form. [89149]
General
• XTM 2050 devices now correctly report available memory above 3 GB. [89188]
• An issue with a kernel module that resulted in a crash and reboot of Firebox M440 devices has been resolved. [88591]
• This release resolves an issue that caused a CPU soft lockup. [89643]
• The USB driver for the Sprint 341U modem has been updated on Firebox T30/T50 appliances. [90064]
• A driver error has been resolved that prevented fiber interfaces from working correctly. [90006]
• Several kernel crashes that caused unexpected reboots of Firebox M440 devices have been resolved. [89074, 87488]
• This release resolves an issue that caused the fwatch process to crash. [87313]
• This release resolves an issue that caused high CPU use when logging proxy traffic in the WatchGuard Partner-specific feature WatchMode. [89234]
Networking
• Modem failover is now supported with the D-Link DWM-221 USB Modem. [87247]
• Modem failover is now supported with the Huawei E3372 USB LTE Modem. [82897]
• This release resolves an issue that caused the Firebox to fail to add a default route for a dynamic external interface when a DHCP lease renew occurred and the Firebox is configured for multi-WAN. [89110]
• Multi-WAN alarm events are now triggered correctly when a link monitor ping host fails to respond. [89599]
• This release corrects an issue that caused erroneous Multi-WAN probe log messages to be sent. [84662]
• When you install XTMv in a Hyper-V environment, it now supports interface autonegotiation at 10 Gbps. [84424]
• Novatel U620L modem support has been improved for Firebox T30/T50 and Firebox M400/M500 appliances. [88824]
• This release resolves an issue that prevented VLAN traffic from passing through the HTTP proxy when using Bridge Mode. [88601]
• This release resolves an issue that caused the CTD process to crash, which caused a FireCluster failover and some data to not be synchronized properly between the FireCluster members. [88194, 89036]
Wireless
• This release includes scalability improvements to allow you to successfully monitor more than 100 AP devices. [71648, 88437]
• A wireless driver crash that prevented wireless traffic from passing has been resolved. [88914]
Proxies and Security Subscriptions
• This release includes changes to prevent occurrences of Gateway AV signatures that do not sync correctly to the Backup Master Firebox in a FireCluster. [88845]
• The Gateway AV engine has been improved so that remnants of attachments that match an SMTP/POP3 proxy rule violation are no longer released. [61611]
• Gateway AV actions now apply to complete file attachments in SMTP/POP3 traffic. [87222]
• When the POP3 proxy is configured to use APT Blocker and configured to Drop APT violations, email clients are no longer prevented from retrieving clean mail after a threat is detected. [89652]
• The APT demo sample file is now correctly recognized in POP3 traffic. [89432]
• POP3 proxy log messages now correctly indicate the final APT action. [89677]
• The virus status information in POP3 proxy deny messages no longer includes erroneous characters. [89241]
• Safe Search is now enforced by the HTTP Proxy for BING image search results. [74845]
• This release resolves an issue that caused Reputation Enabled Defense to fail to produce log messages. [88443]
• This release resolves an issue that caused portions of encrypted files over 100 kB in size to pass through the Firebox when Gateway AV tries to lock or quarantine the file. [87222]
• An issue with Record-Route manipulation in the SIP-ALG has been resolved. [88015]
• The URL parsing of From/To Headers has been corrected. This prevents the wrong Media Connection from closing in SIP connections. [89266]
• This release resolves a scand process crash when using APT Blocker. [85330, 88002]
• FTP uploads now work correctly through the FTP Proxy when the file transferred is smaller than the Gateway AV scan limit. [88021]
• An Active FTP connection is no longer disconnected when you access an empty folder through the FTP proxy. [87027]
• This release resolves an issue that caused a stuck proxy connection to use excessive CPU. [88043]
• Quarantine Server now correctly decodes subjects that contain multi-byte characters in user notifications. [87641]
• This release resolves a kernel crash related to the handling of dynamic proxy connections used by the SIP, H323 or FTP proxies when FireCluster is enabled. [81588, 84399]
VPN
• Policy Manager now correctly requires an authentication value other than None in an IPSec proposal when you select the AH proposal Type. [88707]
• In Policy Manager, you can now enable NAT-Traversal on a Phase 2 proposal after you change the proposal Type from AH to ESP. [88710]
• To avoid confusion, Policy Manager no longer appears to allow you to edit default Phase 2 Proposals. [86597]
• This release resolves an issue that caused BOVPN tunnel names that included a special character, such as "&", to fail to display in WatchGuard System Manager and Firebox System Manager. [82642]
• The BOVPN Gateway Names are now displayed correctly for Managed BOVPNs within Policy Manager when the device name on the Management Server contains the parentheses characters, such as VPN (seattle). [89237]
• Branch Office VPN Phase 1 logic has been improved to accept more variety in 3rd aggressive mode responses. This provides better interoperability with routers such as those from Cybertec. [88626]
• An issue that prevented devices managed by a Dimension server from having multiple managed VPNs to remote devices with dynamic external IP addresses has been resolved. [88946]
Logging
• This release resolves an issue that generated a large number of unnecessary log messages, such as "Unrecognized archive format: Invalid or incomplete multibyte or wide character". [89688]
• This release resolves an issue that caused repeated log messages to generate when the Firebox tried to update the signature set for a service the Firebox is not licensed for. [88597]
Management Server
• The Management Server template configuration for Data Loss Prevention rules now includes the Netherlands region. [88284]
• An error is now displayed when you try to add a VPN Firewall Policy Template that contains a space in the name. [71587]
• An issue that prevented policy changes from taking effect has been resolved. [88286]
Authentication
• An issue that prevented traffic from the Backend-Service account on a terminal server running the TO Agent from being identified correctly has been resolved. [88516]
Known Issues and Limitations
Known issues for Fireware v11.10.7 and its management applications, including workarounds where available,
can be found on the WatchGuard website.
To see the known issues:
1. Log in to the WatchGuard website at login.watchguard.com.
2. Click the Technical Search icon to go to the Technical Search page.
3. On the Technical Search page, select the Knowledge Base tab.
Knowledge Base filters appear on the left side of the page.
4. To see known issues for a specific release, use these filters:
   • From the Category filters, select the Known Issues check box.
   • From the Status filters, select the Open check box.
   • From the Product & Version filters, expand the Fireware version list and select the check box for v11.10.7.
Using the CLI
The Fireware CLI (Command Line Interface) is fully supported for v11.x releases. For information on how to
start and use the CLI, see the Command Line Reference Guide. You can download the latest CLI guide from
the documentation web site at http://www.watchguard.com/wgrd-help/documentation/xtm.
Technical Assistance
For technical assistance, contact WatchGuard Technical Support by telephone or log in to the WatchGuard
Portal on the Web at http://www.watchguard.com/support. When you contact Technical Support, you must
supply your registered Product Serial Number or Partner ID.
Phone Number
U.S. End Users: 877.232.3531
International End Users: +1 206.613.0456
Authorized WatchGuard Resellers: 206.521.8375