Fireware v11.10.6 Release Notes

Fireware v11.10.6 Release Notes
Fireware v11.10.6 Release Notes
Supported Devices
Firebox M4600, Firebox M5600
Release Date
18 February 2016
Release Notes Revision Date
18 February 2016
Fireware OS Build
All Firebox M4600 and M5600 devices ship with
Fireware v11.10.6 pre-installed. No updates are
available at this time.
WatchGuard System Manager Build
496305
For AP 100, 102, 200: Build 1.2.9.6 (151211)
WatchGuard AP Device Firmware
For AP 300: Build 2.0.0.1 (151216)
Introduction
WatchGuard is pleased to announce the release of the new Firebox M4600 and Firebox M5600, exciting new
upgrades to the WatchGuard product line. These new appliances represent a significant upgrade to the XTM
800/1500/2500 devices they are designed to replace, including increased performance and the ability to add
network interface modules.
These new Firebox models are manufactured with Fireware v11.10.6. Fireware v11.10.6 is functionally
equivalent to Fireware v11.10.5, but is necessary to accommodate the new hardware. If you use WatchGuard
System Manager (WSM) to manage your Firebox, you must use WSM v11.10.6. You can also use WSM
v11.10.6 to manage other Firebox models, even if they use a lower version of Fireware.
To set up your new Firebox, make sure to use the instructions in the Quick Start Guide, because there are
important differences in the default interface configuration on Firebox M5600 devices. For more information on
how to add network interface modules to your new Firebox, see the Hardware Guide.
Important Information about Firebox Certificates
Important Information about Firebox Certificates
SHA-1 is being deprecated by many popular web browsers, and WatchGuard recommends that you now use
SHA-256 certificates. Because of this, we have upgraded our default Firebox certificates. Starting with
Fireware v11.10.4, all newly generated default Firebox certificates use a 2048-bit key length. In addition, newly
generated default Proxy Server and Proxy Authority certificates use SHA-256 for their signature hash
algorithm. Starting with Fireware v11.10.5, all newly generated default Firebox certificates use SHA-256 for
their signature hash algorithm. New CSRs created from the Firebox also use SHA-256 for their signature hash
algorithm.
Default certificates are not automatically upgraded after you install Fireware v11.10.5 or higher.
To regenerate any default Firebox certificates, delete the certificate and reboot the Firebox. If you want to
regenerate default certificates without a reboot, you can use the CLI commands described in the next section.
Before you regenerate the Proxy Server or Proxy Authority certification, there are some important things to
know.
The Proxy Server certificate is used for inbound HTTPS with content inspection and SMTP with TLS
inspection. The Proxy Authority certificate is used for outbound HTTPS with content inspection. The two
certificates are linked because the default Proxy Server certificate is signed by the default Proxy Authority
certificate. If you use the CLI to regenerate these certificates, after you upgrade, you must redistribute the new
Proxy Authority certificate to your clients or users will receive web browser warnings when they browse
HTTPS sites, if content inspection is enabled.
Also, if you use a third-party Proxy Server or Proxy Authority certificate:
l
l
l
The CLI command will not work unless you first delete either the Proxy Server or Proxy Authority
certificate. The CLI command will regenerate both the Proxy Server and Proxy Authority default
certificates.
If you originally used a third-party tool to create the CSR, you can simply re-import your existing thirdparty certificate and private key.
If you originally created your CSR from the Firebox, you must create a new CSR to be signed, and then
import a new third-party certificate.
CLI Commands to Regenerate Default Firebox Certificates
To regenerate any default Firebox certificates, delete the certificate and reboot the Firebox. If you want to
regenerate default certificates without a reboot, you can use these CLI commands:
l
l
l
l
To upgrade the default Proxy Authority and Proxy Server certificates for use with HTTPS content
inspection, you can use the CLI command: upgrade certificate proxy
To upgrade the Firebox web server certificate, use the CLI command: upgrade certificate web
To upgrade the SSLVPN certificate, use the CLI command: upgrade certificate sslvpn
To upgrade the 802.1x certificate, use the CLI command: upgrade certificate 8021x
For more information about the CLI, see the Command Line Interface Reference.
2
WatchGuard Technologies, Inc.
Before You Begin
Before You Begin
Before you can use your new Firebox, you must have:
l
l
The required hardware and software components as shown below. If you use WatchGuard System
Manager (WSM), make sure your WSM version is equal to or higher than the version of Fireware OS
installed on your Firebox and the version of WSM installed on your Management Server.
Feature key for your Firebox — If you upgrade your device from an earlier version of Fireware OS, you
can use your existing feature key. If you do not have a feature key for your device, you can log in to the
WatchGuard website to download it.
Note that you can install and use WatchGuard System Manager v11.10.6 and all WSM server components with
devices running earlier versions of Fireware v11. In this case, we recommend that you use the product
documentation that matches your Fireware OS version.
If you have a new Firebox, make sure you use the instructions in the Quick Start Guide that shipped with your
device. We also recommend that you review the Hardware Guide for your Firebox. The Hardware Guide
contains useful information about your device interfaces, as well as information on resetting your device to
factory default settings, if necessary.
Product documentation for all WatchGuard products is available on the WatchGuard web site at
www.watchguard.com/help/documentation. There are no updates to Fireware Help for this release.
Release Notes
3
Localization
Localization
This release includes localized management user interfaces (WSM application suite and Web UI) current as of
Fireware v11.10.2. UI changes introduced since v11.10.2 may remain in English. Supported languages are:
l
l
l
French (France)
Japanese
Spanish (Latin American)
Note that most data input must still be made using standard ASCII characters. You can use non-ASCII
characters in some areas of the UI, including:
l
l
l
Proxy deny message
Wireless hotspot title, terms and conditions, and message
WatchGuard Server Center users, groups, and role names
Any data returned from the device operating system (e.g. log data) is displayed in English only. Additionally, all
items in the Web UI System Status menu and any software components provided by third-party companies
remain in English.
Fireware Web UI
The Web UI will launch in the language you have set in your web browser by default.
WatchGuard System Manager
When you install WSM, you can choose what language packs you want to install. The language displayed in
WSM will match the language you select in your Microsoft Windows environment. For example, if you use
Windows 7 and want to use WSM in Japanese, go to Control Panel > Regions and Languages and select
Japanese on the Keyboards and Languages tab as your Display Language.
Dimension, WebCenter, Quarantine Web UI, and Wireless Hotspot
These web pages automatically display in whatever language preference you have set in your web browser.
4
WatchGuard Technologies, Inc.
Fireware and WSM v11.10.6 Operating System Compatibility
Fireware and WSM v11.10.6 Operating System Compatibility
Last revised: 6 January 2016
WSM/
FirewareComponent
Microsoft
Microsoft
Microsoft
Windows
Windows
Windows
7,8,8.1,
Server
Server
10
2012
2008&
(32-bit&
&2012R2
2008R2
64-bit)
(64-bit)
MacOS
X
v10.9,
v10.10,
v10.11
Android
4.x
&5.x
iOS
v7, v8,
& v9
WatchGuard System Manager
WatchGuard Servers
For information on WatchGuard
Dimension, see the Dimension Release
Notes.
Single Sign-On Agent
(Includes Event Log Monitor)
Single Sign-On Client
Single Sign-On Exchange
Monitor1
Terminal Services Agent2
Mobile VPN with IPSec
3
3
Mobile VPN with SSL
Notes about Microsoft Windows support:
l
For Microsoft Windows Server 2008, we support both 32-bit and 64-bit support. For Windows Server
2008 R2, we support 64-bit only.
l
Windows 8.x support does not include Windows RT.
l
Windows Exchange Server 2013 is supported if you install Windows Sever 2012 or 2012 R2 and .Net
framework 3.5.
The following browsers are supported for both Fireware Web UI and WebCenter (Javascript required):
l
IE 9 and later
l
Microsoft Edge
l
Firefox v22 and later
l
Safari 6 and later
l
Safari iOS 6 and later
l
Chrome v29 and later
Release Notes
5
Fireware and WSM v11.10.6 Operating System Compatibility
1Microsoft Exchange Server 2007, 2010, and 2013 are supported.
2Terminal Services
support with manual or Single Sign-On authentication operates in a Microsoft Terminal
Services or Citrix XenApp 4.5, 5.0, 6.0, 6.5 and 7.6 environment.
3Native (Cisco) IPSec
client and OpenVPN are supported for Mac OS and iOS. For Mac OS X 10.8 -10.10, we
also support the WatchGuard IPSec Mobile VPN Client for Mac, powered by NCP.
Authentication Support
This table gives you a quick view of the types of authentication servers supported by key features of Fireware.
Using an authentication server gives you the ability to configure user and group-based firewall and VPN policies
in your Firebox or XTM device configuration. With each type of third-party authentication server supported, you
can specify a backup server IP address for failover.
Fully supported by WatchGuard
customers
6
Not yet supported, but tested with success by WatchGuard
WatchGuard Technologies, Inc.
Fireware and WSM v11.10.6 Operating System Compatibility
Firebox
Active
Directory1
LDAP
RADIUS SecurID
2
Mobile VPN with IPSec/Shrew Soft
2
3
(Firebox-DB)
Local
Authentication
–
Mobile VPN with IPSec/WatchGuard client
(NCP)
Mobile VPN with IPSec for iOS and Mac OS
X native VPN client
Mobile VPN with IPSec for Android devices
–
Mobile VPN with SSL for Windows
4
4
Mobile VPN with SSL for Mac
Mobile VPN with SSL for iOS and Android
devices
Mobile VPN with L2TP
Mobile VPN with PPTP
6
–
–
–
–
N/A
Built-in Authentication Web Page on Port
4100
Single Sign-On Support (with or without client
–
–
–
–
–
–
–
–
–
–
–
software)
Terminal Services Manual Authentication
Terminal Services Authentication with Single
Sign-On
5
Citrix Manual Authentication
Citrix Manual Authentication with Single SignOn
Release Notes
5
7
Fireware and WSM v11.10.6 Operating System Compatibility
1. Active Directory support includes both single domain and multi-domain support, unless otherwise noted.
2. RADIUS and SecurID support includes support for both one-time passphrases and challenge/response
3.
4.
5.
6.
authentication integrated with RADIUS. In many cases, SecurID can also be used with other RADIUS
implementations, including Vasco.
The Shrew Soft client does not support two-factor authentication.
Fireware supports RADIUS Filter ID 11 for group authentication.
Both single and multiple domain Active Directory configurations are supported. For information about the
supported Operating System compatibility for the WatchGuard TO Agent and SSO Agent, see the current
Fireware and WSM Operating System Compatibility table.
Active Directory authentication methods are supported only through a RADIUS server.
System Requirements
If you have WatchGuard System
Manager client software only
installed
If you install WatchGuard System
Manager and WatchGuard Server
software
Intel Core or Xeon
Intel Core or Xeon
2GHz
2GHz
Minimum Memory
1 GB
2 GB
Minimum Available
Disk Space
250 MB
1 GB
1024x768
1024x768
Minimum CPU
Minimum
Recommended
Screen Resolution
XTMv System Requirements
With support for installation in both a VMware and a Hyper-V environment, a WatchGuard XTMv virtual
machine can run on a VMware ESXi 4.1, 5.0, 5.1, 5.5, or 6.0 host, or on Windows Server 2008 R2, Windows
Server 2012, Hyper-V Server 2008 R2, or Hyper-V Server 2012.
The hardware requirements for XTMv are the same as for the hypervisor environment it runs in.
Each XTMv virtual machine requires 3 GB of disk space.
Recommended Resource Allocation Settings
Small Office Medium Office Large Office Datacenter
8
Virtual CPUs 1
2
4
8 or more
Memory
2 GB
4 GB
4 GB or more
1 GB
WatchGuard Technologies, Inc.
Downloading Software
Downloading Software
You can download software from the WatchGuard Software Downloads Center.
There are several software files available for download with this release. See the descriptions below so you
know what software packages you will need for your upgrade.
WatchGuard System Manager
With this software package you can install WSM and the WatchGuard Server Center software:
WSM11_10_6.exe — Use this file install WSM v11.10.6 or to upgrade WatchGuard System Manager
from v11.x to WSM v11.10.6.
Fireware OS
Your Firebox was manufactured with Fireware v11.10.6. There is no Fireware update available at this time.
Release Notes
9
Downloading Software
Single Sign-On Software
These files are available for Single Sign-On.
l
l
l
l
l
WG-Authentication-Gateway_11_10_4.exe (SSO Agent software - required for Single Sign-On and
includes optional Event Log Monitor for clientless SSO)
WG-Authentication-Client_11_9_4.msi (SSO Client software for Windows)
WG-SSOCLIENT-MAC_11_10.dmg (SSO Client software for Mac OS X)
SSOExchangeMonitor_x86_11_10_4.exe (Exchange Monitor for 32-bit operating systems)
SSOExchangeMonitor_x64_11_10_4.exe (Exchange Monitor for 64-bit operating systems)
For information about how to install and set up Single Sign-On, see the product documentation.
Terminal Services Authentication Software
l
TO_AGENT_SETUP_11_10_4.exe (This installer includes both 32-bit and 64-bit file support.)
Mobile VPN with SSL Client for Windows and Mac
There are two files available for download if you use Mobile VPN with SSL.
l
l
WG-MVPN-SSL_11_10_4.exe (Client software for Windows)
WG-MVPN-SSL_11_10_4.dmg (Client software for Mac)
Mobile VPN with IPSec client for Windows and Mac
There are several available files to download.
Shrew Soft Client
l
Shrew Soft Client 2.2.2 for Windows - No client license required.
WatchGuard IPSec Mobile VPN Clients
l
WatchGuard IPSec Mobile VPN Client for Windows (32-bit), powered by NCP - There is a
license required for this premium client, with a 30-day free trial available with download.
l
WatchGuard IPSec Mobile VPN Client for Windows (64-bit), powered by NCP - There is a
l
license required for this premium client, with a 30-day free trial available with download.
WatchGuard IPSec Mobile VPN Client for Mac OS X, powered by NCP - There is a license
required for this premium client, with a 30-day free trial available with download.
WatchGuard Mobile VPN License Server
l
WatchGuard Mobile VPN License Server (MVLS) v2.0, powered by NCP - Click here for more
information about MVLS.
10
WatchGuard Technologies, Inc.
Upgrade to WSM v11.10.6
Upgrade to WSM v11.10.6
If you use WatchGuard System Manager (WSM), make sure your WSM version is equal to or higher than the
version of Fireware OS installed on your Firebox and the version of WSM installed on your Management Server.
Also, make sure to upgrade WSM before you upgrade the version of Fireware OS on your Firebox.
Release Notes
11
Upgrade to WSM v11.10.6
Back up your WatchGuard Servers
It is not usually necessary to uninstall your previous v11.x server or client software when you upgrade to WSM
v11.10.6. You can install the v11.10.6 server and client software on top of your existing installation to upgrade
your WatchGuard software components. We do, however, strongly recommend that you back up your
WatchGuard Servers (for example: WatchGuard Log Server, WatchGuard Report Server) to a safe location
before you upgrade. You will need these backup files if you ever want to downgrade.
To back up your Management Server configuration, from the computer where you installed the Management
Server:
1. From WatchGuard Server Center, select Backup/Restore Management Server.
The WatchGuard Server Center Backup/Restore Wizard starts.
2. Click Next.
The Select an action screen appears.
3. Select Back up settings.
4. Click Next.
The Specify a backup file screen appears.
5. Click Browse to select a location for the backup file. Make sure you save the configuration file to a
location you can access later to restore the configuration.
6. Click Next.
The WatchGuard Server Center Backup/Restore Wizard is complete screen appears.
7. Click Finish to exit the wizard.
12
WatchGuard Technologies, Inc.
Known Issues and Limitations
Known Issues and Limitations
Known issues for Fireware v11.10.6 and its management applications, including workarounds where available,
can be found on the WatchGuard website. To see Known Issues, log in to the WatchGuard website and use the
filters available on the Technical Search > Knowledge Base tab.
Using the CLI
The Fireware CLI (Command Line Interface) is fully supported for v11.x releases. For information on how to
start and use the CLI, see the Command Line Reference Guide. You can download the latest CLI guide from
the documentation web site at http://www.watchguard.com/wgrd-help/documentation/xtm.
Technical Assistance
For technical assistance, contact WatchGuard Technical Support by telephone or log in to the WatchGuard
Portal on the Web at http://www.watchguard.com/support. When you contact Technical Support, you must
supply your registered Product Serial Number or Partner ID.
Phone Number
U.S. End Users
877.232.3531
International End Users
+1 206.613.0456
Authorized WatchGuard Resellers 206.521.8375
Release Notes
13
Technical Assistance
Release Notes
14
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement