What's New in Fireware XTM v11.9.4
WatchGuard Training
©2014 WatchGuard Technologies, Inc.

What's New in v11.9.4

• Authentication Enhancements
  - Hotspot Enhancements
    - Create custom hotspot page settings and manage Guest Administrator accounts
    - Support for Guest Administrators to manage guest user accounts and create custom vouchers
  - Single Sign-On Event Log Monitor Enhancements
• HTTPS Proxy Content Inspection based on SNI or WebBlocker Category
  - Supports SNI (Server Name Indication) to more accurately configure the domains you want to allow, block, or inspect.
  - More control over the HTTPS sites you want to inspect and the sites you want to bypass.
  - You can select the WebBlocker categories you want to inspect.
• Branch Office VPN enhancements
  - A BOVPN Virtual Interface now supports any interface as the local gateway
  - New BOVPN Configuration Reports for easier VPN troubleshooting
  - Renamed “Enable IPSec Pass-through” VPN setting

What's New in v11.9.4

• Enable/Disable SSLv3 Option in HTTPS and SMTP Proxy Actions
• Offline Signature Updates
• Support for /31 and /32 subnet masks
• Management Server Enhancements
  - Change the order of IP addresses in the Distribution IP Address list
• Monitoring Enhancements
  - Web UI VPN Statistics page includes statistics for Mobile VPN types on one tab
  - Clear the WebBlocker cache from Firebox System Manager
• Support for NAT connections through the SNMP application layer gateway
• Other Enhancements
• Support for new Firebox models
  - Firebox M400
  - Firebox M500
  - Fireware XTM OS update for Firebox M440 and Firebox T10-D
• What Else is New?

Authentication Enhancements

Hotspot Enhancements

• The Hotspot feature now includes these new features:
  - Customize guest user authentication options for a hotspot
  - Create and manage Guest Administrator user accounts
  - New Wireless Guest Administration web portal for Guest Administrators to:
    - Manage guest user accounts
    - Configure guest user account settings
    - Customize vouchers with guest user account information

Customize Guest User Authentication for Hotspots

• Configure the Hotspot Connections settings for a custom hotspot page and manage Guest Administrator accounts.
  - In Fireware XTM Web UI, select Authentication > Hotspot.
  - In Policy Manager, select Setup > Authentication > Hotspot.

Customize Guest User Authentication for Hotspots

• On the new Hotspot Connections tab:
  - Select whether guest users must use credentials to connect.
  - Set the number of user accounts the Guest Administrator can add.
  - Add Guest Administrator user accounts.
• Guest Administrator user accounts are added to the default Firebox-DB authentication server.
• You can add and remove accounts, or edit them to disable the account or change the passphrase.

Customize Guest User Authentication for Hotspots

• To add Guest Administrator user accounts:
  - In Policy Manager, click Manage Guest Administrator Accounts.
  - In Fireware XTM Web UI, add Guest Administrators in the Wireless Guest Administrators section.

Customize Guest User Authentication for Hotspots

• Guest Administrator user accounts also appear in the Firebox or XTM device Users and Roles list, with the Guest Administrator role:
  - In Policy Manager, select File > Manage Users and Roles.
  - In Fireware XTM Web UI, select System > Users and Roles.

Customize Guest User Authentication for Hotspots

• Custom Page settings remain the same, but have moved to the Customize Hotspot Page tab.

Guest Administration for Hotspots

• Guest Administrators can connect to the Wireless Guest Administration web portal on the Firebox or XTM device to manage guest user accounts and create custom vouchers for guest user accounts.
• Guest Administrators connect to the device at https://<device-ip-address>:8080/wirelessguest/ and log in to the Wireless Guest Administration web portal with Guest Administrator credentials.

Guest Administration for Hotspots

• The Guest Administrator configures the user account settings for guest user accounts.
  - Select the Settings tab.

Guest Administration for Hotspots

• Configure these settings for guest user accounts:
  - User Name Prefix
    - The prefix for all guest user account user names.
    - When guest user accounts are generated, each user name begins with this prefix.
  - Account Lifetime
    - The amount of time that each guest user account can be used after it is activated for the first time.
    - When the guest user logs in with the guest user account credentials, the countdown starts.
    - The default account lifetime is 24 hours.
  - Account Expiration
    - The amount of time after which the guest user account expires and is removed from the Guest Accounts list.
    - If the guest user account has not been activated before the account expiration time is reached, the guest user account still expires.

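The Account Lifetime and Account Expiration settings interact in a way that is easy to misread: the lifetime countdown starts at the first login, while the expiration clock starts when the account is created and removes the account whether or not anyone ever logged in. The Python model below is an added example, not WatchGuard code. The class names, the `guest` prefix and the seven-day expiration value are assumptions made for illustration; the 24-hour lifetime default is the one the slide states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class GuestAccountSettings:
    """Settings from the Wireless Guest Administration Settings tab."""
    user_name_prefix: str = "guest"                     # assumed default prefix
    account_lifetime: timedelta = timedelta(hours=24)   # default stated on the slide
    account_expiration: timedelta = timedelta(days=7)   # constructed value


@dataclass
class GuestAccount:
    user_name: str
    created_at: datetime
    activated_at: Optional[datetime] = None   # set by the first successful login


def generate_accounts(settings: GuestAccountSettings, count: int,
                      created_at: datetime, start_index: int = 1) -> List[GuestAccount]:
    """Create `count` accounts whose user names all begin with the configured prefix."""
    return [GuestAccount(f"{settings.user_name_prefix}{i:03d}", created_at)
            for i in range(start_index, start_index + count)]


def account_state(account: GuestAccount, settings: GuestAccountSettings,
                  now: datetime) -> str:
    """Classify an account at time `now`.

    Expiration is measured from creation and removes the account from the Guest
    Accounts list even if it was never activated. Lifetime is measured from the
    first login and only limits how long an activated account can be used.
    """
    if now >= account.created_at + settings.account_expiration:
        return "expired"
    if account.activated_at is None:
        return "not activated"
    if now >= account.activated_at + settings.account_lifetime:
        return "lifetime ended"
    return "active"


def try_login(account: GuestAccount, settings: GuestAccountSettings,
              login_at: datetime) -> bool:
    """Hotspot login attempt. The first successful login starts the lifetime countdown."""
    state = account_state(account, settings, login_at)
    if state == "not activated":
        account.activated_at = login_at
        return True
    return state == "active"


def demo_timeline():
    """Walk a constructed scenario: one account is used two hours after creation, the
    other never. Returns (hours since creation, state of used, state of unused)."""
    settings = GuestAccountSettings()
    created = datetime(2014, 11, 1, 9, 0)            # constructed timestamp
    used, unused = generate_accounts(settings, 2, created)
    try_login(used, settings, created + timedelta(hours=2))
    return [(h,
             account_state(used, settings, created + timedelta(hours=h)),
             account_state(unused, settings, created + timedelta(hours=h)))
            for h in (3, 25, 27, 168)]


if __name__ == "__main__":
    for hours, used_state, unused_state in demo_timeline():
        print(f"+{hours:3d}h  used: {used_state:15s}  unused: {unused_state}")
```

The timeline shows the two clocks separately: the used account is still active at +25h (its 24-hour lifetime only began at +2h), has its lifetime end at +27h, and both accounts are gone at +168h because the seven-day expiration does not care about activation.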
Guest Administration for Hotspots

• The Guest Admin configures the settings for the printed vouchers that give guest users their guest user account information.
  - Select the Customize Voucher tab.

Guest Administration for Hotspots

• Configure these settings for the guest user vouchers:
  - Business Name
    - The name of the company where the hotspot is located.
    - The name you specify is included in the voucher text.
  - Contact Information
    - The contact information for the company.
    - This text can include instructions to get hotspot connection help as well as contact numbers or addresses.
  - Use a custom logo
    - Upload the company logo to use on the voucher.
    - The logo file can include images, text, and other special information that you want to give guest users.
    - Image files must be JPG, PNG, or GIF files. There is no size constraint on the logo image files, but the recommended size is 90 x 50 pixels.

Guest Administration for Hotspots

• The Guest Admin adds guest user accounts and prints vouchers.
  - Select the Accounts tab.
  - Specify the number of guest user accounts to create.
  - Click Add and Print New Accounts.

Guest Administration for Hotspots

• Example vouchers — logo only, and logo with informational text.

Guest Administration for Hotspots

• Print the voucher:
  - Click Print in the Print Guest Account window.

Guest Administration for Hotspots

• Manage guest user accounts:
  - Select the check box for an account.
  - To remove the account, click Delete.
  - To print a new voucher, click Print.

Single Sign-On Enhancements

• Single Sign-On has been updated to support failover and load balancing for the Event Log Monitors installed on multiple domains in your network.
• The SSO Agent sends a DNS resolution request to resolve the host name for the IP address of the client, and determines which domain the client is a member of.
• The SSO Agent then contacts the Event Log Monitors in that domain to attempt to authenticate the client.
  - If multiple Event Log Monitors are installed and included in the SSO Agent configuration, and the first Event Log Monitor is unable to resolve the authentication request, the SSO Agent fails over to the next Event Log Monitor to attempt to resolve the request.
• The SSO Agent can also contact the Event Log Monitors from other domains in your network, if they are specified in the SSO Agent configuration.

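To make the failover order concrete, here is an added Python simulation of the resolution sequence described above (failover only; it does not model load balancing). It is not the SSO Agent's code. The reverse-DNS table, the Event Log Monitor addresses and the simulated monitor responses are constructed for the example, and deriving the client's domain from the host name after its first label is an assumption about how the agent determines domain membership.

```python
from typing import Dict, List, Optional, Tuple

# Constructed reverse-DNS table (client IP -> host name); None means no PTR record.
REVERSE_DNS: Dict[str, Optional[str]] = {
    "10.0.1.25": "ws-25.corp.example.com",
    "10.0.2.40": "ws-40.eng.example.net",
    "10.0.3.9": None,
}

# Constructed SSO Agent configuration: Event Log Monitors per domain, in failover order.
EVENT_LOG_MONITORS: Dict[str, List[str]] = {
    "corp.example.com": ["10.0.1.200", "10.0.1.201"],
    "eng.example.net": ["10.0.2.200"],
}

# Simulated monitor answers: (monitor IP, client IP) -> user name. A missing key means
# the monitor could not resolve the request (it is down or holds no logon event).
Responses = Dict[Tuple[str, str], str]


def client_domain(client_ip: str) -> Optional[str]:
    """Step 1: reverse-resolve the client IP and take the host name's domain suffix
    (assumption: the domain is everything after the first label)."""
    host = REVERSE_DNS.get(client_ip)
    if not host or "." not in host:
        return None
    return host.split(".", 1)[1]


def query_monitor(monitor_ip: str, client_ip: str, responses: Responses) -> Optional[str]:
    """Simulated Event Log Monitor lookup for the client's logged-on user."""
    return responses.get((monitor_ip, client_ip))


def resolve_user(client_ip: str, responses: Responses,
                 contact_other_domains: bool = True):
    """Steps 2 and 3: ask the monitors of the client's own domain first, failing over
    in configured order; then, if the configuration allows it, the monitors of the
    other domains. Returns (user or None, monitor that answered or None, monitors tried)."""
    domain = client_domain(client_ip)
    order: List[str] = list(EVENT_LOG_MONITORS.get(domain, []))
    if contact_other_domains:
        for other, monitors in EVENT_LOG_MONITORS.items():
            if other != domain:
                order.extend(monitors)
    tried: List[str] = []
    for monitor in order:
        tried.append(monitor)
        user = query_monitor(monitor, client_ip, responses)
        if user is not None:
            return user, monitor, tried
    return None, None, tried


if __name__ == "__main__":
    # First corp monitor has no answer, so the agent fails over to the second one.
    sample: Responses = {("10.0.1.201", "10.0.1.25"): "CORP\\alice"}
    print(resolve_user("10.0.1.25", sample))
    # No PTR record: only the other-domain monitors can be asked, if configured.
    print(resolve_user("10.0.3.9", {("10.0.2.200", "10.0.3.9"): "ENG\\carol"}))
```

The `tried` list is the part worth watching in practice: a client whose reverse lookup fails causes every configured monitor to be queried in turn, which is the cost of enabling the cross-domain fallback.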
HTTPS Proxy Content Inspection based on SNI or WebBlocker Category

What is SNI?

• SNI (Server Name Indication) is an extension of the TLS protocol that indicates the specific server name while making a TLS/SSL connection.
• SNI is supported by most modern web browsers.
• SNI is more accurate than the certificate CN (Common Name) for a site, because it carries the actual server name the client asked for, sent at the start of the TLS handshake.
• Many web servers host several web sites that share the same IP address and multiple certificates, and these sites can share the same certificate CN (Common Name).

SNI and Certificate CN

• For example, many Google services such as YouTube and Google Maps share the same certificate CN (*.google.com).
• If you block access to YouTube based on the certificate CN, this would also block access to Google Maps and other services with the same CN.
• SNI provides the server name that you can use to more accurately control access to specific sites and perform or bypass content inspection.
• The certificate CN is used if SNI information is not available.

Benefits of HTTPS Content Inspection with SNI

• With selective content inspection and SNI checks in v11.9.4, you now have more control over the HTTPS sites you want to inspect and the sites you want to bypass.
• For example, you can configure HTTPS content inspection but bypass banking, financial, or other sites with privacy concerns.
• You can more accurately allow, block, or inspect specific sites that come from domains (Google, YouTube, etc.) that may share the same certificate common name (CN).
• With WebBlocker, you can enable HTTPS content inspection only for known categories of high risk web sites.

HTTPS Content Inspection — Enable Content Inspection

• Enable Content Inspection
  - To enable content inspection, in the HTTPS Proxy Action configuration, select the Enable deep inspection of HTTPS content check box.
  - Select the HTTP Proxy Action to apply to inspected traffic.
  - At this point, even when this feature is enabled globally, all HTTPS web sites bypass inspection.
  - To inspect a site, you must define the domain in the Domain Names page and configure the domain with the Inspect action.

HTTPS Content Inspection — Domain Names

• Domain Names
  - SNI and CN are used to check the rules configured in the Domain Names section of the HTTPS Proxy Action. The certificate CN is used if SNI is not available.
  - You can allow or deny access to a site, or perform content inspection.
  - When content inspection is enabled, web sites are only inspected if the domain is configured with the action Inspect.
  - The pattern name can be a server name (SNI), a certificate common name (CN), or an IP address.
  - The Allow action bypasses content inspection.

HTTPS Content Inspection — Domain Names

• Examine the HTTPS entries in the traffic logs for the correct SNI/CN information when you create your domain name rules.

HTTPS Content Inspection — WebBlocker

• WebBlocker
  - Only categories allowed by WebBlocker are displayed in the HTTPS Proxy Action WebBlocker configuration.
  - When content inspection is enabled, you must select the WebBlocker categories you want to perform content inspection on.
  - If content inspection is not enabled, WebBlocker can allow or deny the connection.
  - Domain Names rules have the highest priority. WebBlocker checks only occur when there is no domain name rule match and the default action is Allow.

HTTPS Content Inspection — v11.9.3 vs. v11.9.4

• In v11.9.3 and lower:
  - A certificate name (CN) check determines whether to allow or deny access to a site as configured in Certificate Names.
  - If content inspection is enabled, all connections are redirected to the HTTP-Proxy for content inspection except for addresses defined in the Bypass List.
  - WebBlocker checks to allow or block sites are performed only for traffic that is not content inspected.
• In v11.9.4 and higher:
  - SNI, CN, and IP address are used to check the rules configured in the Domain Names section of the HTTPS Proxy Action. The certificate CN is used if SNI is not available.
  - You inspect, allow (bypass inspection), or deny access to a domain.
  - When content inspection is enabled, inspection only occurs if the domain is configured with the action Inspect.
  - There is no Bypass List in v11.9.4. Set the action in Domain Names to Allow to bypass content inspection.
  - When content inspection is enabled, you must choose the WebBlocker categories you want to inspect.

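The SNI slides above explain why the server name from the TLS handshake identifies a site better than the certificate CN, and the Domain Names and WebBlocker slides describe the order in which v11.9.4 evaluates its rules. The Python below is an added example that covers both; it is not Fireware code. It extracts the server_name extension from a raw ClientHello (built inline as constructed sample input, with the SNI-less case included) and then applies a constructed rule set in the order the slides describe: Domain Names rules first, matched on SNI with CN fallback, then WebBlocker categories only when no rule matched and the default action is Allow. The rule list, the category names, treating an Inspect rule as Allow while content inspection is disabled, and checking a denied category before the inspected categories are assumptions.

```python
import struct
from typing import List, Optional, Tuple

SERVER_NAME_EXT = 0x0000  # TLS extension type for server_name (RFC 6066)


def extract_sni(client_hello: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension of a ClientHello, or None."""
    if len(client_hello) < 4 or client_hello[0] != 0x01:   # HandshakeType client_hello
        return None
    pos = 4 + 2 + 32                                    # header, client_version, random
    pos += 1 + client_hello[pos]                        # session_id
    pos += 2 + struct.unpack("!H", client_hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + client_hello[pos]                        # compression_methods
    if pos + 2 > len(client_hello):
        return None                                     # no extensions block at all
    end = pos + 2 + struct.unpack("!H", client_hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", client_hello[pos:pos + 4])
        pos += 4
        if ext_type == SERVER_NAME_EXT:
            entry = pos + 2                              # skip ServerNameList length
            while entry + 3 <= pos + ext_len:
                name_type = client_hello[entry]
                name_len = struct.unpack("!H", client_hello[entry + 1:entry + 3])[0]
                if name_type == 0:                       # NameType host_name
                    return client_hello[entry + 3:entry + 3 + name_len].decode("ascii")
                entry += 3 + name_len
        pos += ext_len
    return None


def build_client_hello(server_name: Optional[str] = None) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello used as sample input (one cipher suite,
    null compression, and a server_name extension only when a name is given)."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        sn_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SERVER_NAME_EXT, len(sn_list)) + sn_list
        body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body


# Constructed Domain Names rules (pattern, action). Patterns are SNI/CN names, wildcard
# names or IP addresses; rules are checked in order and the first match wins.
DOMAIN_RULES: List[Tuple[str, str]] = [
    ("www.youtube.com", "Deny"),
    ("*.bank.example", "Allow"),        # Allow = bypass content inspection
    ("maps.google.com", "Inspect"),
    ("203.0.113.10", "Inspect"),
]
# Constructed WebBlocker category selections.
INSPECT_CATEGORIES = {"Malicious Web Sites", "Phishing and Other Frauds"}
DENY_CATEGORIES = {"Adult Material"}


def matches(pattern: str, name: Optional[str], dest_ip: str) -> bool:
    if pattern == dest_ip:
        return True
    if name is None:
        return False
    if pattern.startswith("*."):
        return name == pattern[2:] or name.endswith(pattern[1:])
    return name == pattern


def https_decision(sni: Optional[str], cert_cn: Optional[str], dest_ip: str,
                   category: Optional[str], inspection_enabled: bool = True,
                   default_action: str = "Allow") -> str:
    """Decide Allow / Deny / Inspect for one HTTPS connection in the v11.9.4 order."""
    name = sni if sni else cert_cn            # CN fallback when the client sent no SNI
    for pattern, action in DOMAIN_RULES:
        if matches(pattern, name, dest_ip):
            return action if (action != "Inspect" or inspection_enabled) else "Allow"
    if default_action != "Allow":
        return default_action
    if category in DENY_CATEGORIES:           # assumption: deny category checked first
        return "Deny"
    if inspection_enabled and category in INSPECT_CATEGORIES:
        return "Inspect"
    return "Allow"


if __name__ == "__main__":
    hello = build_client_hello("www.youtube.com")
    print(extract_sni(hello), https_decision(extract_sni(hello), "*.google.com", "203.0.113.5", "Streaming Media"))
    print(extract_sni(build_client_hello()), https_decision(None, "*.google.com", "203.0.113.5", "Search Engines"))
```

The second line of the demo is the case the slides warn about: with no SNI the decision falls back to the CN `*.google.com`, which matches none of the constructed rules, so the YouTube deny rule does not fire and WebBlocker decides instead.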
Branch Office VPN Enhancements

BOVPN Virtual Interface Local Gateway Interface

• A BOVPN Virtual Interface now supports any interface as the local gateway.
  - You cannot use a modem for failover from a BOVPN virtual interface if a local gateway endpoint uses an interface that is not external.
• From the Physical drop-down list, select any enabled physical or wireless interface.
• Select Other and click Select to select any VLAN, Bridge, PPPoE, or Link Aggregation interface.

BOVPN Virtual Interface Local Gateway Interface

• When you select Other, a list of logical interfaces appears.
• To filter the interface list, use the Type and Zone drop-down lists, or type the interface Name.
  - Types:
    - VLAN
    - Bridge
    - Link Aggregation
    - PPPoE
  - Zone:
    - Trusted
    - Optional
    - Custom
    - External

BOVPN Configuration Reports

• Three new branch office VPN configuration reports show a summary of BOVPN settings in HTML or plain text format that you can save or print.
  - BOVPN Gateway Configuration Report
  - BOVPN Tunnel Configuration Report
  - BOVPN Virtual Interface Configuration Report
• The reports make it easier to compare VPN configuration settings when you troubleshoot a branch office VPN.
• The reports are available in Policy Manager and Fireware XTM Web UI in the same locations where you add or edit a VPN gateway, tunnel, or BOVPN virtual interface.
  - In Policy Manager, these reports include information about the selected gateway, tunnel, or virtual interface.
  - In the Web UI, these are sections of the existing XTM Configuration Report, which also contains information about other device configuration settings.

BOVPN Gateway Configuration Report

• The BOVPN Gateway Configuration Report shows settings for the selected branch office VPN gateway.
• Click Report to see the report.
  - Click Show Tunnel Details to add tunnel details to the report.
  - Select HTML or Plain text format.
  - Save or Print the report.

BOVPN Tunnel Configuration Report

• The BOVPN Tunnel Configuration Report shows settings for the selected branch office VPN tunnel.
• Click Report to see the report.
  - Click Show Gateway Details to add gateway details to the report.
  - Select HTML or Plain text format.
  - Save or Print the report.

BOVPN Virtual Interface Configuration Report

• The BOVPN Virtual Interface Configuration Report shows settings for the selected BOVPN virtual interface.
• Click Report to see the report.
  - Select HTML or Plain text format.
  - Save or Print the report.

BOVPN Configuration Reports in the Web UI

• In the Web UI, reports are available for BOVPN gateways and tunnels.
  - Click Report to see the XTM Configuration Report in a new browser window, scrolled to the section for the tunnel or gateway you selected.
    - Make sure that your browser is configured to allow pop-ups for Fireware XTM Web UI.
  - This is the same report available from the System > Configuration File page.

VPN Global Settings Update

• The Global VPN setting Enable IPSec Pass-through has been renamed to clarify that this adds a policy to enable outbound IPSec traffic.
• The functionality of the new Add a Policy to enable outbound IPSec passthrough check box is unchanged.
  - When you select this option, a policy called WatchGuard IPSec is automatically generated.
  - This policy allows IPSec VPN clients on the trusted or optional networks to make outbound IPSec VPN connections.

Enable/Disable SSLv3 in HTTPS and SMTP Proxy Actions

Enable/Disable SSLv3 in HTTPS & SMTP Proxy Actions

• Vulnerabilities were recently discovered in the SSLv3 protocol (the POODLE vulnerability).
• You can now disable or enable SSLv3 in the HTTPS proxy action (Content Inspection) and the SMTP proxy action (TLS Encryption).
• SSLv3 and SSLv2 are disabled by default.

31-bit and 32-bit Subnet Mask Support

• You can now configure an external interface IP address with a /31 or /32 subnet mask.
  - /31 and /32 addresses are used to conserve IPv4 address space.
  - Supported in Mixed Routing mode only.
• 31-bit Subnet Mask (/31)
  - Supported for any external interface (physical, VLAN, Bridge, Link Aggregation).
  - Often used for point-to-point networks as described in RFC 3021.
• 32-bit Subnet Mask (/32)
  - Supported only for physical external interfaces.
  - Not supported for virtual interfaces (VLAN, Link Aggregation, Bridge).
    - A 32-bit subnet mask defines a network with only one IP address.
    - You cannot use a /32 subnet mask for a virtual external interface, because these interfaces do not support a gateway on a different subnet.

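An added Python check, not WatchGuard code, that applies the /31 and /32 rules above to an external interface definition: RFC 3021 host counting, the peer-as-gateway rule on a /31 link, the off-subnet gateway that a /32 interface necessarily has, and the restriction of /32 to physical interfaces in Mixed Routing mode. The interface type labels, the `mode` argument and the gateway checks for ordinary prefixes are assumptions made for the example.

```python
from ipaddress import ip_address, ip_interface
from typing import Tuple

VIRTUAL_INTERFACE_TYPES = {"vlan", "bridge", "link-aggregation"}   # assumed type labels


def usable_addresses(prefixlen: int) -> int:
    """Host addresses usable on an IPv4 subnet of the given prefix length.

    /31 follows RFC 3021: both addresses are hosts and there is no separate network or
    broadcast address. /32 is a single host address. Anything shorter loses two.
    """
    if not 0 <= prefixlen <= 32:
        raise ValueError("prefix length must be 0..32")
    if prefixlen == 32:
        return 1
    if prefixlen == 31:
        return 2
    return 2 ** (32 - prefixlen) - 2


def validate_external_interface(iface_type: str, address: str, gateway: str,
                                mode: str = "mixed-routing") -> Tuple[bool, str]:
    """Check an external interface address/mask and its default gateway against the
    v11.9.4 rules on the slide. Returns (ok, reason)."""
    iface = ip_interface(address)
    gw = ip_address(gateway)
    if iface.version != 4 or gw.version != 4:
        return False, "IPv4 only"
    net = iface.network
    plen = net.prefixlen
    if plen >= 31 and mode != "mixed-routing":
        return False, "/31 and /32 external interfaces are supported in mixed routing mode only"
    if plen == 32:
        if iface_type in VIRTUAL_INTERFACE_TYPES:
            return False, (f"/32 is not supported on a {iface_type} interface: "
                           "virtual interfaces cannot use a gateway on a different subnet")
        # The only address in a /32 is the interface itself, so the gateway is off-subnet.
        if gw == iface.ip:
            return False, "gateway must not be the interface address itself"
        return True, "ok: /32 single-host interface with an off-subnet gateway"
    if plen == 31:
        # RFC 3021 point-to-point link: the peer is simply the other address of the pair.
        peer = next(a for a in net if a != iface.ip)
        if gw != peer:
            return False, f"on a /31 point-to-point link the gateway must be the peer {peer}"
        return True, "ok: /31 point-to-point link (RFC 3021)"
    # Ordinary prefix: gateway must be a host address inside the subnet.
    if gw not in net:
        return False, "gateway must be inside the interface subnet"
    if gw in (net.network_address, net.broadcast_address):
        return False, "gateway cannot be the network or broadcast address"
    return True, "ok"


if __name__ == "__main__":
    for case in [("physical", "203.0.113.0/31", "203.0.113.1"),
                 ("vlan", "203.0.113.7/32", "198.51.100.1"),
                 ("physical", "203.0.113.7/32", "198.51.100.1")]:
        print(case, validate_external_interface(*case))
```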
Offline Signature Updates

Offline Signature Updates

• For security reasons, some customer environments require direct control over the distribution and installation of periodic signature updates for signature services such as Gateway AntiVirus, Intrusion Prevention, and Data Loss Prevention.
• WatchGuard now offers Offline Signature Updates, which enable you to download the latest signatures for these services directly from WatchGuard, and then use a special utility to manually install these files on your WatchGuard Firebox or XTM devices.
• A special set of credentials is required to access the signature update files from the WatchGuard servers. For more information, please contact your local WatchGuard representative.

Management Server Enhancements

Distribution IP Address List

• Change the order of IP addresses in the Distribution IP Address list.
• This feature is important for Management Tunnels, to make sure that the private IP address of the Management Server appears first in the list.

Expire Lease on Device Folder

• When you connect to your Management Server in WSM, you can now expire the lease on all the devices in these folders:
  - Filtered View > Pending
  - Any folder in the Devices tree
• Right-click the folder and select Expire Lease to expire the lease on all devices in that folder.

New Device Configuration Template Version

• The Management Server now includes a new version option for Device Configuration Templates.
• When you create a new template, select from these new options:
  - Fireware XTM v11.4-11.9.3
  - Fireware XTM v11.9.4 or later

Monitoring Enhancements

View VPN Statistics

• From the Fireware XTM Web UI System Status > VPN Statistics page, on the Branch Office VPN tab, you can see the statistics for the virtual interfaces and gateways configured for the Branch Office VPNs on your device.
• You can filter the page details to see only virtual interfaces, gateways, or both.
• You can also use the Search feature to locate an interface or gateway in the list.

View VPN Statistics

• Expand a gateway or virtual interface to see the active tunnels.
• Expand a tunnel to see statistics for that tunnel.
• Click Edit to go to the Branch Office VPN / Edit page for the selected gateway.
  - If the tunnel was created by the Management Server, the Edit button is not available.
• Click Rekey tunnel to rekey the selected tunnel.

View VPN Statistics

• Fireware XTM Web UI now includes statistics for all Mobile VPN types on one tab.
  - Select System Status > VPN Statistics.
  - Select the Mobile VPN tab.
  - Select the Mobile VPN type to show:
    - All
    - IPSec
    - SSL
    - PPTP
    - L2TP

View VPN Statistics

• For each Mobile VPN type that you select, a list of users for that tunnel type appears.
• Click a user to see statistics for that user.

Clear WebBlocker Cache

• From Firebox System Manager, clear the WebBlocker cache.
  - Select Tools > Clear WebBlocker Cache.
  - Supported for single Firebox or XTM devices and FireClusters.

View DNS Server Details

• When you configure the external interface on your device to use PPPoE, you can see the DNS server information in the Firebox status in the Web UI, WSM, and FSM.
  - Web UI — DASHBOARD > Interfaces > Detail
  - WSM — Device Status > Firebox Status > DNS Servers
  - FSM — Front Panel > DNS Servers

SNMP Enhancements

SNMP Enhancements

• You can now enable your device to use NAT for connections through the SNMP application layer gateway.
• When you enable this option, all SNMP connections are forced to use NAT.
• In the Web UI, select System > SNMP and select the Use NAT for connections through the SNMP application layer gateway check box.
• In Policy Manager, select Setup > SNMP and select the Use NAT for connections through the SNMP application layer gateway check box.

Other Enhancements

Other Enhancements

• You can now set the maximum time interval for failed FTP logins per connection in the FTP client and server proxy actions.
• You can now manage the Gateway Wireless Controller from the Command Line Interface (CLI).
• MAC address reservations for AP wireless devices are now limited to 256.

Support for New Firebox Models

Support for New Firebox Models

• WatchGuard System Manager v11.9.4 adds support for management of two new Firebox models.
  - Firebox M400
  - Firebox M500
• Fireware XTM OS v11.9.4 is the first OS update available for these models:
  - Firebox M400
  - Firebox M500
  - Firebox M440
  - Firebox T10-D

New Models — Firebox M400 and Firebox M500

• Firebox M400
  - 6x 1 Gb interfaces
  - 2x 1 Gb SFP ports
  - 150 to 350 users
  - Replaces XTM 525
• Firebox M500
  - 6x 1 Gb interfaces
  - 2x 1 Gb SFP ports
  - 350 to 750 users
  - Replaces XTM 535 and XTM 545
• SFP transceivers available as accessories
  - 1 Gb Fiber to Copper
  - 1 Gb Fiber

New Model — Firebox M440

• Support for Firebox M440 was added in v11.9.3.
  - 25 1 Gb interfaces, 8 with Power over Ethernet
  - 2 10 Gb SFP+ fiber interfaces (transceivers sold separately)

Firebox T10-D

• The Firebox T10-D is a DSL device.
  - Interface 0 is an ADSL/VDSL RJ11 interface.
  - DSL specifications:
    - VDSL2 8a, 8b, 8c, 8d, 12a, 12b, 17a, 30a profiles
    - ADSL1/2/2+
    - DSL mode: Annex A
    - DSL settings are automatically configured
  - There are no user-configurable DSL settings.
• The Firebox T10-D is supported only in Europe, Australia, and New Zealand.

Firebox T10-D ADSL

• ADSL service providers require the DSL device to use specific Virtual Path Identifier (VPI) and Virtual Circuit Identifier (VCI) settings.
  - The Firebox T10-D supports eight VPI/VCI combinations:
    - VPI = 0, VCI = 35
    - VPI = 0, VCI = 38
    - VPI = 0, VCI = 100
    - VPI = 1, VCI = 32
    - VPI = 8, VCI = 32
    - VPI = 8, VCI = 35
    - VPI = 8, VCI = 36
    - VPI = 8, VCI = 48
  - If the connection fails with these VPI/VCI settings, the Firebox automatically polls the ISP to try additional VPI/VCI combinations: 0/32, 0/33, 0/34, 0/50, 0/67, 1/33, 1/39, 1/50, 2/32, 8/67, 8/81, 14/24.
    - If the ISP disables ATM OAM F5 ping responses, automatic polling cannot use these alternate VPI/VCI combinations to establish a connection.
  - Work with your local WatchGuard Sales Engineer if you are interested in exploring and testing DSL configurations that are not supported by default.
• For a list of VPI and VCI settings required by some service providers see: Firebox T10-D VDSL and ADSL requirements by service provider

Firebox T10-D VDSL

• For VDSL, the external interface must use a VLAN ID specified by the ISP.
• To configure the required VLAN:
  - Add an external VLAN, with the VLAN ID and external network settings (PPPoE, static IP address, or DHCP).
  - Configure Interface 0 to send and receive tagged traffic for the external VLAN.
• For a list of VLAN IDs required by some service providers see: Firebox T10-D VDSL and ADSL requirements by service provider

Firebox T10-D DSL Status

• The Status Report tab in Firebox System Manager shows DSL status:
  - DSL link status
  - DSL mode
  - DSL firmware version
• The same status information is available with the CLI command diagnose hardware dsl

What Else is New?

VPN Troubleshooting Help

• New troubleshooting guides for Mobile VPN with IPSec, SSL, L2TP, and PPTP.
  - Tips to help resolve the most common mobile VPN configuration issues.
  - Find them in the WatchGuard System Manager Help and Fireware XTM Web UI Help for each mobile VPN type.

Additional Resources

Additional Resources

• Information about the new and enhanced features included in this release is available from these resources on the Product Documentation pages of the WatchGuard website:
  - From the Help systems:
    - WatchGuard System Manager Help — What’s New in This Release
    - Fireware XTM Web UI Help — What’s New in This Release
    - WatchGuard Dimension Help — What’s New in This Release
    - The What’s New in This Release topics also include information about features and enhancements for recent previous releases.
  - From the What’s New presentation:
    - What’s New in Fireware XTM v11.9.4

Thank You!