WatchGuard System Manager

Release Notes for WSM 8.0

Introduction

WatchGuard ® is pleased to release WatchGuard System Manager (WSM) 8.0. WSM is the next version of our unified management and monitoring software and delivers a host of new feature enhancements. One of the most significant advancements comes with availability of Fireware ™ Pro – the next generation security software system for the Firebox ® X Core and Firebox X Peak lines of security appliances. It represents the convergence of the WatchGuard Firebox System security capabilities with the WatchGuard Firebox Vclass advanced networking features.

New WatchGuard System Manager features

We made the VPN Manager Device view the default view for all the Firebox devices, log servers, and Management Servers in your network. From WatchGuard System Manager, you can start monitor and configuration tools such as Policy Manager, HostWatch, and the Firebox System Manager.

WatchGuard System Manager also includes:

„

Simple management of a network with more than one WatchGuard hardware platform:

„

„

• Firebox X Core

• Firebox X Edge (VPN management only)

• Firebox X Peak with Fireware Pro

• Firebox SOHO6 and Firebox SOHO6 Wireless (VPN management only)

• Firebox S6 and Firebox S6 Wireless (VPN management only)

A Management Server that operates on a Windows server instead of on a gateway Firebox. This solution is more scalable and flexible and lets you easily set up a large network with many offices and VPN tunnels.

Log messages in XML format.

Features introduced with Fireware Pro

The Fireware Pro appliance software improves WatchGuard’s ability to supply new features on the same hardware platform. Fireware Pro is available for all Firebox®X Core and Firebox X Peak devices. You can use

WatchGuard System Manager 8.0 to manage a Firebox with Fireware Pro appliance software. Fireware Pro is an upgrade for the Firebox X Core model line. Features of Fireware Pro include:

„

„

„

„

„

„

„

„

Enhancements to the Gateway AntiVirus service such as a feature to examine outgoing messages, to lock attachments with suspicious content, and better reports

Interface independence

Signature-based intrusion prevention with stateful signature matching

Multi-WAN for more flexibility and network connection time

Dynamic routing of these protocols: BGP, OSPF, RIPv1 and v2

Quality of Service (QoS) which uses “virtual pipes” to regulate the traffic to align with your business requirements

Support for Active Directory and LDAP authentication servers

Enhanced policy management interface for support of Fireware Pro features, and more granular control of your security policy

RELEASE NOTES MAY 12, 2005 PAGE 1

WATCHGUARD SYSTEM MANAGER WSM 8.0

„

Support for SNMP to monitor important device statistics. You can also transmit SNMP traps to SNMP servers.

For more information or to purchase the upgrade for a Firebox X Core device, contact your reseller or browse to the WatchGuard Web site.

Enhancements to WFS appliance software

The WatchGuard System Manager 8.0 includes WFS 7.4 appliance software. This version has two important features.

„

„

WSM 8.0 uses a Management Server that operates on a Windows server instead of on a gateway Firebox.

This allows for much more scalability and flexibility when you set up a large network with many locations.

The Log Server saves log messages in an XML format.

Changes in WFS Appliance Software 7.3 to 7.4

WatchGuard released the final version of WFS 7.3 on December 23, 2004. WatchGuard System Manager includes the WFS 7.4. This is the WFS 7.3 appliance software with some minor differences.

„

„

„

„

„

„

„

„

WFS 7.4 includes the SYNFlood (Hotfix 050209) and Link Negotiation (Hotfix 050216).

WFS 7.4 does not include the PPPoE (Hotfix 050330) hotfix. You can not install this hotfix on WFS 7.4. If you installed the hotfix and upgrade your device to WFS 7.4, you no longer have the corrections to the problems identified and resolved with this hotfix.

[5517]

WFS 7.4 does not include the Gateway AntiVirus for E-mail Engine Update version 0.8, 1.0.1. You can not install this update on WFS 7.4. If you installed the update and upgrade your device to WFS 7.4, your device will use the original Gateway AntiVirus for E-mail Engine.

WFS 7.4 requires that you move your DVCP server from the Firebox to a computer.

WFS 7.4 does not support Basic DVCP.

The Management Server is the computer you use as the DVCP server. It can not be a Firebox.

The VPN Manager is now known as the WatchGuard System Manager.

You can not use the WatchGuard System Manager to connect to a Firebox DVCP server with WFS 7.3 or earlier firmware. The WSM will only connect to WSM 8.0 DVCP servers. It will also connect directly to

Firebox devices with WFS 7.4 or Fireware 8.0 firmware.

Technical Assistance

For technical assistance, please contact WatchGuard Technical Support via telephone (see the numbers in the table below) or check the website at http://www.watchguard.com/support . When contacting Technical Support, please have your registered LiveSecurity® key, serial number, or Partner ID ready.

U.S. End Users

International End User

Authorized WatchGuard Resellers

Phone Number

877.232.3531

+1.206.613.0456

206.521.8375

RELEASE NOTES MAY 12, 2005 PAGE 2

WATCHGUARD SYSTEM MANAGER

Installation and Upgrade

WSM 8.0

Before installing the WatchGuard System Manager software, please read the information in the Known Issues section.

If you are migrating a DVCP server to a WSM 8.0 Management Server

Make sure you obtain the WatchGuard System Manager 8.0 HF050505WSM80 hotfix to correct an error that occurs when you migrate an existing DVCP server to the new WSM 8.0 Management Server. (You do not need this hotfix if you plan to set up a new Management Server instead of migrating a previous one, or if you do not want to use the WSM 8.0 Management Server.)

Also, you must have your VPN Manager license before you can migrate a DVCP server to a Management

Server. You can use a VPN Manager license or a WatchGuard System Manager license to increase the total number of devices managed by the Management Server.

To get and install the WSM 8.0 management station software

Use the instructions in the WSM 8.0 Upgrade Guide to install this release. You can find the Upgrade Guide posted on your LiveSecurity site at the same location as the software download and these Release Notes.

To get and install the MUVPN 7.3 client software

Follow the instructions in the MUVPN 7.3 release notes which are posted on your LiveSecurity site. This is not a new release. You do not need to upgrade your client computers.

To get and install Fireware Pro appliance software

Fireware Pro is available as an upgrade to the WatchGuard System Manager. Speak to your reseller or browse to the WatchGuard Web site for more information.

Platform Compatibility

Software Component

Fireware 8.0 Appliance Software

Install On

Firebox X500, X700, X1000, X2500, X5000, X6000, X8000

WFS 7.4 Appliance Software Firebox X500, X700, X1000, X2500, Firebox III

WatchGuard System Manager 8.0 Windows 2000 Professional, Windows 2000 Server, Windows XP Professional, Windows 2003 Server

Server Components Windows 2000 Professional, Windows 2000 Server, Windows XP Professional, Windows 2003 Server

WSM 8.0 System Requirements

Minimum required platform:

Pentium-III, 750MHz CPU

394MB RAM

300MB disk space for software (no data)

Recommended platform: Pentium-IV 1GHz

512MB RAM

300MB disk space for software

10+ GB for application data (logs)

RELEASE NOTES MAY 12, 2005 PAGE 3

WATCHGUARD SYSTEM MANAGER

Before You Start

„

„

„

„

„

„

This software release is an important step forward for WatchGuard management software and appliance firmware. There are significant changes and enhancements to the software you install on the management station. We also introduce the new, next generation firmware for the Firebox X called Fireware 8.0.

Please read the Known Issues and Limitations section below for important information about limits to this release. You can also learn more about known issues and methods to avoid these possible issues.

Before you install this release, make sure that you have:

One or more Firebox III, Firebox X Core and Firebox X Peak devices

An Ethernet cable

The installation software for the management station

The documentation we include to help you install and use this product

A backup copy your current WFS 7.x configuration file

A full backup of the Firebox X WFS image

WSM 8.0

Known Issues and Limitations

The following are known issues with this release of the WatchGuard System Manager. Where available, we include a way to work around the issue.

Upgrade

„

The Management Server Setup Wizard can not convert all the Basic DVCP tunnels that you have in your network. It can only convert the tunnels that use the gateway Firebox as one of the endpoints. Tunnels which do not use the DVCP server as an endpoint do not appear in the Management Server after you migrate. For more information, see the WSM 8.0 Upgrade Instructions.

[4888]

WatchGuard System Manager

„

„

The certificate information for your gateway Firebox does not appear in WatchGuard System Manager until you select Update Device for that appliance.

[403]

When you install an additional WatchGuard server component on a management station, the new server does not appear in the toolbar.

[4616]

Workaround: Disable the WatchGuard toolbar, and then enable the toolbar again.

Management Server

„

„

„

„

The time on the computer which you use for WatchGuard servers (Log Server, WebBlocker Server, and

Management Server) must be the same as the Firebox device(s) which connects to them. We recommend that you use network time protocol (NTP) to do this.

[5356, 3464, 5585]

If you frequently update Managed Firebox Clients, your CRL can get large. You can use the CA manager to delete old entries.

[5563]

You can only set the Key Bits property for Client Certificates with the Management Server Configuration

Wizard.

[3980]

On the Management Server, you can enter an invalid value for the Publication Interval of the Certificate

Revocation List.

[3996]

Workaround: Only use positive integers for the Publication Interval setting.

RELEASE NOTES MAY 12, 2005 PAGE 4

WATCHGUARD SYSTEM MANAGER

„

WSM 8.0

In some conditions, a managed Firebox can not connect to the Management Server. This can occur if the

Firebox does not download the certificate correctly.

[4401]

Workaround: Change the Management Server Distribution IP Address and update the Firebox client.

Virtual Private Networking, DVCP, Management Server

„

In some conditions, Internet Explorer 5.0 can not open the WatchGuard Certificate Authority Web page.

[3714]

Logging

„

The Roll Log Files by File Size and Roll Log Files by Time Interval options do not work correctly. The Log

Server rolls the log file at intervals which do not match the values you set for these features.

[5615]

„

The tool to convert log files from WFS 7.x format to XML does not convert all log messages. It only converts log messages that the system uses for Historical Reports or LogViewer.

[301]

Feedback

To provide input about the software, documentation, or help systems associated with this release, we encourage you to contact us at any time at [email protected]

. We look forward to hearing your feedback and comments.

RELEASE NOTES MAY 12, 2005 PAGE 5