Fireware v11.12.4 Release Notes
Supported Devices
Firebox T10, T30, T50, T70, M200, M300, M370, M400, M440, M470, M500, M570, M670, M4600, M5600
XTM 3, 5, 8, 800, 1500, and 2500 Series
XTM 25, XTM 26, XTM 1050, XTM 2050
FireboxV, XTMv, Firebox Cloud, WatchGuard AP
Release Date: 7 June 2017
Release Notes Revision: 6 September 2017
Fireware OS Build: 532064
WatchGuard System Manager Build: 532064
WatchGuard AP Device Firmware:
- For AP100, AP102, AP200: Build 1.2.9.12
- For AP300: Build 2.0.0.7
- For AP120, AP320, AP322: Build 8.0.581
Introduction
WatchGuard is pleased to announce the release of Fireware v11.12.4 and WatchGuard System Manager
v11.12.4. In addition to resolving many outstanding bugs, this release also delivers these new features and
functions for our Firebox users:
- Support for new Firebox M370, M470, M570, M670 models - Released on 15 August
- APT Blocker region selection to meet the requirements of EU customers who want data to remain in
Europe
- The Explicit Proxy has now been tested and verified to work with Chromebooks managed by the Google
Admin console, as documented in the new updated Explicit Proxy with Chromebook Integration Guide,
on the WatchGuard Technology Partners page
- Improved log messages for HTTPS-proxy and SMTP-proxy SSL negotiation errors
- Support for new AP420 devices - Coming soon!
- Gateway Wireless Controller enhancements, as well as FireCluster support for many Gateway Wireless
Controller features
- ConnectWise FireCluster Monitoring and Company ID lookup
- Ability to manage Firebox Cloud with Dimension
For more information on the feature updates and bug fixes in this release, see the Enhancements and Resolved
Issues section. For more detailed information about the feature enhancements and functionality changes
included in Fireware v11.12.4, see Fireware Help or review What's New in Fireware v11.12.4.
Important Information about Firebox Certificates
SHA-1 is being deprecated by many popular web browsers, and WatchGuard recommends that you now use
SHA-256 certificates. Because of this, we have upgraded our default Firebox certificates. Starting with
Fireware v11.10.4, all newly generated default Firebox certificates use a 2048-bit key length. In addition, newly
generated default Proxy Server and Proxy Authority certificates use SHA-256 for their signature hash
algorithm. Starting with Fireware v11.10.5, all newly generated default Firebox certificates use SHA-256 for
their signature hash algorithm. New CSRs created from the Firebox also use SHA-256 for their signature hash
algorithm.
Default certificates are not automatically upgraded after you install Fireware v11.10.5 or later releases.
To regenerate any default Firebox certificates, delete the certificate and reboot the Firebox. If you want to
regenerate default certificates without a reboot, you can use the CLI commands described in the next section.
Before you regenerate the Proxy Server or Proxy Authority certificate, there are some important things to
know.
The Proxy Server certificate is used for inbound HTTPS with content inspection and SMTP with TLS
inspection. The Proxy Authority certificate is used for outbound HTTPS with content inspection. The two
certificates are linked because the default Proxy Server certificate is signed by the default Proxy Authority
certificate. If you use the CLI to regenerate these certificates, after you upgrade, you must redistribute the new
Proxy Authority certificate to your clients or users will receive web browser warnings when they browse
HTTPS sites, if content inspection is enabled.
Also, if you use a third-party Proxy Server or Proxy Authority certificate:
- The CLI command will not work unless you first delete either the Proxy Server or Proxy Authority
certificate. The CLI command will regenerate both the Proxy Server and Proxy Authority default
certificates.
- If you originally used a third-party tool to create the CSR, you can simply re-import your existing
third-party certificate and private key.
- If you originally created your CSR from the Firebox, you must create a new CSR to be signed, and then
import a new third-party certificate.
CLI Commands to Regenerate Default Firebox Certificates
To regenerate any default Firebox certificates, delete the certificate and reboot the Firebox. If you want to
regenerate default certificates without a reboot, you can use these CLI commands:
- To upgrade the default Proxy Authority and Proxy Server certificates for use with HTTPS content
inspection, you can use the CLI command: upgrade certificate proxy
- To upgrade the Firebox web server certificate, use the CLI command: upgrade certificate web
- To upgrade the SSLVPN certificate, use the CLI command: upgrade certificate sslvpn
- To upgrade the 802.1x certificate, use the CLI command: upgrade certificate 8021x
For more information about the CLI, see the Command Line Interface Reference.
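A practitioner-side check for the points above, as an added example that is not WatchGuard's code: it audits certificates against the SHA-256 and 2048-bit baseline and confirms which Proxy Authority actually signed a Proxy Server certificate, which is why clients need the new Proxy Authority after regeneration. It assumes the Python `cryptography` package is installed; the certificates it builds are constructed stand-ins with made-up names, not the Firebox's real default certificates.

```python
"""Audit default-certificate hygiene as described above: SHA-256 signature hash,
2048-bit RSA key, and the Proxy Server -> Proxy Authority signing link.
Constructed example for these release notes, not WatchGuard code."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

MIN_RSA_BITS = 2048                      # default key length since Fireware v11.10.4
WEAK_SIGNATURE_HASHES = (hashes.SHA1, hashes.MD5)


def audit_certificate(cert):
    """Return a list of findings; an empty list means the certificate meets the baseline."""
    findings = []
    sig_hash = cert.signature_hash_algorithm
    if sig_hash is None or isinstance(sig_hash, WEAK_SIGNATURE_HASHES):
        shown = sig_hash.name if sig_hash is not None else "unknown"
        findings.append(f"signature hash is {shown}; regenerate to get SHA-256")
    key = cert.public_key()
    if isinstance(key, rsa.RSAPublicKey) and key.key_size < MIN_RSA_BITS:
        findings.append(f"RSA key is {key.key_size} bits; regenerate to get {MIN_RSA_BITS}")
    return findings


def is_signed_by(cert, issuer):
    """True when `issuer` really signed `cert` (RSA PKCS#1 v1.5), i.e. a client that
    trusts `issuer` accepts `cert` without a browser warning."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
    except (InvalidSignature, ValueError):
        # a signature that does not match the issuer key (length included) is a failure
        return False
    return True


def make_cert(cn, key, issuer_cn, issuer_key, hash_alg, is_ca=False):
    """Build a minimal certificate for `key`, signed by `issuer_key` using `hash_alg`."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hash_alg)


def build_demo():
    """Constructed stand-in (made-up names, not the Firebox's real defaults) for a box
    upgraded past v11.10.5 that never regenerated its certificates, followed by the
    pair that `upgrade certificate proxy` would recreate.  The regenerated Proxy
    Authority keeps the same name but has a new key, so the old copy on clients
    no longer validates the new Proxy Server certificate."""
    ca_name, srv_name = "Proxy Authority (constructed)", "Proxy Server (constructed)"

    old_ca_key = rsa.generate_private_key(65537, 1024)      # pre-v11.10.4 style key
    old_ca = make_cert(ca_name, old_ca_key, ca_name, old_ca_key, hashes.SHA1(), is_ca=True)
    old_srv = make_cert(srv_name, rsa.generate_private_key(65537, 1024), ca_name,
                        old_ca_key, hashes.SHA1())

    new_ca_key = rsa.generate_private_key(65537, 2048)
    new_ca = make_cert(ca_name, new_ca_key, ca_name, new_ca_key, hashes.SHA256(), is_ca=True)
    new_srv = make_cert(srv_name, rsa.generate_private_key(65537, 2048), ca_name,
                        new_ca_key, hashes.SHA256())

    return {
        "legacy_findings": audit_certificate(old_ca) + audit_certificate(old_srv),
        "regenerated_findings": audit_certificate(new_ca) + audit_certificate(new_srv),
        "new_server_trusted_by_old_ca": is_signed_by(new_srv, old_ca),
        "new_server_trusted_by_new_ca": is_signed_by(new_srv, new_ca),
    }


if __name__ == "__main__":
    for name, value in build_demo().items():
        print(f"{name}: {value}")
```

To audit a real Firebox, export its certificates and load them with `x509.load_pem_x509_certificate()` instead of calling `build_demo()`.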
WatchGuard Technologies, Inc.
Before You Begin
Before you install this release, make sure that you have:
- A supported WatchGuard Firebox or XTM device. This device can be a WatchGuard Firebox T10, T30,
T50, T70, XTM 2 Series (models 25 and 26 only), 3 Series, 5 Series, 8 Series, 800 Series, XTM 1050,
XTM 1500 Series, XTM 2050 device, XTM 2500 Series, Firebox M200, M300, M370, M400, M440,
M470, M500, M570, M670, M4600, M5600. You can also use this version of Fireware on FireboxV or
XTMv (any edition), and Firebox Cloud for AWS.
- The required hardware and software components as shown below. If you use WatchGuard System
Manager (WSM), make sure your WSM version is equal to or higher than the version of Fireware OS
installed on your Firebox or XTM device and the version of WSM installed on your Management Server.
- Feature key for your Firebox or XTM device — If you upgrade your device from an earlier version of
Fireware OS, you can use your existing feature key. If you do not have a feature key for your device, you
can log in to the WatchGuard website to download it.
Note that you can install and use WatchGuard System Manager v11.12.x and all WSM server components with
devices running earlier versions of Fireware v11.x. In this case, we recommend that you use the product
documentation that matches your Fireware OS version.
If you have a new Firebox or XTM physical device, make sure you use the instructions in the Quick Start Guide
that shipped with your device. If this is a new FireboxV or XTMv installation, make sure you carefully review
Fireware Help for important installation and setup instructions. We also recommend that you review the
Hardware Guide for your Firebox or XTM device model. The Hardware Guide contains useful information about
your device interfaces, as well as information on resetting your device to factory default settings, if necessary.
Product documentation for all WatchGuard products is available on the WatchGuard web site at
http://www.watchguard.com/wgrd-help/documentation/overview.
Localization
This release includes localized management user interfaces (WSM application suite and Web UI) current as of
Fireware v11.11. UI changes introduced since v11.11 may remain in English. Supported languages are:
- French (France)
- Japanese
- Spanish (Latin American)
Note that most data input must still be made using standard ASCII characters. You can use non-ASCII
characters in some areas of the UI, including:
- Proxy deny message
- Wireless hotspot title, terms and conditions, and message
- WatchGuard Server Center users, groups, and role names
Any data returned from the device operating system (e.g. log data) is displayed in English only. Additionally, all
items in the Web UI System Status menu and any software components provided by third-party companies
remain in English.
Fireware Web UI
The Web UI will launch in the language you have set in your web browser by default.
WatchGuard System Manager
When you install WSM, you can choose what language packs you want to install. The language displayed in
WSM will match the language you select in your Microsoft Windows environment. For example, if you use
Windows 7 and want to use WSM in Japanese, go to Control Panel > Regions and Languages and select
Japanese on the Keyboards and Languages tab as your Display Language.
Dimension, WebCenter, Quarantine Web UI, and Wireless Hotspot
These web pages automatically display in whatever language preference you have set in your web browser.
Documentation
Localization updates are also available for Fireware Help, available on the WatchGuard website or as context-sensitive Help from the localized user interfaces.
Fireware and WSM v11.12.4 Operating System Compatibility
Last revised: 7 June 2017
Platforms covered by the compatibility table:
- Microsoft Windows 7, 8, 8.1, 10 (32-bit & 64-bit)
- Microsoft Windows Server 2012 & 2012 R2 (64-bit)
- Microsoft Windows Server 2016 (64-bit)
- Mac OS X v10.9, v10.10, v10.11 & v10.12
- Android 4.x & 5.x
- iOS v7, v8, v9, & v10
WSM/Fireware components covered by the compatibility table:
- WatchGuard System Manager
- WatchGuard Servers (for information on WatchGuard Dimension, see the Dimension Release Notes)
- Single Sign-On Agent (includes Event Log Monitor) [1]
- Single Sign-On Client
- Single Sign-On Exchange Monitor [2]
- Terminal Services Agent [3]
- Mobile VPN with IPSec [4]
- Mobile VPN with SSL
Notes about Microsoft Windows support:
- Windows 8.x support does not include Windows RT.
The following browsers are supported for both Fireware Web UI and WebCenter (Javascript required):
- IE 11 and later
- Microsoft Edge
- Firefox v22 and later
- Safari 6 and later
- Safari iOS 6 and later
- Chrome v29 and later
1. The Server Core installation option is supported for Windows Server 2016.
2. Microsoft Exchange Server 2007 and 2010 are supported. Microsoft Exchange Server 2013 is supported if you
install Windows Server 2012 or 2012 R2 and .NET Framework 3.5.
3. Terminal Services support with manual or Single Sign-On authentication operates in a Microsoft Terminal
Services or Citrix XenApp 4.5, 5.0, 6.0, 6.5, 7.6, or 7.12 environment.
4. Native (Cisco) IPSec client and OpenVPN are supported for Mac OS and iOS. For Mac OS X 10.8 -10.12, we
also support the WatchGuard IPSec Mobile VPN Client for Mac, powered by NCP.
Authentication Support
This table gives you a quick view of the types of authentication servers supported by key features of Fireware.
Using an authentication server gives you the ability to configure user and group-based firewall and VPN policies
in your Firebox or XTM device configuration. With each type of third-party authentication server supported, you
can specify a backup server IP address for failover.
Table cells are marked as one of: Fully supported by WatchGuard; Not yet supported, but tested with success by
WatchGuard customers; –; N/A.
Authentication server types (table columns):
- Firebox (Firebox-DB) Local Authentication
- Active Directory [1]
- LDAP
- RADIUS [2]
- SecurID [2]
Fireware features (table rows):
- Mobile VPN with IPSec/Shrew Soft [3]
- Mobile VPN with IPSec/WatchGuard client (NCP)
- Mobile VPN with IPSec for iOS and Mac OS X native VPN client
- Mobile VPN with IPSec for Android devices
- Mobile VPN with SSL for Windows [4]
- Mobile VPN with SSL for Mac
- Mobile VPN with SSL for iOS and Android devices [6]
- Mobile VPN with L2TP
- Mobile VPN with PPTP
- Built-in Authentication Web Page on Port 4100
- Single Sign-On Support (with or without client software)
- Terminal Services Manual Authentication
- Terminal Services Authentication with Single Sign-On [5]
- Citrix Manual Authentication
- Citrix Manual Authentication with Single Sign-On [5]
1. Active Directory support includes both single domain and multi-domain support, unless otherwise noted.
2. RADIUS and SecurID support includes support for both one-time passphrases and challenge/response
authentication integrated with RADIUS. In many cases, SecurID can also be used with other RADIUS
implementations, including Vasco.
3. The Shrew Soft client does not support two-factor authentication.
4. Fireware supports RADIUS Filter ID 11 for group authentication.
5. Both single and multiple domain Active Directory configurations are supported. For information about the
supported Operating System compatibility for the WatchGuard TO Agent and SSO Agent, see the current
Fireware and WSM Operating System Compatibility table.
6. Active Directory authentication methods are supported only through a RADIUS server.
System Requirements
                                    If you have WatchGuard System     If you install WatchGuard System
                                    Manager client software only      Manager and WatchGuard Server
                                    installed                         software
Minimum CPU                         Intel Core or Xeon 2GHz           Intel Core or Xeon 2GHz
Minimum Memory                      1 GB                              2 GB
Minimum Available Disk Space        250 MB                            1 GB
Minimum Recommended Screen          1024x768                          1024x768
Resolution
FireboxV System Requirements
With support for installation in both a VMware and a Hyper-V environment, a WatchGuard FireboxV virtual
machine can run on a VMware ESXi 5.5, 6.0, or 6.5 host, or on Windows Server 2012 R2 or 2016, or Hyper-V
Server 2012 R2 or 2016.
The hardware requirements for FireboxV are the same as for the hypervisor environment it runs in.
Each FireboxV virtual machine requires 5 GB of disk space. CPU and memory requirements vary by model:
FireboxV Model    vCPUs (maximum)    Memory (recommended)
Small             2                  1024 MB
Medium            4                  2048 MB
Large             8                  4096 MB
Extra Large       16                 4096 MB
System requirements for XTMv are included in Fireware Help.
Downloading Software
You can download software from the WatchGuard Software Downloads Center.
There are several software files available for download with this release. See the descriptions below so you
know what software packages you will need for your upgrade.
WatchGuard System Manager
With this software package you can install WSM and the WatchGuard Server Center software:
- WSM11_12_4.exe — Use this file to install WSM v11.12.4 or to upgrade WatchGuard System Manager
from an earlier version to WSM v11.12.4.
Fireware OS
If your Firebox is running Fireware v11.10 or later, you can upgrade the Fireware OS on your Firebox
automatically from the Fireware Web UI System > Upgrade OS page.
If you prefer to upgrade from Policy Manager, or from an earlier version of Fireware, you can download the
Fireware OS image for your Firebox or XTM device. Use the .exe file if you want to install or upgrade the OS
using WSM. Use the .zip file if you want to install or upgrade the OS manually using Fireware Web UI. Use the
.ova or .vhd file to deploy a new XTMv device.
If you have…                           Select from these Fireware OS packages
Firebox M5600                          Firebox_OS_M4600_M5600_11_12_4.exe, firebox_M4600_M5600_11_12_4.zip
Firebox M4600                          Firebox_OS_M4600_M5600_11_12_4.exe, firebox_M4600_M5600_11_12_4.zip
XTM 2500 Series                        XTM_OS_XTM800_1500_2500_11_12_4.exe, xtm_xtm800_1500_2500_11_12_4.zip
XTM 2050                               XTM_OS_XTM2050_11_12_4.exe, xtm_xtm2050_11_12_4.zip
XTM 1500 Series                        XTM_OS_XTM800_1500_2500_11_12_4.exe, xtm_xtm800_1500_2500_11_12_4.zip
XTM 1050                               XTM_OS_XTM1050_11_12_4.exe, xtm_xtm1050_11_12_4.zip
XTM 800 Series                         XTM_OS_XTM800_1500_2500_11_12_4.exe, xtm_xtm800_1500_2500_11_12_4.zip
XTM 8 Series                           XTM_OS_XTM8_11_12_4.exe, xtm_xtm8_11_12_4.zip
Firebox M500                           Firebox_OS_M400_M500_11_12_4.exe, firebox_M400_M500_11_12_4.zip
XTM 5 Series                           XTM_OS_XTM5_11_12_4.exe, xtm_xtm5_11_12_4.zip
Firebox M670                           Firebox_OS_M370_M470_M570_M670_11_12_4.exe, firebox_M370_M470_M570_M670_11_12_4.zip
Firebox M570                           Firebox_OS_M370_M470_M570_M670_11_12_4.exe, firebox_M370_M470_M570_M670_11_12_4.zip
Firebox M470                           Firebox_OS_M370_M470_M570_M670_11_12_4.exe, firebox_M370_M470_M570_M670_11_12_4.zip
Firebox M440                           Firebox_OS_M440_11_12_4.exe, firebox_M440_11_12_4.zip
Firebox M400                           Firebox_OS_M400_M500_11_12_4.exe, firebox_M400_M500_11_12_4.zip
Firebox M370                           Firebox_OS_M370_M470_M570_M670_11_12_4.exe, firebox_M370_M470_M570_M670_11_12_4.zip
Firebox M300                           Firebox_OS_M200_M300_11_12_4.exe, firebox_M200_M300_11_12_4.zip
Firebox M200                           Firebox_OS_M200_M300_11_12_4.exe, firebox_M200_M300_11_12_4.zip
XTM 330                                XTM_OS_XTM330_11_12_4.exe, xtm_xtm330_11_12_4.zip
XTM 33                                 XTM_OS_XTM3_11_12_4.exe, xtm_xtm3_11_12_4.zip
XTM 2 Series (Models 25, 26)           XTM_OS_XTM2A6_11_12_4.exe, xtm_xtm2a6_11_12_4.zip
Firebox T70                            Firebox_OS_T70_11_12_4.exe, firebox_T70_11_12_4.zip
Firebox T50                            Firebox_OS_T30_T50_11_12_4.exe, firebox_T30_T50_11_12_4.zip
Firebox T30                            Firebox_OS_T30_T50_11_12_4.exe, firebox_T30_T50_11_12_4.zip
Firebox T10                            Firebox_OS_T10_11_12_4.exe, firebox_T10_11_12_4.zip
FireboxV (all editions for VMware)     FireboxV_11_12_4.ova, XTM_OS_FireboxV_11_12_4.exe, xtm_FireboxV_11_12_4.zip
FireboxV (all editions for Hyper-V)    FireboxV_11_12_4_vhd.zip, XTM_OS_FireboxV_11_12_4.exe, xtm_FireboxV_11_12_4.zip
XTMv (all editions for VMware)         xtmv_11_12_4.ova, XTM_OS_xtmv_11_12_4.exe, xtm_xtmv_11_12_4.zip
XTMv (all editions for Hyper-V)        xtmv_11_12_4_vhd.zip, XTM_OS_XTMv_11_12_4.exe, xtm_xtmv_11_12_4.zip
Firebox Cloud                          firebox_FireboxCloud_11_12_4.zip
Single Sign-On Software
These files are available for Single Sign-On.
- WG-Authentication-Gateway_11_12_2.exe (SSO Agent software - required for Single Sign-On and
includes optional Event Log Monitor for clientless SSO)
- WG-Authentication-Client_11_12_2.msi (SSO Client software for Windows)
- WG-SSOCLIENT-MAC_11_12_2.dmg (SSO Client software for Mac OS X)
- SSOExchangeMonitor_x86_11_11_2.exe (Exchange Monitor for 32-bit operating systems)
- SSOExchangeMonitor_x64_11_11_2.exe (Exchange Monitor for 64-bit operating systems)
For information about how to install and set up Single Sign-On, see the product documentation.
Terminal Services Authentication Software
This file was updated with the Fireware v11.12 release.
- TO_AGENT_SETUP_11_12.exe (This installer includes both 32-bit and 64-bit file support.)
Mobile VPN with SSL Client for Windows and Mac
There are two files available for download if you use Mobile VPN with SSL; both are updated with this
release:
- WG-MVPN-SSL_11_12_4.exe (Client software for Windows)
- WG-MVPN-SSL_11_12_4.dmg (Client software for Mac)
Mobile VPN with IPSec client for Windows and Mac
There are several available files to download.
Shrew Soft Client
- Shrew Soft Client 2.2.2 for Windows - No client license required.
WatchGuard IPSec Mobile VPN Clients
The current WatchGuard IPSec Mobile VPN Client for Windows is version 12.10.
- WatchGuard IPSec Mobile VPN Client for Windows (32-bit), powered by NCP - There is a
license required for this premium client, with a 30-day free trial available with download.
- WatchGuard IPSec Mobile VPN Client for Windows (64-bit), powered by NCP - There is a
license required for this premium client, with a 30-day free trial available with download.
This release includes an update to the IPSec Mobile VPN Client for Mac OS X. The updated Mac OS X client
remains version 2.0.5.
- WatchGuard IPSec Mobile VPN Client for Mac OS X, powered by NCP - There is a license
required for this premium client, with a 30-day free trial available with download.
WatchGuard Mobile VPN License Server
- WatchGuard Mobile VPN License Server (MVLS) v2.0, powered by NCP - Click here for more
information about MVLS.
Upgrade Notes
In addition to new features, there are other changes that affect the functionality of several existing features in
ways that you need to understand before you upgrade to v11.12 or higher. In this section, we review the impact
of some of these changes. For more information, see the What's New presentation for each release or Fireware
Help.
Gateway Wireless Controller and AP Device Security
Fireware v11.12.2 includes updates to the Gateway Wireless Controller to improve AP device security. Some
of these changes require that you take action after you upgrade so that all AP devices are trusted and use
secure passphrases.
Gateway Wireless Controller now creates trust records for each AP device
Beginning with Fireware v11.12.2, to help prevent potential security issues from the use of factory reset,
unauthorized, or compromised AP devices in your deployment, the Gateway Wireless Controller now
creates trust records for each AP device. The Gateway Wireless Controller will not communicate with
an AP device that has no trust record. Wireless data functions will continue to work for a previously
configured AP device, but the Gateway Wireless Controller will not manage or monitor an AP device
with no trust record.
After the upgrade to Fireware v11.12.2, existing AP120, AP320, and AP322 devices in your deployment
will be automatically trusted.
After you upgrade to Fireware v11.12.2 you must manually trust any current AP100/102,
AP200, and AP300 devices in your deployment.
You must always trust your AP devices again if they are reset to factory default settings or if you reset
the trust store.
Secure Global AP Passphrase
Beginning with Fireware v11.12.2, the minimum length for the global AP passphrase is 8 characters. In
addition, the previous default AP passphrases (wgwap and watchguard) are no longer valid.
After you upgrade to Fireware v11.12.2, your previous global AP passphrase is maintained. If
your existing configuration uses the default passphrases or if the global AP passphrase is
shorter than 8 characters, you must choose a new global AP passphrase, or use the new
automatic AP passphrase security feature before you can save the Gateway Wireless
Controller configuration.
Automatic AP Passphrase Management
To increase security and improve passphrase management, the Gateway Wireless Controller can now
automatically create unique random passphrases for each AP device. This feature is disabled by
default. If you want to enable automatic AP passphrase management, you must disable the manual
global AP passphrase.
Blocked Sites Exceptions
When you upgrade the Firebox to Fireware v11.12.2 or higher, FQDNs for WatchGuard servers are
automatically added to the Blocked Sites Exceptions list in the configuration on the Firebox.
If you use Policy Manager to upgrade the Firebox, you must manually reload the configuration
from the Firebox in Policy Manager after the upgrade completes. This is to make sure that the
configuration in Policy Manager includes the Blocked Sites Exceptions that were added to the
Firebox as part of the upgrade.
If you use Policy Manager to open a configuration file that was created before the Firebox was upgraded to
v11.12.2, and then save that configuration file to the Firebox, the old blocked sites configuration overwrites the
configuration on the Firebox, and FQDNs for WatchGuard servers are no longer on the Blocked Sites
Exceptions List.
TCP Port 4100 and the WatchGuard Authentication Policy
Beginning with Fireware v11.12, TCP port 4100 is used only for firewall user authentication. In earlier versions,
a WatchGuard Authentication policy was automatically added to your configuration file when you enabled
Mobile VPN with SSL. This policy allowed traffic over port 4100 and included the alias Any-External in the
policy From list. In Fireware v11.12, when you enable Mobile VPN with SSL, this policy is no longer created.
When you upgrade to Fireware v11.12, the External alias will be removed from your WatchGuard
Authentication policy in the configuration on the Firebox, even if you had manually added the alias previously
and regardless of whether Mobile VPN with SSL is enabled.
If you use Policy Manager to upgrade the Firebox, you must manually reload the configuration
from the Firebox in Policy Manager after the upgrade completes to avoid adding the alias back
with a subsequent configuration save (since Policy Manager is an offline configuration tool).
The Mobile VPN with SSL authentication and software download pages are no longer accessible at port 4100.
See Fireware Help for more information.
Setup Wizard Default Policies and Settings
You use the Web Setup Wizard or WSM Quick Setup Wizard to set up a Firebox with a basic configuration.
Beginning with Fireware v11.12, the setup wizards configure policies and enable most Subscription Services to
provide better security by default.
In Fireware v11.12 and higher, the setup wizards:
- Configure FTP-proxy, HTTP-proxy, HTTPS-proxy policies
- Configure DNS and Outgoing packet-filter policies
- Enable licensed security services — Application Control, Gateway AntiVirus, WebBlocker, Intrusion
Prevention Service, Reputation Enabled Defense, Botnet Detection, Geolocation, APT Blocker
- Recommend WebBlocker categories to block
The default policies and services that the setup wizards configure depend on the version of Fireware installed
on the Firebox, and on whether the Firebox feature key includes a license for subscription services. If your new
Firebox was manufactured with Fireware v11.11.x or lower, the setup wizards do not enable subscription
services, even if they are licensed in the feature key. To enable the security services and proxy policies with
recommended settings, upgrade the Firebox to Fireware v11.12 or higher, reset it to factory-default settings,
and then run the setup wizard again.
Upgrade to Fireware v11.12.4
There is an upgrade issue that affects some Firebox M400/M500 and M440 devices. Please
review this knowledge base article carefully before you upgrade.
Before you upgrade to Fireware v11.12.4, your Firebox must be running:
- Fireware XTM v11.7.5
- Fireware XTM v11.8.4
- Fireware XTM v11.9 or higher
If you try to upgrade from Policy Manager and your Firebox is running an unsupported version,
the upgrade is prevented.
If you try to schedule an OS update of managed devices through a Management Server, the
upgrade is also prevented.
If you use the Fireware Web UI to upgrade your device, you see a warning, but it is possible to
continue, so you must make sure your Firebox is running v11.7.5, v11.8.4, v11.9.x, or
v11.10.x before you upgrade to Fireware v11.12.4, or your Firebox will be reset to a default
state.
Important Information about the upgrade process:
- We recommend you use Fireware Web UI to upgrade to Fireware v11.12.4. You can also use Policy
Manager if you prefer.
- We strongly recommend that you save a local copy of your Firebox configuration and create a Firebox
backup image before you upgrade. It is not possible to downgrade without these backup files.
- If you use WatchGuard System Manager (WSM), make sure your WSM version is equal to or higher
than the version of Fireware OS installed on your Firebox and the version of WSM installed on your
Management Server. Also, make sure to upgrade WSM before you upgrade the version of Fireware OS
on your Firebox.
If you want to upgrade an XTM 2 Series, 3 Series, or 5 Series device, we recommend that you
reboot your Firebox before you upgrade. This clears your device memory and can prevent many
problems commonly associated with upgrades in those devices.
Upgrade Notes for XTMv
You cannot upgrade an XTMv device to FireboxV. For Fireware v11.11 and higher, the XTMv device is a 64-bit
virtual machine. You cannot upgrade an XTMv device from Fireware v11.10.x or lower to Fireware v11.11 or
higher. Instead, you must use the OVA file to deploy a new 64-bit Fireware v11.11.x XTMv VM, and then use
Policy Manager to move the existing configuration from the 32-bit XTMv VM to the 64-bit XTMv VM. For more
information about how to move the configuration, see Fireware Help. For more information about how to deploy
a new XTMv VM, see the latest WatchGuard XTMv Setup Guide available here. When your XTMv instance has
been updated to v11.11 or higher, you can then use the usual upgrade procedure, as detailed below.
WatchGuard updated the certificate used to sign the .ova files with the release of Fireware
v11.11. When you deploy the OVF template, a certificate error may appear in the OVF template
details. This error occurs when the host machine is missing an intermediate certificate from
Symantec (Symantec Class 3 SHA256 Code Signing CA), and the Windows CryptoAPI was
unable to download it. To resolve this error, you can download and install the certificate from
Symantec.
Back Up Your WatchGuard Servers
It is not usually necessary to uninstall your previous v11.x server or client software when you upgrade to WSM
v11.12.4. You can install the v11.12.4 server and client software on top of your existing installation to upgrade
your WatchGuard software components. We do, however, strongly recommend that you back up your
WatchGuard Servers (for example, your WatchGuard Management Server) to a safe location before you
upgrade. You will need these backup files if you ever want to downgrade.
To back up your Management Server configuration, from the computer where you installed the Management
Server:
1. From WatchGuard Server Center, select Backup/Restore Management Server.
The WatchGuard Server Center Backup/Restore Wizard starts.
2. Click Next.
The Select an action screen appears.
3. Select Back up settings.
4. Click Next.
The Specify a backup file screen appears.
5. Click Browse to select a location for the backup file. Make sure you save the configuration file to a
location you can access later to restore the configuration.
6. Click Next.
The WatchGuard Server Center Backup/Restore Wizard is complete screen appears.
7. Click Finish to exit the wizard.
Upgrade to Fireware v11.12.4 from Web UI
If your Firebox is running Fireware v11.10 or later, you can upgrade the Fireware OS on your Firebox
automatically from the System > Upgrade OS page. If your Firebox is running v11.9.x or earlier, use these
steps to upgrade:
1. Before you begin, save a local copy of your configuration file.
2. Go to System > Backup Image or use the USB Backup feature to back up your current device image.
3. On your management computer, launch the OS software file you downloaded from the WatchGuard
Software Downloads page.
If you use the Windows-based installer on a computer with a Windows 64-bit operating system, this
installation extracts an upgrade file called [product series]_[product code].sysa-dl to the default
location of C:\Program Files(x86)\Common Files\WatchGuard\resources\FirewareXTM\11.12.4\[model]
or [model][product_code].
On a computer with a Windows 32-bit operating system, the path is: C:\Program Files\Common
Files\WatchGuard\resources\FirewareXTM\11.12.4
4. Connect to your Firebox with the Web UI and select System > Upgrade OS.
5. Browse to the location of the [product series]_[product code].sysa-dl from Step 2 and click Upgrade.
If you have already installed Fireware v11.12.4 on your computer, you must run the Fireware v11.12.4 installer
twice (once to remove v11.12.4 software and again to install v11.12.4).
Upgrade to Fireware v11.12.4 from WSM/Policy Manager
1. Before you begin, save a local copy of your configuration file.
2. Select File > Backup or use the USB Backup feature to back up your current device image.
3. On a management computer running a Windows 64-bit operating system, launch the OS executable file
you downloaded from the WatchGuard Portal. This installation extracts an upgrade file called [Firebox or
xtm series]_[product code].sysa-dl to the default location of C:\Program Files (x86)\Common
Files\WatchGuard\resources\FirewareXTM\11.12.4\[model] or [model][product_code].
On a computer with a Windows 32-bit operating system, the path is: C:\Program Files\Common
Files\WatchGuard\resources\FirewareXTM\11.12.4.
4. Install and open WatchGuard System Manager v11.12.4. Connect to your Firebox and launch Policy
Manager.
5. From Policy Manager, select File > Upgrade. When prompted, browse to and select the [product
series]_[product code].sysa-dl file extracted in Step 3.
If you make updates to your Firebox configuration from a saved configuration file, make sure
you open the configuration from the Firebox and save it to a new file after you upgrade.
This makes sure that you do not overwrite any configuration changes that were made as
part of the upgrade.
If the Fireware v11.12.4 software is already installed on your computer, you must run the Fireware v11.12.4
installer twice (once to remove the existing v11.12.4 software and again to install v11.12.4).
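Both upgrade procedures above (Web UI and Policy Manager) depend on locating the .sysa-dl file that the installer extracted, and on uploading the right file for the right model. The PowerShell script below is an added example, not part of the WatchGuard release notes and not WatchGuard tooling. It assumes only the default extraction paths quoted in the steps above (both the 64-bit and 32-bit locations), takes the Fireware version as a parameter, and records the SHA-256 of each upgrade file for your change log; the release notes publish no hash, so the value is for your own records and later comparison, not for verification against a vendor value.

```powershell
# Added example (not from the WatchGuard release notes): find the extracted
# Fireware upgrade image(s) on the Windows management computer and record
# model folder, size and SHA-256 before uploading through Web UI or Policy Manager.
# Assumptions: the default extraction paths stated in the upgrade steps;
# the version string is a parameter; no vendor-published hash is available here,
# so the SHA-256 is recorded for your change log rather than compared.
param(
    [string]$Version = '11.12.4'
)

$subPath = "Common Files\WatchGuard\resources\FirewareXTM\$Version"

# ${env:ProgramFiles(x86)} is unset on 32-bit Windows; drop empty entries before Join-Path.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path -Path $_ -ChildPath $subPath } |
    Where-Object { Test-Path -LiteralPath $_ }

if (-not $roots) {
    Write-Error "No FirewareXTM\$Version resources directory found. Run the OS installer first."
    exit 1
}

# The installer places [product series]_[product code].sysa-dl under a [model] folder.
$images = Get-ChildItem -LiteralPath $roots -Recurse -Filter '*.sysa-dl' -File

if (-not $images) {
    Write-Error "No .sysa-dl upgrade file found under: $($roots -join ', ')"
    exit 1
}

$images | ForEach-Object {
    [pscustomobject]@{
        Model    = $_.Directory.Name   # [model] or [model][product_code] folder name
        File     = $_.Name             # [product series]_[product code].sysa-dl
        SizeMB   = [math]::Round($_.Length / 1MB, 1)
        SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        FullPath = $_.FullName
    }
} | Format-Table -AutoSize
```

Run it once after the installer finishes and keep the output with the backup image you created in Step 2; if more than one model folder is listed, pick the file whose folder matches the Firebox you are about to upgrade.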
Update AP Devices
Beginning with Fireware v11.12.4, AP firmware is no longer bundled with Fireware OS. All AP device firmware
is managed by the Gateway Wireless Controller on your Firebox. The Gateway Wireless Controller
automatically checks for new AP firmware updates and enables you to download the firmware directly from
WatchGuard servers.
There are no new AP firmware updates released with Fireware v11.12.4.
The current AP firmware versions for each AP device model are:
AP Device Model          Current Firmware Version
AP100, AP102, AP200      1.2.9.12
AP300                    2.0.0.7
AP120, AP320, AP322      8.0.581
To manage AP firmware and download the latest AP firmware to your Firebox:
- From Fireware Web UI, select Dashboard > Gateway Wireless Controller. From the Summary tab,
click Manage Firmware.
- From Firebox System Manager, select the Gateway Wireless Controller tab, then click Manage
Firmware.
If you have enabled automatic AP device firmware updates in Gateway Wireless Controller, your AP devices
are automatically updated between midnight and 4:00am local time.
To manually update firmware on your AP devices:
1. On the Access Points tab, select one or more AP devices.
2. From the Actions drop-down list, click Upgrade.
3. Click Yes to confirm that you want to upgrade the AP device.
Upgrade your FireCluster to Fireware v11.12.4
There is an upgrade issue that affects some Firebox M400/M500 and M440 devices. Please
review this knowledge base article carefully before you upgrade.
Before you upgrade to Fireware v11.11 or higher, your Firebox must be running:
- Fireware XTM v11.7.5
- Fireware XTM v11.8.4
- Fireware XTM v11.9 or higher
If you try to upgrade from Policy Manager and your Firebox is running an unsupported version,
the upgrade is prevented.
If you try to schedule an OS update of managed devices through a Management Server, the
upgrade is also prevented.
If you use the Fireware Web UI to upgrade your device, you see a warning, but it is possible to
continue, so you must make sure your Firebox is running v11.7.5, v11.8.4, or v11.9.x before
you upgrade to Fireware v11.11.x or higher, or your Firebox will be reset to a default state.
To upgrade a FireCluster from Fireware v11.3.x to Fireware v11.9.x or higher, you must
perform a manual upgrade. For manual upgrade steps, see this Knowledge Base article.
You can upgrade Fireware OS for a FireCluster from Policy Manager or Fireware Web UI. To upgrade a
FireCluster from Fireware v11.10.x or lower, we recommend you use Policy Manager.
As part of the upgrade process, each cluster member reboots and rejoins the cluster. Because the cluster
cannot do load balancing while a cluster member reboot is in progress, we recommend you upgrade an
active/active cluster at a time when the network traffic is lightest.
For information on how to upgrade your FireCluster, see this Help topic.
Downgrade Instructions
Downgrade from WSM v11.12.4 to WSM v11.x
If you want to revert from v11.12.4 to an earlier version of WSM, you must uninstall WSM v11.12.4. When you
uninstall, choose Yes when the uninstaller asks if you want to delete server configuration and data files. After
the server configuration and data files are deleted, you must restore the data and server configuration files you
backed up before you upgraded to WSM v11.12.4.
Next, install the same version of WSM that you used before you upgraded to WSM v11.12.4. The installer
should detect your existing server configuration and try to restart your servers from the Finish dialog box. If you
use a WatchGuard Management Server, use WatchGuard Server Center to restore the backup Management
Server configuration you created before you first upgraded to WSM v11.12.4. Verify that all WatchGuard
servers are running.
Downgrade from Fireware v11.12.4 to Fireware v11.x
If you use the Fireware Web UI or CLI to downgrade from Fireware v11.12.4 to an earlier
version, the downgrade process resets the network and security settings on your device to
their factory-default settings. The downgrade process does not change the device
passphrases and does not remove the feature keys and certificates.
If you want to downgrade from Fireware v11.12.4 to an earlier version of Fireware, the recommended method is
to use a backup image that you created before the upgrade to Fireware v11.12.4. With a backup image, you can
either:
- Restore the full backup image you created when you upgraded to Fireware v11.12.4 to complete the
downgrade; or
- Use the USB backup file you created before the upgrade as your auto-restore image, and then boot into
recovery mode with the USB drive plugged in to your device. This is not an option for XTMv users.
See the Fireware Help for more information about these downgrade procedures, and information about how to
downgrade if you do not have a backup image.
Downgrade Restrictions
See this Knowledge Base article for a list of downgrade restrictions.
When you downgrade the Fireware OS on your Firebox or XTM device, the firmware on any
paired AP devices is not automatically downgraded. We recommend that you reset the AP
device to its factory-default settings to make sure that it can be managed by the older version of
Fireware OS.
Enhancements and Resolved Issues in Fireware v11.12.4
General
- This release resolves an issue that caused Policy Manager to fail to save configurations to the Firebox
with the error message INTERNAL_ERROR:Element 'stp-port': This element is not
expected. [FBX-5410]
- The Port Scan and IP Scan options now correctly indicate that thresholds are per-second in Policy
Manager and Web UI. [FBX-2097, FBX-2274]
- This release resolves an issue with Management Server Templates in which only the first configured
object in GeoLocation Exceptions would apply. [FBX-4959]
- This release resolves a memory leak in Management Server during the template save operation to a
Fully Managed appliance. [FBX-5626]
- This release resolves a kernel crash on XTM 2500 Series appliances that could cause the appliance to
lock up for a short period of time. [FBX-5661]
- Dimension Command can now manage Firebox Cloud instances. [FBX-2339]
- Dimension now shows an accurate error message when Firebox connections fail because of an
encryption key mismatch. [FBX-2077, 93010]
Proxies and Services
- Failed authentication attempts to an FTP server are now correctly translated by the Explicit Proxy. [FBX-2625]
- Content Inspection now allows SSL scanners to establish connections at the highest accepted protocol
version. [FBX-2643]
- When OCSP certificate validation is enabled, the HTTPS proxy now correctly disables certificates
when the responder requires that requests include Host Header information. [FBX-5060]
- Log messages for the HTTPS and SMTP proxies now indicate if PFS is configured. [FBX-2095]
- You can now select a Server Region for APT Blocker requests. This enables customers in the European
Union to comply with regulatory requirements and keep customer data in the EU. [FBX-1302, 91270]
- The Quick Setup Wizard now sets the default IPS scan mode to Full. [FBX-4704]
- TLS 1.3 connections now operate correctly when a Firebox HTTPS proxy policy has content inspection
disabled and is configured to allow non-compliant SSL connections. [93174]
- The DNS proxy now supports all query types, with possible values from 1 through 65535. [92649]
Authentication and Single Sign-On (SSO)
- With this release, the Start Time for authenticated users in Firebox System Manager and the Web UI is
now labeled Elapsed Time. [FBX-2774]
- This release adds SSO Agent/ELM support for Windows Server 2016 Core. [FBX-5247]
- This release resolves an issue where unexpected restarts of the admd process on a FireCluster caused
Single Sign-On to fail. [FBX-5083]
- This release resolves an issue that caused FireCluster to stop communicating with the SSO agent.
[FBX-5444]
- This release resolves an issue that limited the number of Terminal Services Agents in Policy Manager to
32. You can now add up to 128 Terminal Services Agents. [FBX-1885]
VPN
- Mobile VPN with SSL now includes VLAN Secondary Networks in the routing configuration when you select
Allow access to all Trusted, Optional, and Custom networks. [FBX-2642]
- This release resolves an error that caused IPSec VPNs to fail after you converted an older
configuration file. [FBX-5377, FBX-2649, 92606]
- Policy Based Routing no longer fails for VIF Tunnels if the VIF name exceeds 15 characters. [FBX-5443]
- BOVPN tunnels are no longer interrupted when you globally disable modem failover. [FBX-2746, 93044]
- You can now use Web UI to modify an IKEv2 Branch Office VPN Gateway endpoint when more than
one endpoint is configured on the Branch Office VPN Gateway. [FBX-5430]
- If you change one pre-shared key to an incorrect value in a Branch Office VPN Virtual Interface with
Amazon AWS configuration, the Virtual Interface now correctly fails over to the connection with a
correct pre-shared key. [FBX-5278]
Networking and Modem Support
- This release improves PPPoE over VLAN performance with driver support for NIC VLAN offloading on
Firebox T Series devices. [FBX-2683]
- Policy Manager no longer displays null in the PBR column when a Firebox has Link Aggregation
configured with external VLANs. [FBX-4962]
- A network loop no longer causes a Firebox kernel panic when you have Link Aggregation configured on
your Firebox. [FBX-2741]
- This release resolves a driver error that prevented Ethernet interfaces from working correctly under heavy
load on XTM 800 and XTM 5 Series appliances. [FBX-5232, FBX-2444, 85091]
- Static NAT policies that include UDP 5060 no longer fail after a Firebox reboot. [FBX-5655]
- This release resolves an issue that caused DynDNS to fail to update the IP address for a Firebox that
had DynDNS configured before Fireware v11.12.2. [FBX-5609]
FireCluster
- This release resolves a crash that could cause a FireCluster failover. [FBX-4952]
Wireless
- AP120, AP320, and AP322 devices no longer reboot as a result of SSID configuration changes. [FBX-5422]
- When you pair a new AP device with Gateway Wireless Controller, it is now automatically trusted if the
Trust Store is enabled. [FBX-5191]
- If an untrusted AP device is paired with your Firebox, the Web UI displays a warning message. [FBX-5186]
- A FireCluster failover no longer causes an AP device managed through Gateway Wireless Controller to
restart. [FBX-3407, 92455]
- When you upgrade the Firebox to a new OS version, the Firebox no longer includes AP firmware in
storage. You can install AP firmware on your Firebox manually. [FBX-1674]
ConnectWise Integration
- ConnectWise no longer creates a ticket when you form a new FireCluster. [FBX-5550]
- ConnectWise Integration now supports a FireCluster configured in active/passive mode. [FBX-2246]
- When you configure ConnectWise Integration, you can now select the company name from a list if it
already exists in the server. [FBX-1801]
Enhancements and Resolved Issues in AP 8.0.581
- If an AP device is detected as operational in an unsupported region, the operating region for the AP
device is set to the USA country code 841. [AP-31]
- AP devices configured with a static IP address are now correctly discovered by Gateway Wireless
Controller. [AP-47]
Known Issues and Limitations
Known issues for Fireware v11.12.4 and its management applications, including workarounds where available,
can be found on the Technical Search > Knowledge Base tab. To see known issues for a specific release, from
the Product & Version filters you can expand the Fireware version list and select the check box for v11.12.4.
Using the CLI
The Fireware CLI (Command Line Interface) is fully supported for v11.x releases. For information on how to
start and use the CLI, see the Command Line Reference Guide. You can download the latest CLI guide from
the documentation web site at http://www.watchguard.com/wgrd-help/documentation/xtm.
Technical Assistance
For technical assistance, contact WatchGuard Technical Support by telephone or log in to the WatchGuard
Portal on the Web at http://www.watchguard.com/wgrd-support/overview. When you contact Technical
Support, you must supply your registered Product Serial Number or Partner ID.
Phone Number
U.S. End Users                      877.232.3531
International End Users             +1 206.613.0456
Authorized WatchGuard Resellers     206.521.8375