Fireware XTM V11.3 - WatchGuard Technologies

Fireware XTM V11.3 - WatchGuard Technologies
Fireware XTM v11.3.1
Release Notes for XTM 2, 5, and 8 Series, XTM 1050, and Firebox
X Peak, Core and Edge e-Series Appliances
Fireware XTM OS Build 283254
WatchGuard System Manager Build 283106
Release Notes Revision Date: August 31, 2010
Introduction
Fireware XTM v11.3.1 is the newest software release for the WatchGuard XTM and Firebox
e-Series appliances. Fireware XTM v11.3.1 demonstrates a continuing commitment to
quality to WatchGuard customers, with a significant number of bug fixes and
enhancements, including:

Localization of the Web UI into Korean and Traditional Chinese

A new IPSec Global VPN configuration setting allows IPSec VPN to use the
routing table to determine whether to send a packet through the IPSec VPN
tunnel. When used in conjunction with dynamic routing, this new setting enables
the XTM device to use the IPSec BOVPN tunnel for failover if another route
(such as a private network route) becomes unavailable.

The SSL VPN client can now connect if the local user does not have
administrative privileges on their computer.
See the Resolved Issues section below for a complete list of resolved issues.
Before You Start
Before you install this release, make sure that you have:

A Firebox X Core or Peak e-Series device running Fireware v10.2.x or higher, a
Firebox X Edge e-Series device running v10.2.9 or higher, or a WatchGuard XTM
1050 or XTM 8, 5, or 2 Series device. If this is a new device, make sure you
follow the instructions in the Quick Start Guide that ships with your device before
you try to upgrade to v11.3.1.

The required hardware and software components as shown in the Systems
Requirements table below.

An active LiveSecurity subscription.

Feature key for your Firebox or XTM device – If you upgrade your Firebox eSeries from an earlier version of Fireware or Edge appliance software, you can
use your existing feature key.

Reputation Enabled Defense is included in the UTM Security Subscription
bundles for XTM appliances. There is no new charge for existing XTM appliance
RELEASE NOTES
AUGUST 31, 2010
PAGE 1
FIREWARE XTM V11.3.1
customers with security subscription bundles, but, you must download an
updated feature key to be able to use the Reputation Enabled Defense service.
You can do this using the Synchronize Feature Key option available in FSM or
the Get Feature Key option in the Web UI.

Updated online documentation system for this product is available at
www.watchguard.com/help/documentation

See the Resolved Issues section below for a complete list of resolved issues.
Fireware XTM and WSM v11.3.1 Operating System
Compatibility
RELEASE NOTES
AUGUST 31, 2010
PAGE 2
FIREWARE XTM V11.3.1
System Requirements
If you have WatchGuard
System Manager client
software only installed
If you install WatchGuard
System Manager and
WatchGuard Server
software
Intel Pentium IV
Intel Pentium IV
1GHz
2GHz
Minimum Memory
1 GB
2 GB
Minimum Available Disk
Space
250 MB
1 GB
Minimum Recommended
Screen Resolution
1024x768
1024x768
Minimum CPU
Localization
The Fireware XTM management user interfaces (WSM application suite and Web UI) have
been localized for the v11.3 release. Supported languages are:

Chinese (Simplified, PRC)

French (France)

Japanese

Spanish (Latin American)
Note In addition to these languages, we have introduced localized Web UI support
for Korean and Traditional Chinese with the v11.3.1 release. Only the Web UI
itself has been localized. WSM, and all help files and user documentation,
remain in English.
Note that most data input must still be made using standard ASCII characters. You can use
non-ASCII characters in some areas of the UI, including:

Proxy deny message

Wireless hotspot title, terms and conditions, and message

WatchGuard Server Center users, groups, and role names
Any data returned from the device operating system (e.g. log data) is displayed in English
only. Additionally, all items in the Web UI System Status menu and any software
components provided by third-party companies remain in English.
Fireware XTM Web UI
The Web UI will launch in the language you have set in your web browser by default. The
name of the currently selected language is shown at the top of each page. To change to a
RELEASE NOTES
AUGUST 31, 2010
PAGE 3
FIREWARE XTM V11.3.1
different language, click the language name that appears. A drop-down list of languages
appears and you can select the language you want to use.
WatchGuard System Manager
When you install WSM, you can choose what language packs you want to install. The
language displayed in WSM will match the language you select in your Microsoft Windows
environment. For example, if you use Windows XP and want to use WSM in Japanese, go
to Control Panel > Regional and Language Options and select Japanese from the language
list.
Reporting Web UI, CA Manager, Quarantine Web UI, and Wireless Hotspot
These web pages automatically display in whatever language preference you have set in
your web browser.
Downloading Software
1.
Go to the LiveSecurity web site’s Software Downloads page at
http://www.watchguard.com/archive/softwarecenter.asp
2.
Log in to the LiveSecurity web site. Then, select the product line you use and look
for the Fireware XTM software download section.
There are several software files available for download. See the descriptions below so you
know what software packages you will need for your upgrade.
WatchGuard System Manager
All users can now download the WatchGuard System Manager software. With this software
package you can install WSM and the WatchGuard Server Center software:

WSM11_3_1s.exe - Use this file to upgrade WatchGuard System Manager from
v10.2.x or v11.x to WSM v11.3.1.
Fireware XTM OS
Select the correct Fireware XTM OS image for your hardware.
If you have….
Select this Fireware XTM OS package
XTM 1050
XTM_OS_1050_11_3_1.exe
XTM_OS_XTM8_11_3_1.exe
XTM_OS_XTM5_11_3_1.exe
XTM_OS_XTM2_11_3_1.exe
XTM_OS_Core_Peak_11_3_1.exe
XTM 8 Series
XTM 5 Series
XTM 2 Series
Firebox X Core or Peak e-Series
If you want to downgrade a Firebox X Core or Peak
e-Series from Fireware XTM v11.3.1 to Fireware
v10.2.x, you must download this file:
utm_core_peakdown2fw.zip
RELEASE NOTES
AUGUST 31, 2010
PAGE 4
FIREWARE XTM V11.3.1
If you have….
Select this Fireware XTM OS package
Firebox X Edge e-Series
XTM_OS_Edge_11_3_1.exe - use this file to
upgrade your OS and configuration from v11.0.2 to
v11.3.1.
edge_11_3_1.exe - use this file to upgrade
your OS and configuration from v10.2.9 or higher to
Fireware XTM.
XTM_edge_11_3_1.zip - use this file to
upgrade your OS from v10.2.9 or higher to
Fireware XTM. No configuration conversion is
possible if you use this file. You can also use this
file to upgrade from previous versions of XTM 11 to
v11.3.1.
Recovery Mode Software
To use the USB automatic restore feature, you must download and install a new recovery
mode software image for your XTM device. The file name is
utm_[Firebox_model]_sysb-dl.zip and you can find recovery mode upgrade
instructions later in these release notes. There is no new Recovery Mode software for eSeries devices.
Single Sign-on Software
There are two files available for download if you use Single Sign-on:

WG-Authentication-Gateway.exe (SSO Agent software - required for
Single Sign-on)

WG-Authentication-Client.msi (SSO Client software - optional)
For information about how to install and set up Single Sign-on, see the product
documentation.
Mobile VPN with SSL Client for Windows and Macintosh
There are two files available for download if you use Mobile VPN with SSL:

WG-MVPN-SSL.exe (Client software for Windows)

WG-MVPN-SSL.dmg (Client software for Macintosh)
Upgrade from Fireware XTM v11.x to v11.3.1
Before you upgrade from Fireware XTM v11.x to Fireware XTM v11.3.1, go to the
WatchGuard Software Downloads Center. Download and save the file that matches the
WatchGuard device you want to upgrade. You can use Policy Manager or the Web UI to
complete the upgrade procedure. We strongly recommend that you back up your device
configuration before you upgrade.
RELEASE NOTES
AUGUST 31, 2010
PAGE 5
FIREWARE XTM V11.3.1
Note If you are currently running v11.0 or v11.0.1 on your Firebox X Edge e-Series,
you must upgrade to v11.0.2 before you upgrade to v11.3.1 to avoid possible
file system corruption. This issue does not apply to any other model.
From the Web UI:
1. Go to System > Backup Image and back up your current configuration file.
2.
On your management computer, launch the OS executable file you downloaded
from the WatchGuard Software Downloads Center. This installation extracts an
upgrade file called utm_[Firebox_model].sysa-dl to the default location of
C:\Program Files\Common
files\WatchGuard\resources\FirewareXTM\11.3.1\[Firebox_model]
3.
Connect to your Firebox with the Web UI and select System > Upgrade OS.
4.
Browse to the location of the utm_[Firebox_model].sysa-dl file from Step 1
and click Upgrade.
From Policy Manager:
1. From File > Backup, back up your current configuration file.
2.
On your management computer, launch the OS executable file you downloaded
from the WatchGuard Software Downloads Center. This installation extracts an
upgrade file called utm_[Firebox_model].sysa-dl to the default location of
C:\Program Files\Common
files\WatchGuard\resources\FirewareXTM\11.3.1\[Firebox_model]
3.
Open WatchGuard System Manager v11.3.1. Connect to your Firebox and launch
Policy Manager.
4.
From Policy Manager, select File > Upgrade. When prompted, browse to and
select the utm_[Firebox_model].sysa-dl file from Step 1.
Upgrade WatchGuard server software
It is not necessary to uninstall your v11.0.x server or client software when you update from
v11.0.1 or higher to Fireware XTM v11.3.1. You can install the v11.3.1 server and client
software on top of your existing installation to upgrade your WatchGuard software
components.
Downgrade from Fireware XTM v11.3.x to v11.x
If you want to downgrade from Fireware XTM v11.3.1 to an earlier version of Fireware XTM,
you either:

Restore a previously created full backup image to complete the downgrade; or

Reset your Firebox or XTM device to its factory-default settings and then run the
Quick Setup Wizard with the older version of Fireware XTM already installed on
your management computer.
RELEASE NOTES
AUGUST 31, 2010
PAGE 6
FIREWARE XTM V11.3.1
Installation and Upgrade Instructions for Firebox X
Edge OS v10.2.9 or higher
Before you install Fireware XTM v11.x software, read the information in the Known Issues
section below.
Note To upgrade your Firebox X Edge e-Series to Fireware XTM from Edge v10.x
or earlier, you must have Edge v10.2.9 or higher installed on your Edge.
Any Edge devices that are centrally managed with a WatchGuard
Management Server must be updated individually using the process in these
release notes. You cannot use the Scheduled Firmware Updates feature to
update a device from Edge v10.x to Fireware XTM v11.x.
Upgrade your Firebox X Edge e-Series v10.2.9 or higher to Fireware
XTM v11.x
Your Edge must have Firebox X Edge v10.2.9 or higher installed before you can upgrade to
Fireware XTM v11.x. To upgrade your Edge, connect to your Edge from a Windows-based
computer on a local (not routed) network behind the Edge on which you have administrator
privileges. You can also upgrade your Edge from a computer on an external network (see
the specific instructions below for more information).
The Update Wizard updates the operating system on your Edge and converts your Edge
configuration to be compatible with Fireware XTM. The wizard converts all predefined and
custom policies, security subscriptions, authentication settings, network settings, NAT
settings, branch office VPNs, default threat protection settings, and logging and time
settings. If you do not use the wizard (i.e. if you update directly from the v10.2.9 or higher
web interface using the "sysa-dl" file), your configuration is not converted and your Edge
reverts to its default configuration when the upgrade to Fireware XTM is complete.
Note The new Web UI is available only on port 8080 by default. You can change
this port in the Web UI after you complete the Update Wizard. To connect to
the Edge after it has been successfully updated, you must connect to the
Edge with this URL:
https://<IP address of your Edge>:8080
Note The default credentials for the Edge are: admin/readwrite and status/readonly.
After you upgrade your Edge to Fireware XTM, you must use the user name
admin when you want to log in to the Edge with read/write privileges.
Note After you upgrade your Edge from v10.2.9 or higher to v11.x, you must enable
each type of Mobile VPN that you used in your previous Edge configuration
again. This includes Mobile VPN with IPSec, SSL, or PPTP.
The Update Wizard does not convert some features. After you finish this procedure,
examine your configuration for the following features, which are not converted by the
Update Wizard:
RELEASE NOTES
AUGUST 31, 2010
PAGE 7
FIREWARE XTM V11.3.1

MAC access control lists

Traffic Management

VLANs

Modem settings

Mobile VPN with IPSec

Mobile VPN with SSL

Mobile VPN with PPTP

SNMP

Single Sign-On
To upgrade your Firebox X Edge from v10.2.9 or higher to Fireware XTM v11.x
from a local Windows computer:
1. Connect to your Edge System Status page and select Administration > Backup
to back up your existing Edge configuration file.
2.
Run the edge_11_3_1.exe file you downloaded from the software download site.
The Firebox X Edge Update Wizard starts.
3.
Use the Firebox X Edge Update Wizard to load Fireware XTM v11.3.1 on your
Edge and convert your configuration file to v11.3.1. This upgrade can take as
much as 10 minutes. Do not disconnect the power to your Edge during the
upgrade.
4.
When the wizard is complete, you can connect to the Fireware XTM Web UI on
your Edge with the URL https://<IP address of Edge>:8080.
5.
If you want to use WSM and Policy Manager with your Edge, you must install
WSM software. To install WSM, download the WSM11_3_1s.exe file from the
software download site.
To upgrade your Firebox X Edge from v10.2.9 or higher to Fireware XTM v11.x
from a local non-Windows computer:
Note If you upgrade your Edge to Fireware XTM from a non-Windows-based
computer or from any computer using the XTM_edge_11_3_1.zip file, your
Edge configuration will be reset to its factory default settings when the
upgrade is complete.
1.
Connect to your Edge System Status page and select Administration > Backup
to back up your existing Edge configuration file.
2.
Decompress the XTM_edge_11_3_1.zip file you downloaded from the software
download site.
3.
On the System Status page, click Update.
4.
Click Browse. Find and select the utm_edge.sysa-dl file, then click Open.
5.
Click Update. To complete the installation, you must restart the Firebox X Edge.
When the update is complete the System Status page shows Fireware XTM
v11_3_1.
RELEASE NOTES
AUGUST 31, 2010
PAGE 8
FIREWARE XTM V11.3.1
To upgrade your Firebox X Edge from v10.2.9 or higher to Fireware XTM v11.x
from a Windows computer on the external network:
To upgrade your Edge from a computer on the external network, you can use the same
instructions as for a local Windows computer, except you must know:

Before you try to upgrade the Edge, the Edge must be configured to allow
WatchGuard System Manager (WSM) access. To enable WSM access, go to
Administration > WSM Access.

The Update Wizard prompts you for a WSM Access passphrase. The WSM
Access passphrase is the configuration passphrase you set when you enable
WSM access on the Edge.

The upgrade can take as much as 20 minutes to complete.

When the upgrade is complete, you can connect to the Edge from the external
network only with WatchGuard System Manager or the CLI. To enable external
connections from the Web UI, you must edit the WatchGuard Web UI policy with
Policy Manager or the CLI.
Downgrade Firebox X Edge e-Series from Fireware XTM v11.x to
v10.2.9
Before you downgrade a Firebox X Edge e-Series from Fireware XTM v11 to Firebox X
Edge v10.2.9 or higher, go to the WatchGuard Software Downloads Center. Download and
save the file that matches the version of Edge software to which you want to downgrade.
You can use Policy Manager or the Web UI to complete the downgrade procedure.
From the Web UI:
1. Connect to your Edge System Status page and select System > Upgrade OS.
2.
Browse to and select the yakfw.sysa-dl file that you saved. Click Upgrade.
This restores the operating system version you selected. The Edge will reboot and
become active with the configuration that was in use on the Edge immediately
before the upgrade to v11.
After the downgrade, make sure to use the correct URL to connect to the Edge device (a URL
that does not specify port 8080).
3.
RELEASE NOTES
You can also choose to restore the backup configuration file you saved before you
upgraded to v11.
AUGUST 31, 2010
PAGE 9
FIREWARE XTM V11.3.1
Installation and Upgrade Instructions for Firebox X
Core/Peak e-Series with Fireware v10.2.x
Before you install the WSM and Fireware XTM v11.3.1 software, read the information in the
Known Issues section below.
Note Before you upgrade a new Firebox X Core or Peak e-Series to Fireware XTM
v11.x, you must first run the v10.2.x Quick Setup Wizard. After the basic
v10.2.x configuration has been saved to your Firebox, use the upgrade
instructions below to upgrade to Fireware XTM v11.x.
Note If your Firebox X Core or Peak e-Series device uses a Fireware version older
than v10.2, you must first upgrade your Firebox to Fireware v10.2.x before
you can upgrade to Fireware XTM v11.x.
1.
We strongly advise you to back up your current Fireware v10.2.x or higher system
configuration before you upgrade. From Policy Manager, select File > Backup to
back up your existing Fireware configuration file and Fireware image.
2.
Close all other programs on your management computer.
3.
It is not necessary to uninstall previous versions of WSM unless you have installed
WatchGuard v10.2.x or earlier server software on your computer. If you have
installed server software, uninstall WSM using these instructions:
From the Windows Start Menu, select Control Panel > Add/Remove Software to
uninstall your previous version of WSM. When the WSM installer starts, select the
option to Modify current installation by adding or removing components and
click Next. Clear the Server Software check box and, if you use any WatchGuard
servers, select No when asked if you want to delete server configuration files from
these servers. Make sure that you restart your computer to complete the uninstall
process.
4.
Launch WSM11_3_1s.exe and use the on-screen procedure to install the
software. When you run the WSM v11.2 installation program, select the options to
install WSM client software and the appropriate WSM server software.
5.
After the WSM11_3_1s.exe install program is complete, launch
XTM_OS_Core_Peak_11_3_1.exe and use the on-screen procedure to install
the Firebox XTM software image.
6.
Open WSM v11.3.1 and select File > Connect to Device. The Connect to
Firebox dialog box appears. In the Name/IP address text box, type the IP address
of your Firebox. Click OK.
7.
Launch Policy Manager. Click Yes when prompted to upgrade to v11.3.1.
8.
Click Yes to convert the configuration file to v11.3.1.
9.
From Policy Manager, select File > Upgrade.
10. When the Save dialog box appears, click Save. Click Yes to save the file to your
management computer.
RELEASE NOTES
AUGUST 31, 2010
PAGE 10
FIREWARE XTM V11.3.1
11. When the Upgrade dialog box appears, type your configuration passphrase and
click OK.
12. Click OK.
The default path is C:\Program Files\Common
Files\WatchGuard\resources\FirewareXTM\11.3.1\Core_Peak\
FW110203BNNNNNN.wgu where "NNNNNN" is the release build number.
13. Click OK.
14. Click Yes to upgrade your Firebox now.
15. Click Yes when asked to create a Firebox backup image.
16. Type an encryption key to encrypt the backup file. Click OK.
If you get an error, click OK or Cancel and continue with the procedure.
When the backup and upgrade are finished, the Firebox reboots.
Downgrade your Firebox X Core/Peak e-Series from Fireware XTM
v11.x to Fireware v10.2.x
To downgrade from Fireware XTM to Fireware, you must download a special downgrade file
from the software downloads page. The file is called utm_core_peakdown2fw.zip and
downgrades your device to Fireware v10.2.8. Once your Firebox is downgraded to v10.2.8,
you can then restore your Fireware configuration, or upgrade to v10.2.9 or higher and try
the upgrade to Fireware XTM again.
1.
Before you downgrade your Firebox X Core or Peak e-Series from Fireware XTM
v11 to Fireware v10.2.8, you must browse to the WatchGuard Software Downloads
page. Download and save the utm_core_peakdown2fw.zip file and extract
the contents to your WSM management computer. Then:
2.
Open WSM v11.x. Connect to your Firebox and launch Policy Manager.
3.
From Policy Manager, select File > Upgrade. When prompted, browse to and
select the utm_core_peakdown2fw.sysa-dl file that you saved.
During the downgrade procedure, the Storage LED on the front of the Firebox will blink
rapidly. When the downgrade procedure is complete, the Firebox will start v10.2.8 with the
configuration file you had before the upgrade to v11.x. The version number appears as
"10.2.8dwn" to indicate that it is a downgrade. We recommend that you restore your
previous v10.2.x backup after you downgrade from v11.x, or install any released v10.2.x
operating system before you perform another upgrade to v11.x.
Upgrade HA to FireCluster
WSM v11.x includes a HA upgrade wizard to help you upgrade the software on both your
HA devices so you can enable FireCluster. With FireCluster, you can choose to configure
your two devices in an active/passive cluster or an active/active cluster. Before you begin
the upgrade process, we strongly recommend that you connect to the online help at
http://www.watchguard.com/help/docs/wsm/11/en-US/index.html and read the chapter
about FireCluster. There are important differences in license requirements and network
integration you must understand before you implement FireCluster. Note that the HA
upgrade wizard helps you to update the OS on your HA devices. You must reconfigure the
devices for FireCluster manually when the upgrade is complete.
RELEASE NOTES
AUGUST 31, 2010
PAGE 11
FIREWARE XTM V11.3.1
If you are in routed mode and have HA enabled in your Fireware v10.2.x configuration file,
WSM launches the HA Upgrade Wizard automatically when you select File > Upgrade from
Policy Manager. The Wizard upgrades the OS on your first HA device, then puts it in a
factory-default state until the second HA box is updated. The Wizard then prompts you to
upgrade your second device.
As soon as the second device is upgraded, the FireCluster Setup Wizard will launch to help
you enable and configure your FireCluster. When you complete the Setup Wizard, you must
save your configuration to the active device. Then, you must reboot both devices in your
FireCluster.
As with High Availability in Fireware v10.x, you cannot enable FireCluster if any external
interface is configured to use DHCP or PPPoE.
Upgrade the Recovery Mode Software Image
To use the USB automatic restore feature, you must upgrade the recovery mode software
image on your XTM device. This upgrade is only necessary if you use the USB automatic
restore feature, which is available only for XTM devices. If, for any reason, you downgrade
the OS version on your XTM device from v11.3.1 to an earlier version of Fireware XTM OS,
there is no need to downgrade the Recovery Mode Software Image. The v11.3.1 Recovery
Mode Software image works with earlier versions of Fireware XTM OS.
Note If you upgraded the recovery mode software image on your XTM device for
Fireware XTM v11.3, you do not need to upgrade it again for v11.3.1.
To upgrade the recovery mode image:
From the Web UI:
1. Copy the Recovery Mode upgrade file for your model of XTM device from the
Software Downloads Center to your management computer.
2.
Extract the contents of the .zip file.
3.
Connect to your XTM device with the Web UI and select System > Upgrade OS.
4.
Browse to the location of the utm_[Firebox_model].sysb-dl file you
extracted in Step 2 and click Upgrade.
From Policy Manager:
1. Copy the Recovery Mode upgrade file for your model of XTM device from the
Software Downloads Center to your management computer.
2.
Extract the contents of the .zip file.
3.
Open WatchGuard System Manager v11.3.1. Connect to your XTM device and
launch Policy Manager.
4.
From Policy Manager, select File > Upgrade. When prompted, browse to and
select the utm_[Firebox_model].sysb-dl file you extracted in Step 2.
RELEASE NOTES
AUGUST 31, 2010
PAGE 12
FIREWARE XTM V11.3.1
Mobile VPN Client Software
With Fireware XTM v11.3.1, WatchGuard is releasing new Mobile VPN with SSL clients.
Mobile VPN with IPSec
There is no new Mobile VPN with IPSec client available for v11.3.1. You can continue to
use the Mobile VPN with IPSec v11.2.3 client available on the Software Downloads page.
Mobile VPN with SSL client for Windows and Mac
The v11.3.1 Mobile VPN with SSL client is integrated into the Fireware XTM v11.3.1 OS.
When an SSL client computer running an earlier version of the client software connects to a
Firebox running v11.3.1, the user sees a prompt to upgrade the SSL client version to 5.5 for
Windows and 5.3 for Mac. Select Yes to upgrade the Mobile VPN client version to v11.3.1.
There is a Known Issue for customers who upgrade from Fireware XTM v11.2.1 to v11.3.1.
For v11.2.1 users, the upgrade process described above will fail. To upgrade the client
software from v11.2.1 to v11.3.1, you have two options:

Use your web browser to connect to https://<IP address of your Firebox or XTM
device>/sslvpn.html. You can then download the new installer and install it
manually.

Download the client software from the Software Downloads page and email it to
your users to install on their computers.
If you are running Fireware XTM, Mobile VPN with SSL continues to operate if the user
chooses not to upgrade, however, the user does not receive the fixes available in the
v11.3.1 Mobile VPN with SSL client. When you upgrade from Fireware or Edge OS to
Fireware XTM, you must upgrade your Mobile VPN with SSL client.
RELEASE NOTES
AUGUST 31, 2010
PAGE 13
FIREWARE XTM V11.3.1
Resolved Issues in Fireware XTM v11.3.1
The Fireware XTM v11.3.1 release resolves a number of problems found in earlier Fireware
XTM v11.x releases.
General
 This release resolves an issue that caused the logging process on a Firebox or
XTM device to crash. [55676]

This release resolves an issue that caused the Firebox or XTM device to crash
when used with PPPoE. [43811]

Notification for blocked sites now works correctly. [45148]

The unlock.exe program now supports non-ASCII characters in the file name.
[42599]

This release resolves an issue that caused authentication to fail with the log
message: wgcgi timeout after prcs msg error. [44887]

Traffic and management connections no longer stop when you retrieve a
support.tgz file from a Firebox or XTM device running under a heavy connection
load. [44956]
Fireware v10.x to Fireware XTM v11.x Upgrade Issues
 A problem that caused the error message "INTERNAL_ERROR: The element
''backup-firebox-ip'' has a length of 19" to appear when you
upgrade from Fireware v10.x to Fireware XTM v11.x has been resolved. [42653]

When you upgrade a centrally managed Firebox X Edge from v10.x to Fireware
XTM v11.x, the traffic control, WebBlocker custom profiles, and the Allow all
traffic trusted<->optional settings are now correctly preserved during the
upgrade. [43712]

When you upgrade a Firebox X Edge from v10.x to v11.x, IKE Keep-Alive is no
longer enabled during the upgrade if it was not previously enabled in your v10.x
configuration. [44219]

A problem that caused a Management Server upgrade from Fireware v10.x to
Fireware XTM v11.x to fail because of long managed alias names has been
resolved. [44232]
Fireware XTM Web UI
 You can now successfully open and use Bandwidth Meter from the Web UI with
no syntax errors. [41911]

You can now successfully add WebBlocker exceptions from the Fireware XTM
Web UI with no "Code 8: Error 9" error message. [43744]

The Fireware XTM Web UI login window now appears correctly when you use
Safari on Mac OS X "Snow Leopard" without the need to refresh the browser.
[42791]
RELEASE NOTES
AUGUST 31, 2010
PAGE 14
FIREWARE XTM V11.3.1
WatchGuard System Manager
 You can now successfully install WatchGuard System Manager when Microsoft
SQL Server 2008 Management Studio is running on your computer. [44981]
WatchGuard Servers
 Email released from the Quarantine Server is now correctly delivered to all
recipients, instead of just the first recipient in the list. [43875]

The Quarantine Server can now handle the apostrophe character ( ' ) in email
addresses. [56221]

The Quarantine Server can now handle the dash character ( - ) in email
addresses. [45267]

The Quarantine Server automatic scheduled user notification no longer stops
after 2-3 days with a pyadapter exception error. [56109]

A problem that caused the Report Server to occasionally fail to complete reports
has been resolved. [45486]

The default log level for WatchGuard System Manager server applications has
been set back to "Warning" instead of "Debug" to keep unnecessary log
messages from accumulating. [56290]

The Reporting Web UI now works correctly after you upgrade WatchGuard
Server Center from v11.2.x to v11.3.x [55879]

We have resolved an issue that caused Report Server instability when you
generate the Denied Packet by Client report for a large set of log messages.
[56344]

A problem that caused the WatchGuard Server Center restore function to
sometimes fail to restore a backup file with an exception error has been resolved.
[55984]

You can now use the Reporting Web UI to access archived reports when the
report generation time on the Report Server is set to a time later than 12:00 pm.
[56286]

The installation of WatchGuard Server components no longer fails with the error:
"Management server failed during -unconfig mode 1". [44238]

The Management Server no longer fails to start after you restore a backup file on
a computer on which the log directory specified in the WatchGuard Server Center
configuration does not exist. If the log directory path does not exist, the default
directory path will be used. [44380]

The Log Server backup process no longer fails when you use a non-English OS
and the default Log Server configuration settings. [44563]

The Management Server no longer fails after you restore a backup file created
with WatchGuard Server Center v10.2.x to a v11.x Management Server. [43201]
Policy Manager
 You can now successfully configure a bridge interface with a user-defined name.
[55827]
RELEASE NOTES
AUGUST 31, 2010
PAGE 15
FIREWARE XTM V11.3.1

You can now connect to and make configuration changes to a Firebox or XTM
device running Fireware XTM v11.1 from a management computer running WSM
v11.3.x. [55834]

The FTP proxy setting to restrict the maximum number of failed logins per
connection now operates correctly. [55721]
Authentication
 Web Server certificates are now correctly imported and displayed in Firebox
System Manager. [55758]
Firecluster
 The stability of an active/active FireCluster running under a heavy connection
load has been improved. [55728]

The passive device in an active/passive FireCluster no longer becomes
unreachable when you change the management IP address of the backup
master. [56064]

In an active/active FireCluster, the Mobile VPN with SSL "Bridge VPN traffic"
option now operates correctly. [40608]
Networking
 DF settings are now available when your Firebox or XTM device is configured in
drop-in or bridge mode, in addition to routed mode. This setting is available on
the Advanced tab of an interface configured as External. [44258]

On the XTM 2 Series, traffic no longer fails across bridged interfaces when the
bridge consists of Ethernet ports eth0 - eth2 and eth3- eth5. [55737]

You can now configure the Firebox X Edge e-Series and XTM 2 Series devices to
forward DNS queries. Note that you can only enable this feature with the CLI; it is
not available in Policy Manager or the Web UI. [42709]

It is now possible to add up to 200 traffic management objects.

A previously expired connection can no longer be re-opened when traffic
matching the expired session is received. [45286]

The blocked site limit has been increased from 154 to 1000. [40362]

If a WINS server address is not defined in the configuration, the Firebox or XTM
device now keeps the WINS server address blank when using DHCP. [41622]

When using a dynamic NAT entry from one VLAN to another VLAN, the Source
IP address is no longer the primary external IP address of the Firebox. [43838]

After a proxy connection is closed, the Firebox or XTM device continues to
accept and drop lingering connections from the remote server for a short period
of time. This is done to prevent "auto-block packets not handled" from occurring
due to a late reply packet from the server for a closed connection. [43866]

1-to-1 NAT now takes precedence when policy-based dynamic NAT is configured
to use "Set source IP". [44257]

A Gratuitous ARP is now issued when you change the MAC address in the
Network Interface setting to "override MAC address". [55799]
RELEASE NOTES
AUGUST 31, 2010
[55796]
PAGE 16
FIREWARE XTM V11.3.1

The Firebox or XTM device will now send a Gratuitous ARP (GARP) every hour
for interface IP addresses. The GARP is performed each hour to make sure
connected devices have correct ARP entries for the Firebox IP addresses. [55811]

The Firebox or XTM device now correctly supports the number of allowed
authenticated users per model. [56012]

NAT loopback will now operate correctly when the connecting client uses a zero
route branch office VPN tunnel. [45149]

Connection rate limiting now operates correctly for inbound traffic. [43023]
Proxies
 We no longer support SSL v2 in the HTTPS proxy in order to better comply with
PCI scans. [55908]

This release resolves an issue that caused attachments sent through proxies to
become corrupted. [40829, 55736, 56207]

We have improved the stability of our proxy technology. These changes fix
problems that caused some proxy processes to crash. [44786, 45209, 55601,
55663,55693,55794, 55813, 45458]

This release resolves an issue that caused AV scans to fail after reboot. [56043]

When an email is quarantined as spam by the SMTP proxy, a "200 OK"
message is now sent to the sending server. [44224]

The H.323 ALG media channel timeout no longer causes calls to be dropped
after 900 seconds. [44945]

The H.323 ALG now correctly deletes expired connections. [44573]
Security Services
 This release resolves several problems that caused spamBlocker to crash. [43787,
44194, 44518]

This release resolves an issue that caused Internet Explorer to display "friendly
HTTP error messages" instead of the WebBlocker deny message if the deny
message did not have enough characters in it. [44893]

The RED daemon no longer crashes on the passive device in an active/passive
FireCluster. [56141]

The IPS security service no longer adds IP addresses to the blocked sites list
when it is configured only to drop traffic. [45281]

The WebBlocker Override feature now operates correctly with VLAN interfaces.
[43632]
Logging
 In proxy traffic log messages, the network interface name now appears correctly
as the name you assign the interface and not as a network alias. [56243]

RELEASE NOTES
A Firebox or XTM device now generates a log message when the maximum
number of concurrent packet filter connections has been reached. [41801]
AUGUST 31, 2010
PAGE 17
FIREWARE XTM V11.3.1

A problem that caused log files to fill with many unnecessary log messages such
as "Output interface break on name lookup failure for
index=0" has been resolved. [42472]

A problem that caused log files to fill with many unnecessary log messages such
as "wgaccount: wgac_get: Invalid policy ID x requested" has
been resolved. [42333]

The LogViewer refresh feature now works correctly when used together with a
LogViewer custom filter. [44164, 55831]
Branch Office VPN
 A configuration setting was added to allow IPSec VPN to use the routing table to
determine whether to send a packet through the IPSec VPN tunnel. When used
in conjunction with dynamic routing, this new Global VPN setting enables the
XTM device to use the IPSec BOVPN tunnel for failover if another route (such as
a private network route) becomes unavailable. [56306]

1-to-1 NAT traffic within a branch office VPN tunnel now passes correctly when
VPN failover is not configured. [56163]

This release improves branch office VPN IPSec throughput of fragmented
packets. [42706]
Mobile VPN with IPSec
 The Firebox or XTM device can now correctly assign IP addresses from the
IPSec VPN address pool when the range of IP addresses it assigns is part of the
trusted network and you use Active Directory authentication. [55684]
Mobile VPN with SSL
 A problem that caused the download of the Mobile VPN with SSL client software
to be very slow has been resolved. [44597]

A licensing problem has been fixed on the XTM 2 Series wired devices that
restricted the number of concurrent SSL VPN users. [55764]

When you configure Mobile VPN with SSL authentication to a third-party
authentication server, users can no longer connect with SSL VPN if they are not
part of the SSLVPN-Users group. [36197, 41309]

The SSL VPN client can now connect if the local user does not have
administrative privileges on their computer. [41273] Administrative privileges are still
required for installation.

The SSL VPN client no longer disconnects after one hour when configured with a
Firebox-DB authentication server. [56102]

The session timeout setting for SSL VPN connections authenticated to an Active
Directory server has been increased. [44165]
RELEASE NOTES
AUGUST 31, 2010
PAGE 18
FIREWARE XTM V11.3.1
Fireware/Edge v10.x Features Not Supported in
Fireware XTM
See the Product/Feature Matrix later in this document for a list of features supported in
Fireware XTM and notes about changes in feature implementation for our Firebox X Edge,
Core, and Peak e-Series devices. When you review this list of changes in feature
implementation, it is important to understand that a few features that have been supported
in previous releases of Fireware or Edge appliance software are NOT supported in
Fireware XTM OS. These features are limited to:

The Firebox X Edge no longer includes an FTP server.

We no longer support Microsoft Windows 2000.

The Web UI no longer supports multiple read-write administration sessions. The
second user who tries to establish a read-write administrator connection to a
Firebox is denied.

The TFTP Proxy has been removed. We now offer a pre-defined TFTP packet
filter.

SIP and H.323 packet filters are no longer supported. Users can now use the SIP
and H.323 application layer gateways (called Proxies in v10.x).

Administrators that log in to the Web UI do not automatically get access through
the Firebox. They must additionally authenticate through the port 4100
authentication portal.

VPN support (branch office VPN, Mobile VPN with IPSec, SSL, or PPTP) is not
available on Firebox X Edge e-Series devices when you use the serial modem or
when you enable your external interface as a wireless interface.

Fireware XTM v11.x does not include the ability to create a BOVPN tunnel that is
specific to a port and protocol, or the ability to select multiple tunnel routes in a
tunnel to be grouped into one Phase 2 Security Association. Fireware XTM 11
always creates one individual Phase 2 SA for each tunnel route in a tunnel.

If you have configured custom event notification rules, these rules are dropped
from your configuration when you upgrade from Fireware v10.x to Fireware XTM.
Features Supported Only on XTM Devices
There are several features available only for WatchGuard XTM devices, and not available
on Firebox X e-Series devices. These features include:

Reputation Enabled Defense

USB backup and restore
RELEASE NOTES
AUGUST 31, 2010
PAGE 19
FIREWARE XTM V11.3.1
Known Issues and Limitations
These are known issues for Fireware XTM v11.3.1 and all management applications.
Where available, we include a way to work around the issue.
General
 To power off an XTM 5 Series device, you must press and hold the rear power
switch for 4-5 seconds. [42459]

On an XTM 5 Series device, the link light for network interface 0 remains lit when
the device is powered off using the rear power switch. [42388]

For XTM 5 Series devices, Interface 0 does not support Auto-MDIX and does not
automatically sense cable polarity.

An XTM 2 Series device can take up to 5 minutes to reboot.

If your Firebox X Edge e-Series device is connected to a modem, it may not boot
correctly if you try to set your Edge to its factory default settings. [30284]

When you use the Policy Manager > File > Backup or Restore features, the
process can take a long time but does complete successfully. [35450]

Policy Manager opens the locally stored copy of your configuration, instead of the
configuration from the device, when you use a status passphrase with a "-"
character as the first character in the passphrase (for example: "-1234567").
[42616]
Workaround:
Do not use the "-" character as the first character in your status or
configuration passphrase.
Upgrade Issues
 After you upgrade a Firebox X Edge from v10.2.x, it is important to know that you
must use the user name "admin" when you want read/write access to the Edge.
In versions older than v11.0 of Edge appliance software, you could use a name
other than "admin" in your administrative credentials, but this is no longer
possible in Fireware XTM. You must log in to the Edge with the user name
"admin" and the read/write passphrase you set during the upgrade.

The disk space occupied by data in the Report Server database before you
upgrade to v11.2.x is not freed until after the number of days specified in the
Keep reports on the Report Server setting in your Report Server configuration.
Because of this, the Report Server database consumes more disk space until this
number of days pass.

If you upgrade to Fireware XTM from an earlier version of Fireware and used a
branch office VPN Phase 2 encryption setting of None, this setting is not
correctly converted during the configuration upgrade. You must edit your Phase 2
encryption setting manually when the upgrade is complete to select an
appropriate encryption setting.
RELEASE NOTES
AUGUST 31, 2010
PAGE 20
FIREWARE XTM V11.3.1

If you have special characters (, ;) in the policy names of your v10.x
configuration, you must remove them from your policy names after you upgrade
to Fireware XTM v11 so that reporting and monitoring operate correctly. [36577]

In WSM v10.x, you could create a Traffic Management action that set both
incoming and outgoing traffic bandwidth for an external interface. This action
could operate on a policy that managed traffic to and from a trusted network. To
reproduce this feature in Fireware XTM v11.x, you must create a Traffic
Management action that sets the maximum upload speed on the external
interface and the maximum download speed on the trusted interface.

The Firebox X Edge Require user authentication and Trusted Hosts features
do not exist in Fireware XTM, because of the increased granularity available
when you configure policies for Edge users. During the Edge upgrade, the users
are added to a local group called Local-Users. If you previously had Require
user authentication enabled, you must use this group in your policies to enforce
user authentication. The Trusted Hosts feature is no longer necessary.

The DNS suffix and second DNS server entries are not converted when you
upgrade from v10.2.x to v11.x on Firebox X Edge e-Series. [40774]
Workaround:
Add the DNS suffix and second DNS entries again after you upgrade to
v11.x.
WatchGuard System Manager
 There can be problems when you add, update, or delete a server installation
from WatchGuard Server Center if WatchGuard System Manager is installed on a
Windows 7 computer that has “XP Compatibility Mode” enabled. [56355]
Workaround:
Make sure that Windows XP compatibility mode is not enabled on the
WSM v11.x executable file. To verify, locate the wsm.exe file in Windows
Explorer. Right-click on the executable file, select Properties, and click the
Compatibility tab.

Remote managed Firebox devices configured in Drop-in Mode may not be able
to connect to a Management Server that is behind a gateway Firebox also
configured in Drop-in Mode. [33056]

If you restore a backup image to a managed client device managed by a
Management Server, it is possible that the shared secret becomes out of sync.
Workaround:
Connect to the Management Server from WSM. Select the managed
device and select Update Device. Select the radio button Reset server
configuration (IP address/ Hostname, shared secret).

You cannot uninstall WatchGuard System Manager successfully when the
WatchGuard Server Center is running on a computer using 64-bit Windows Vista.
[39078]
RELEASE NOTES
AUGUST 31, 2010
PAGE 21
FIREWARE XTM V11.3.1
Workaround:
Exit the WatchGuard Server Center before you start the uninstall WSM.
You can then uninstall WatchGuard System Manager successfully.
Web UI
 The Fireware XTM Web UI does not support the configuration of some features.
These features include:
 FireCluster
 Full proxy configuration options
 The editing of static NAT rules
 Certificate export
 You cannot turn on or off notification of BOVPN events
 You cannot add or remove static ARP entries to the device ARP table
 You cannot get the encrypted Mobile VPN with IPSec end-user
configuration profile, known as the .wgx file. The Web UI generates only a
plain-text version of the end-user configuration profile, with file extension
.ini.
 You cannot edit the name of a policy, use a custom address in a policy, or
use Host Name (DNS lookup) to add an IP address to a policy.

If you configure a policy in the Web UI with a status of Disabled, then open
Policy Manager and make a change to the same policy, the action assigned to
the policy when it denies packets is changed to Send TCP RST. [34118]

If you use the Web UI to edit an existing proxy policy that has alarm settings
enabled, the alarm settings may be disabled when you save your configuration.
[38585]

You cannot create read-only Mobile VPN with IPSec configuration files with the
Web UI. [39176]
WatchGuard Server Center
 If the WatchGuard Server Center is open when you uninstall WSM, you see
multiple warning messages to close the application, instead of just a single
warning. [36901]
Command Line Interface (CLI)
 The CLI does not support the configuration of some features:
 You cannot add or edit a proxy action.
 You cannot get the encrypted Mobile VPN with IPSec end-user
configuration profile, known as the .wgx file. The CLI generates only a
plain-text version of the end-user configuration profile, with file extension
.ini.

RELEASE NOTES
The CLI performs minimal input validation for many commands.
AUGUST 31, 2010
PAGE 22
FIREWARE XTM V11.3.1
Logging and Reporting
 The scheduled group reports to .pdf format option does not work. [44679]

You cannot use a v11.x Report Server with a v10.x Log Server. You must
upgrade both servers for reporting to work correctly. You can, however, use v11.x
Report Manager with a v10.x Report Server.

LogViewer always generates PDFs in English, regardless of the language you
view LogViewer in. Also, unicode characters that cannot be displayed in the
default font may not appear correctly in the PDF. [41244]
Multi-WAN
 When you enable the Multi-WAN Immediate failback option for WAN failover,
some traffic may fail over gradually. [42363]
Networking
 You cannot bridge a wireless access point to an interface configured as trusted or
optional if that network interface is already part of a bridge. [39603]

You cannot bridge a wireless interface to a VLAN interface.

The Web Setup Wizard can fail if your computer is directly connected to an XTM
2 Series device as a DHCP client when you start the Web Setup Wizard. This
can occur because the computer cannot get an IP address quickly enough after
the device reboots during the wizard. [42550]
[41977]
Workaround:
1. If your computer is directly connected to the XTM 2 Series device during
the Web Setup Wizard, use a static IP address on your computer.
2. Use a switch or hub between your computer and the XTM 2 Series
device when you run the Web Setup Wizard.

When a secondary network is configured for an XTM 2 Series device configured
in Drop-In Mode, it can sometimes take a few minutes for computers that connect
to the secondary network to appear in the ARP list of the XTM 2 Series. [42731]

After you enable the MAC access control list or add a new MAC address, you
must reboot your Firebox before the change takes effect. [39987]

You must make sure that any disabled network interfaces do not have the same
IP address as any active network interface or routing problems can occur. [37807]

If you enable the MAC/IP binding with the Only allow traffic sent from or to
these MAC/IP addresses check box, but do not add any entries to the table, the
MAC/IP binding feature does not become active. This is to help make sure
administrators do not accidently block themselves from their own Firebox. [36934]

The option to release or renew a DHCP lease manually when the external
interface is configured to use DHCP is missing in v11.x. [37478]

Any network interfaces that are part of a bridge configuration disconnect and reconnect automatically when you save a configuration from a computer on the
bridge network that includes configuration changes to a network interface. [39474]
RELEASE NOTES
AUGUST 31, 2010
PAGE 23
FIREWARE XTM V11.3.1

When you change the IP address of a VLAN configured on an external interface
from static to PPPoE and the Firebox cannot get a PPPoE address, Firebox
System Manager and the Web UI may continue to show the previously used
static IP address. [39374]

When you configure your Firebox with a Mixed Routing Mode configuration, any
bridged interfaces show their interface and default gateway IP address as 0.0.0.0
in the Web UI. [39389]

When you configure your Firebox in Bridge Mode, the LCD display on your
Firebox shows the IP address of the bridged interfaces as 0.0.0.0. [39324]

When you configure your Firebox in Bridge Mode, the HTTP redirect feature is
configurable from the user interface but does not work in this release. [38870]

Static MAC/IP address binding does not work when your Firebox is configured in
Bridge mode. [36900]

When your Firebox is configured to use Bridge mode, the physical interface of
the Firebox does not appear correctly in log messages. Instead, the interface is
represented as "tbrX". [36783]

When you change your configuration mode from Mixed Routing to Bridge or from
Bridge to Mixed Routing, the CLI and Web UI may continue to show the previous
configuration mode. [38896]

The dynamic routing of RIPv1 does not work. [40880]

IPSec Pass-Through does not work when you configure static NAT for the IPSec
traffic. [41249]

When an IP address is added to the Temporary Blocked Site list by the
administrator through the Firebox System Manager > Blocked Sites tab, the
expiration time is constantly reset when traffic is received from the IP address.
[42089]

NAT loopback does not work together with Server Load Balancing. [41090]
Firebox X Edge e-Series Wireless
 When a Firebox X Edge e-Series is configured as both a wireless access point
and as a Mobile VPN with SSL endpoint, the wireless connection does not work
correctly if the SSL VPN address pool is configured on the same subnet as the
wireless access point. [42429]

When you set the external interface as a wireless client and configure static NAT
to use the Eth0 interface as its source IP address, inbound static NAT does not
operate correctly. [38239]

The MAC Address Override feature is not available on a Firebox X Edge that has
a wireless interfaced configured as an external interface. [38241]
FireCluster
 When you have an active/active FireCluster and use the WebBlocker Override
feature, you may be prompted to enter your override password twice. [39263]
RELEASE NOTES
AUGUST 31, 2010
PAGE 24
FIREWARE XTM V11.3.1

Every network interface enabled in a FireCluster is automatically monitored by
FireCluster. You must make sure that all enabled interfaces are physically
connected to a network device.

If you use HP ProCurve switches, you cannot configure your FireCluster in
active/active mode because these switches do not support the addition of static
ARP entries. [41396]

FireCluster is not supported if you use either a Drop-in or Bridge network
configuration mode on your WatchGuard devices. [37287]

If you use the Mobile VPN with IPSec client from the same network as the
external network address configured on your FireCluster, some traffic may not go
through the VPN tunnel. [38672]

Mobile VPN with PPTP users do not appear in Firebox System Manager when
you are connected to a passive FireCluster member. PPTP is only connected to
the active Firebox when using an active/passive FireCluster. [36467]

FireCluster does not support dynamic routing. [39442]
Authentication
 For the Authentication Redirect feature to operate correctly, HTTP or HTTPS
traffic cannot be allowed through an outgoing policy based on IP addresses or
aliases that contain IP addresses. The Authentication Redirect feature operates
only when policies for port 80 and 443 are configured for user or user group
authentication. [37241]
Proxies
 The ability to use an HTTP caching proxy server is not available in conjunction
with the TCP-UDP Proxy. [44260]

Application Blocker can only block the initial login to Skype. It cannot block traffic
for a Skype client that has previously logged in. If a user with a laptop logs in to
Skype when the computer is not connected to your network, and then the user
connects to your network while the Skype client is still active, Application Blocker
cannot block the Skype traffic until the user exits and logs out of the Skype
application.

Application Blocker does not stop all BitTorrent connections. It does stop most
connections, which causes BitTorrent throughput to be significantly
reduced. [44288]

You cannot make a SIP-based call from Polycom PVX softphone behind a
Firebox to a Polycom PVX on the external network. [38567]
Workaround:
You can use the H.323 protocol instead of SIP.
Security Subscriptions
 You cannot use a WebBlocker Server through a branch office VPN tunnel. [56319]

RELEASE NOTES
To optimize performance of web browsing on the Firebox X Edge e-Series,
Gateway AntiVirus does not scan the following content types when used with the
AUGUST 31, 2010
PAGE 25
FIREWARE XTM V11.3.1
HTTP proxy: text/*, image/*, audio/*, video/*, application/javascript, application/xjavascript, and application/x-shockwave-flash. The content types appear in the
HTTP-Client proxy action configuration for the Edge, but Gateway AV does not
scan for these content types. All other content types, including executable files,
are scanned. Gateway AntiVirus also does not use code emulation capabilities of
the AV engine on Firebox X Edge e-series appliances.
Certificates
 DSA algorithm-based digital certificates are not supported in this release. [38758]
Workaround:
Use RSA algorithm-based digital certificates.
Mobile VPN with SSL
 Users who try to upgrade their Mobile VPN with SSL client from Fireware XTM
v11.2.1 to a later version of Fireware XTM will fail. The failure does not damage
the v11.2.1 client installation. [43970]
Workaround:
To upgrade your Mobile VPN with SSL client from v11.2.1 to v11.3, use
your web browser to connect to https://<IP address of a Firebox or XTM
device>/sslvpn.html. You can then download and install the new client
software. Or, you can download the client software from the Software
Downloads page and email it your users to install on their computer.

The Macintosh SSL VPN client may not be able to connect to a Firebox when the
authentication algorithm is set to SHA 256. [35724]

When the Macintosh SSL VPN client disconnects or is stopped manually, the
client disables the AirPort wireless adapter on the Mac. [39914]
Mobile VPN with IPSec
 A continuous FTP session over a Mobile VPN with IPSec connection could get
terminated if an IPSec rekey occurs during the FTP transfer. [32769]
Workaround:
Increase the rekey byte count.

When you use the Web UI or CLI to configure Mobile VPN with IPSec user
profiles, user groups with extended authentication may show incorrectly as
Firebox Local Authentication groups. [39695]
Branch Office VPN
 A branch office VPN tunnel does not pass traffic if an inbound static NAT policy
that includes IP 50 and IP 51 protocols exists for the external IP address of the
Firebox or XTM device. [41822]

RELEASE NOTES
Managed branch office VPN tunnels cannot be established if the CRL distribution
point (for example, the WatchGuard Management Server or a third-party CRL
distribution site you use) is offline. [55946]
AUGUST 31, 2010
PAGE 26
FIREWARE XTM V11.3.1

The use of Any in a BOVPN tunnel route is changed in Fireware XTM. If a branch
office VPN tunnel uses Any for the Local part of a tunnel route, Fireware XTM
interprets this to mean network 0.0.0.0 and subnet mask 0.0.0.0 (in slash
notation, 0.0.0.0/0). If the remote IPSec peer does not send 0.0.0.0/0 as its
Phase 2 ID, Phase 2 negotiations fail. [40098]
Workaround:
Do not use Any for the Local or the Remote part of the tunnel route.
Change the Local part of your tunnel route. Type the IP addresses of
computers behind the Firebox that actually participate in the tunnel routing.
Contact the administrator of the remote IPSec peer to determine what that
device uses for the Remote part of its tunnel route (or the Remote part of
its Phase 2 ID).

The VPN Keep-Alive feature is not available for the Firebox X Edge e-Series.
[37769]

If you have a large number of branch office VPN tunnels in your configuration,
the tunnels may take a long time to appear in Policy Manager. [35919]

When you set the Phase 2 SA expiration to zero by setting both the Life-time and
Life-size values to 0, the Firebox changes the rekey life-time to 8 hours. [37209]
Using the CLI
The Fireware XTM CLI (Command Line Interface) is fully supported for v11.x releases. For
information on how to start and use the CLI, see the CLI Command Reference Guide,
which has been updated for this release. You can download the CLI guide from the
documentation web site at http://www.watchguard.com/help/documentation/xtm.asp.
Technical Assistance
For technical assistance, contact WatchGuard Technical Support by telephone or on the
Web at http://www.watchguard.com/support. When you contact Technical Support, you
must supply your registered Product Serial Number, LiveSecurity key or Partner ID.
Phone Number
U.S. End Users
877.232.3531
International End Users
+1 206.613.0456
Authorized WatchGuard Resellers
206.521.8375
RELEASE NOTES
AUGUST 31, 2010
PAGE 27
FIREWARE XTM V11.3.1
Resolved Issues in Fireware XTM v11.3
General
 A memory leak in the HTTPS proxy has been resolved. [44028, 39582]

A problem that caused the Firebox to become stuck in recovery mode after
upgrade has been resolved. [42549, 45210]

Policy Manager now displays the Single Sign-On Authentication settings dialogue
box correctly in Windows with a resolution of 1280x800. When you use a
resolution that cannot display a dialogue box correctly, Policy Manager adds an
automatic scroll bar to the dialogue box. [43214]

RST packets are no longer sent when the default packet handling option to "Send
an error message to clients whose connections are disabled" setting is disabled.
[41527]
Networking

ICMP flood protection now works correctly. [44904]

The DDoS Client/Server Quota setting is no longer applied between bridged
interfaces. [42307]

The Server Load Balancing feature has been improved so that servers are no
longer considered to be down unless there is no response to probe packets.
[44293]

For XTM 8 series and XTM 1050, we have increased the received buffer on the
Network Interface Cards to prevent packet loss under a high rate of traffic. [44950]

A corrupted /etc/wg/localtime file no longer causes an XTM device to stop
passing traffic. [44957]

It is no longer possible to set interface link speed to 1000 Mpbs, Half Duplex.
[43068]
Firebox System Manager (FSM)
 Manually configured blocked sites now appear correctly in Firebox System
Manager. [44025]

You can now add an IP address to the Blocked Sites list correctly from Firebox
System Manager. [42763]
Web UI

You can now use international characters in the Fireware XTM Web UI. [42896]

The Fireware XTM Web UI now supports the manual ordering of policies. [35169]
Authentication
 Authentication to XTM 2 Series and Firebox X Edge e-Series no longer fails with
the log message: admd adm: wgapi:failed to parse request Debug
admd Error, prcs msg error! Debug [44887]
RELEASE NOTES
AUGUST 31, 2010
PAGE 28
FIREWARE XTM V11.3.1

The Active Directory search algorithm has changed in v11.3. For Active Directory
authentication, the baseObject that the Firebox uses when it looks for the cn
attributes tied to the objectSids must now be the root container for the domain
(as specified in any domain component configured for the Search Base in Policy
Manager). [40482]
Branch Office VPN
 Decrypted ESP packets are now correctly handled when you use static NAT in a
branch office VPN tunnel. [43660]

Branch office VPN tunnels no longer fail when you use an interface configured as
"external" for FireCluster management. [44646]
Mobile VPN with SSL

You can no longer connect to the Firebox or XTM device when the default SSL
policy is disabled. [42027]

The client password no longer appears in clear text when you use the Mobile
VPN client for Mac OS v10.6 and look at the debug log messages. [43739]

The Mobile VPN with SSL IP address pool is now handled correctly when your
Firebox or XTM device is part of a FireCluster. [44607]

Mobile VPN with SSL now works correctly after a FireCluster upgrade. [42776]

The Mobile VPN with SSL client can now authenticate correctly when the
passphrase contains a space. [44196]

You can now configure the Mobile VPN with SSL configuration port to use UDP.
[41128]

The Mobile VPN with SSL windows client now successfully reconnects after you
reauthenticate. [42648]

The Mobile VPN with SSL client can now successfully establish a connection to
the new Master device after a FireCluster failover. [42774]

Mobile VPN with SSL connections are now successfully established after an
active/passive FireCluster failover. [43051]

The Mobile VPN with SSL Mac client no longer fails to connect with a Failed
to create the curl config file //curlconfig error message. [44292]

You no longer need to reboot your Firebox or XTM device when you change your
SSL configuration option from Routed Network Traffic to Bridge Network
Traffic. [36159]
Mobile VPN with PPTP

You can no longer connect to the Firebox or XTM device when the default PPTP
policy is disabled. [42618, 41816]

The available PPTP event logs now match the available event logs in Fireware
v10.x. [42278]

PPTP connection reliability has been improved to single devices and to a
FireCluster, with or without NAT. [43785]

PPTP traffic no longer drops after a FireCluster failover.
RELEASE NOTES
AUGUST 31, 2010
[42779]
PAGE 29
FIREWARE XTM V11.3.1
Logging

The configuration options for log deletion have been removed from the
WatchGuard Server Center Log Server tab. The Log Server now stores log data
until the size of the log database reaches 95% of the maximum log database size
you specify in your configuration. When this threshold is met, the Log Server
drops a number of the fixed-size partitions until the database size is less than
95% of the maximum database size. You must have the automatic backup
feature enabled to preserve the data that is deleted.

You can now manually back up and restore the log database.

It is now possible to view archived log data in LogViewer without the need to
restore archived log files.

Diagnostic log messages no longer include many copies of the log messages:
local0.warn kernel: dev_hard_start_xmit: reseting data
pointer
local0.warn kernel: eth0: copy skb to add MARVEL header [44806]

Log messages with content "firewall fwd_crt_io: ..." no longer show in
a log file unless you have turned on debug logging. [43831]

Notification for the connection rate limit now works correctly.

Both LogViewer and the Log Server now correctly validate the presence of
search criteria. [44727]

Logging for IPS can now be correctly enabled and disabled. [44312]

Unnecessary messages about " ======found unknown tag: 8004" are no longer
generated when you restore a backup log file. [44566]
[42901]
Report Server
 The Report Server now handles the change from an external database to the
built-in database correctly. [44008]
Wireless
 The wireless access point no longer fails to start if you configure the wireless
region setting to Default. [44730]
FireCluster
 Active/passive Cluster failover time has been improved. [44259]

Physical interfaces configured as part of a VLAN are now "cluster aware." These
interfaces are now monitored and trigger a cluster failover if they fail. [44368]

Multiple failover events on VLAN interfaces no longer cause an interruption in
traffic. [45137]

Firebox and XTM devices now respond to ARP requests for IP addresses
configured as part of a PPTP pool in an active/passive FireCluster. [44465]

ARP requests for 1-to-1 NAT entries are now handled correctly in an
active/passive FireCluster. [44667]
RELEASE NOTES
AUGUST 31, 2010
PAGE 30
FIREWARE XTM V11.3.1

Gateway AV/IPS signatures now synchronize correctly when a FireCluster is
formed. [40296]

A problem that caused FireCluster instability in a cluster that has been active for
a long period of time has been resolved. [42336]
Proxies

The SMTP proxy no longer stops processing email in certain customer
environments. [41728, 44261]

Several problems that occurred when you configure IPS server protection on a
proxy policy configured to protect an internal HTTP server have been resolved.
[41664, 42684]

The Firebox no longer locks up when you download large files from a website
using BitTorrent through the TCP-UDP proxy. [41620]

The maximum value for the idle timeout setting in the SIP and H.323 application
layer gateway policies has been increased to 3600 seconds. [44601]

Firebox X Edge e-Series devices no longer lock up after you enable security
services. [42186]

The web site http://research.microsoft.com now loads correctly through the HTTP
proxy with a default proxy action. [43444]

A problem that caused a stack trace on Firebox X Edge e-Series devices running
subscription services has been resolved. [43841]

The default HTTP proxy action now correctly blocks Windows executable files.
[40799]

The FTP proxy now correctly blocks login attempts from the same source over
multiple connections that exceed the limit of 5. [42303]

Cisco 7940 phones now work correctly with the SIP application layer gateway.
[42829]

The mime_error log field in log messages now includes information to explain the
error. [41711]

When a site is on the HTTP proxy exception list as a trusted site, connections to
that site are no longer scanned with IPS. [44195]
Security Subscription Services
 This release resolves an issue that caused all proxy traffic to stop after several
hours when Gateway AV/IPS is enabled. [43656]

When you select the Show Signatures option in Firebox System Manager >
Subscription Services > IPS, only signatures used on that appliance are
displayed. [42410]

When you increase the maximum file size for spam scoring to a value larger than
200K, spamBlocker now correctly scores email messages. [44837]

HTTP connections no longer fail on certain Firebox X Core e-Series devices
when HTTP, HTTPS, and SMTP proxy policies are all configured to use both
Gateway AV and IPS. [43930]
RELEASE NOTES
AUGUST 31, 2010
PAGE 31
FIREWARE XTM V11.3.1

You can now use the WebBlocker Override password to get access to a web site
if your WebBlocker Server is unavailable. [38242]

This release resolves a problem that caused the proxy connection table to
become full if the Quarantine Server is unavailable. [41504]
Resolved Issues in Fireware XTM v11.2.3
Upgrade Issues
 The TCP-UDP proxy configuration IM and P2P settings are now correctly
converted during an upgrade from Fireware v10.x. [41949]

CSRs (certificate signing requests) and private keys are now removed during an
upgrade from Fireware v10.x. [39894]

A custom proxy deny message no longer causes device lockup and problems
with saving the configuration after an upgrade. [42507]

After an upgrade of a managed device from Fireware v10.2.x, the Management
Server no longer fails with error: "Element 'unknown': This element is not
expected" when you try to add the upgraded device. [41978]

Drop-in mode now operates correctly after an upgrade from Fireware v10.x. [41512]

Mobile VPN with SSL Active Directory authentication requests are now correctly
processed through a BOVPN tunnel after an upgrade from Fireware v10.x. [41716]

NTP and DNS requests now operate correctly through a BOVPN tunnel after an
upgrade from Fireware v10.x. [41991]

An upgrade from Fireware XTM v11.1 to Fireware XTM v11.2.3 no longer creates
pending SSLVPN certificates that cause Mobile VPN with SSL connects to fail.
[42586]
General
 When you start a Firebox X Core or Peak e-Series appliance in recovery mode,
the LCD display now correctly displays the "Recovery Mode" message. [43590]

For Firebox X Edge models that limit the maximum number of IP addresses with
outbound access, the IP addresses with outbound access are automatically
timed out once per hour. [42539]

A UDP flood to port 0 no longer causes loss of the management connection to
the device. [42665]

Firebox X Edge e-Series devices now can forward DNS queries. [42709]

On Firebox X Edge e-Series devices, the WINS server is no longer automatically
set to the same IP address as the primary DNS server when no WINS server was
configured. [41622]

Firebox X Edge e-Series Wireless devices no longer fail to assign DHCP
addresses to connected wireless clients. [42386]
RELEASE NOTES
AUGUST 31, 2010
PAGE 32
FIREWARE XTM V11.3.1
Authentication
 The web server on the Firebox or XTM device now sends the full certificate chain
when a third party certificate is used. [43295]
Branch Office VPN
 1-to-1 NAT now operates correctly for a manual BOVPN tunnel. [42796]

Dynamic NAT now works correctly for Branch Office VPN tunnel switching traffic.
[43572]

BOVPN failover now operates correctly between a Firebox that uses Fireware
v10.x and a Firebox or XTM device that use Fireware 11.2.3. [42316]

Managed BOVPN tunnels no longer fail on an XTM 1050 active/passive
FireCluster. [43370]

If the remote side of a branch office VPN tunnel is configured with multiple WANs
and the local side is configured to use PPPoE, the VPN traffic from the remote
side no longer stops if the PPPoE dynamic IP address is changed on the local
side [42669]

The iked process no longer crashes after a WAN failover when a large number
of BOVPN tunnels cannot be established. [43592]

BOVPN kernel log messages "kernel esp_input:" no longer appear in the log
files. [42712]
Mobile VPN with SSL

The log message "wgagent Start tag expected, '<' not found" no longer appears
when passing SSLVPN traffic. [42220]

Mobile VPN with SSL and Mobile VPN with PPTP now operate correctly on an
XTM 505 device. [42218]

A dash (-) in an Active Directory password no longer causes Mobile VPN with
SSL connections to fail. [43663]

For an upgrade of the Mobile VPN with SSL client from v10.x to v11, the upgrade
process now displays a message to indicate that the upgrade was successful.
[40715]

Mobile VPN with SSL now supports SecurID authentication new pin mode. [40828]

The Mobile VPN with SSL client no longer crashes on Snow Leopard (Mac OS X
10.6.2). [42548]
Mobile VPN with IPSec

The "§" symbol is now supported in Mobile VPN with IPSec passphrases when
you use Active Directory authentication. [41884]
Networking

A configuration with a large number of VLANs, all with DHCP enabled, no longer
causes a stack trace to appear in Traffic Monitor. [42620]

An incoming PPTP policy with 1-to-1 or static NAT no longer causes PPTP
sessions to disconnect. [42204]
RELEASE NOTES
AUGUST 31, 2010
PAGE 33
FIREWARE XTM V11.3.1

A Traffic Management action to set the maximum bandwidth on the Trusted
interface no longer limits the maximum bandwidth on the External interface.
[42760]
WatchGuard System Manager
 Policy Manager now opens when the Status password contains a space. [42823]

WatchGuard System Manager can now manage a device that contains "&" in the
System > Device Configuration settings. [41551]
Firebox System Manager (FSM)
 The Traffic Meter on the FSM Front Panel now uses the correct scale for the
device model. [42870]

Traffic Monitor no longer displays a refresh error after a FireCluster failover of the
cluster master. [42775]

FSM no longer incorrectly shows GMT Summer Time on the Front Panel and in
log files. [43812]

FSM Status Report now shows the bridge MAC address table. [40977]

Firebox System Manager no longer disconnects when you open the FSM Status
Report. [43355]

Branch office VPN routes now appear in the FSM Status Report. [41604]

Mobile VPN with SSL tunnels now correctly appear on the FSM Front Panel
when your Firebox or XTM is configured to bridge VPN traffic. [42663]
Web UI

You can now add external VLAN interfaces to a policy-based routing
configuration from the Fireware XTM Web UI. [42308]

The Web UI now correctly stops you from using non-ASCII backup image
passwords, which are not allowed in Policy Manager. [42043]
Quarantine Server

You can now successfully delete and forward selected email from the Email
Quarantine report. [42885]

The date and time now appear correctly in the Email Quarantine report when
viewed from an Italian client OS. [43721]
Log Server

Logging for FireCluster no longer fails after you upgrade to Fireware to Fireware
XTM v11.x. [42892]

The Log Collector process no longer hangs or crashes when many devices are
connected with a high rate of incoming log messages. [43631]

You can now successfully back up a Log Server to a remote computer. [42892]
Report Server
 Report Server can now resolve host names on select reports. [42725]
RELEASE NOTES
AUGUST 31, 2010
PAGE 34
FIREWARE XTM V11.3.1

The data on the Gateway Antivirus reports now matches the data for Gateway AV
in Firebox System Manager. [40940]

Report Server now operates correctly when your admin passphrase has a special
character in it. [42652]

The User Authentication Report now generates correctly and for the appropriate
time period. [43275]
FireCluster
 With Fireware v11.2.3, the way MAC addresses are assigned for an
active/passive FireCluster has changed. After you upgrade an active/passive
FireCluster to v11.2.3, it could be necessary to flush the ARP cache of connected
network switches or routers to update the MAC address. Active/passive
FireCluster now uses a virtual MAC address to give faster cluster member
failover.

An active/passive FireCluster no longer stops passing packets after a reboot.
[42792]

You can now connect to FireCluster management IP addresses from a different
subnet. [43931]

Security subscriptions no longer stop working when a passive device in an
active/passive FireCluster has expired licenses. [41717]

spamBlocker now scores spam on an active/passive failover if the device in
passive mode does not have an active spamBlocker feature key. [41694]

Signatures now sync correctly when a cluster member joins an active/active
FireCluster. [42717]

The devices in an active/passive FireCluster no longer take a very long time to
boot. [43368]

The backup member of a FireCluster now correctly becomes active after a
failover. [41996]
Proxies

The WebBlocker process no longer crashes when you save changes to a
WebBlocker action. [42074]

The log files for customers who use an active/passive FireCluster no longer fill up
with log messages that refer to "kernel SM: ACK transmit failed". [42869]

A problem that caused an "eip: 0xb7826e2d" CFM stack trace on the XTM 1050
has been resolved. [43657]

The HTTPS proxy now returns a complete and valid chain of trust, including all
intermediate CAs. [42661]

Certificates are now handled correctly when you use the HTTPS proxy to protect
an HTTPS server. [42229]

A problem that caused HTML and JavaScript to display as garbled text during the
download of a web page has been resolved. [42764]

1-to-1 NAT traffic is no longer blocked as unhandled external packets because of
a corrupt SMTP proxy policy. [41271]
RELEASE NOTES
AUGUST 31, 2010
PAGE 35
FIREWARE XTM V11.3.1

A problem that caused a process to crash when the SIP proxy was enabled has
been resolved. [41127]

Proxy diagnostic log messages no longer multiple copies of the incorrect log
message "unable to parse license info". [42484]

Spam exceptions are no longer blocked by spamBlocker when BDAT/Chunking is
enabled after you upgrade from v11.1 to v11.2. [42680]

The Gateway AV and IPS version information is now updated correctly after a
Gateway AV or IPS update. [42687, 42188, 43234]

Gateway AV now correctly detects and blocks .js files as viruses. [42509]
Resolved Issues in Fireware XTM v11.2.1 and v11.2.2

It is no longer possible to save configuration changes to the Firebox or XTM
device with the Escape key and the configuration passphrase. [42609]

Per-policy and global NAT settings now apply correctly to IPSec traffic. [39366]

This release includes improvements to the Single Sign-on agent software that
affected customers with a large number (>1000) of Single Sign-on users. [42406,
42407, 42408]

WatchGuard System Manager and Firebox System Manager connections no
longer fail after you upgrade your device from Fireware v10.2.11 to Fireware XTM
v11.x. [41806]

Ping traffic through a branch office VPN tunnel configured to a Firebox or XTM
device configured for multi-WAN is now encrypted correctly. [42617]

The external IP address of a Firebox X Edge e-Series device is no longer
counted as an active IP address in the Outbound Access List. [42581]

The Firebox X Edge e-Series no longer includes VPN traffic in the results on the
Outbound Access List. [42582]

DHCP relay now works correctly with multiple VLANs.

Firebox System Manager no longer fails with the error " Missing data for
XPATH /network/wan/failback_status/failback_status" when
connected through an active/passive FireCluster configured with multi-WAN.
[42288]
[42334]

The Management Server now correctly handles Edge configuration templates
that have properties with values longer than 1023 characters. [42630]

The Fireware to Fireware XTM upgrade process now correctly upgrades Mobile
VPN resource entries with zero route functionality enabled. [42216]

This release resolves an issue that caused management connections to fail after
several days of device uptime. [40768]
Proxies
 The H.323 ALG no longer drops a call when the call is on hold longer than the
timeout setting. [40370]
RELEASE NOTES
AUGUST 31, 2010
PAGE 36
FIREWARE XTM V11.3.1

The H.323 ALG no longer times out when audio and video content is being sent
between Polycom systems. [40377]

The H.323 ALG no longer fails with kernel panic error (EIP: 0060:
[<380112c6>]) when dynamic NAT is not used. [40757]

NetMeeting to NetMeeting connections configured to use the H.323 ALG no
longer time out when audio and video content is being sent. [40692]

Trusted phones configured to use the SIP ALG can now make correctly renegotiate connections when a call is put on hold several times. [40447]

The SIP ALG now correctly recognizes the hold signal and maintains audio and
video content after a long hold period. [40100]

The HTTP proxy now supports more possible characters in the customizable
deny message. [42566]

Multi-byte languages are now supported in SMTP notification messages. [38335]

The SMTP proxy now correctly recognizes multi-byte attachment file names.
[39559]

You can now add user email addresses longer than 32 characters to the
Quarantine Server. [42283]
Mobile User with SSL
 The Mobile VPN with SSL client upgrade no longer fails when the client is used
with CryptoCard two-factor authentication. [42467]

The Force users to authenticate after a connection is lost option now works
correctly. [42470]

You can now correctly save changes to the Mobile VPN with SSL Advanced
configuration. [42426]
Web UI
 The Firebox X Edge Outbound Access List feature is now available for both wired
and wireless devices. [42602]

The Web UI can now correctly display third-party certificates. [41324]

The HTTP proxy now includes configuration for Application Blocker in the Web
UI. [40331]
WatchGuard Servers
 Symantec Backup Exec backups no longer fail because of an embedded "..\" in
the registry keys of the WatchGuard server products. [40010]

Report Manager now displays the correct counts for "bytes_in" and "bytes_out".
[42628]

Report Manager now correctly displays reports after you upgrade your device
from Fireware v10.x to Fireware XTM. [42651]

On-demand reports generated with the Reporting Web UI now correctly handle
the date for non-English locales and generate without error. [42522]
RELEASE NOTES
AUGUST 31, 2010
PAGE 37
FIREWARE XTM V11.3.1

Report start and end dates that cross a month boundary are now handled
correctly in the Reporting Web UI. [42547]

The Reporting Web UI no longer gives an HTTP 403 error when the WSM Report
Server is installed in a non-default location. [42552]

It is no longer necessary to restart the Report Server and Log Server when you
restart the PostgreSQL database. [35063]
Resolved Issues in Fireware XTM v11.2
Upgrade Issues
 The upgrade from a Firebox X Edge e-Series v10.2.9 or higher to Fireware XTM
v11.2 no longer fails if a custom policy is used. [41704] [41809]

When you upgrade a Firebox X Edge e-Series from v10.2.9 or higher to v11.2,
the upgrade no longer fails if the alias Wireless Guest Network is used in the
From field of a policy. [41098]

This release resolves an issue that prevented the successful upgrade from
Fireware v10.2.8 configured to use High Availability to Fireware XTM v11.x.
[41908]

It is no longer necessary to remove custom TFTP packet filter policies from your
Fireware v10.2.x configuration before you upgrade to Fireware XTM. [39817]
General
 You can now schedule a weekly reboot of your Firebox or XTM device. [40860]

This release resolves an OpenSSL TLS renegotiation vulnerability, CVE-20093555 TLS: MITM attacks via session renegotiation. [41353]

This release resolve an issue that caused the Firebox to crash with a stack trace:
eip: c015217a free_block() crash. [41853]

WatchGuard Service Center now correctly uninstalls on 64bit Windows 2008
Server. [41275]
Authentication
 When you enable the Authentication Settings > Limit users to a single login
session check box, you can now prevent a second login attempt from
disconnecting the first authenticated session with the same user name. [38024]

This release resolves a problem that caused the admd process to fail if a user
that belonged to more than 10 groups authenticated to the Firebox. [40987]
Proxies
 The SMTP proxy no longer strips attachments from a Yahoo® mail account
because of improper content type formats used by Yahoo. [41710]
RELEASE NOTES
AUGUST 31, 2010
PAGE 38
FIREWARE XTM V11.3.1

The HTTPS proxy now correctly matches Gmail® to the WebBlocker categories
Web-Based email and Chat. [41607]

FTP traffic no longer fails through an HTTP Proxy with a "line parsing error" when
a caching proxy server is used. [41483]

Microsoft® Outlook communication that uses RPC over HTTPS no longer fails
when you have deep packet inspection enabled in your HTTPS proxy. [37503]

When you use Deep Packet Inspection with the HTTPS proxy and the time it
takes to download a file exceeds the HTTPS proxy action Idle Timeout setting,
the file download no longer fails. [41289]
Subscription Services
 The WebBlocker Override feature now works on XTM 8 Series devices
configured in Bridge Mode. [41321]
Wireless
 This release resolves a problem where the networkd process sometimes crashed
and all wireless connections failed. [40418]

WPA-PSK passphrases can now include as many as 63 characters. [40780]
Networking
 You can now use static NAT with PPPoE when you use IP addresses that are not
part of the primary external network. [40506]

The feature to block port and address space probes has been enhanced to
improve the detection of slow port and IP scans. [41775]

DHCP Relay now works correctly when sent through a Branch Office VPN on a
Firebox or XTM device configured to use PPPoE. [41702 ]

You can now schedule a time to automatically restart the PPPoE connection.
[39624]

SNMP traffic generated by a device on a trusted or optional interface now passes
through the Firebox to an external network. [41399]

If you edit a static MAC entry and then change the MAC address, the change
now takes effect. [40738]
Multi-WAN
 When you change your multi-WAN configuration mode from Failover to Routing
Table, the routing table is now correctly updated without the need for a reboot.
[41696]

This release resolves an issue that prevented multi-WAN Round Robin with
equal weights to operate correctly with a Fireware XTM Standard license. [41695]

When you use Multi-WAN together with Branch Office VPN, VPN tunnel traffic
now routes through the correct external interface. [41971] [41953]
FireCluster
 Network traffic routed among interfaces is no longer disrupted when you use
active/passive FireCluster. [41530]
RELEASE NOTES
AUGUST 31, 2010
PAGE 39
FIREWARE XTM V11.3.1

The sessiond process no longer crashes when you enable FireCluster. [41124]

The subnet mask on the backup master management IP address is no longer
automatically set to /8 or /16. [41281]

You can now manage WatchGuard devices configured in a FireCluster through a
Branch Office VPN tunnel. [39732]

When you configure an active/passive FireCluster, the Firebox now sends a
GARP for 1-to-1 NAT IP addresses that are not configured as secondary network
addresses on an external interface. [40688]

IPSec Pass-through now works correctly with an active/passive FireCluster. [41373]
Branch Office VPN
 Fragmented traffic over a Branch Office VPN no longer fails when the external
interface is configured as a VLAN. [41535]

BOVPN Failover now completes when you disconnect the Ethernet cable from
the primary external interface. [41677]

The Firebox no longer locks up when there is a high volume of fragmented UDP
packets sent over a branch office VPN tunnel configured to use AES encryption
in phase 2. [41475] [41229]
Mobile VPN
 Proxy ARP is now enabled for the IP addresses assigned to Mobile VPN with
SSL clients connected to the Firebox. [40989]

The SSL VPN Client for Macintosh® now supports v10.6 (Snow Leopard). [40953]

The Mobile VPN with IPSec v11.2 client correctly supports the use of certificates
for authentication. [41464]

If you have an underscore "_" in the group name, the Mobile VPN with IPSec
connection now passes traffic correctly. [40858]

If the PPTP client option, Include Windows logon domain, is selected, the
PPTP connection to the Firebox now operates correctly. [40856]
Web UI
 You can now add a static NAT entry that uses a secondary external IP address.
[41663]

The option to configure diagnostic logging is now available in the Web UI. [39212]

This release resolves an issue that caused the Web UI to display "Code: 0
Error: 0" when you add a branch office VPN gateway. [41286]

This release resolves an issue that caused the Web UI to display "Code: 0
Error: 0 when you configure Gateway AV or IPS. [41518]
Policy Manager
 The error HTTP response code: 500 no longer occurs when you save your
configuration multiple times in a short amount of time. [41266]
RELEASE NOTES
AUGUST 31, 2010
PAGE 40
FIREWARE XTM V11.3.1
Firebox System Manager
 When you connect HostWatch to a Firebox that has many connections,
HostWatch no longer shows a blank connection list. [40772] [41721]

This release resolves an issue that caused a Java null pointer exception when
the Front Panel display refreshes. [41156]

The Security Subscriptions tab now correctly displays statistics if the feature key
contains a combination of expired and active licenses. [41400]
Management Server
 You can now log in to the Management Server if you have configured a managed
device that has a device name that is the same as a user name configured with
an "administrator" role on the Management Server. [39692]

The Apache.exe process no longer crashes when you apply a BOVPN
managed policy with more than18 ports in the policy. [41395]
Centralized Management
 When you use a custom alias in a policy template, the alias no longer changes to
none when the template is updated. [41272]
Log Server
 This release resolves an issue that caused the Windows Event log file to fill up
with the error message: Error (9235), database error: ERROR:
invalid byte sequence for encoding. [40983]

The Log Server no longer fails to start if the partition on the hard drive selected
for the Log Server become full. [40995]

LogViewer no longer freezes if you move the scroll bar very quickly.
[39461]
Certificates
 WSM connections no longer fail when you use third-party certificates for your
web server. [41248]
Resolved Issues in Fireware XTM v11.1
General
 The WSM Quick Setup Wizard now allows you to enter a feature key that
contains a model upgrade for Edge e-Series. [40405]

Fireware XTM v11.1 resolves a cross site scripting vulnerability found in the web
server used with the authentication applet. [40332]

Fireware XTM v11.1 resolves a cross site scripting vulnerability found in the
WatchGuard servers' Apache HTTP server implementation. [40581]

The lighttpd version used by Fireware XTM has been upgraded to v1.4.22 to
resolve several reported vulnerabilities. [38808]
RELEASE NOTES
AUGUST 31, 2010
PAGE 41
FIREWARE XTM V11.3.1

The ISC DHCP server version has been upgraded to v4.1.0p1 to resolve several
reported vulnerabilities. [40032]

HostWatch now shows VLAN traffic. [40401]

You can now right-click in Firebox System Manager > Traffic Monitor to add an IP
address to the blocked sites list. [40488]

ServiceWatch now correctly displays bandwidth for auto-generated BOVPN
policies created by the WatchGuard Management Server. [40364]
Authentication
 The Authentication redirect feature now works when you use a wireless guest
network on the Firebox X Edge e-Series. [40029]

This release resolves an issue that causes Active Directory authentication to fail
with the following log message: user="test1" domain=TESTQAWIN2K30.
[40786]
Proxies
 You can now enable notification for Application Blocker. [40422]

Application Blocker has been enhanced to add support for Winny, a popular peer
to peer application used in Japan. [35027]

You can now unlock a file with an "&" in the file name with the unlock.exe
utility. [40718]

This release resolves several reported issues in which certain web applications
did not work through the HTTP Proxy. [40293] [38121] [40392]

This release resolves an issue that caused FTP proxy traffic to stop after a multiWAN failover. [37965]
Subscription Services
 Subscription services now update when you use an internal HTTP proxy server.
[40517]

WebBlocker override now works on Firebox X e-Series devices configured in
Bridge Mode. [39283]

The Quarantine Server client now accepts [email protected]
email format. [39743]
Networking
 You can now use either Policy Manager or the Web UI to add multicast
addresses in a policy. [39947, 39948]

If you enable a network interface and change the Interface Name (Alias) at the
same time you enable the interface, the interface now becomes active without
the need for a reboot.[39815]

When you use multi-WAN, DNS servers with static IP addresses on WAN 1 are
now used even when other external interfaces use DNS servers from an ISP
through PPPoE or DHCP. [40322]

DHCP relay through a branch office VPN tunnel now works. [40844]
RELEASE NOTES
AUGUST 31, 2010
PAGE 42
FIREWARE XTM V11.3.1

You can now change the MTU of an external interface configured with PPPoE.
[40705]

The DHCP server now works when there are multiple VLANs in the configuration.
[40556]

Server Load Balancing now works when the internal server IP addresses are on
different subnets. [41041]

We have made enhancements to the Server Load Balancing server status
detection mechanism. [40300] [40519]

The Server Load Balancing Stickiness function has been improved to maintain a
sticky connection state until the idle timeout is reached. [40297]

Static MAC address binding now works when your device is configured in Bridge
Mode. [40665]

This release resolves an issue that prevented some Windows computers from
getting an IP address via DHCP when your device is configured in Drop-In Mode.
[40184]

The Blocked Ports and Blocked Sites features now apply only to traffic on an
external interface. [39918]
Multi-WAN
 Several multi-WAN issues related to PPPoE and branch office and Mobile VPN
have been resolved. [40007]

Multi-WAN now works when the source IP address for incoming traffic is on the
same network subnet as one of the external interfaces of the Firebox. [41026]

This release resolves an issue that caused the external interfaces to become
inactive when you used multi-WAN configured in Round-robin mode. [40357]
FireCluster
 Firebox devices with a model upgrade in the feature key can now join a
FireCluster. [39370]
Branch Office VPN
 The choice of Any has been removed from the Tunnel Route Settings Local and
Remote drop-down menu. The Web UI now shows "any (0.0.0.0/0)". [40409]

This release resolves an issue that caused the IKED process to crash and all
IPSec tunnels to fail. [40442]
Mobile VPN
 The Windows SSL VPN client has been updated to support Window7 and
Windows 64-bit operating systems. [39841]

This release resolves an issue that caused SSL VPN to fail to connect after an
upgrade from v10.2.x to v11.0.x. When this problem occurred, the SSL VPN
client logs showed: sslvpn State: initialization of prerequisites
Debug. [40408]

This release resolves several reported vulnerabilities in the SSL VPN client for
Mac. [40292]
RELEASE NOTES
AUGUST 31, 2010
PAGE 43
FIREWARE XTM V11.3.1

Mobile VPN with PPTP and SSL now continue to work when the LiveSecurity
subscription is expired in your Firebox feature key. [41045]

When you disconnect the Mobile VPN with SSL client from one Firebox and then
connect to a different Firebox, the SSL VPN profile is now updated to show the
new connection. [41052]

The Mobile VPN with IPSec v11.1 client supports Windows 7 (32-bit and 64-bit)
and contains additional bug fixes.
Web UI
 You can now export your device configuration with the Web UI. [35234]

The Web UI now prevents the use of custom SSL VPN ports that conflict with
ports used by the Firebox. [39382]
Policy Manager
 The Firebox no longer becomes unresponsive if you use more than 28
characters in a proxy policy name. [40679]

The alias "Firebox" is now treated the same as other aliases the Firebox
determines policy precedence. [38891]
Management Server
 When a Firebox is in Full Management Mode and you clear the Enable TCP Syn
Checking check box, TCP Syn Checking is now correctly disabled. [40853]

When a Firebox is under centralized management, an update from the
WatchGuard Management Server no longer overwrites any blocked sites
configured manually on the Firebox. [40312]

You can now right-click on a device and add that device to a folder. [36077]

The ability to schedule a reboot time is now available from the Management
Server. [38230]

You can now perform a mass update of managed devices to force all selected
appliances to check for a configuration update. [36958]

The Management Server now sorts the IPSec-action-list and abs-ipsec-action-list
for tunnels created by the Management Server. The IPSec actions for Manual
BOVPN tunnels are left in the order sorted by the user. Manual tunnels are
always placed at the top of the list, followed by the sorted list of the tunnels
created by the Management Server.

For each firewall policy template in use, there is now a single firewall policy
created in the appliance configuration. As an example, if you have three tunnels
(to different endpoints) that all use the same firewall policy template, there is a
single firewall policy with the attributes set in the template. If there are two
firewall policy templates in use, then two firewall policies are created. [38877]
Report Server
 If you use an IIS server to serve published reports, you no longer get an error
about missing files. [39319]
RELEASE NOTES
AUGUST 31, 2010
PAGE 44
FIREWARE XTM V11.3.1
Log Server
 The performance of the LogViewer Search function has been improved in v11.1.
To facilitate the performance improvements, a log database migration will occur
when you upgrade from v11.0.x to v11.1. During the migration, all log messages
generated for a particular device are not visible until the migration is finished.
[38833]
Certificates
 You can now import a CRL in DER format into Firebox System Manager. [36643]

This release resolves a memory leak that occurred when you used 3rd-party
certificates on the Firebox and kept WatchGuard System Manager or Firebox
System Manager connected. [41008]

WatchGuard System Manager and Firebox System Manager no longer display
the certificates status as valid even if a certificate is invalid. [40378]
Resolved Issues in Fireware XTM v11.0.2
General
 The Fireware XTM OS installer now installs SNMP MIB files in C:\Documents
and Settings\All Users\Shared WatchGuard\SNMP. [40283]

Time zones using GMT -1 now operate correctly. [39984]

The on-demand report "Top Client by Send and Received" now runs correctly.
[40652]

The Quarantine Server Email Notification text box now allows more than 32
characters. [40339]

Firebox System Manager no longer displays Trial Subscription Service licenses
as "unlicensed." [40005]

This release resolves an issue that caused incorrect time on the Firebox X Edge
e-Series (up to 15 minutes a day). [40099]

You can now enable logging for traffic sent from the Firebox. The new logging
option is available in Policy Manager under Setup > Logging > Diagnostic Log
Level > Turn on logging of traffic sent by the Firebox itself. [40066]
Authentication
 The Active Directory server optional settings now apply to Mobile VPN with IPSec
clients. [33083]

This release resolves an issue in which an Authentication Redirect loop occurred
when the same user had multiple authenticated sessions to the Firebox from the
same IP address and one of the sessions was terminated by the Firebox. [39739]

When you use Active Directory authentication with userPrincipalName or
sAMAccountName for the Login Attribute and a Searching User configured, the
Firebox no longer allows authentication attempts to succeed with invalid
usernames. [40386]
RELEASE NOTES
AUGUST 31, 2010
PAGE 45
FIREWARE XTM V11.3.1
Proxies
 The spamd process no longer restarts when you make changes to your
spamBlocker settings. [39893]
Networking
 1-to-1 NAT configured from an optional network to an external network now
works correctly. [40025]

The ARP Spoof Attack threshold has been increased to prevent false detection of
ARP spoof attacks from Linux servers using multiple NIC cards on the same
subnet (also known as ARP flux). [40122]
Multi-WAN
 This release resolves an issue that caused the Firebox to reboot every 2 minutes
when multi-WAN is configured in round-robin mode. [40038]

This release resolves an issue that prevented an external interface from
becoming active again after ping or TCP interface monitoring failed. [40682]

Multi-WAN interfaces configured with dynamic IP addresses now respond
correctly to ping packets and management connections. [39870]

The Firebox no longer routes traffic out all external interfaces when you select
only one external interface in your multi-WAN Routing Table configuration. [39968]

The method to determine Multi-WAN sticky connections has been improved to
look at both the destination IP address and the source IP address. [39970]

This release resolves an issue that caused the WAN Fail Back button to appear
in FSM even though the WAN failback had already occurred. [38722]

When you configure multi-WAN interface monitoring by domain name, the
Firebox now does a DNS lookup after the first failed TCP or ping probe. [40578]
FireCluster
 You can now connect to the Management IP address of the Backup Master
Firebox or Passive Firebox from a trusted or optional interface when the
Management IP address is on an external interface. [40372]

When you configure an Active/Passive FireCluster, you no longer need to have
active security subscriptions licenses on the Passive Firebox. [40096]
Branch Office VPN
 Fireware XTM now includes the ability to configure inbound dynamic NAT in a
branch office VPN tunnel. [40027]

You can now configure BOVPN tunnel Phase 2 encryption settings as "Null".
[38176]

The Web UI now allows you to configure BOVPN tunnel settings, and set the
Phase 2 key expiration lifetime to "0". [39869]

You can now enable 1-to-1 NAT for a BOVPN tunnel when the tunnel direction is
set to incoming. [40103]
RELEASE NOTES
AUGUST 31, 2010
PAGE 46
FIREWARE XTM V11.3.1
Mobile VPN
 When you use individual users in a Mobile VPN with IPSec policy, Fireware XTM
no longer limits the connection to the first user in the policy. [40114]

When the idle timeout is reached for a Mobile VPN connection, Fireware XTM
now correctly disconnects the user. This allows the client to re-connect and pass
traffic. This issue applies to Mobile VPN with PPTP, IPSec, and SSL. [40497] [40529]

PPTP connections are no longer disconnected when you modify a static NAT
configuration. [39774]
Web UI
 When a licensed feature is expired, the Web UI now shows the feature as
expired instead of showing a negative number. [40537]

You can now use the Web UI to configure a DNS server for the DHCP settings of
a wireless guest account. [39980]

You can now configure MAC Address Override for an external interface. [40012]
Policy Manager
 When you edit a Traffic Management action associated with a firewall policy, the
selected Traffic Management action no longer resets to "Defaults (No Limits)".
[39586]

When you configure policy-based routing for a VLAN that is configured on an
external interface, Policy Manager now shows the correct configuration. [39491]
Management Server
 When FireCluster is configured on a managed device and then disabled, the
Management Server now correctly shows the device as not having FireCluster
enabled. [39875]

The Management Server Setup Wizard no longer imports the external secondary
IP addresses. [40242]

When a Scheduled OS Update is in process and the Management Server tries
to update a remote device that is not available, the update now times out after 60
seconds to prevent delaying the rest of the device OS updates. [39771]

The Cleanup Tasks option no longer removes tasks that are still active or in the
scheduled state. [39874]

The Scheduled Feature Key Synchronization wizard now remembers the
previously selected devices. [39873]

The Scheduled Feature Key Synchronization feature now shows only supported
devices. [39872]

When you drag a device onto a Policy Template to change its configuration mode
from basic management to full management, a "Login Failure" error no longer
occurs. [40108]

When you use role-based administration, a user with Device Monitor privileges
can no longer remove a managed BOVPN tunnel. [40236]
RELEASE NOTES
AUGUST 31, 2010
PAGE 47
FIREWARE XTM V11.3.1

When a managed device has never contacted the Management Server, the
update status for that device now shows as "Pending" instead of "Complete (Jan
01, 1970 08:00:00)". [39786]
Upgrade from version 10.2.x Issues
 When you upgrade from Edge v10.2.9 or higher, custom policies are now
correctly shown in the XTM Custom Folder. [40489]

This release resolves an issue in which WatchGuard System Manager was not
able to connect to a Firebox X Core or Peak e-Series device after you upgraded
from v10.2.x to v11.0.1 when PPTP was enabled. [39981]
Resolved Issues in Fireware XTM v11.0.1

Automatic Gateway AV updates on the XTM 1050 now work correctly.

Incoming connections that use a Static NAT rule in the To field of the policy no
longer fail when your configuration also contains a matching 1-to-1 NAT rule.
[39878]
[39895]

When you upgrade your Firebox X Edge e-Series to Fireware XTM, Dynamic
NAT is now enabled for any non-RFC1918 addresses on the trusted or optional
interface. [39919]

Active Directory and LDAP authentication are now correctly enabled when you
upgrade from v10.2.x to v11 and do not save the configuration to your device
again. [39937]

The Firebox X Edge MAC address override feature is now correctly converted
during the Fireware XTM upgrade. [39950]

You can now correctly add multiple managed BOVPN tunnels and gateways after
you upgrade to Fireware XTM. [39958]

After you upgrade a Firebox X Edge e-Series from v10.2.9 or higher, PFS is no
longer disabled in the BOVPN tunnel settings. [39898]

WebBlocker on a Firebox X Edge e-Series no longer shows the log message
"http-proxy failed to send urif request to 'default'" and stops working after you
upgrade to Fireware XTM. [39913]

A problem that caused the Firebox to crash with log messages that include the
text "[email protected]" has been fixed. [39741]

An issue that caused WebBlocker to stop working on Firebox X Core/Peak eSeries devices because of invalid WebBlocker exceptions after an upgrade to
Fireware XTM has been fixed. [39892]

WebBlocker no longer stops working correctly on a Firebox X Edge e-Series after
you upgrade from v10.2.9 or higher if a custom WebBlocker server URL was
used. [40004]
RELEASE NOTES
AUGUST 31, 2010
PAGE 48
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement