What’s New in Fireware XTM v11.8


Transcript of What’s New in Fireware XTM v11.8

Page 1: What’s New in Fireware XTM v11.8

What’s New in Fireware XTM v11.8

WatchGuard Training

Page 2: What’s New in Fireware XTM v11.8

What’s New in XTM 11.8

Proxies and Services
• DLP (Data Loss Prevention)
• YouTube for Schools

WatchGuard AP Enhancements

Authentication
• Indirect LDAP Query Support
• SSO with the new Exchange Monitor
• SSO Port Tester

Enhanced Support for IPv6

Updated Web UI
• FireWatch
• Front Panel

VPN
• Branch Office VPN Virtual Interface
• Management Tunnel over SSL
• SHA2 Support
• Mobile VPN with SSL VPN client password control

Other
• Multiple PPPoE sessions per interface
• Global setting to clear connections that use an SNAT action you modify.

Page 3: What’s New in Fireware XTM v11.8

XTM Data Loss Prevention

Page 4: What’s New in Fireware XTM v11.8

What is DLP?

A service that prevents costly data breaches by scanning and detecting the transfer of sensitive information over email, web, and FTP.

DLP detects information in categories such as:
• Financial Data (Bank routing numbers)
• HIPAA (PHI, patient forms)
• PII (Personally Identifiable Information)
  – Drivers’ licenses
  – Ethnicity terms
  – National ID/insurance
  – Email addresses
  – Postal addresses

Page 5: What’s New in Fireware XTM v11.8

DLP — How it Works

DLP scans proxied SMTP, FTP, and HTTP connections.
• HTTPS can be scanned if deep inspection is enabled in the HTTPS proxy action.

DLP uses Sophos libraries for two purposes:
• Text Extraction: extracts plain text from over 30 file formats, including PDF, HTML, Microsoft Word, Excel, Visio, and Project.
• Content Analysis: detects over 200 different patterns, known as content control rules.

Page 6: What’s New in Fireware XTM v11.8

DLP — How it Works

The same process handles AV scanning and DLP scanning.
• When a proxy sends a scan request, it can be for AV, DLP, or both.
• Each scan request includes a list of content control rules to use.
• AV scan result actions take precedence over DLP.

Page 7: What’s New in Fireware XTM v11.8

DLP — Content Control Rules

Content control rules match a pattern multiple times.

The quantity for each rule is a measure of the weighted number of matches the rule must find to identify content as a DLP violation.
• Because the DLP rules use multiple expressions to find matching text, and use weights to adjust the rule sensitivity, the quantity shown does not always correspond exactly to the number of text matches required to trigger the rule.
• To see DLP rules and quantities, go to http://www.watchguard.com/SecurityPortal.

Rule Name                                                      Quantity
Postal addresses [Global]                                      100
Postal addresses [USA]                                         100
Email addresses [Global]                                       100
Ethnicity terms [UK]                                           10
Ethnicity terms [USA]                                          10
Ethnicity terms [Canada]                                       10
Social security numbers [USA]                                  10
Passport details [Global]                                      5
Telephone numbers [USA]                                        100
Credit or debit card numbers with qualifying terms [Global]    10
Credit or debit card numbers [Global]                          10
Personal health card number, Ontario [Canada]                  1
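The following Python is an added example, not part of the original presentation and not WatchGuard code. It models the pipeline the last three slides describe: a text extraction step, then content control rules made of several weighted expressions whose combined score must reach the rule's quantity. The rule names mirror two rows of the table above; the expressions, weights, HTML stripping and sample content are constructed assumptions made for this example. It shows concretely why a quantity of 10 is not the same as 10 matches, and what happens to an object whose text cannot be extracted.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not WatchGuard code: a small weighted content control rule
# engine in the style the DLP slides describe.


@dataclass(frozen=True)
class Expression:
    regex: str
    weight: int  # each match adds this much to the rule score


@dataclass(frozen=True)
class ContentControlRule:
    name: str
    quantity: int  # weighted score that reports a violation
    expressions: Tuple[Expression, ...]


# Constructed rules. The names mirror two rows of the quantity table; the
# expressions and weights are assumptions made for this example.
RULES: Tuple[ContentControlRule, ...] = (
    ContentControlRule(
        name="Social security numbers [USA]",
        quantity=10,
        expressions=(
            Expression(r"\b\d{3}-\d{2}-\d{4}\b", weight=5),            # SSN format
            Expression(r"(?i)\bSSN\b|\bsocial security\b", weight=2),  # qualifying term
        ),
    ),
    ContentControlRule(
        name="Email addresses [Global]",
        quantity=100,
        expressions=(Expression(r"[\w.+-]+@[\w-]+\.[\w.-]+", weight=1),),
    ),
)


def extract_text(data: bytes, content_type: str) -> Optional[str]:
    """Stand-in for the text extraction step: plain text passes through, HTML
    has its tags removed, and any other format is reported as not extractable."""
    if content_type == "text/plain":
        return data.decode("utf-8", errors="replace")
    if content_type == "text/html":
        return re.sub(r"<[^>]+>", " ", data.decode("utf-8", errors="replace"))
    return None


def rule_score(rule: ContentControlRule, text: str) -> int:
    """Weighted number of matches for one rule: the sum over its expressions of
    (matches x weight). This is why a quantity of 10 does not mean 10 matches."""
    return sum(len(re.findall(e.regex, text)) * e.weight for e in rule.expressions)


def scan_text(text: str, rules: Tuple[ContentControlRule, ...] = RULES) -> List[str]:
    """Names of the rules whose weighted score reaches their quantity."""
    return [r.name for r in rules if rule_score(r, text) >= r.quantity]


def scan_object(data: bytes, content_type: str,
                rules: Tuple[ContentControlRule, ...] = RULES) -> Tuple[str, List[str]]:
    """Scan one proxied object. Returns ('violation', matched rule names),
    ('clean', []) or ('unscannable', []) when no text could be extracted."""
    text = extract_text(data, content_type)
    if text is None:
        return ("unscannable", [])
    hits = scan_text(text, rules)
    return ("violation", hits) if hits else ("clean", [])


# Constructed sample content
TWO_SSNS = b"Payroll: Ana 123-45-6789, Ben 987-65-4321"     # 2 x 5 = 10, reaches quantity
ONE_SSN_WITH_TERM = b"Please confirm the SSN 123-45-6789"   # 5 + 2 = 7, below quantity
HTML_PAGE = b"<p>Contact <b>123-45-6789</b> or <i>987-65-4321</i></p>"

if __name__ == "__main__":
    for label, blob, ctype in (("two SSNs", TWO_SSNS, "text/plain"),
                               ("one SSN + term", ONE_SSN_WITH_TERM, "text/plain"),
                               ("HTML", HTML_PAGE, "text/html"),
                               ("binary", HTML_PAGE, "application/octet-stream")):
        print(label, scan_object(blob, ctype))
```

The "unscannable" result is the case the sensor settings slide later covers: the sensor needs a configured action for objects that cannot be scanned, because neither "clean" nor "violation" is an honest answer for them.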

Page 8: What’s New in Fireware XTM v11.8

DLP – Support by Model

This table shows the signature set and text extraction available for each model.

Model                                                        Rule Set                Text Extraction
XTM 25/26, XTM 3 Series                                      Standard (140 rules)    No
XTM 5 Series                                                 Standard (140 rules)    30 file types
XTM 8 Series, XTM 1520/1525, XTM 1050/2050, XTM 2520, XTMv   Enterprise (210 rules)  30 file types

Page 9: What’s New in Fireware XTM v11.8

DLP — Scanning and Performance

Available DLP rule sets vary by device
• XTM 2, XTM 3, and XTM 5 Series (Standard)
• XTMv, XTM 8 Series and higher (Enterprise)

Just as with AV, DLP scanning consumes resources. Performance impact can vary by configuration.
• Performance varies by number and type of selected rules
• Avoid selecting unnecessary rules

Page 10: What’s New in Fireware XTM v11.8

DLP — Configuration Workflow

Update feature key
Enable Data Loss Prevention
Add a DLP Sensor using the wizard
• Apply sensor to proxy policies
• Select content control rules
• Select actions to take when content is detected in email and non-email traffic.

Page 11: What’s New in Fireware XTM v11.8

DLP - Configuration Workflow

Edit Sensors
• Enable/disable rules
• Configure sensor actions by source and destination
• Configure sensor settings
  – Set actions for items that cannot be scanned due to:
    – Size exceeds scan limit
    – Scan error
    – File is password protected
  – Set the file scan limit

Page 12: What’s New in Fireware XTM v11.8

DLP — Built-In Sensors

DLP includes two built-in sensors
• HIPAA Audit Sensor: detects content related to compliance with HIPAA security standards
• PCI Audit Sensor: detects content related to compliance with PCI security standards

Page 13: What’s New in Fireware XTM v11.8

YouTube for Schools

Page 14: What’s New in Fireware XTM v11.8

YouTube for Schools — Overview

YouTube Education Filter
• Schools need YouTube, but want to be able to control access to specific content
• YouTube created this feature to support EDU-only content, instead of having schools deny YouTube overall

How it works
• The school administrator obtains an ID from YouTube. They must log in using their school’s Google account: https://www.youtube.com/schools
• The X-YouTube-Edu-Filter header is added to HTTP requests (and to HTTPS requests with DPI)

Page 15: What’s New in Fireware XTM v11.8

YouTube for Schools — Configuration

Enable YouTube for Schools in the HTTP Proxy Action

Type the School ID

Page 16: What’s New in Fireware XTM v11.8

YouTube for Schools — Example

HTTP request
• Original request headers

  GET /feed/dK0sTdv5FonSsAOcx83YBw12947736341343 HTTP/1.1
  Host: www.youtube.com

• New request headers

  GET /feed/dK0sTdv5FonSsAOcx83YBw12947736341343 HTTP/1.1
  X-YouTube-Edu-Filter: P4SHoKOOZOJDQU8PRSCXtA
  Host: www.youtube.com

By handling this on the XTM device, the school does not need to deal with the configuration of various machines, including BYOD devices.
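As an added example that is not part of the presentation and not WatchGuard code, the Python below performs the rewrite the slide shows on a raw HTTP/1.1 request: it adds the X-YouTube-Edu-Filter header only when the Host header names YouTube, places it before Host as in the slide, and replaces any copy of the header a client already sent so that the device's configured value is the only one that reaches YouTube. The school ID, the list of YouTube host names and the requests are constructed assumptions.

```python
# Added example, not WatchGuard code: the header rewrite an HTTP proxy action
# performs for YouTube for Schools, applied to a raw HTTP/1.1 request.
from typing import List, Optional, Tuple

EDU_HEADER = "X-YouTube-Edu-Filter"
# Assumption: Host values the filter header should be added to.
YOUTUBE_HOSTS = ("youtube.com", "www.youtube.com", "m.youtube.com")
# Constructed placeholder, not a real school ID.
SCHOOL_ID = "EXAMPLE_SCHOOL_ID_PLACEHOLDER"

Header = Tuple[str, str]


def parse_request(raw: bytes) -> Tuple[str, List[Header], bytes]:
    """Split a raw request into its request line, header list and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize_request(request_line: str, headers: List[Header], body: bytes) -> bytes:
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def host_of(headers: List[Header]) -> Optional[str]:
    """Host name from the Host header, without a port (IPv4/DNS hosts only)."""
    for name, value in headers:
        if name.lower() == "host":
            return value.split(":")[0].lower()
    return None


def is_youtube_host(host: str) -> bool:
    return host in YOUTUBE_HOSTS or host.endswith(".youtube.com")


def apply_edu_filter(raw: bytes, school_id: str = SCHOOL_ID) -> bytes:
    """Insert the X-YouTube-Edu-Filter header on requests bound for YouTube.
    Requests for other hosts are returned unchanged. Any copy of the header
    already present (for example one supplied by the client) is dropped first,
    so the configured value is the only one YouTube sees."""
    request_line, headers, body = parse_request(raw)
    host = host_of(headers)
    if host is None or not is_youtube_host(host):
        return raw
    headers = [(n, v) for n, v in headers if n.lower() != EDU_HEADER.lower()]
    headers.insert(0, (EDU_HEADER, school_id))  # before Host, as on the slide
    return serialize_request(request_line, headers, body)


def edu_filter_value(raw: bytes) -> Optional[str]:
    """Return the filter ID carried by a request, or None if absent."""
    _, headers, _ = parse_request(raw)
    for name, value in headers:
        if name.lower() == EDU_HEADER.lower():
            return value
    return None


# Constructed requests, modelled on the slide's example
ORIGINAL = (b"GET /feed/dK0sTdv5FonSsAOcx83YBw12947736341343 HTTP/1.1\r\n"
            b"Host: www.youtube.com\r\n\r\n")
OTHER_SITE = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
CLIENT_SUPPLIED = (b"GET / HTTP/1.1\r\nX-YouTube-Edu-Filter: not-ours\r\n"
                   b"Host: m.youtube.com\r\n\r\n")

if __name__ == "__main__":
    print(apply_edu_filter(ORIGINAL).decode())
    print(apply_edu_filter(CLIENT_SUPPLIED).decode())
```

Because the rewrite happens on the proxy, the same header reaches YouTube for every client behind the device, which is the BYOD point the slide makes; for HTTPS the proxy can only do this when deep inspection is enabled, as the DLP slides note for the same reason.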

Page 17: What’s New in Fireware XTM v11.8

AP Enhancements

Page 18: What’s New in Fireware XTM v11.8

AP Enhancements — Overview

Select radio channel (72135)
Set maximum data rate
Management VLAN tagging (71403)
“Updating” Status (72628)
New firmware

Page 19: What’s New in Fireware XTM v11.8

AP Enhancements — Radio Settings

Preferred Channel
• Update the list of available AP channels.
• Select the preferred channel.

Rate
• Set the maximum speed at which wireless clients can send data.

Page 20: What’s New in Fireware XTM v11.8

AP Enhancements — Management VLAN Tagging

Enable management VLAN tagging, and select a management VLAN ID.
• After the AP device is paired, management connections use the selected VLAN.
• An unpaired AP device cannot accept management connections on the VLAN.

Page 21: What’s New in Fireware XTM v11.8

“Updating” Status

New AP status in the Firebox System Manager Gateway Wireless Controller tab.
• When you save an access point configuration to the XTM device, the XTM device immediately sends the update to the affected AP devices. While the update is in progress, the AP device status changes to Updating.
• The update process can take up to a minute to complete.
• During this time wireless services might be interrupted on the AP device.

Page 22: What’s New in Fireware XTM v11.8

AP Firmware Update

The XTM OS update includes updated firmware for WatchGuard AP devices, to enable the new AP features.

Make sure that automatic updates are enabled in the Gateway Wireless Controller settings so the XTM device updates all paired AP devices.

If you don’t want to enable automatic updates, you can manually upgrade each AP device.
• Download the AP device firmware from the Software Downloads site.
• Connect to the web UI on the AP device to upgrade the firmware.

Page 23: What’s New in Fireware XTM v11.8

LDAP Authentication Using Indirect Queries

Page 24: What’s New in Fireware XTM v11.8

LDAP — Background

LDAP authentication that uses the “memberOf” group string, or other user attributes, queries the Directory Service for the user object and identifies group membership from this attribute of the user. This is considered a direct query.

Some LDAP services, like Novell, use other attributes of the user object to identify group membership. Others, such as OpenLDAP, do not have such an attribute at all unless you enable a “memberOf overlay”. This requires detailed knowledge of the LDAP service being used, or extending the schema.

An alternative to this is an indirect query, where the user is identified and then the entire directory is searched, looking at the attributes of all groups to find where the user is a member.

Page 25: What’s New in Fireware XTM v11.8

LDAP — How it Works

We’ve added support for indirect queries using Object Classes defined in these two RFCs:
• RFC2256 (A summary of the X.500 User Schema for use with LDAPv3) defines Object Class “groupOfNames”. Users are identified in the “member” attribute of each group object.
• RFC2307 (An approach for using LDAP as a Network Information Service) defines Object Classes “posixGroup” and “posixAccount”. The “gidNumber” attribute identifies each group object, and the “memberUid” attribute of each group identifies the users that are members of the group.

There are no visible UI changes to add support for indirect queries in Fireware XTM v11.8.
• Triggered by the entry in the “Group String” attribute

Page 26: What’s New in Fireware XTM v11.8

LDAP — Using RFC2256 “groupOfNames”

Object Class “groupOfNames” is used to manage groups. Users are identified using the “member” attribute of each group object.

Configure “member” as the Group String for LDAP.

XTM performs two search queries to identify groups:
• First search: Identify the DN of this user.
• Second search: Identify all entries of groupOfNames where the “member” attribute contains the user DN.

Extract the name (“cn” attribute) of each group returned by the server.

Page 27: What’s New in Fireware XTM v11.8

LDAP — RFC2256 “groupOfNames” Example

Example: User “user2” belongs to a group called “market”. The “member” attribute of groupOfNames object “market” includes the DN for user2.

Page 28: What’s New in Fireware XTM v11.8

LDAP — Using RFC2307 “posixGroup”

Object classes posixAccount and posixGroup are used to manage groups. Groups are identified by gidNumber and users by memberUid.

Configure “memberUid” or “gidNumber” as the group string for LDAP.

Page 29: What’s New in Fireware XTM v11.8

LDAP — Using RFC2307 “posixGroup”

Fireware XTM uses three search queries to retrieve group information.
• First search: Identify the DN, “uid”, and “gidNumber” of the user.
• Second search: Get all entries of posixGroup from the server with the filter “memberUid=<uid>”. Extract the name (“cn” attribute) of each group returned by the server.
• Third search: Get one entry of posixGroup from the server with the filter “gidNumber=<gid_number>”. Extract the name (“cn” attribute) of the posix primary group. This third search is required because LDAP servers will not return the posix primary group (the group that matches the “gidNumber” seen for the user) in the second search.

Combine the groups from the second and third search.

Page 30: What’s New in Fireware XTM v11.8

LDAP — Case 3 Solution (continued, XTM Search)

Example: User “pos_group1_user1” belongs to groups “pos_group1” and “pos_group3”; its uid is “pos_group1_user1”, and its gidNumber is 203.

Page 31: What’s New in Fireware XTM v11.8

LDAP — Case 3 Solution (continued, XTM Search)

The memberUid attribute of posixGroup “pos_group1” includes user “pos_group1_user1”.

Page 32: What’s New in Fireware XTM v11.8

LDAP — Case 3 Solution (continued, XTM Search)

The “gidNumber” of “pos_group3” is 203.
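The Python below is an added example, not part of the presentation and not WatchGuard code. It carries out both indirect-query sequences described on the preceding slides (the two searches for RFC2256 “groupOfNames” and the three searches for RFC2307 “posixGroup”) against a small in-memory directory that stands in for the LDAP server. The directory contents reproduce the two slide examples (user2 in “market”; pos_group1_user1 listed in pos_group1's memberUid with gidNumber 203, the gidNumber of pos_group3) and are otherwise constructed. It also builds the filter string each search would send, escaping the user-supplied value per RFC 4515, which is an addition of this example and not something the slides discuss.

```python
# Added example, not WatchGuard code: the groupOfNames (RFC 2256) and
# posixGroup (RFC 2307) indirect-query search sequences from the slides, run
# against a constructed in-memory directory that stands in for the LDAP server.
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed directory, mirroring the slide examples.
DIRECTORY: List[Entry] = [
    {"dn": ["uid=user2,ou=people,dc=example,dc=com"], "objectClass": ["inetOrgPerson"], "uid": ["user2"]},
    {"dn": ["uid=user1,ou=people,dc=example,dc=com"], "objectClass": ["inetOrgPerson"], "uid": ["user1"]},
    {"dn": ["cn=market,ou=groups,dc=example,dc=com"], "objectClass": ["groupOfNames"], "cn": ["market"],
     "member": ["uid=user2,ou=people,dc=example,dc=com", "uid=user1,ou=people,dc=example,dc=com"]},
    {"dn": ["cn=sales,ou=groups,dc=example,dc=com"], "objectClass": ["groupOfNames"], "cn": ["sales"],
     "member": ["uid=user1,ou=people,dc=example,dc=com"]},
    {"dn": ["uid=pos_group1_user1,ou=people,dc=example,dc=com"], "objectClass": ["posixAccount"],
     "uid": ["pos_group1_user1"], "gidNumber": ["203"]},
    {"dn": ["cn=pos_group1,ou=groups,dc=example,dc=com"], "objectClass": ["posixGroup"], "cn": ["pos_group1"],
     "gidNumber": ["201"], "memberUid": ["pos_group1_user1", "someone_else"]},
    {"dn": ["cn=pos_group2,ou=groups,dc=example,dc=com"], "objectClass": ["posixGroup"], "cn": ["pos_group2"],
     "gidNumber": ["202"], "memberUid": ["someone_else"]},
    {"dn": ["cn=pos_group3,ou=groups,dc=example,dc=com"], "objectClass": ["posixGroup"], "cn": ["pos_group3"],
     "gidNumber": ["203"], "memberUid": []},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter, so a user name
    containing '*', '(', ')' or a backslash cannot change the filter's meaning."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def ldap_filter(attrs: Dict[str, str]) -> str:
    """The equality-AND filter string that a real search would send on the wire."""
    parts = "".join(f"({a}={escape_filter_value(v)})" for a, v in attrs.items())
    return f"(&{parts})" if len(attrs) > 1 else parts


def search(attrs: Dict[str, str], directory: List[Entry] = DIRECTORY) -> List[Entry]:
    """In-memory stand-in for an LDAP search using the filter ldap_filter(attrs):
    every (attribute, value) pair must be present on the entry."""
    return [e for e in directory if all(v in e.get(a, []) for a, v in attrs.items())]


def groups_via_groupofnames(uid: str) -> List[str]:
    # First search: the DN of this user.
    users = search({"uid": uid})
    if not users:
        return []
    user_dn = users[0]["dn"][0]
    # Second search: every groupOfNames whose member attribute contains that DN.
    groups = search({"objectClass": "groupOfNames", "member": user_dn})
    return sorted(g["cn"][0] for g in groups)


def groups_via_posixgroup(uid: str) -> List[str]:
    # First search: the user's DN, uid and gidNumber.
    users = search({"objectClass": "posixAccount", "uid": uid})
    if not users:
        return []
    gid = users[0]["gidNumber"][0]
    # Second search: posixGroup entries with memberUid=<uid>.
    secondary = search({"objectClass": "posixGroup", "memberUid": uid})
    # Third search: the posixGroup with gidNumber=<gid>, the primary group, which
    # the second search cannot return because the user is not in its memberUid.
    primary = search({"objectClass": "posixGroup", "gidNumber": gid})
    return sorted({g["cn"][0] for g in secondary + primary})


if __name__ == "__main__":
    print(ldap_filter({"objectClass": "groupOfNames", "member": "uid=user2,ou=people,dc=example,dc=com"}))
    print("user2 ->", groups_via_groupofnames("user2"))
    print("pos_group1_user1 ->", groups_via_posixgroup("pos_group1_user1"))
```

Running the second posixGroup search on its own returns only pos_group1, which is the gap the third search closes; the escaping step matters because the uid comes from whatever the user typed at the authentication prompt.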

Page 33: What’s New in Fireware XTM v11.8

SSO Authentication Support for Mac OS X

Page 34: What’s New in Fireware XTM v11.8

Enhanced SSO Support — Overview

In Fireware XTM v11.8, Single Sign-On (SSO) support has been enhanced:
• SSO now supports Mac OS X (RFE64443)
• SSO now supports iOS and Android
• The SSO Agent can now be used independently with greater accuracy

To provide SSO functionality for these new use cases, the SSO authentication solution includes two new components:
• EM (Exchange Monitor)
• SSO Client for Mac OS X

Page 35: What’s New in Fireware XTM v11.8

Enhanced SSO Support — Overview

Single Sign-On options, at a glance:

SSO Component                                                      Windows   Mac OS X   iOS   Android
SSO Agent
SSO Client (both a Windows and a Mac OS X client are available)
Event Log Monitor
Exchange Monitor

Page 36: What’s New in Fireware XTM v11.8

Enhanced SSO Support — Exchange Monitor (EM)

EM takes advantage of the close relationship between the Microsoft Exchange server and the Active Directory server.
• For example: An organization uses Microsoft Exchange Server and an Active Directory domain server. Every day, the first thing each employee does is use their office equipment, including PC, laptop, iPhone, iPad and so on, to deal with email. Afterwards, they access the internet. Users cannot log in to their mailboxes until their domain accounts are authenticated by the Exchange Server.

Exchange Monitor (EM)
• Does not remove or replace the functionality of existing SSO components. Instead, it extends SSO support of logon/logoff functionality to Mac OS X, iOS, Android, and Windows OS
• New component in the XTM SSO software set
• Must be installed on the same server as Microsoft Exchange

Page 37: What’s New in Fireware XTM v11.8

Enhanced SSO Support — Exchange Monitor (EM)

What is EM?
• EM tightly integrates with Microsoft Exchange
• Works only in an environment in which Microsoft Exchange Server is deployed
• EM is similar to ELM, running as a Windows service process
• EM is responsible for:
  – Monitoring the logon/logoff action for domain accounts
  – Notifying the SSO Agent in real time
  – Responding to the command request (“get user”) sent by the SSO Agent.

Page 38: What’s New in Fireware XTM v11.8

Enhanced SSO Support — SSO Client for Mac OS X

What is the SSO Client for Mac OS X?
• Works in an environment without Microsoft Exchange Server
• Similar to the SSO Client for Windows
• Install the client software on workstations in the domain that run Mac OS X
• Supports Mac OS X 10.6+
• Supports the use case in which a user logs on from a MacBook with an Active Directory domain account.

Page 39: What’s New in Fireware XTM v11.8

Enhanced SSO Support — Other Changes

Different SSO Contacts in the UI
Different way to get groups
New Session Check Interval
• Applies only to Exchange Monitor and OS X/Android/iOS users

Page 40: What’s New in Fireware XTM v11.8

Enhanced SSO Support — Agent Contact Settings

In Fireware XTM v11.8, Agent Contacts include:
• SSO client
• Event Log Monitor
• Exchange Monitor

Page 41: What’s New in Fireware XTM v11.8

Enhanced SSO Support — Group Retrieval

Before XTM v11.8, ELM/SSO clients returned group information to the SSO Agent.

With XTM v11.8, ELM/EM/SSO clients return user/domain/IP address information to the SSO Agent. The SSO Agent queries the AD server to get all groups.

Compatibility
• The XTM v11.8 SSO Agent works with pre-v11.8 SSO Client/ELM
• XTM v11.8 ELM/SSO Client/EM does NOT work with a pre-v11.8 SSO Agent

Page 42: What’s New in Fireware XTM v11.8

Enhanced SSO Support — Session Check Interval

The new Session Check Interval is used for non-Windows clients only. For non-Windows clients, logoff events are detected using Microsoft Exchange internal tables.

For any active client, Exchange Monitor saves the time of last activity.

Exchange Monitor sends logoff event information for any active non-Windows client to the SSO Agent if it cannot detect any activity in the time span specified in the Session Check Interval setting.

The default Session Check Interval is 40 minutes.

Page 43: What’s New in Fireware XTM v11.8

Enhanced SSO Support — Session Check Interval

Why is the default Session Check Interval set to 40 minutes?
• On Mac OS X mail clients, the default value of the Check for New Messages setting is 30 minutes.
• Therefore, the Session Check Interval has to be more than 30 minutes.

In general, we recommend: Session Check Interval = Max(Check for Message) + 2
• Where Max(Check for Message) is the largest Check for New Messages value across all non-Windows devices running a mail client, and 2 minutes is the amount of time that EM requires to detect changes in the IIS log.

Page 44: What’s New in Fireware XTM v11.8

Enhanced SSO Support — Test SSO Port

To verify that the SSO Agent can contact the Event Log Monitor and the Exchange Monitor, you can use the SSO Port Tester tool.
• In the Clientless SSO Settings, select Test SSO Port.
• In the SSO Port Tester, you can test IP addresses and ports for SSO.

Page 45: What’s New in Fireware XTM v11.8

IPv6 Support

Page 46: What’s New in Fireware XTM v11.8

IPv6 Support

XTM v11.7.4 supported:
• IPv6 addresses in packet filter policies
• MAC access control for both IPv6 and IPv4 traffic
• Inspection of IPv6 traffic received and sent by the same interface
• IPv6 addresses in blocked sites and exceptions
• Blocked ports configuration applies to IPv6 traffic
• TCP SYN checking setting applies to IPv6 traffic

XTM v11.8 adds:
• Authentication on the https://<IPv6 firebox>:4100 page is now possible
• DHCPv6 options available on interfaces that use IPv6
• IPv6 FireCluster Management addresses
• IPS and Application Control now apply to IPv6 networks
• Default Packet Handling options to block IPSec, IKE, ICMP, SYN, and UDP flood attacks now apply to IPv6 networks

Page 47: What’s New in Fireware XTM v11.8

IPv6 Support — Authentication

You can now authenticate to an XTM device configured with an IPv6 address (https://<IPv6 firebox>:4100).
• Example: https://[2001::254]:4100

Page 48: What’s New in Fireware XTM v11.8

IPv6 Support — Authentication

With Fireware XTM v11.8, users can now connect from an IPv6 address to the IPv6 address of the XTM device. But the XTM device still connects to its configured third-party authentication server by its IPv4 address.

Some authentication functions are NOT supported in this release:
• Single Sign-On
• Terminal Services
• VPN
• FQDN support for RADIUS and SecurID
• Automatic redirect of users to the authentication page

Page 49: What’s New in Fireware XTM v11.8

IPv6 Support — DHCPv6

Use DHCPv6 to request an IPv6 address for an external interface.
• Select Enable DHCPv6 Client.
• Enable the Rapid Commit option if you want to use a rapid two-message exchange to get an IPv6 address.

Page 50: What’s New in Fireware XTM v11.8

IPv6 Support — DHCPv6

Configure a DHCPv6 Server for a trusted or optional interface.

Page 51: What’s New in Fireware XTM v11.8

IPv6 Support — DHCPv6

When you enable IPv6 for a trusted or optional interface, you can enable the DHCPv6 server on the interface to assign IPv6 addresses to clients that connect.

Limitations for this release:
• DHCPv6 is supported only on physical interfaces.
• DHCPv6 Server is not supported in Drop-in and Bridge mode.
• You cannot configure DHCPv6 for any external interface that uses PPPoE.

Page 52: What’s New in Fireware XTM v11.8

IPv6 Support — Flood Attack Prevention

Default Packet Handling flood attack prevention now applies to IPv6 traffic (ICMPv6, UDP, IKE, SYN, IPSec).

Page 53: What’s New in Fireware XTM v11.8

IPv6 Support — IPS and Application Control

Intrusion Prevention Service and Application Control now apply to IPv6 traffic.

Page 54: What’s New in Fireware XTM v11.8

IPv6 Support — FireCluster

The FireCluster now includes an option to configure an IPv6 management IP address.
• This option is available only when the FireCluster management interface has IPv6 enabled.

You can use the IPv6 management address to connect directly to a cluster member for management.

Page 55: What’s New in Fireware XTM v11.8

IPv6 Support — FireCluster

Not Supported
• IPv6 cluster interface IP address
• Failover for features that do not support IPv6, including:
  – Branch Office VPN
  – Proxy
  – Mobile VPN with IPSec
  – Mobile VPN with SSL
  – Mobile VPN with L2TP
  – Mobile VPN with PPTP
  – Dynamic Routing
  – Multi-WAN

Supported
• Active/Active
• Active/Passive
• Cluster management interface IP address

Page 56: What’s New in Fireware XTM v11.8

Branch Office VPN Virtual Interface

Page 57: What’s New in Fireware XTM v11.8

Branch Office VPN Virtual Interface Support (BOVPN VIF)

To provide more flexibility and capabilities, Fireware XTM now supports the option to configure a Branch Office VPN as a virtual interface.

Fireware XTM uses GRE (Generic Routing Encapsulation) to create the VPN virtual interface.

When you configure a BOVPN virtual interface, the BOVPN virtual interface is included in the routes table.
• You can add static routes for a BOVPN virtual interface
• The BOVPN virtual interface can participate in dynamic routing.
• The XTM device uses the routes table to determine whether to route a packet through the BOVPN virtual interface or through another interface.

Fireware XTM continues to support the existing branch office VPN functionality. You can simultaneously configure both types of branch office VPN.

BOVPN VIF helps customers meet the needs of three particular configuration scenarios, described next.

Page 58: What’s New in Fireware XTM v11.8

BOVPN VIF — Metric-based VPN Failover and Failback

Objective:
• For two sites that are connected with an MPLS link, enable traffic to automatically fail over and fail back to a secondary branch office VPN connection over an IP network.

Configuration Summary:
• Configure the external interfaces for the primary connection between the two sites over the MPLS network
• Configure a BOVPN virtual interface for the secondary link between the two sites.
• Add a BOVPN virtual interface static route, and set a high metric (such as 200) for the route.

How it works:
• Because the BOVPN VIF route has a high metric, the XTM device uses the MPLS route when it is available. If the MPLS link is not available, the XTM device uses the BOVPN VIF route. When the MPLS route becomes available again, the XTM device automatically fails back to that route, because it has a lower metric.
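The following Python is an added example, not part of the presentation and not Fireware code. It reproduces the route selection rule the slide relies on: among routes whose interface is up, the longest matching prefix wins and, for equal prefixes, the lowest metric wins. Walking a link-state sequence through it shows the failover to the BOVPN VIF route and the automatic failback when the MPLS route returns. The networks, interface names and the third, more specific route are constructed assumptions; the metric of 200 is the value the slide suggests.

```python
# Added example, not Fireware code: metric-based route selection giving
# failover and failback between an MPLS path and a BOVPN virtual interface.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    interface: str
    metric: int


# Constructed route table. The primary path to the remote site is over MPLS
# with a low metric; the BOVPN VIF static route carries metric 200 as on the
# slide. The /24 route is an extra assumption showing that prefix length is
# considered before metric.
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("10.20.0.0/16"), "eth1_mpls", 1),
    Route(ipaddress.ip_network("10.20.0.0/16"), "bovpn_vif0", 200),
    Route(ipaddress.ip_network("10.20.7.0/24"), "bovpn_vif0", 200),
]


def select_route(dst: str, routes: List[Route], link_up: Dict[str, bool]) -> Optional[Route]:
    """Route for dst: only routes whose interface is up are eligible, the
    longest prefix wins, and among equal prefixes the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    eligible = [r for r in routes if link_up.get(r.interface, False) and addr in r.destination]
    if not eligible:
        return None
    return min(eligible, key=lambda r: (-r.destination.prefixlen, r.metric))


def simulate(dst: str, events: List[Dict[str, bool]],
             routes: List[Route] = ROUTES) -> List[Optional[str]]:
    """Start with every interface up, apply each link-state change in turn and
    record the interface chosen for dst after each change."""
    state: Dict[str, bool] = {r.interface: True for r in routes}
    chosen: List[Optional[str]] = []
    for change in events:
        state.update(change)
        route = select_route(dst, routes, state)
        chosen.append(route.interface if route else None)
    return chosen


if __name__ == "__main__":
    # Constructed sequence: steady state, MPLS fails, MPLS recovers.
    print(simulate("10.20.5.9", [{}, {"eth1_mpls": False}, {"eth1_mpls": True}]))
```

The failback is a consequence of re-evaluating the table on every packet rather than of any special failover state: as soon as the MPLS interface is eligible again its lower metric wins, exactly as the slide describes. The /24 case is the generalization worth remembering when adding VIF routes: a more specific route through the tunnel is preferred over a less specific MPLS route regardless of metric.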

Page 59: What’s New in Fireware XTM v11.8

BOVPN VIF — Dynamic Routing

Objective:
• Enable two sites to dynamically exchange information about routes to multiple local networks through a VPN tunnel. This avoids the need to manually configure those routes.

Configuration Summary:
• Configure a BOVPN VIF, and add local and peer IP addresses.
• In the dynamic routing configuration, use the peer IP address from the BOVPN VIF configuration, with a /32 netmask.
  – OSPF example: network <peer_virtual_ip>/32 area 0.0.0.0
  – BGP example: neighbor <peer_virtual_ip> remote-as 65535
• Use dynamic routing commands to configure which local networks each device propagates routes for.

How it Works:
• The dynamic routing protocol enables each gateway to automatically learn the routes to local networks propagated by the peer gateway through the BOVPN virtual interface.

Page 60: What’s New in Fireware XTM v11.8

BOVPN VIF — Policy-based BOVPN

Objective:
• At a site with two branch office gateways, send latency-sensitive traffic, such as VoIP, through the tunnel over the network with the lowest latency, and send all other traffic, such as FTP, through the other tunnel route.

Configuration Summary:
• Configure two BOVPN virtual interfaces between the sites. Do not add routes.
• In the SIP policy that handles VoIP traffic, enable policy-based routing to the BOVPN VIF with the lowest latency.
• For all other traffic, define routes (static or dynamic) and use the other BOVPN virtual interface.

How it Works:
• The policy determines the source and destination addresses. Although routes are not defined in the BOVPN virtual interface settings, the SIP policy uses policy-based routing to redirect traffic through the lower-latency tunnel.

Page 61: What’s New in Fireware XTM v11.8

BOVPN VIF — Configuration

New BOVPN Virtual Interfaces option, shown here in Policy Manager:

New UI in VPN Settings:

Page 62: What’s New in Fireware XTM v11.8

BOVPN VIF — Add a New BOVPN Virtual Interface

Device Name is assigned by the system.

Select “Start Phase1 tunnel…” when no VPN Routes are defined and the BOVPN virtual interface is used with either Policy-Based Routing or Dynamic Routing.

Page 63: What’s New in Fireware XTM v11.8

BOVPN VIF — Add a New BOVPN Virtual Interface

Virtual Interface IP addresses are required when used with Dynamic Routing.

Add a static route in the VPN Routes tab of a BOVPN VIF, or select Network > Routes.

A BOVPN VIF is equivalent to one Security Association (SA).

Page 64: What’s New in Fireware XTM v11.8

BOVPN VIF — Add Tunnel Routes

Using VPN Routes:
• IPv4 Host or Network Routes can be added to the BOVPN.

Using Network > Routes:
• Or, you can add the route in Network > Routes.
• Route Type must be BOVPN Virtual Interface Route.
• The correct BOVPN Virtual Interface must be selected for the Route.
• Metric can be configured for multi-path routes.

Page 65: What’s New in Fireware XTM v11.8

Management Tunnel over SSL

Page 66: What’s New in Fireware XTM v11.8

Management Tunnel over SSL

Challenge
• An administrator at the corporate headquarters of a distributed organization wants to centrally manage multiple XTM devices from the corporate trusted network. They do not necessarily have control of the upstream routers and may or may not have a public IP address.
• While Fireware XTM already supported the creation of a special management tunnel for this situation using IPSec, many third-party devices allow only ports 80, 443, and 53 by default, so IPSec was not an effective solution.

Solution
• Fireware XTM v11.8 adds support for an SSL-based management tunnel, so you can use either IPSec or SSL.

Page 67: What’s New in Fireware XTM v11.8

Management Tunnel over SSL

If you use an SSL-based management method, consider:
• General limitations of OpenSSL.
• There can be conflicts between the SSL Management Tunnel and the use of Mobile VPN with SSL. You can use both at the same time, but the XTM device must be able to differentiate between the management session and a Mobile VPN with SSL session.
• SSL builds virtual networks between devices, which means routes must be correctly configured.

Page 68: What’s New in Fireware XTM v11.8

Management Tunnel over SSL — Configuration

From the Management Server, configure the Management Tunnel gateway Firebox.
• The gateway Firebox must have a static external IP address.
• In the Management Tunnel Settings, set the Tunnel Type to:
  – SSL or IPSec
  – SSL Only
  – IPSec Only
• For an SSL tunnel, you must configure the SSL Server IP Address/Name.

Page 69: What’s New in Fireware XTM v11.8

Management Tunnel over SSL — Configuration

From the Management Server, configure the remote XTM devices.
• Each remote XTM device must have a dynamic external IP address.
• In the Management Tunnel Settings, set the Tunnel Type to SSL.
• For an SSL tunnel, you must also specify these authentication settings:
  – SSL Tunnel ID: the Device Name of the hub device
  – SSL Tunnel Password
• The Management Server also updates these authentication settings on the gateway Firebox.

Page 70: What’s New in Fireware XTM v11.8

Management Tunnel over SSL

First, the SSL client device contacts the SSL server on port 443. After the tunnel is established, the remote client can successfully contact the Management Server.
• The new interface for this tunnel, now available on the SSL client firewall, is called tun_mgmt_0.
• The Source IP will be the assigned virtual IP address.

Page 71: What’s New in Fireware XTM v11.8

Management Tunnel over SSLManagement Tunnel over SSL

Authentication process:

• For the SSL server:

1. A new local user group, SSLVPN-Mgmt-Clients, is created so that remote users of the Mobile VPN with SSL client software do not overlap with the centralized management session.

2. In the SSL management tunnel, the Tunnel ID is the equivalent of the Mobile VPN client username.

3. You cannot have the same username in both the SSLVPN-Mgmt-Clients group and the SSLVPN-Users group.

• For the SSL client: you only need to specify the Tunnel ID, the SSL password, and the management encryption and certificate details.


Page 72: What’s New in Fireware XTM v11.8

SHA2 Support


Page 73: What’s New in Fireware XTM v11.8

SHA2 Support

Fireware XTM v11.8 adds support for SHA2 for branch office VPN, Mobile VPN with IPSec, and Mobile VPN with L2TP.

SHA2 produces a longer digest than SHA1 or MD5 and is not subject to their known collision weaknesses. Fireware XTM supports three variants of SHA2.

• SHA2-256 — produces a 256 bit (32 byte) message digest.

• SHA2-384 — produces a 384 bit (48 byte) message digest.

• SHA2-512 — produces a 512 bit (64 byte) message digest.

SHA2 is supported only on XTM devices with hardware cryptographic acceleration for SHA2.

• SHA2 is not supported on XTM 21, 22, 23, 5 Series, 810, 820, 830, 1050, and 2050 devices.

• SHA2 appears as an option in the configuration only if it is supported on the hardware.
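The following is an added example, not part of the WatchGuard course material. It computes the three SHA2 digest sizes listed above and goes one step beyond the slide to show how an IPsec VPN actually uses a SHA2 digest: the HMAC output is truncated to half its length (RFC 4868) before it is sent as the ESP/AH Integrity Check Value, compared with the 96-bit ICV of the older HMAC-MD5-96 and HMAC-SHA1-96 transforms (RFC 2403/2404). The key and packet bytes are constructed for the demonstration and are not from any real tunnel.

```python
"""HMAC integrity with the SHA2 variants Fireware XTM v11.8 adds for IPsec.

Added example (not WatchGuard code). Key and payload below are constructed.
"""
import hashlib
import hmac

# name -> (hash constructor, digest bits, ICV bits on the wire)
# RFC 2403/2404: MD5 and SHA1 truncated to 96 bits.
# RFC 4868: SHA2 truncated to half the digest length.
INTEGRITY_ALGORITHMS = {
    "MD5": (hashlib.md5, 128, 96),
    "SHA1": (hashlib.sha1, 160, 96),
    "SHA2-256": (hashlib.sha256, 256, 128),
    "SHA2-384": (hashlib.sha384, 384, 192),
    "SHA2-512": (hashlib.sha512, 512, 256),
}


def digest_sizes(name):
    """Return (digest_bytes, icv_bytes) for an integrity algorithm name."""
    _algo, digest_bits, icv_bits = INTEGRITY_ALGORITHMS[name]
    return digest_bits // 8, icv_bits // 8


def compute_icv(name, key, payload):
    """HMAC over the authenticated packet bytes, truncated to the ICV length."""
    algo, _digest_bits, icv_bits = INTEGRITY_ALGORITHMS[name]
    return hmac.new(key, payload, algo).digest()[: icv_bits // 8]


def verify_icv(name, key, payload, icv):
    """Receiver side: recompute the ICV and compare it in constant time."""
    return hmac.compare_digest(compute_icv(name, key, payload), icv)


def demo():
    """Run every transform over the same constructed packet.

    Returns {name: (digest_bytes, icv_bytes, accepted_intact, accepted_tampered)}.
    """
    key = bytes(range(32))  # constructed 256-bit integrity key
    packet = b"constructed ESP payload: 10.0.1.5 -> 10.0.2.9"
    # Flip one bit in the payload; every transform must reject it.
    tampered = bytes([packet[0] ^ 0x01]) + packet[1:]
    results = {}
    for name in INTEGRITY_ALGORITHMS:
        digest_len, icv_len = digest_sizes(name)
        icv = compute_icv(name, key, packet)
        results[name] = (
            digest_len,
            icv_len,
            verify_icv(name, key, packet, icv),
            verify_icv(name, key, tampered, icv),
        )
        print(f"{name:9s} digest {digest_len:2d} B, ICV {icv_len:2d} B, "
              f"intact_ok={results[name][2]} tampered_ok={results[name][3]}")
    return results


if __name__ == "__main__":
    demo()
```

The point for a VPN administrator is that the digest length in the slide is not what travels in each packet; selecting SHA2-256 over SHA1 moves the per-packet ICV from 96 to 128 bits and, more importantly, replaces a hash with known collision weaknesses. Both peers must support the chosen variant, which is why SHA2 only appears on hardware that accelerates it.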


Page 74: What’s New in Fireware XTM v11.8

SHA2 Support

SHA2 is supported for:

• Branch Office VPN

• Mobile VPN with IPSec

• Mobile VPN with L2TP

For Mobile VPN with IPSec, SHA2 is supported for VPN connections from:

• Shrew Soft VPN client v2.2.1 or higher

• WatchGuard IPSec Mobile VPN client v11.32 or higher

• SHA2 is not supported for VPN connections from Android or iOS devices, and is not supported by older versions of the Shrew Soft or WatchGuard IPSec VPN clients.


Page 75: What’s New in Fireware XTM v11.8

Mobile VPN with SSL Password Control


Page 76: What’s New in Fireware XTM v11.8

Mobile VPN with SSL Password Control

A new check box in the Mobile VPN with SSL configuration controls whether the Mobile VPN with SSL client remembers the password.

The Remember connection details option is removed from the client.

• The client always remembers the Server and Username.

• The client remembers the Password only if you allow it in the Mobile VPN with SSL configuration.


Page 77: What’s New in Fireware XTM v11.8

Updated Web UI


Page 78: What’s New in Fireware XTM v11.8

Updated Web UI

The Web UI no longer depends on Adobe Flash Player. The Adobe Flex interface is replaced by HTML and JavaScript.

Mobile Ready — The responsive web interface provides an optimal viewing experience on all types of devices, such as desktop browsers, tablets, and smartphones.

Improved Monitoring Capability — Dashboard and System Status sections now offer functionality similar to Firebox System Manager.


Page 79: What’s New in Fireware XTM v11.8

Web UI — Responsive Design

The new Web UI is responsive to the size of the viewport it is being displayed in.

The layout of the user interface changes depending on the size of the browser window.

The minimum supported resolution is 320x768, in either portrait or landscape mode.

When the viewport drops below a width of 768 pixels (the width of a landscape phone or a tablet in portrait mode), the left navigation menu moves to the top to provide space on the screen for the rest of the content.


Page 80: What’s New in Fireware XTM v11.8

Web UI — Responsive Design (continued)

The form elements in pages respond to the width of the viewport.


Figures: an example page on a desktop viewport, and the equivalent page on a smaller viewport.

Page 81: What’s New in Fireware XTM v11.8

Web UI — Session Expiration

If your login session expires (usually because the session timeout is reached), an alert at the top of the screen notifies you immediately.

This alert includes a login link that redirects you to the login page. After a successful login, the browser displays the page you were on before the session expired.


Page 82: What’s New in Fireware XTM v11.8

Web UI — Success Message and Redirection

During configuration changes, a successful save displays a success message at the top of the current parent page.


Page 83: What’s New in Fireware XTM v11.8

Web UI — Firewall Policies

Actions

• You can now clone actions directly from a policy.

• You can edit a non-default action or apply existing actions within the policy.


Page 84: What’s New in Fireware XTM v11.8

Web UI — Firewall Policies (continued)

Actions can now be created within the policy for:

• Application Control

• Schedule

• Traffic Management

• Proxy


Page 85: What’s New in Fireware XTM v11.8

Web UI — System Status

Many System Status features have moved into the Dashboards. The table shows where features from the previous Web UI have moved to in the new Web UI.


Page 86: What’s New in Fireware XTM v11.8

Web UI — System Status (continued)


Page 87: What’s New in Fireware XTM v11.8

Web UI — System Status Copy

Copy buttons have been removed from the UI. You can now select and copy text in the browser just as you would on any other web page.


Page 88: What’s New in Fireware XTM v11.8

Web UI — Refresh Buttons and Timers

The Refresh button and timer controls have been removed from the System Status pages.

Pages with information that need to be actively refreshed are all in the Dashboard section.

The Dashboard pages all refresh every 30 seconds automatically with the exception of the Traffic Monitor, which refreshes every 5 seconds.


Page 89: What’s New in Fireware XTM v11.8

Web UI — Traffic Monitor

Refreshes every 5 seconds


Page 90: What’s New in Fireware XTM v11.8

Web UI — FireWatch

FireWatch is a real-time, interactive report tool that groups, aggregates, and filters statistics about the traffic through your XTM device in an easy-to-understand form.

FireWatch includes options to pivot, refine, and filter information about your firewall traffic.


Page 91: What’s New in Fireware XTM v11.8

Web UI — FireWatch

Some of the information you can see at a glance includes:

• Top Users

• Top Domains

• Application Usage

• Bandwidth Usage

• Firewall Traffic

• Security Service Activity

• Device State


Page 92: What’s New in Fireware XTM v11.8

Secondary PPPoE Interfaces


Page 93: What’s New in Fireware XTM v11.8

Secondary PPPoE Interfaces

Secondary PPPoE interfaces enable a single external interface to support multiple simultaneous PPPoE connections.

• Enable PPPoE on an external interface.

• Add up to 25 secondary PPPoE interfaces.

• Associate each secondary with a primary external interface that has PPPoE enabled.


Page 94: What’s New in Fireware XTM v11.8

Global Setting to Clear Active Connections

By default, the XTM device does not clear active connections when you modify a static NAT (SNAT) action, so connections established before the change continue to use the old translation until they end on their own.

You can change the global SNAT setting so that the XTM device clears active connections that use an SNAT action you modify, which makes the new translation take effect immediately at the cost of interrupting those sessions.


Page 95: What’s New in Fireware XTM v11.8

Thank You!
