What’s New in Fireware XTM v11.8.1
WatchGuard Training
What’s New in XTM 11.8.1
Networking Enhancements
• Secondary networks for VLANs [40123]
• Support for static NAT and server load balancing for traffic through an Optional interface [39793]
• PPPoE client IP address enforcement [73382]
• DHCP Force Renew support on external interfaces [61383]
• Sierra Wireless 320U 3G/4G modem support [74572]
• Bridge XTM wireless Access Points to the same network [76381]
XTMv Enhancements
• XTMv on ESXi now supports active/passive FireCluster [72105]
WatchGuard AP Device Management Enhancements
• New AP status of Discovered in the Gateway Wireless Controller [77081]
• Ability to upgrade an AP device from the Gateway Wireless Controller [73497]
• Automatic AP device firmware upgrades are now staggered [77738]
What’s New in XTM 11.8.1
Authentication Enhancements
• Customize the Authentication Portal page [42587]
• Case-sensitivity disabled for Firebox-DB user names [61132]
HTTPS-Proxy Enhancements
• Allow only SSL compliant traffic through the HTTPS-proxy [76197]
WebBlocker Enhancements
• Improved WebBlocker local override page [66930]
Management Server Enhancements
• Management Server Clustering [41220]
• Compare versions of configuration files & force users to comment on changes to configuration files and templates [77204]
Monitoring & Reporting Enhancements
• Download a diagnostic log file from the Web UI [77638]
• New Web Traffic Summary report [76985]
Networking Enhancements
Secondary Networks for VLANs
You can now configure a secondary network for a VLAN interface.
• Configure these settings on the Secondary tab in the VLAN configuration.
• Supported for Trusted, Optional, and External VLAN interfaces.
• Secondary IP addresses are often used for Static NAT on external interfaces or network migration and router consolidation on trusted or optional interfaces.
SNAT from Optional to Trusted
In a Static NAT action or Server Load Balancing NAT action, you can now select an External or Optional interface.
This enables you to do static NAT or server load balancing for traffic from the optional network to the trusted network.
PPPoE Client IP Address Enforcement
PPPoE advanced settings include an option to enforce the client static IP address.
When this option is selected:
• The XTM device sends the configured PPPoE client IP address to the PPPoE server.
• The XTM device uses the configured client IP address, even if another IP address is obtained from the server.
PPPoE client address enforcement is useful for clients of ISPs that provide multiple static IP addresses. This new option is useful if the ISP does not respond with the address included in the client request.
DHCP Force Renew
When you configure the external interface as a DHCP client, you can optionally enable the XTM device to respond to DHCP Force Renew messages.
• The FORCERENEW message requests the DHCP client to renew its leased IP address sooner than it ordinarily would.
• You can optionally specify a shared key that must match the key in the FORCERENEW request.
Additional 3G/4G Modem Support
The Sierra Wireless 320U 3G/4G USB modem is now supported for modem failover.
To see a complete list of supported modems, see this Knowledge Base article: http://customers.watchguard.com/articles/Article/Supported-3G-4G-USB-devices
Bridge XTM Wireless Access Points to the Same Interface
On an XTM wireless device, you can now bridge Wireless Access Point 1 and Wireless Access Point 2 to the same XTM device interface.
XTMv Enhancements
FireCluster on XTMv
You can configure two XTMv devices as an active/passive FireCluster on VMware vSphere ESXi.
vSwitch configuration requirements:
• The vSwitch connected to an external interface must accept MAC address changes.
• The vSwitch connected to the FireCluster management interface must have promiscuous mode enabled.
AP Device Management Enhancements
Staggered AP Device Firmware Automatic Upgrades
Automatic upgrades of AP device firmware are now staggered.
• If automatic upgrade is enabled in the Gateway Wireless Controller settings, the automatic upgrade of AP devices does not occur simultaneously.
• If there are multiple paired AP devices, the AP device firmware upgrades occur one at a time for each AP device, five minutes apart.
Update AP Device Firmware for a Single AP Device
You can now upgrade the firmware on a single AP device from the Gateway Wireless Controller tab in Firebox System Manager.
• You can see the version of AP firmware available on the XTM device.
• You can see the version of AP firmware currently installed on each AP device.
• Click Upgrade to upgrade the AP firmware to the available version.
In Fireware XTM Web UI, this option is available in the Gateway Wireless Controller Dashboard.
New AP Device Status — Discovered
The Gateway Wireless Controller now shows a status of Discovered for a paired AP device that is connected, but is not yet Online.
• After an AP device restarts, the status is Discovered when the XTM device has successfully communicated with the AP device, but the AP device is not yet online.
Authentication Enhancements
Customize the Authentication Portal
You can now configure the look and feel of the Authentication Portal page from Fireware XTM Web UI and Policy Manager.
• Add custom logo
• Add custom welcome message or disclaimer
• Specify the page title
• Select custom colors
• Select custom fonts
Disable Case-Sensitivity for Firebox-DB User Names
For users created for Firebox Authentication (to the Firebox-DB Authentication Server), you can now disable case-sensitivity for user names.
Users can type their user names with any capitalization and still authenticate.
HTTPS-Proxy Enhancements
HTTPS-Proxy — Allow only SSL Compliant Traffic
By default, when you enable the HTTPS proxy, it allows SSL traffic matching any SSL version.
When this new option is selected, the HTTPS proxy allows only traffic that matches one of these SSL versions:
• SSL_V2=0x200
• SSL_V3=0x300
• TLS_V1=0x301
• TLS_V11=0x302
• TLS_V12=0x303
This new option can be useful if you want to deny traffic that is not HTTP over SSL.
This option is not necessary or available when deep packet inspection is enabled in your HTTPS proxy configuration.
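A sketch of the kind of check this option implies, added here as an example and not WatchGuard's implementation: it inspects the first bytes a client sends and accepts them only if they form an SSLv3/TLS handshake record whose version is in the list above. The function names, the constructed sample byte strings and the choice to parse only the SSLv3/TLS record framing (an SSLv2-framed hello uses a different header) are assumptions.

```python
import struct

# Version values exactly as listed on the slide.
ALLOWED = {0x200: "SSL_V2", 0x300: "SSL_V3", 0x301: "TLS_V1",
           0x302: "TLS_V11", 0x303: "TLS_V12"}
HANDSHAKE = 0x16       # record content type for handshake messages
CLIENT_HELLO = 0x01    # handshake message type a client must send first
MAX_RECORD = 2 ** 14   # largest plaintext record fragment

def check_first_record(data: bytes):
    """Return (allowed, reason) for the first bytes a client sends."""
    if len(data) < 6:
        return False, "too short to hold a record header and handshake type"
    # Record header: content type (1 byte), version (2), length (2).
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if ctype != HANDSHAKE:
        return False, f"content type 0x{ctype:02x} is not handshake"
    if version not in ALLOWED:
        return False, f"version 0x{version:03x} not in allowed list"
    if not 0 < length <= MAX_RECORD:
        return False, f"implausible record length {length}"
    if data[5] != CLIENT_HELLO:
        return False, f"first handshake message type {data[5]} is not ClientHello"
    return True, ALLOWED[version]

# Constructed samples (hypothetical, not captured traffic).
SAMPLES = {
    "tls12_hello": bytes.fromhex("16030300310100002d0303"),
    "tls10_hello": bytes.fromhex("16030100310100002d0301"),
    "http_on_443": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "ssh_on_443": b"SSH-2.0-client\r\n",
    "bad_version": bytes.fromhex("16040000310100002d0400"),
    "truncated": bytes.fromhex("160303"),
}

def classify_samples():
    """Run the check over every constructed sample."""
    return {name: check_first_record(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, (ok, why) in classify_samples().items():
        print(f"{name:12} {'ALLOW' if ok else 'DENY':5} {why}")
```

Plain HTTP or an SSH banner sent to port 443 fails on the first byte, which is the "traffic that is not HTTP over SSL" case the slide describes.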
WebBlocker Enhancements
WebBlocker Local Override Page
The Local Override authentication form that users see in the web browser when access to a web page is denied by WebBlocker has been formatted to match the deny message.
Management Server Enhancements
Management Server Clustering
Create clusters of WatchGuard Management Servers for failover and redundancy
Uses the native Microsoft Failover Cluster service support for high availability
Configure each WatchGuard Management Server independently and then use the command line to complete the setup of the servers in a failover cluster
New Configuration Management Settings
In WatchGuard Server Center > Management Server, the setting to force users to make a comment before saving changes to a device or configuration template has been moved to a new Configuration Management tab.
In the Comment Template list, optionally type the instructions to appear in the Comments dialog box, which users see when they save the configuration file or a configuration template to the Management Server.
Compare Configuration File Versions
In WSM, for a device configuration file, run a Difference Report to see the changes between versions of the configuration in the Configuration History.
The Difference Report includes all changes made to the configuration.
Monitoring & Reporting Enhancements
Download Diagnostic Log File from the Web UI
Fireware XTM Web UI now supports download of a diagnostic log file (support.tgz).
Enable diagnostic logging and download the support.tgz file:
1. Select System > Configuration File.
2. Click Download the Support Logs.
Review the file for diagnostic and packet trace information about your XTM device.
Web Traffic Summary Report
The Web Traffic Summary report has been added to WatchGuard System Manager Log and Report Manager. This report (already available with Dimension) offers a high-level view of:
• Top web sites visited by clients, in a bar chart
• Top web categories visited by clients, in a pie chart
Thank You!