What's New in Fireware XTM v11.5.1, WatchGuard Training (PowerPoint PPT presentation)

Slides: 51
Provided by: watchguar
Transcript and Presenter's Notes
1
What's New in Fireware XTM v11.5.1
2
New Features in Fireware XTM v11.5.1
  • Major Changes
    • IPv6 Network Configuration and Routing
    • FIPS 140-2
    • Dynamic Routing Enhancements
    • Clientless SSO
    • Log and Report Manager
    • Log Server UTC Timestamp Conversion
    • ConnectWise Integration
    • SMTP-Proxy TLS Encryption

3
New Features in Fireware XTM v11.5.1
  • Minor Changes
    • Debug Logging Per Proxy Action (60099)
    • WSM Management Server Search (62143)
    • iOS Mobile VPN with IPSec (41602)
    • Export Auto-Blocked Sites (62511)
    • Negotiate PPPoE Client IP Address (61930)
  • New Platforms
    • XTM 330
    • XTM 2050

4
IPv6
5
IPv6 Refresher
  • WatchGuard IPv6: http://www.watchguard.com/ipv6/index.asp
    • Hype or Reality (Video and PPT)
    • Security Implications (Video and PPT)
    • What to Expect (Video and PPT)
  • IPv6 is manageable
    • If you impose a false minimum of a /24 on IPv4
    • Subnetting: IPv4 /8, IPv6 /48

Example IPv6 address shown on the slide: 2561:1900:4545:0003:0200:F8FF:FE21:67CF
6
IPv6 in 11.5.1
  • If it routes, the traffic will pass. No security
    policies, features, or configurations are applied
  • Static configuration of IPv6 addresses and DNS
  • Router Advertisement for stateless address
    auto-configuration
  • Static routes

7
IPv6 Certifications
  • IPv6 Ready
    • Phase 1, Silver Logo, was in v11.4.2
    • Phase 2, Gold Logo, Core is in this release
  • The Phase 2 Logo is a requirement for extended
    test categories, including
    • IPSec
    • IKEv2
    • MIPv6
    • NEMO
    • DHCPv6
    • SIP
    • SNMP-MIBs
    • MLDv2

8
IPv6 Roadmap

Future Features
  • Authentication, SSO, Terminal Service
  • DHCP Server/Relay for trusted/optional interface
  • Transparent bridge and drop-in mode
  • Traffic management and QoS
  • 4-to-6 transition tunnel
  • Proxy and security services (WebBlocker, GAV, ...)
  • Application Control and IPS
  • Mobile User VPN
  • Cluster

IPv6 Planned Features
  • Static configuration of IPv6 addresses
  • Router Advertisement for stateless address auto-configuration
  • Static routes and DNS servers
  • DHCPv6 client for external interface
  • V6 policies
  • Blocked sites/ports, and auto-block
  • Default threat protection
  • BOVPN 6-in-6, 6-in-4, 4-in-6
  • 6-to-4 transition tunnel
9
FIPS 140-2
10
FIPS Support in Fireware XTM
  • FIPS 140-2
    • Federal Information Processing Standards
      Publication 140-2, Security Requirements for
      Cryptographic Modules
    • Describes the NIST requirements and standards for
      cryptographic modules for use by federal
      government departments and agencies
    • Defines four security levels
  • WatchGuard XTM
    • XTM Devices and Fireware XTM are designed to meet
      the overall requirements for FIPS 140-2 Level 2
      security, when configured in a FIPS-compliant
      manner

11
FIPS Support in Fireware XTM
  • FIPS Mode
    • You must use the CLI to enable FIPS mode on an
      XTM device
    • When the XTM device operates in FIPS mode, each
      time the device is powered on, it runs a set of
      self-tests required by the FIPS 140-2
      specification
    • If any of the tests fail, the XTM device writes a
      message to the log file and shuts down
    • If you start the device in safe mode or recovery
      mode, the device is not in FIPS mode
    • Use the CLI command fips enable to enable FIPS
      mode operation
    • You can use the CLI command show fips to
      determine if the XTM device is configured in FIPS
      mode

12
FIPS Mode Constraints
  • FIPS Mode does not enforce a FIPS-compliant
    configuration. To remain compliant:
    • Configure the Admin and Status administrative
      accounts to use passwords with a minimum of 8
      characters
    • When you configure VPN tunnels, you must choose
      only FIPS-approved authentication and encryption
      algorithms: SHA-1, SHA-256, SHA-512, 3DES,
      AES-128, AES-192, and AES-256.
    • When you configure VPN tunnels, you must choose
      Diffie-Hellman Group 2 or Group 5 for IKE Phase 1
      negotiation
    • Use a minimum of 1024 bits for all RSA keys
    • Do not configure FireCluster for high
      availability
    • Do not use Mobile VPN with PPTP
    • Do not use PPPoE
    • Do not use WatchGuard System Manager to manage
      the device
    • For access to Fireware XTM Web UI, the web
      browser must be configured to use only TLS 1.0
      and FIPS-approved cipher suites
    • For network access to the CLI, clients must use
      the SSH v2.0 protocol
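Because FIPS mode does not validate the configuration for you, a compliance check has to be done outside the device. The following is an added example, not WatchGuard code: it audits a flattened view of BOVPN tunnel settings against the algorithm, DH-group and RSA-size constraints listed above. The TunnelConfig field names and the sample tunnels are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# FIPS-approved choices exactly as listed on the slide
FIPS_AUTH = {"SHA-1", "SHA-256", "SHA-512"}
FIPS_ENC = {"3DES", "AES-128", "AES-192", "AES-256"}
FIPS_DH_GROUPS = {2, 5}
MIN_RSA_BITS = 1024


@dataclass
class TunnelConfig:
    """Hypothetical flattened view of one BOVPN tunnel's IKE settings."""
    name: str
    phase1_auth: str
    phase1_enc: str
    phase1_dh_group: int
    phase2_auth: str
    phase2_enc: str
    rsa_key_bits: Optional[int] = None  # None when a pre-shared key is used


def fips_violations(t: TunnelConfig) -> List[str]:
    """Return one message per constraint the tunnel breaks (empty means compliant)."""
    problems = []
    for phase, auth, enc in (("Phase 1", t.phase1_auth, t.phase1_enc),
                             ("Phase 2", t.phase2_auth, t.phase2_enc)):
        if auth not in FIPS_AUTH:
            problems.append(f"{t.name}: {phase} authentication {auth} is not FIPS-approved")
        if enc not in FIPS_ENC:
            problems.append(f"{t.name}: {phase} encryption {enc} is not FIPS-approved")
    if t.phase1_dh_group not in FIPS_DH_GROUPS:
        problems.append(f"{t.name}: IKE Phase 1 DH group {t.phase1_dh_group} must be 2 or 5")
    if t.rsa_key_bits is not None and t.rsa_key_bits < MIN_RSA_BITS:
        problems.append(f"{t.name}: RSA key of {t.rsa_key_bits} bits is below {MIN_RSA_BITS}")
    return problems


def audit_tunnels(tunnels: List[TunnelConfig]) -> List[str]:
    """Collect violations across every tunnel into a single report."""
    report = []
    for t in tunnels:
        report.extend(fips_violations(t))
    return report


# Constructed sample tunnels: one compliant, one carrying legacy settings.
SAMPLE_TUNNELS = [
    TunnelConfig("to-hq", "SHA-256", "AES-256", 5, "SHA-1", "AES-128", rsa_key_bits=2048),
    TunnelConfig("to-legacy", "MD5", "DES", 14, "SHA-1", "3DES", rsa_key_bits=512),
]
```

Run audit_tunnels(SAMPLE_TUNNELS) to get four findings for the legacy tunnel (MD5, DES, DH group 14, 512-bit RSA) and none for the compliant one.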

13
Dynamic Routing Enhancements
14
Dynamic Routing Enhancements
  • FireCluster is now supported
  • Configuration validation ensures a working
    configuration
  • Enhanced troubleshooting capabilities
    • Enable debugging at runtime
    • Obtain more logs from Quagga
    • Enhanced output in the Firebox System Manager
      Status Report

15
Dynamic Routing Diagnostic Logging
  • Change the Diagnostic Log Level setting for
    Dynamic Routing to the Debug level to see
    detailed log messages from all log levels.

16
Clientless Single Sign-On (SSO)
17
Clientless SSO
  • Use the SSO Agent and Event Log Monitor for SSO,
    without the SSO Client
  • Support for both single domain and multiple
    domains
  • Provides the same accuracy as the SSO Client
    solution
  • Token Groups
    • SSO Client
    • SSO ELM
    • Manual Authentication with samAccountName
  • Group Attribute
    • Manual Authentication and Non-Active Directory
    • Does not return nested groups

18
Clientless SSO Process
  • Install the SSO Agent on your network.
  • Install the Event Log Monitor on each domain
    controller in your network.
  • The Event Log Monitor collects user credentials
    when users log on to the domain.
  • The SSO Agent queries the Event Log Monitor
    for user credentials.

19
Clientless SSO Work Flow
20
Clientless SSO Contact Priority
  • Select whether the SSO Agent first contacts the
    Event Log Monitor or the SSO Client for user
    credentials.

21
Clientless SSO Supported OS
  • Use clientless SSO with these operating systems:

Operating System                        SSO Agent   Event Log Monitor
Windows XP SP2/SP3 (32-bit)             Yes         No
Windows Vista (32-bit)                  Yes         No
Windows 7 (32-bit)                      Yes         No
Windows Server 2003 (32-bit)            Yes         Yes
Windows Server 2003 (64-bit)            Yes         Yes
Windows Server 2008 (32-bit)            Yes         Yes
Windows Server 2008 / 2008 R2 (64-bit)  Yes         Yes
22
Log and Report Manager
23
Log and Report Manager
  • Log Viewer and Report Manager are replaced in
    v11.5.1 with the new Log and Report Manager web
    UI.
  • Select either the Log Viewer or Report Manager
    icon in WatchGuard System Manager to launch the
    default web browser. The user is prompted to
    connect to the WatchGuard Log Server or Report
    Server with administrative credentials.

24
Log and Report Manager View Logs
  • Select the Actions drop-down list at the right to
    choose a time filter for the log display, or
    select a Timeslice Analysis to show a summary of
    log types recorded over time.

25
Log and Report Manager View Logs
26
Log and Report Manager View Reports
  • Select REPORTS > Devices to see a list of devices
    with reports on the Report Server.
  • Select a device to see the report options.

27
Log and Report Manager View Reports
  • View Available Reports
  • Select Daily or Weekly time filters, and specify
    a date range.
  • Select the tab for a report type Dashboard,
    Traffic, Web, Mail, Services, Device, and Detail.
  • To generate Per Client and On-Demand Reports for
    devices, click a link at the right side of the
    page.

28
Log and Report Manager On-Demand Reports
  • Select the Start and End date and time, the type
    of report to generate, and click Run Report to
    generate an On-Demand report.

29
Log and Report Manager On-Demand Reports
  • Reports include graphical and textual summary
    information

30
Log Server and Report Server UTC Time Conversion
31
Log and Report Server Upgrade
  • When the Log Server or Report Server is upgraded
    to v11.5.1, the server database is upgraded to
    PostgreSQL 8.2.21.
  • If an external Log Server or Report Server
    database is used instead of the built-in
    database, the user must manually upgrade the
    server to PostgreSQL 8.2.21 before the Log Server
    or Report Server is upgraded.

32
Log and Report Server UTC Conversion
  • Previously, the Log and Report Server database
    used the timestamp of the host server. In
    v11.5.1, the UTC time stamp is used for log
    messages.
  • When an existing server is upgraded to v11.5.1,
    the log message time stamps are converted from
    the old format to UTC format. This can take some
    time depending on the size of the log database.
  • An audit log is written when the conversion
    process starts and finishes.
  • If email notification is enabled, notifications
    are sent when conversion starts and when
    conversion is complete.

33
ConnectWise Integration
34
ConnectWise Integration
  • Your v11.5.1 Report Server can send specific
    reports it generates to the third-party
    ConnectWise service to be included in the reports
    ConnectWise produces.
  • The Report Server must be configured with the
    information for a ConnectWise server and
    ConnectWise account.

35
ConnectWise Integration
  • In the Report Server Server Settings, enable
    ConnectWise integration and add the information
    for the ConnectWise server and ConnectWise
    account.
  • Make sure to import the CA certificate for your
    ConnectWise server to your Report Server.

36
ConnectWise Integration
  • Create a Report Schedule and specify the reports
    to generate and send to ConnectWise.
  • Reports available for ConnectWise integration
    include
    • Firebox Statistics
    • Intrusion Prevention Service Summary
    • WebBlocker Summary
    • Most Popular Domains
  • To send reports to ConnectWise, you must select
    at least one of these reports.
  • Reports must be scheduled to run daily

37
SMTP-Proxy TLS Encryption
38
SMTP-Proxy TLS Encryption Settings
  • v11.5.1 includes new options for TLS encryption
    settings in the ESMTP category of the SMTP proxy
    action.
  • If an SMTP-proxy is used for mail traffic sent
    through an XTM device, TLS encryption can be
    applied to the traffic.
  • Certificates used by the HTTPS-proxy are also
    used by the SMTP-proxy for TLS encryption. The
    FSM certificate import feature is also used to
    import TLS encryption certificates to the XTM
    device.

39
SMTP-Proxy TLS Encryption Settings
  • Configure rules to determine which recipient
    domains receive TLS encrypted email
  • If Recipient Encryption is Required, the XTM
    device does not send email if TLS negotiation
    fails.
  • If Recipient Encryption is Preferred, the XTM
    device tries to negotiate a TLS connection, but
    if negotiation fails the email is sent
    unencrypted.
  • If Recipient Encryption is Allowed, the email
    client can select to encrypt or not encrypt
    email, and the XTM device sends the email
    whether it is encrypted or unencrypted.
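The three Recipient Encryption modes differ in what happens when TLS negotiation fails, and only Required refuses to fall back to cleartext. The block below is an added example, not WatchGuard code: it models a per-recipient-domain rule table and the relay decision for each mode, writing an audit line whenever a message is refused or silently downgraded, which is what an administrator running Preferred or Allowed would want to monitor. The rule table, domain names, function names and audit format are all constructed assumptions.

```python
from typing import Dict, List

# Constructed rule table: recipient domain -> Recipient Encryption setting.
# "*" is the default rule; the longest matching domain suffix wins.
RULES: Dict[str, str] = {
    "bank.example": "Required",
    "partner.example": "Preferred",
    "*": "Allowed",
}


def rule_for(recipient: str, rules: Dict[str, str] = RULES) -> str:
    """Pick the encryption mode for a recipient address from the rule table."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    matches = [d for d in rules
               if d != "*" and (domain == d or domain.endswith("." + d))]
    return rules[max(matches, key=len)] if matches else rules["*"]


def relay_decision(recipient: str, tls_negotiated: bool, client_wants_tls: bool,
                   audit: List[str]) -> str:
    """Return "encrypted", "plaintext" or "rejected"; append to `audit` whenever
    a message is refused or leaves in the clear although TLS was wanted."""
    mode = rule_for(recipient)
    if mode == "Required":
        if tls_negotiated:
            return "encrypted"
        audit.append(f"REJECT {recipient}: TLS required, negotiation failed")
        return "rejected"
    if mode == "Preferred":
        if tls_negotiated:
            return "encrypted"
        audit.append(f"DOWNGRADE {recipient}: TLS preferred, sent unencrypted")
        return "plaintext"
    # Allowed: the sending client chooses; the device relays either way.
    if client_wants_tls and not tls_negotiated:
        audit.append(f"DOWNGRADE {recipient}: client asked for TLS, negotiation failed")
    return "encrypted" if (client_wants_tls and tls_negotiated) else "plaintext"


def run_sample() -> List[str]:
    """Constructed deliveries, one per mode, with TLS failing each time."""
    audit: List[str] = []
    relay_decision("cfo@mail.bank.example", False, True, audit)   # rejected
    relay_decision("ops@partner.example", False, True, audit)     # downgraded
    relay_decision("friend@other.example", False, False, audit)   # plaintext, no audit
    return audit
```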

40
SMTP-Proxy TLS Encryption Settings
  • If Sender Encryption is Required, an option can
    be enabled to encrypt not only the email data but
    also the sender, recipient, and body information
    in the message.

41
SMTP-Proxy TLS Encryption Settings
  • The Authentication category of the ESMTP settings
    includes an option to require encryption of
    plain-text ESMTP authentication information.

42
Minor Changes
43
Diagnostic Log Level For Proxy Actions
  • Set the Diagnostic Log Level for each proxy
    action in the General Settings category.
  • Diagnostic Log Levels
    • Error
    • Warning
    • Information
    • Debug
  • Reduce log messages from high-traffic proxy
    actions.
  • To disable logging for a single proxy action,
    you must disable logging for that proxy type
    globally, then enable logging for all other
    proxy actions.

44
WSM Management Server Search
  • New Search folder for the Management Server on
    the Device Management tab.
  • Search supports
    • Device display name
    • Device IP addresses
    • Device host names
    • Polled device name
    • Polled IP address
    • Polled serial number
    • Polled software version
  • Search does not support
    • Serial number for backup master
    • Secondary addresses
    • Polling multi-WAN IP addresses

45
iOS Mobile VPN with IPSec
  • No Profile to use, specific configuration only
  • iOS: Setting up VPN
  • Configure Fireware XTM
    • Shared Key Only (no certificates)
    • Force all traffic through tunnel
    • Phase 1
      • Authentication: MD5 or SHA-1
      • Encryption: DES, 3DES, AES-128, AES-256 (no
        AES-192)
      • SA Life: 1 hour
      • Key Group: DH Group 2
    • Phase 2
      • Authentication: MD5 or SHA-1
      • Encryption: 3DES, AES-128, or AES-256
      • Key Expiration: 1 hour and 0 Kb
      • Disable PFS

46
Export Auto-Blocked Sites
  • To export the list of blocked sites, right-click
    the Blocked Sites list in Firebox System Manager
  • Save the list as the blocked_sites.txt file

47
Negotiate PPPoE Client IP Address and DNS
  • Configure an external interface, select the IPv4
    tab, select Use PPPoE, select Use IP address,
    and click Advanced Properties
  • Send the PPPoE client static IP address during
    PPPoE negotiation
    • When selected, the configured address is
      requested, but other addresses will also be
      accepted for negotiation
    • When not selected, the IP address is not
      negotiated in PPPoE
  • Negotiate DNS with PPPoE Server

48
New Platforms
49
                     XTM 330                     XTM 2050
Form Factor          Rackmount (1U)              Rackmount (2U)
Network Interfaces   7x GbE (RJ45)               16x GbE (RJ45), 2x 10G SFP Fiber
Other Interfaces     2x USB, 1x RJ45 serial      1x GbE RJ45 management, 2x USB, 1x RJ45 serial
Weight               7.55 lbs                    48.5 lbs
Power Supply         100-240 VAC Autosensing     Dual 100-240 VAC Autosensing
50
THANK YOU!