What's New in Fireware XTM v11.4.1

New Features in Fireware XTM v11.4.1
- Configuration Files
  - Automatically save a time-stamped backup copy of the configuration file each time you save to a file.
- Policies
  - Edit SNAT objects from the Policy Manager Policy Properties dialog box.
  - Safe Search enforcement added to the HTTP-Client proxy action.
- SNMP
  - Additional enterprise MIB support for SNMP.
- Authentication
  - Prompt to select the default LDAPS port when LDAPS is enabled.
  - Specify which authentication server appears first in the Authentication Portal.
  - Select the users that can connect to the SSO Agent with Telnet.
  - Enable port 4116 on the Windows firewall when the SSO Client is installed.
New Features in Fireware XTM v11.4.1
- Branch Office VPN
  - New gateway endpoint setting to specify whether the device attempts to resolve the domain name in the remote gateway ID.
- Mobile VPN
  - Mobile VPN with IPSec support for the Shrew Soft VPN client.
  - Mobile VPN with SSL support for multiple authentication users and groups.
- Application Control
  - Clone an Application Control action in the Web UI.
  - Configure an action for an application category.
  - Apply an Application Control action to several policies at one time.
- Intrusion Prevention Service (IPS)
  - Enable or disable IPS for several policies at one time.
New Features in Fireware XTM v11.4.1
- Logging and Reporting
  - New policy to open the ports for LogViewer and Report Manager when they are behind a firewall external to your Log Server and Report Server.
- Firebox System Manager
  - Hide warnings for expired trial periods when a valid license for the feature exists.
  - New Summary section on the FSM Authentication List tab.
- Centralized Management
  - New Management Groups streamline template management for devices.
- Fireware XTM Web UI
  - Release or renew a DHCP lease for an external VLAN in the Web UI.
Configuration Files

Automatically Create a Configuration File Backup
- You can configure Policy Manager to automatically save a backup copy of the configuration file each time you save to a file.
- To enable this option, select File > Save > Always create a backup.
- The check mark indicates the automatic backup copy feature is enabled.
- Each time you save the configuration to a file, Policy Manager saves a second copy of the configuration in the same location, with the date and timestamp added to the file name.
- For example, if you save a configuration file named HQ-XTM1050 on March 30, 2011 at 11:30 AM, Policy Manager saves two files:
  - HQ-XTM1050.xml
  - HQ-XTM1050_2011-3-15_11-30-00.xml
Policies

Edit SNAT Action from Policy Properties Dialog Box
- You can now edit an SNAT action from the Policy Properties dialog box in Policy Manager.
- Any changes to the SNAT action apply to all policies that use this action.
Enforce Safe Search
- Safe Search enforcement has been added to the HTTP-Client proxy action for v11.4.1.
- In web browser search engines, Safe Search enables users to specify what level of potentially inappropriate content can be returned in search results.
- Safe Search levels vary between search engines. Typical settings are Off, Moderate, and Strict.
- When you enable Safe Search in the HTTP-Client proxy action, the strictest level of Safe Search rules is enforced regardless of the settings configured in the client search engine settings.

Enforce Safe Search
- In Policy Manager, in the HTTP-Client Proxy Action Configuration dialog box, select HTTP Request > General Settings and select the Enforce Safe Search check box.
- In Fireware XTM Web UI, select Firewall > Proxy Actions and select the HTTP-Client proxy action. On the HTTP Request > General Settings page, select the Enforce safe search for major search engines such as Google, Bing, Yahoo and YouTube check box.
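To illustrate what "strictest level regardless of the client's settings" means in practice, here is an added example (not WatchGuard's code; how the HTTP-Client proxy actually implements the feature is not described on this page): a proxy-side rewrite that forces each engine's own public strict-mode query parameter onto outbound search requests, replacing any level the client chose. YouTube is left out because its restricted mode is not a query parameter.

```python
# Added illustration of Safe Search enforcement at an HTTP proxy.
# The per-engine parameter names (Google safe=active, Bing adlt=strict,
# Yahoo vm=r) are the engines' public query parameters; the rewrite
# logic itself is an assumption for this example, not Fireware's code.
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Strict-level parameter for each supported engine.
STRICT_PARAMS = {
    "google": ("safe", "active"),
    "bing": ("adlt", "strict"),
    "yahoo": ("vm", "r"),
}


def engine_for(host: str):
    """Return the engine name if the host belongs to a supported engine.

    Matches on DNS labels, so www.google.co.uk and search.yahoo.com
    both match, while a host such as notgoogle.example does not.
    """
    labels = host.lower().split(".")
    for name in STRICT_PARAMS:
        if name in labels:
            return name
    return None


def enforce_safe_search(url: str) -> str:
    """Rewrite a client request URL so the engine's strict level is set.

    Only /search paths are touched; any client-supplied value for the
    engine's Safe Search parameter (off, moderate, empty) is discarded
    and replaced with the strict value.
    """
    parts = urlsplit(url)
    engine = engine_for(parts.hostname or "")
    if engine is None or parts.path != "/search":
        return url  # not a search request: pass through unchanged
    key, strict_value = STRICT_PARAMS[engine]
    # keep_blank_values so an explicit empty "safe=" is also replaced
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != key]
    query.append((key, strict_value))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


if __name__ == "__main__":
    # Constructed sample requests, including one where the client set safe=off.
    for sample in ("http://www.google.com/search?q=test&safe=off",
                   "http://www.bing.com/search?q=test",
                   "http://example.com/search?q=test"):
        print(sample, "->", enforce_safe_search(sample))
```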
SNMP

Additional MIB Support for SNMP
- Additional enterprise MIBs are now supported for SNMP.
- The complete list of enterprise MIBs includes:
  - UCD-SNMP-MIB
  - WATCHGUARD-CLIENT-MIB
  - WATCHGUARD-INFO-SYSTEM-MIB
  - WATCHGUARD-IPSEC-ENDPOINT-PAIR-MIB
  - WATCHGUARD-IPSEC-SA-MON-MIB-EXT
  - WATCHGUARD-IPSEC-TUNNEL-MIB
  - WATCHGUARD-POLICY-MIB
  - WATCHGUARD-PRODUCTS-MIB
  - WATCHGUARD-SMI
  - WATCHGUARD-SYSTEM-CONFIG-MIB
  - WATCHGUARD-SYSTEM-STATISTICS-MIB
Authentication

Default Port for LDAPS
- When you enable LDAPS for your Active Directory or LDAP server, if you do not select the default port for LDAPS, you are prompted to change the port to the default port for LDAPS.

Change the Default Authentication Server
- Specify which of your configured authentication servers appears first in the Authentication Portal authentication server Domain list.

SSO Agent and SSO Client Enhancements
- SSO Agent Telnet Security
  - Telnet connections to the SSO Agent are now limited to those users who are specified in the SSO Agent Configuration Tool users list.
  - Users must have read/write access to make configuration changes over a Telnet connection.
- SSO Client Port 4116 Open on Windows Firewall
  - To allow traffic to the SSO Client, when the SSO Client is installed, port 4116 is automatically enabled on the Windows firewall of the computer where you install the SSO Client.
Branch Office VPN and Mobile VPN

Branch Office VPN Enhancements
- A new gateway endpoint setting specifies whether the device attempts to resolve the domain name in the Remote Gateway ID.
- Select this if the remote gateway uses dynamic DNS to maintain a mapping between a dynamic IP address and a domain name.
Changes to Mobile VPN with IPSec
- As of April 20th, WatchGuard will no longer distribute the WatchGuard Mobile VPN with IPSec client on the Software Downloads Center.
  - Technical Support will continue to support the existing client.
- With Fireware XTM v11.4.1, we have added support for the Shrew Soft VPN Client.
  - Supported on Windows only.
  - Download the Shrew Soft VPN Client from the Shrew Soft web site.
  - See the product documentation for a list of differences between the WatchGuard IPSec client and the Shrew Soft VPN client.
Mobile VPN with IPSec: Shrew Soft VPN Client
- WatchGuard supports the use of the Shrew Soft VPN client for Windows as a Mobile VPN with IPSec client.
- The profile for the Shrew Soft VPN client has a .vpn extension.
  - The .vpn file is not encrypted and cannot be set to read-only.
  - Policy Manager generates the .vpn file when it generates the .wgx and .ini files.
  - In the Web UI you can choose to generate a Shrew Soft VPN (.vpn) or WatchGuard Mobile VPN (.ini) configuration file.
  - In the CLI, use the new export muvpn client-type option to export a .vpn file.

Mobile VPN with IPSec: Shrew Soft VPN Client
- Download and install the Shrew Soft VPN client from http://www.shrew.net/download
- Use Shrew Soft VPN Access Manager to configure and connect.
  - Select File > Import to import the generated .vpn profile.
  - Select the imported profile, and click Connect.
- Use Shrew Soft VPN Trace to troubleshoot your connection.
Shrew Soft VPN Client Limitations
- The Shrew Soft VPN client does not support some Mobile VPN with IPSec configuration settings and features:
  - IKE keep-alive is not supported.
  - Configuration of multiple VPN gateways for multi-WAN failover is not supported.
  - Line management configuration settings Connection mode and Inactivity timeout are not supported.
  - The Dead Peer Detection (DPD) Traffic idle timeout and Max retries configuration settings do not apply to the Shrew Soft VPN client. If DPD is enabled, Shrew Soft VPN supports DPD with a traffic idle timeout value of 15 seconds.
  - RADIUS 2-factor authentication is not supported.
  - The Shrew Soft VPN client does not support a read-only profile.
  - The Shrew Soft VPN client does not store the user name and password. Users must type the user name and password each time they connect.
Mobile VPN with SSL: Add Users and Groups
- Mobile VPN with SSL now supports multiple users and groups.
- The default SSLVPN-Users group is required only when you select Firebox-DB.
- When you add users and groups, the Allow-SSLVPN-Users policy shows the group SSLVPN-Users, with the authentication type in parentheses. This refers to all users and groups in the Mobile VPN with SSL configuration.
Subscription Services

Application Control
- You can clone an Application Control action in the Web UI.
- You can apply an Application Control action to several policies at one time.
  - Select one or more policies.
  - Select the action to apply.

Application Control
- You can configure an action (Drop or Allow) for an application category.
- If new application signatures are added to the category, the configured category action automatically applies to the new applications.
- Application-specific actions take precedence over category actions.

Intrusion Prevention Service
- You can enable or disable IPS for several policies at one time.
  - Select one or more policies.
  - Select the action to apply.
Logging and Reporting

Open LogViewer and Report Manager Ports
- The new WG-LogViewer-ReportMgr packet filter policy opens the ports that enable you to use LogViewer and Report Manager through an XTM device.
  - Opens TCP ports 4121 (LogViewer) and 4122 (Report Manager).
  - Enables remote access from your LogViewer or Report Manager to your Log Server or Report Server.
Firebox System Manager

Hide Expired Service Warnings in FSM
- Firebox System Manager has a new option to hide warnings for expired Subscription Services.
- Select View > Hide Expired Service Warnings. Or, right-click anywhere on the Front Panel tab and select Hide Expired Service Warnings.
- To show the expired service warnings again, select View > Hide Expired Service Warnings.
Centralized Management

Management Groups for Template Management
- WSM Management Groups streamline template management for devices.
- When you upgrade your Management Server to v11.4.1, a Management Group is automatically created for each of your v11.0 to v11.3.x and v11.4 templates.
  - Management Groups are not automatically created for Firebox X Edge v10.x devices that were subscribed to a template.

Management Groups for Template Management
- Devices that were subscribed to a template in v11.0 to v11.3.x, and v11.4 devices that had a template applied to them, are automatically added to the Management Group folder with the same name as the template they were associated with.

Management Groups for Template Management
- When you create a new template, you can create a corresponding Management Group and add devices that will use that template. This makes it easy to apply updated templates to the devices that use each template.
- You can add one or more devices to a Management Group and add each device to one or more Management Groups.
- Each Management Group page shows all the devices included in the group.

Management Groups for Template Management
- The Device page includes a Management Groups section, which shows the groups the device is a member of.
- When you make changes to a template, you can apply the template to one or more of the devices in the Management Group for that template.
- To apply a template to a Management Group, drag the template to the Management Group folder. The Apply Template wizard launches. You can select to apply the template to one or more devices in the folder.
Fireware XTM Web UI

Renew or Release a DHCP Lease
- Fireware XTM Web UI includes a new option to release or renew a DHCP lease for an external VLAN.
  - Select System Status > Interfaces.
  - Select an external interface with DHCP enabled and click DHCP Release or DHCP Renew.

THANK YOU!