Slides: 40
Provided by: WatchGuard8
1
What's New in Fireware XTM v11.4.1
2
New Features in Fireware XTM v11.4.1
  • Configuration Files
  • Automatically save a time-stamped backup copy of
    the configuration file each time you save to a
    file.
  • Policies
  • Edit SNAT objects from the Policy Manager Policy
    Properties dialog box.
  • Safe Search enforcement added to the HTTP-Client
    proxy action.
  • SNMP
  • Additional enterprise MIB support for SNMP.
  • Authentication
  • Prompt to select the default LDAPS port when
    LDAPS is enabled.
  • Specify which authentication server appears first
    in the Authentication Portal.
  • Select the users that can connect to the SSO
    Agent with Telnet.
  • Enable port 4116 on Windows firewall when the SSO
    Client is installed.

3
New Features in Fireware XTM v11.4.1
  • Branch Office VPN
  • New gateway endpoint setting to specify whether
    the device attempts to resolve the domain name in
    the remote gateway ID.
  • Mobile VPN
  • Mobile VPN with IPSec support for the Shrew
    Soft VPN client
  • Mobile VPN with SSL support for multiple
    authentication users and groups
  • Application Control
  • Clone an Application Control action in the Web
    UI.
  • Configure an action for an application category.
  • Apply an Application Control action to several
    policies at one time.
  • Intrusion Prevention Service (IPS)
  • Enable or disable IPS for several policies at one
    time

4
New Features in Fireware XTM v11.4.1
  • Logging and Reporting
  • New policy to open the ports for LogViewer and
    Report Manager when they are behind a firewall
    external to your Log Server and Report Server.
  • Firebox System Manager
  • Hide warnings for expired trial periods when a
    valid license for the feature exists.
  • New Summary section on the FSM Authentication
    List tab.
  • Centralized Management
  • New Management Groups streamline template
    management for devices.
  • Fireware XTM Web UI
  • Release or renew a DHCP lease for an external
    VLAN in the Web UI.

5
Configuration Files
6
Automatically Create a Configuration File Backup
  • You can configure Policy Manager to automatically
    save a backup copy of the configuration file each
    time you save to a file.
  • To enable this option, select File > Save >
    Always create a backup.
  • The check mark indicates the automatic backup
    copy feature is enabled.
  • Each time you save the configuration to a file,
    Policy Manager saves a second copy of the
    configuration in the same location, with the date
    and timestamp added to the file name.
  • For example, if you save a configuration file
    named HQ-XTM1050 on March 30, 2011 at 11:30 AM,
    Policy Manager saves two files:
  • HQ-XTM1050.xml
  • HQ-XTM1050_2011-3-15_11-30-00.xml

7
Policies
8
Edit SNAT Action from Policy Properties Dialog Box
  • You can now edit an SNAT action from the Policy
    Properties dialog box in Policy Manager.
  • Any changes to the SNAT action apply to all
    policies that use this action.

9
Enforce Safe Search
  • Safe Search enforcement has been added to the
    HTTP-Client proxy action for v11.4.1.
  • In web browser search engines, Safe Search
    enables users to specify what level of
    potentially inappropriate content can be returned
    in search results.
  • Safe Search levels vary between search engines.
    Typical settings are Off, Moderate, and Strict.
  • When you enable Safe Search in the HTTP-Client
    proxy action, the strictest level of Safe Search
    rules are enforced regardless of the settings
    configured in the client search engine settings.

10
Enforce Safe Search
  • In Policy Manager, in the HTTP-Client Proxy
    Action Configuration dialog box, select HTTP
    Request > General Settings and select the Enforce
    Safe Search check box.
  • In Fireware XTM Web UI, select Firewall > Proxy
    Actions and select the HTTP-Client proxy action.
    On the HTTP Request > General Settings page, select
    the "Enforce safe search for major search engines
    such as Google, Bing, Yahoo and YouTube" check box.

11
SNMP
12
Additional MIB Support for SNMP
  • Additional enterprise MIBs are now supported for
    SNMP.
  • The complete list of enterprise MIBs includes:
  • UCD-SNMP-MIB
  • WATCHGUARD-CLIENT-MIB
  • WATCHGUARD-INFO-SYSTEM-MIB
  • WATCHGUARD-IPSEC-ENDPOINT-PAIR-MIB
  • WATCHGUARD-IPSEC-SA-MON-MIB-EXT
  • WATCHGUARD-IPSEC-TUNNEL-MIB
  • WATCHGUARD-POLICY-MIB
  • WATCHGUARD-PRODUCTS-MIB
  • WATCHGUARD-SMI
  • WATCHGUARD-SYSTEM-CONFIG-MIB
  • WATCHGUARD-SYSTEM-STATISTICS-MIB

13
Authentication
14
Default Port for LDAPS
  • When you enable LDAPS for your Active Directory
    or LDAP server, if you do not select the default
    port for LDAPS, you are prompted to change the
    port to the default port for LDAPS.

15
Change the Default Authentication Server
  • Specify which of your configured authentication
    servers appears first in the Authentication
    Portal authentication server Domain list.

16
SSO Agent and SSO Client Enhancements
  • SSO Agent Telnet Security
  • Telnet connections to the SSO Agent are now
    limited to those users who are specified in the
    SSO Agent Configuration Tool users list.
  • Users must have read/write access to make
    configuration changes over a telnet connection.
  • SSO Client Port 4116 Open on Windows Firewall
  • To allow traffic to the SSO Client, when the SSO
    Client is installed, port 4116 is automatically
    enabled on the Windows firewall of the computer
    where you install the SSO Client.

17
Branch Office VPN and Mobile VPN
18
Branch Office VPN Enhancements
  • New gateway endpoint setting specifies whether
    the device attempts to resolve the domain name in
    the Remote Gateway ID.
  • Select this if the remote gateway uses dynamic
    DNS to maintain a mapping between a dynamic
    IP address and a domain name.

19
Changes to Mobile VPN with IPSec
  • As of April 20th, WatchGuard will no longer
    distribute the WatchGuard Mobile VPN with IPSec
    client on the Software Downloads Center.
  • Technical Support will continue to support the
    existing client
  • With Fireware XTM v11.4.1, we have added support
    for the Shrew Soft VPN Client
  • Supported on Windows only
  • Download the Shrew Soft VPN Client from the Shrew
    Soft web site
  • See the product documentation for a list of
    differences between the WatchGuard IPSec client
    and the Shrew Soft VPN client

20
Mobile VPN with IPSec: Shrew Soft VPN Client
  • WatchGuard supports the use of the Shrew Soft VPN
    client for Windows as a Mobile VPN with IPSec
    client.
  • Profile for the Shrew Soft VPN client has a .vpn
    extension.
  • .vpn file is not encrypted and cannot be set to
    read-only
  • Policy Manager generates the .vpn file when it
    generates the .wgx and .ini files
  • In the Web UI you can choose to generate a
    Shrew Soft VPN (.vpn) or WatchGuard Mobile VPN
    (.ini) configuration file.
  • In the CLI, use the new export muvpn
    client-type option to export a .vpn file.
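
Because the .vpn profile is not encrypted, anyone who can read the file can read whatever it carries. The following added example (not WatchGuard or Shrew Soft code) inventories a profile without printing secret values; the `type:key:value` line layout, the key names and the sample profile are assumptions constructed for illustration.

```python
import base64

# Constructed sample profile. The "type:key:value" layout and the key names
# are assumptions about the Shrew Soft profile format, not taken from the page.
SAMPLE_PROFILE = """\
n:version:2
s:network-host:vpn.example.test
s:auth-method:mutual-psk-xauth
s:ident-client-data:MobileUsers
b:auth-mutual-psk:Y29uc3RydWN0ZWQtcHNr
s:policy-list-include:10.0.1.0 / 255.255.255.0
"""

SECRET_KEYS = {"auth-mutual-psk"}  # assumed name of the group pre-shared key


def parse_profile(text):
    """Return a list of (type, key, value) tuples; skip malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[0] in ("n", "s", "b"):
            entries.append(tuple(parts))
    return entries


def audit_profile(text):
    """Summarise what a reader of the file learns, without echoing secrets."""
    report = {"gateway": None, "auth_method": None, "secrets": {}}
    for kind, key, value in parse_profile(text):
        if key == "network-host":
            report["gateway"] = value
        elif key == "auth-method":
            report["auth_method"] = value
        elif key in SECRET_KEYS:
            if kind == "b":  # binary values are assumed to be base64
                try:
                    value = base64.b64decode(value, validate=True).decode("latin-1")
                except ValueError:
                    pass  # not valid base64: count the raw text instead
            report["secrets"][key] = len(value)  # length only, never the value
    report["handle_as_credential"] = bool(report["secrets"])
    return report


if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```

A profile flagged `handle_as_credential` should be distributed and stored like a password, since the file itself offers no protection.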

21
Mobile VPN with IPSec: Shrew Soft VPN Client
  • Download and install the Shrew Soft VPN client
    from http://www.shrew.net/download
  • Use Shrew Soft VPN Access Manager to configure
    and connect.
  • Select File > Import to import the generated .vpn
    profile.
  • Select the imported profile, and click Connect.
  • Use Shrew Soft VPN Trace to troubleshoot your
    connection.

22
Shrew Soft VPN Client Limitations
  • The Shrew Soft VPN client does not support some
    Mobile VPN with IPSec configuration settings and
    features:
  • IKE keep-alive is not supported.
  • Configuration of multiple VPN gateways for
    multi-WAN failover is not supported.
  • Line management configuration settings Connection
    mode and Inactivity timeout are not supported.
  • The Dead Peer Detection (DPD) Traffic idle
    timeout and Max retries configuration settings do
    not apply to the Shrew Soft VPN client. If DPD is
    enabled, Shrew Soft VPN supports DPD with a
    traffic idle timeout value of 15 seconds.
  • RADIUS 2-factor authentication is not supported.
  • The Shrew Soft VPN client does not support a
    read-only profile.
  • The Shrew Soft VPN client does not store the user
    name and password. Users must type the user name
    and password each time they connect.

23
Mobile VPN with SSL: Add Users and Groups
  • Mobile VPN with SSL now supports multiple users
    and groups.
  • The default SSLVPN-Users group is required only
    when you select Firebox-DB.
  • When you add users and groups, the
    Allow-SSLVPN-Users policy shows the group
    SSLVPN-Users, with the authentication type in
    parentheses. This refers to all users and
    groups in the Mobile VPN with SSL configuration.

24
Subscription Services
25
Application Control
  • You can clone an Application Control action in
    the Web UI.
  • You can apply an Application Control action to
    several policies at one time.
  • Select one or more policies.
  • Select the action to apply.

26
Application Control
  • You can configure an action (Drop or Allow) for
    an application category.
  • If new application signatures are added to the
    category, the configured category action
    automatically applies to the new applications.
  • Application-specific actions take precedence over
    category actions.

27
Intrusion Prevention Service
  • You can enable or disable IPS for several
    policies at one time.
  • Select one or more policies.
  • Select the action to apply.

28
Logging and Reporting
29
Open LogViewer and Report Manager Ports
  • The new WG-LogViewer-ReportMgr packet filter
    policy opens the ports that enable you to use
    LogViewer and Report Manager through an XTM
    device.
  • Opens TCP ports 4121 (LogViewer) and 4122 (Report
    Manager).
  • Enables remote access from your LogViewer or
    Report Manager to your Log Server or Report
    Server.

30
Firebox System Manager
31
Hide Expired Service Warnings In FSM
  • Firebox System Manager has a new option to hide
    warnings for expired Subscription Services.
  • Select View > Hide Expired Service Warnings. Or,
    right-click anywhere on the Front Panel tab and
    select Hide Expired Service Warnings.
  • To show the expired service warnings again,
    select View > Hide Expired Service Warnings.

32
Centralized Management
33
Management Groups for Template Management
  • WSM Management Groups streamline template
    management for devices.
  • When you upgrade your Management Server to
    v11.4.1, a Management Group is automatically
    created for each of your v11.0-v11.3.x and v11.4
    templates.
  • Management Groups are not automatically
    created for Firebox X Edge v10.x devices that
    were subscribed to a template.

34
Management Groups for Template Management
  • Devices that were subscribed to a template in
    v11.0-v11.3.x, and v11.4 devices that had a
    template applied to them, are automatically added
    to the Management Group folder with the same name
    as the template they were associated with.

35
Management Groups for Template Management
  • When you create a new template, you can create a
    corresponding Management Group and add devices
    that will use that template. This makes it easy
    to apply updated templates to the devices that
    use each template.
  • You can add one or more devices to a Management
    Group and add each device to one or more
    Management Groups.
  • Each Management Group page shows all the devices
    included in the group.

36
Management Groups for Template Management
  • The Device page includes a Management Groups
    section, which shows the groups the device is a
    member of.
  • When you make changes to a template, you can
    apply the template to one or more of the devices
    in the Management Group for that template.
  • To apply a template to a Management Group, drag
    the template to the Management Group folder. The
    Apply Template wizard launches. You can select to
    apply the template to one or more devices in the
    folder.

37
Fireware XTM Web UI
38
Renew or Release a DHCP Lease
  • Fireware XTM Web UI includes a new option to
    release or renew a DHCP lease for an external
    VLAN.
  • Select System Status > Interfaces.
  • Select an external interface with DHCP enabled
    and click DHCP Release or DHCP Renew.

39
THANK YOU!