What - PowerPoint PPT Presentation

About This Presentation
Title:

What

Description:

Mobile VPN Mobile VPN with IPSec support for the Shrew Soft VPN client Mobile VPN with SSL support for multiple authentication users and groups Application ... – PowerPoint PPT presentation

Number of Views:118
Avg rating:3.0/5.0
Slides: 40
Provided by: WatchGuard8
Category:
Tags:

less

Transcript and Presenter's Notes

Title: What


1
Whats New in Fireware XTM v11.4.1
2
New Features in Fireware XTM v11.4.1
  • Configuration Files
  • Automatically save a time-stamped backup copy of
    the configuration file each time you save to a
    file.
  • Policies
  • Edit SNAT objects from the Policy Manager Policy
    Properties dialog box.
  • Safe Search enforcement added to the HTTP-Client
    proxy action.
  • SNMP
  • Additional enterprise MIB support for SNMP.
  • Authentication
  • Prompt to select the default LDAPS port when
    LDAPS is enabled.
  • Specify which authentication server appears first
    in the Authentication Portal.
  • Select the users that can connect to the SSO
    Agent with Telnet.
  • Enable port 4116 on Windows firewall when the SSO
    Client is installed.

3
New Features in Fireware XTM v11.4.1
  • Branch Office VPN
  • New gateway endpoint setting to specify whether
    the device attempts to resolve the domain name in
    the remote gateway ID.
  • Mobile VPN
  • Mobile VPN with IPSec support for the Shrew
    Soft VPN client
  • Mobile VPN with SSL support for multiple
    authentication users and groups
  • Application Control
  • Clone an Application Control action in the Web
    UI.
  • Configure an action for an application category.
  • Apply an Application Control action to several
    policies at one time.
  • Intrusion Prevention Service (IPS)
  • Enable or disable IPS for several policies at one
    time

4
New Features in Fireware XTM v11.4.1
  • Logging and Reporting
  • New policy to open the ports for LogViewer
    Report Manager when they are behind a firewall
    external to your Log Server and Report Server.
  • Firebox System Manager
  • Hide warnings for expired trial periods when a
    valid license for the feature exists.
  • New Summary section on the FSM Authentication
    List tab.
  • Centralized Management
  • New Management Groups streamline template
    management for devices.
  • Fireware XTM Web UI
  • Release or renew a DHCP lease for an external
    VLAN in the Web UI.

5
Configuration Files
6
Automatically Create a Configuration File Backup
  • You can configure Policy Manager to automatically
    save a backup copy of the configuration file each
    time you save to a file.
  • To enable this option, select File gt Save gt
    Always create a backup.
  • The check mark indicates the automatic backup
    copy feature is enabled.
  • Each time you save the configuration to a file,
    Policy Manager saves a second copy of the
    configuration in the same location, with the date
    and timestamp added to the file name.
  • For example, if you save a configuration file
    named HQ-XTM1050 on March 30, 2011 at 1130 AM,
    Policy Manager saves two files
  • HQ-XTM1050.xml
  • HQ-XTM1050_2011-3-15_11-30-00.xml

7
Policies
8
Edit SNAT Action from Policy Properties Dialog Box
  • You can now edit an SNAT action from the Policy
    Properties dialog box in Policy Manager.
  • Any changes to the SNAT action apply to all
    policies that use this action.

9
Enforce Safe Search
  • Safe Search enforcement has been added to the
    HTTP-Client proxy action for v11.4.1.
  • In web browser search engines, Safe Search
    enables users to specify what level of
    potentially inappropriate content can be returned
    in search results.
  • Safe Search levels vary between search engines.
    Typical settings are Off, Moderate, and Strict.
  • When you enable Safe Search in the HTTP-Client
    proxy action, the strictest level of Safe Search
    rules are enforced regardless of the settings
    configured in the client search engine settings.

10
Enforce Safe Search
  • In Policy Manager, in the HTTP-Client Proxy
    Action Configuration dialog box, select HTTP
    Request gt General Settings and select the Enforce
    Safe Search check box.
  • In Fireware XTM Web UI, select Firewall gt Proxy
    Actions select the HTTP-Client proxy action. On
    the HTTP Request gt General Settings page, select
    the Enforce safe search for major search engines
    such as Google, Bing, Yahoo and YouTube check box.

11
SNMP
12
Additional MIB Support for SNMP
  • Additional enterprise MIBs are now supported for
    SNMP.
  • The complete list of enterprise MIBs includes
  • UCD-SNMP-MIB
  • WATCHGUARD-CLIENT-MIB
  • WATCHGUARD-INFO-SYSTEM-MIB
  • WATCHGUARD-IPSEC-ENDPOINT-PAIR-MIB
  • WATCHGUARD-IPSEC-SA-MON-MIB-EXT
  • WATCHGUARD-IPSEC-TUNNEL-MIB
  • WATCHGUARD-POLICY-MIB
  • WATCHGUARD-PRODUCTS-MIB
  • WATCHGUARD-SMI
  • WATCHGUARD-SYSTEM-CONFIG-MIB
  • WATCHGUARD-SYSTEM-STATISTICS-MIB

13
Authentication
14
Default Port for LDAPS
  • When you enable LDAPS for your Active Directory
    or LDAP server, if you do not select the default
    port for LDAPS, you are prompted to change the
    port to the default port for LDAPS.

15
Change the Default Authentication Server
  • Specify which of your configured authentication
    servers appears first in the Authentication
    Portal authentication server Domain list.

16
SSO Agent SSO Client Enhancements
  • SSO Agent Telnet Security
  • Telnet connections to the SSO Agent are now
    limited to those users who are specified in the
    SSO Agent Configuration Tool users list.
  • Users must have read/write access to make
    configuration changes over a telnet connection.
  • SSO Client Port 4116 Open on Windows Firewall
  • To allow traffic to the SSO Client, when the SSO
    Client is installed, port 4116 is automatically
    enabled on the Windows firewall of the computer
    where you install the SSO Client.

17
Branch Office VPN and Mobile VPN
18
Branch Office VPN Enhancements
  • New gateway endpoint setting specifies whether
    the device attempts to resolve the domain name in
    the Remote Gateway ID.
  • Select this if the remote gateway uses dynamic
    DNS to maintain a mapping between a dynamic
    IP address and a domain name.

19
Changes to Mobile VPN with IPSec
  • As of April 20th, WatchGuard will no longer
    distribute the WatchGuard Mobile VPN with IPSec
    client on the Software Downloads Center.
  • Technical Support will continue to support the
    existing client
  • With Fireware XTM v11.4.1, we have added support
    for the Shrew Soft VPN Client
  • Supported on Windows only
  • Download the Shrew Soft VPN Client from the Shrew
    Soft web site
  • See the product documentation for a list of
    differences between the WatchGuard IPSec client
    and the Shrew Soft VPN client

20
Mobile VPN with IPSec Shrew Soft VPN Client
  • WatchGuard supports the use of the Shrew Soft VPN
    client for Windows as a Mobile VPN with IPSec
    client.
  • Profile for the Shrew Soft VPN client has a .vpn
    extension.
  • .vpn file is not encrypted and cannot be set to
    read-only
  • Policy Manager generates the .vpn file when it
    generates the .wgx and .ini files
  • In the Web UI you can choose to generate a
    Shrew Soft VPN (.vpn) or WatchGuard Mobile VPN
    (.ini) configuration file.
  • In the CLI, use the newexport muvpn
    client-typeoption to export a .vpn file.

21
Mobile VPN with IPSec Shrew Soft VPN Client
  • Download and install the Shrew Soft VPN client
    from http//www.shrew.net/download
  • Use Shrew Soft VPN Access Manager to configure
    and connect.
  • Select File gt Import to import the generated .vpn
    profile.
  • Select the imported profile, and click Connect.
  • Use Shrew Soft VPN Trace to troubleshoot your
    connection.

22
Shrew Soft VPN Client Limitations
  • The Shrew Soft VPN client does not support some
    Mobile VPN with IPSec configuration settings and
    features
  • IKE keep-alive is not supported.
  • Configuration of multiple VPN gateways for
    multi-WAN failover is not supported.
  • Line management configuration settings Connection
    mode and Inactivity timeout are not supported.
  • The Dead Peer Detection (DPD) Traffic idle
    timeout and Max retries configuration settings do
    not apply to the Shrew Soft VPN client. If DPD is
    enabled, Shrew Soft VPN supports DPD with a
    traffic idle timeout value of 15 seconds.
  • RADIUS 2-factor authentication is not supported.
  • The Shrew Soft VPN client does not support a
    read-only profile.
  • The Shrew Soft VPN client does not store the user
    name and password. Users must type the user name
    and password each time they connect.

23
Mobile VPN with SSL Add Users and Groups
  • Mobile VPN with SSL now supports multiple users
    and groups.
  • The default SSLVPN-Users group is required only
    when you select Firebox-DB.
  • When you add users and groups, the
    Allow-SSLVPN-Users policy shows the group
    SSLVPN-Users, withthe authentication type in
    parentheses. This refers to all users and
    groups in the Mobile VPN with SSL configuration.

24
Subscription Services
25
Application Control
  • You can clone an Application Control action in
    the Web UI.
  • You can apply an Application Control action to
    several policies at one time.
  • Select one or more policies.
  • Select the action to apply.

26
Application Control
  • You can configure an action (Drop or Allow) for
    an application category.
  • If new application signatures are added to the
    category, the configured category action
    automatically applies to the new applications.
  • Application-specific actions take precedence over
    category actions.

27
Intrusion Prevention Service
  • You can enable or disable IPS for several
    policies at one time.
  • Select one or more policies.
  • Select the action to apply.

28
Logging Reporting
29
Open LogViewer Report Manager Ports
  • The new WG-LogViewer-ReportMgr packet filter
    policy opens the ports that enable you to use
    LogViewer and Report Manager through an XTM
    device.
  • Opens TCP ports 4121 (LogViewer) and 4122 (Report
    Manager).
  • Enables remote access from your LogViewer or
    Report Manager to your Log Server or Report
    Server.

30
Firebox System Manager
31
Hide Expired Service Warnings In FSM
  • Firebox System Manager has a new option to hide
    warnings for expired Subscription Services.
  • Select View gt Hide Expired Service Warnings.Or,
    right-click anywhere on the Front Panel tab and
    select Hide Expired Service Warnings.
  • To show the expired service warnings again,
    select View gt Hide Expired Service Warnings.

32
Centralized Management
33
Management Groups for Template Management
  • WSM Management Groups streamline template
    management for devices.
  • When you upgrade your Management Server to
    v11.4.1, a Management Group is automatically
    created for each of your v11.0v11.3.x and v11.4
    templates.
  • Management Groups are not automatically
    created for Firebox X Edge v10.x devices that
    were subscribed to a template.

34
Management Groups for Template Management
  • Devices that were subscribed to a template in
    v11.0v11.3.x, and v11.4 devices that had a
    template applied to them, are automatically added
    to the Management Group folder with the same name
    as the template they were associated with.

35
Management Groups for Template Management
  • When you create a new template, you can create a
    corresponding Management Group and add devices
    that will use that template. This makes it easy
    to apply updated templates to the devices that
    use each template.
  • You can add one or more devices to a Management
    Group and add each device to one or more
    Management Groups.
  • Each Management Group page shows all the devices
    included in the group.

36
Management Groups for Template Management
  • The Device page includes a Management Groups
    section, which shows the groups the device is a
    member of.
  • When you make changes to a template, you can
    apply the template to one or more of the devices
    in the Management Group for that template.
  • To apply a template to a Management Group, drag
    the template to the Management Group folder. The
    Apply Template wizard launches. You can select to
    apply the template to one or more devices in the
    folder.

37
Fireware XTM Web UI
38
Renew or Release a DHCP Lease
  • Fireware XTM Web UI includes a new option to
    release or renew a DHCP lease for an external
    VLAN.
  • Select System Status gt Interfaces.
  • Select an external interface with DHCP enabled
    and click DHCP Release or DHCP Renew.

39
THANK YOU!
Write a Comment
User Comments (0)
About PowerShow.com