What's New in Fireware XTM v11.6 - PowerPoint PPT Presentation

Slides: 48
Provided by: WatchGuard56
Tags: routing

Transcript and Presenter's Notes

1
What's New in Fireware XTM v11.6
2
Changes in Fireware XTM v11.6
  • WatchGuard Servers
      • Schedule Tasks for Management Groups
      • Compliance Reporting
      • Automatic WebBlocker Database Updates
  • Authentication
      • Authentication Auto-Redirect to Host Name
      • Authentication Portal Support for Mobile Devices
      • Test LDAP or Active Directory Server Connection
      • Single Sign-On Support for Terminal Services
  • Configuration
      • Policy Manager Default View
      • XTM Configuration Report

3
Changes in Fireware XTM v11.6
  • Diagnostics
      • Policy Checker
      • Download a PCAP File in FSM Diagnostic Tasks
  • Proxies and ALGs
      • New Deny Message in the HTTP-Client and
        HTTP-Server Proxy Actions
      • More data sources for Reputation Enabled Defense
      • SIP-ALG Registration Expiration
  • Networking
      • Increased Maximum Number of VLANs
      • Wireless Hotspot Splash Screen Uses HTTP
      • Configurable Dynamic Routing Policies

4
Changes in Fireware XTM v11.6
  • Branch Office VPN
      • Inbound IPSec Pass-through
      • Improved VPN Phase 2 Key Expiration Settings
      • Branch Office VPN Diagnostics
      • Branch Office VPN Log Message Header
  • Help System Improvements
      • HTML5 and Improved Search
      • What's New in This Release Topic

5
WatchGuard Servers
6
Schedule Tasks for Management Groups
  • From the right-click context menu, you can now
    schedule these tasks for Management Groups:
      • Schedule OS Update
      • Schedule Feature Key Synchronization
      • Schedule Reboot

7
Compliance Reporting
  • New group of reports for compliance with HIPAA
    and PCI regulations.
  • Reports included in this group:
      • Alarm Summary Report
      • Audit Trail
      • User Authentication Denied
      • Gateway AntiVirus Summary
      • Intrusion Prevention Service Summary
  • From WSC, schedule the Compliance Reports to
    generate. Select Report Server > Report
    Generation > Report Schedules.

8
Compliance Reporting
  • Add a New Schedule that includes the Compliance
    Reports you want to generate.
  • Schedule the Compliance Reports to run once or
    recurrently.

9
Compliance Reporting
  • Review Compliance Reports in Log and Report
    Manager.
  • Compliance Reports that have been generated for
    the selected device appear in the Available
    Reports list and on the Compliance tab.
  • You can pivot on the Compliance Report type
    (HIPAA or PCI) to update the data that appears in
    the report.
  • You can also export the displayed report details
    to a PDF file.

10
Automatic WebBlocker Database Updates
  • The WebBlocker Server automatically updates the
    WebBlocker database every night at midnight,
    based on the local time on the WebBlocker Server.
  • The WebBlocker Server does not stop and restart
    during the update process.
  • The WebBlocker Server must be running at midnight
    for the update to occur.
  • There is no change to the WebBlocker Server
    management settings in WatchGuard Server Center.
  • You cannot change the update schedule or disable
    the automatic update.
  • You can still manually start a database update
    from WSC.
  • You can continue to use Windows Task Scheduler to
    run the updatedb.bat batch file, which is
    installed with WSM.
  • This does not disable the automatic update at
    midnight.

11
Authentication
12
Auto-Redirect to Host Name in Authentication
Portal
  • Add a host name in the Authentication Portal page
    settings to redirect users from an IP address to
    a host name.
  • In Policy Manager, select Setup > Authentication
    Settings > Firewall Authentication.
  • In Fireware XTM Web UI, select Authentication >
    Settings.
  • Select the Automatically redirect users to the
    authentication page and the Redirect traffic
    sent to the IP address of the XTM device to
    this host name check boxes.
  • Specify the host name for the redirect.

13
Authentication Portal Support for Mobile Devices
  • Users of mobile devices, such as smart phones,
    can now log in to the Authentication portal (over
    port 4100).
  • The Authentication portal page is now created in
    HTML, rather than XSLT, so smart phone browsers
    can load the page.

14
Test Connection to AD LDAP Servers
  • From Fireware XTM Web UI and CLI, you can test
    the connection to your currently configured
    Active Directory or LDAP server.
  • You only need to specify the domain name of the
    server to test the connection.
  • You can also find the group information and
    authentication status for a user in your Active
    Directory server.
  • Specify the user's credentials and the domain
    name that corresponds to the user account.
  • In Fireware XTM Web UI, test the authentication
    server connection from two places:
      • Select System Status > Server Connection.
      • On the Authentication Servers > LDAP page or the
        Authentication Servers > Active Directory page,
        click Test Connection. This redirects you to the
        System Status > Server Connection page.

15
Test Connection to AD LDAP Servers
  • On the Server Connection page, specify the
    Authentication Server to test, and the User Name
    and Password to use to test the connection.
  • Click Test Connection to find whether the XTM
    device can communicate with the authentication
    server, and to get group information for the
    specified user.
  • The Results section includes the
    connection status and user group details.

16
Test Connection to AD LDAP Servers
  • From the CLI, run this command:
    diagnose auth-user <username> <password> <auth domain>
  • CLI output example:

    WG>diagnose auth-user "XTM Admin" readwrite wgtraining.local
    --- User Authenticated Test Results ---
    Connect to server: OK, connected to 192.168.54.61
    Log in (bind): OK, user XTM Admin@wgtraining.local authenticated
    --- Get group list ---
    Domain Users, SSLVPN-Users, Local-Admins, Unrestricted-internet,
    WG-mgmt-server-admins, Remote Operators, Users,
    Remote Desktop Users, Administrators
17
Single Sign-On for Terminal Services
  • Terminal Services now supports Single Sign-On, so
    users do not have to manually authenticate to the
    authentication portal.
  • When a user logs in to the domain, the TO Agent
    collects the user's credentials and group
    information and provides it to the XTM device.
  • The XTM device then creates the authentication
    session for the user.
  • When the user logs off, the TO Agent
    automatically sends the logoff information to
    the XTM device, and the XTM device closes the
    user's authenticated session.

18
Configuration
19
Policy Manager Default View
  • The default view in Policy Manager has changed
    from Large Icons to Details.

20
XTM Configuration Report Feature Preview
  • From Fireware XTM Web UI, you can open the XTM
    device configuration as an HTML page that you can
    view in your browser or print.
  • Select System > Configuration File > XTM
    Configuration Report. The XTM Configuration
    Report appears in a new browser window.
  • From the CLI, use the export command with the
    html option.

21
XTM Configuration Report Feature Preview
  • Not all configuration information is included in
    this report.
  • It does not include:
      • FireCluster
      • Multi-WAN details
      • Dynamic routing
      • Wireless
      • IPv6, secondary networks, MAC access control,
        PPPoE, DHCP client, DHCP server, and advanced
        interface settings
      • Some policy and proxy settings, such as
        policy-based routing, IPS, Application Control,
        and notification
      • Proxy action configuration details

22
Diagnostics
23
Policy Checker Feature Preview
  • Available in Fireware XTM Web UI and the Command
    Line Interface.
  • You must specify these parameters in your search:
      • An interface
      • A protocol: Ping, TCP, or UDP
      • Source and destination IP address
      • Source and destination port (only applies if you
        select TCP or UDP as the protocol)
  • Search results can include any of these details:
      • Policy type
      • Policy name
      • An action
      • An interface
      • Source or destination NAT IP address
      • Source or destination NAT port

24
Policy Checker Feature Preview
  • In the Web UI, the applicable policy is
    highlighted in the Firewall Policies list.
  • In the CLI, use the new policy-check command.
  • The interface name is case sensitive.
  • CLI example:

    WG>policy-check Trusted ping 10.0.100.2 203.0.113.2
    --- Result of policy check ---
    Policy name: Ping-00
    Cost: 126
    Type: Policy
    Action: Allowed
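The lookup the Policy Checker performs can be modelled in a few dozen lines. The block below is an added example and is not WatchGuard code: the policies, interface names and addresses are constructed for the demo, and the "cost" is an assumed specificity score (narrower address scope and an explicit port cost less, lowest cost wins), not the Cost value the Firebox CLI reports. It takes the same search parameters the slides list (interface, protocol, source and destination IP, and ports for TCP/UDP only), treats the interface name as case sensitive, and renders the result in the shape of the CLI output above.

```python
# Added example, not WatchGuard code: a minimal model of the lookup the
# Policy Checker performs. The policies, interface names and addresses are
# constructed for the demo, and cost() is an assumed specificity score; the
# real Firebox rule evaluation and its Cost values are not reproduced.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    protocol: str                   # "ping", "tcp" or "udp"
    interfaces: frozenset           # ingress interface names, case-sensitive
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None  # None = any port (ignored for ping)
    action: str = "Allowed"
    nat_ip: Optional[str] = None    # destination NAT target, if the policy has one
    nat_port: Optional[int] = None

    def cost(self) -> int:
        # Assumed scoring: every unspecified address bit and an unspecified
        # port add to the cost, so the most specific policy wins.
        port_penalty = 1 if self.dst_port is None else 0
        return (32 - self.src.prefixlen) + (32 - self.dst.prefixlen) + port_penalty


def policy_check(policies: Iterable[Policy], interface: str, protocol: str,
                 src_ip: str, dst_ip: str,
                 src_port: Optional[int] = None,
                 dst_port: Optional[int] = None) -> Optional[Policy]:
    """Return the policy that handles the described packet, or None.

    Search parameters mirror the slide: interface, protocol (Ping, TCP or
    UDP), source/destination IP, and ports, which apply only to TCP/UDP.
    """
    protocol = protocol.lower()
    if protocol not in ("ping", "tcp", "udp"):
        raise ValueError(f"unsupported protocol: {protocol}")
    if protocol != "ping" and (src_port is None or dst_port is None):
        raise ValueError("source and destination port are required for TCP/UDP")
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)

    candidates = []
    for p in policies:
        if p.protocol != protocol or interface not in p.interfaces:
            continue                        # wrong protocol or ingress interface
        if src not in p.src or dst not in p.dst:
            continue                        # address scope does not match
        if protocol != "ping" and p.dst_port not in (None, dst_port):
            continue                        # port-specific policy for another port
        candidates.append(p)
    if not candidates:
        return None
    return min(candidates, key=lambda p: (p.cost(), p.name))


def format_result(policy: Optional[Policy]) -> str:
    """Render the result in the same shape as the CLI output on the slide."""
    if policy is None:
        return "--- Result of policy check ---\nNo matching policy"
    lines = ["--- Result of policy check ---",
             f"Policy name: {policy.name}",
             f"Cost: {policy.cost()}",
             "Type: Policy",
             f"Action: {policy.action}"]
    if policy.nat_ip is not None:
        lines.append(f"Destination NAT: {policy.nat_ip}:{policy.nat_port}")
    return "\n".join(lines)


# Constructed demo ruleset (not a real Firebox configuration).
DEMO_POLICIES = (
    Policy("Ping-00", "ping", frozenset({"Trusted", "Optional"}),
           ipaddress.IPv4Network("0.0.0.0/0"), ipaddress.IPv4Network("0.0.0.0/0")),
    Policy("HTTPS-out", "tcp", frozenset({"Trusted"}),
           ipaddress.IPv4Network("10.0.100.0/24"), ipaddress.IPv4Network("0.0.0.0/0"),
           dst_port=443),
    Policy("Web-SNAT", "tcp", frozenset({"External"}),
           ipaddress.IPv4Network("0.0.0.0/0"), ipaddress.IPv4Network("203.0.113.2/32"),
           dst_port=80, nat_ip="10.0.100.80", nat_port=8080),
)

if __name__ == "__main__":
    print(format_result(policy_check(DEMO_POLICIES, "Trusted", "ping",
                                     "10.0.100.2", "203.0.113.2")))
```

Running the block reproduces the Ping-00 lookup from the slide against the constructed ruleset; changing "Trusted" to "trusted" returns no policy, which is the case-sensitivity caveat the next slide warns about, and a TCP lookup without ports raises an error rather than silently matching.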
25
Download PCAP File from FSM Diagnostic Tasks
  • From the FSM Traffic Monitor, you can run a
    Diagnostic Task to download a PCAP file.
  • From the Diagnostic Tasks dialog box, run a TCP
    Dump task. When you have collected enough
    results, click Stop Task.
  • Click the Save Pcap file button that appears,
    and specify a location to save the file.
  • Open the PCAP file in third-party utilities,
    such as Wireshark, to analyze this file.

26
Proxies and ALGs
27
New Deny Message for HTTP Proxy Actions
  • The Default Deny Message in the HTTP proxy action
    has been changed.

28
More Data Sources for Reputation Enabled Defense
  • The reputation score for a URL is based on
    feedback collected from devices around the world.
  • It has previously used scan results from two
    leading anti-malware engines (AVG and Kaspersky),
    based on data collected from XTM and XCS devices.
  • Reputation Enabled Defense now uses additional
    data feeds from other leading sources of malware
    intelligence, such as Phishtank and
    malwaredomainlist.com, to improve the accuracy of
    URL reputation scores.

29
SIP-ALG Registration Expiration
  • In the SIP-ALG proxy action General settings, use
    the new Registration expires after setting to
    specify the elapsed time interval before the
    SIP-ALG rewrites the SIP registration value.
  • VoIP phones and PBX systems use this value to
    update their registration.
  • The default value is 180 seconds (three minutes)
    and the maximum value is 600 seconds (ten
    minutes).
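What the "Registration expires after" setting does to traffic is easiest to see on a concrete SIP message. The block below is an added example and is not WatchGuard code: it rewrites the registration lifetime in a REGISTER response the way a SIP ALG would, using the page's default of 180 seconds and maximum of 600 seconds as bounds. The SIP message is constructed, and the rewrite policy is an assumption (a lifetime longer than the configured interval is reduced to it, a shorter one is left alone).

```python
# Added example, not WatchGuard code: shows the effect of a SIP ALG's
# "Registration expires after" setting by rewriting the registration lifetime
# in a REGISTER response. The message is constructed; the clamp-to-interval
# behaviour is an assumption about what "rewrites the registration value" does.
import re
from typing import Optional

DEFAULT_EXPIRES = 180   # seconds (three minutes), the default on the page
MAX_EXPIRES = 600       # seconds (ten minutes), the maximum on the page

_CONTACT_EXPIRES = re.compile(r"(;expires=)(\d+)", re.IGNORECASE)


def clamp_sip_expires(message: str, expires_after: int = DEFAULT_EXPIRES) -> str:
    """Return the SIP message with every registration lifetime capped at expires_after."""
    if not 1 <= expires_after <= MAX_EXPIRES:
        raise ValueError(f"expires_after must be 1..{MAX_EXPIRES} seconds")
    head, sep, body = message.partition("\r\n\r\n")
    out = []
    for line in head.split("\r\n"):
        name, colon, value = line.partition(":")
        key = name.strip().lower()
        if colon and key == "expires":
            # Top-level Expires header: the whole value is the lifetime in seconds.
            out.append(f"Expires: {min(int(value.strip()), expires_after)}")
        elif colon and key in ("contact", "m"):
            # Contact header (compact form "m"): lifetime is an ;expires= parameter.
            value = _CONTACT_EXPIRES.sub(
                lambda m: m.group(1) + str(min(int(m.group(2)), expires_after)), value)
            out.append(f"{name}:{value}")
        else:
            out.append(line)
    return "\r\n".join(out) + sep + body


def registration_lifetime(message: str) -> Optional[int]:
    """Lifetime a response grants: the Contact ;expires= parameter wins, else Expires."""
    head = message.partition("\r\n\r\n")[0]
    fallback = None
    for line in head.split("\r\n"):
        name, colon, value = line.partition(":")
        key = name.strip().lower()
        if colon and key in ("contact", "m"):
            m = _CONTACT_EXPIRES.search(value)
            if m:
                return int(m.group(2))
        elif colon and key == "expires":
            fallback = int(value.strip())
    return fallback


# Constructed 200 OK to a REGISTER: the PBX granted a one-hour registration.
SAMPLE_REGISTER_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@pbx.example>;tag=1928301774\r\n"
    "To: <sip:1001@pbx.example>;tag=a6c85cf\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:1001@192.0.2.10:5060>;expires=3600\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(clamp_sip_expires(SAMPLE_REGISTER_OK))
```

With the default interval the phone sees a 180-second registration instead of the hour the PBX granted, so it re-registers every three minutes and the ALG's NAT state for it is refreshed; the value check at the top rejects anything outside the 1..600 range the page describes.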

30
Networking
31
Increased Maximum Number of VLANs
  • The maximum number of VLANs has been increased
    for most models.
  • The updated maximum number of VLANs per model
    is:

    XTM model            Maximum number of VLANs
    XTM 33, 330          75
    XTM 505              100
    XTM 510              200
    XTM 520              300
    XTM 530              400
    XTM 810, 820, 830    500
    XTM 1050             500
    XTM 2050             500
32
Wireless Hotspot Splash Screen Uses HTTP
  • The wireless hotspot splash screen now uses HTTP
    instead of HTTPS.
  • This change prevents the certificate warning that
    appeared to users.
  • In Fireware XTM v11.5.x and earlier, the URL of
    the wireless hotspot splash screen was
    https://<IP address of the wireless network>:4100/hotspot
  • In Fireware XTM v11.6, the URL of the wireless
    hotspot splash screen is
    http://<IP address of the wireless network>:4106/hotspot
  • This change was introduced in Fireware XTM
    v11.5.3 Update 1.

33
Configurable Dynamic Routing Policies
  • When you enable a dynamic routing protocol, the
    required dynamic routing policy (BGP, OSPF, or
    RIP) is automatically added to the configuration.
  • In previous versions, the dynamic routing policy
    was hidden and not editable.
  • Now, the added policy is not hidden. This enables
    you to configure static NAT, 1-to-1 NAT, logging,
    and alarms in your dynamic routing policies.
  • When you upgrade a device to Fireware XTM v11.6,
    the hidden dynamic routing policies are removed,
    and editable policies are automatically created.

34
Configurable Dynamic Routing Policies
  • Policy Manager asks if you want to add the
    required policies if:
      • You enable a dynamic routing protocol and there
        is no dynamic routing policy.
      • You save a configuration to the XTM device, and
        there is no dynamic routing policy for an enabled
        dynamic routing protocol.
  • If you click Yes, Policy Manager automatically
    creates a policy for each enabled dynamic routing
    protocol that does not have a policy. The
    automatically created dynamic routing policies
    are DR-OSPF-Allow, DR-BGP-Allow, and DR-RIP-Allow.
  • If a dynamic routing policy already exists but
    is disabled, Policy Manager enables that existing
    policy instead of creating a new policy.

35
Configurable Dynamic Routing Policies
  • Fireware XTM Web UI automatically enables or adds
    the required policies for enabled dynamic routing
    protocols when you save a change to the dynamic
    routing configuration.
  • Unlike Policy Manager, there is no option to not
    create the dynamic routing policy.

36
Configurable Dynamic Routing Policies
  • Other confirmation or informational dialog boxes
    appear if you:
      • Delete the dynamic routing policy for an enabled
        dynamic routing protocol
      • Disable the dynamic routing policy for an
        enabled dynamic routing protocol
      • Disable a dynamic routing protocol that has an
        associated dynamic routing policy

37
Branch Office VPN
38
Inbound IPSec Pass-Through
  • New global VPN setting: Enable built-in IPSec
    Policy.
  • The built-in IPSec policy is not new. Only the
    ability to disable it is new.
  • The built-in IPSec policy is hidden and is
    enabled by default.
  • The built-in IPSec policy allows incoming IPSec
    traffic to the XTM device.
  • The built-in policy enables the XTM device to
    function as an IPSec VPN endpoint.
  • Disable the built-in IPSec policy only if you
    want to add IPSec policies to handle incoming
    IPSec traffic and direct some or all VPN traffic
    to another VPN endpoint.

39
Inbound IPSec Pass-Through
  • If you want an IPSec VPN tunnel to pass through
    the XTM device and terminate on a VPN gateway
    behind the XTM device, you must:
      • In the global VPN settings, clear the Enable
        built-in IPSec Policy check box.
      • Add IPSec policies to allow IPSec traffic to the
        VPN gateway. You can use SNAT or 1-to-1 NAT to
        route inbound IPSec traffic to a different
        device.
      • If you want some tunnels to terminate at the XTM
        device, add another IPSec policy to allow other
        IPSec traffic to the XTM device.

40
Improved VPN Phase 2 Key Expiration Settings
  • The Branch Office VPN Phase 2 Proposal
    configuration is updated.
  • Select the Time and Traffic checkboxes to force
    the gateway endpoints to exchange new keys after
    a quantity of time or traffic has passed.
  • You cannot set a Force Key Expiration value to
    zero. You can only disable it.
  • If both Force Key Expiration options
    are disabled, the key expiration interval is set
    to 8 hours.
  • By default, both options are enabled, and the
    default settings are the same as in previous
    releases:
      • 8 hours
      • 128000 kilobytes

41
Branch Office VPN Diagnostic Report
  • New VPN Diagnostic Report provides information to
    help you troubleshoot a branch office VPN.
  • This appears as a new VPN tab in the Diagnostics
    Tasks dialog box.
  • To run the VPN Diagnostic Report from Firebox
    System Manager:
      • On the Traffic Monitor tab, right-click and
        select Diagnostic Tasks. Or, select Tools >
        Diagnostic Tasks.
      • Select the VPN tab.
      • Select a Gateway to test.
      • Select a Duration to run the test.
      • Click Start Report.
  • To run this report from the Fireware XTM Web UI,
    select System Status > Diagnostic Tasks.

42
Branch Office VPN Diagnostic Report
  • The diagnostic log level for the selected VPN
    gateway is temporarily increased for the duration
    of the diagnostic report. Maximum duration is 60
    seconds.
  • The VPN Diagnostic Report contains these
    sections:
      • Gateway Summary: A summary of the gateway
        configuration, and each configured gateway
        endpoint
      • Tunnel Summary: A summary of the tunnel
        configuration for all tunnels that use the
        selected gateway
      • Run-time Info (gateway IKE_SA): The status of
        the IKE (Phase 1) security association for the
        selected gateway
      • Run-time Info (tunnel IPSEC_SA): The status of
        the IPSec tunnel (Phase 2) security association
        for active tunnels that use the selected gateway
      • Run-time Info (tunnel IPSec_SP): The status of
        the IPSec tunnel (Phase 2) security policy for
        active tunnels that use the selected gateway
      • Related Logs: Tunnel negotiation log messages,
        if a tunnel negotiation occurs during the time
        period that you run the diagnostic report

43
BOVPN Log Message Header
  • Branch office VPN log messages now include a
    header that shows the IP addresses of the local
    and remote VPN gateway.
  • The format of the header is
    (local_gateway_ip<->remote_gateway_ip).
  • The header enables you to filter the log messages
    by the gateway IP address to find the messages
    related to a VPN gateway.
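The filtering the header makes possible is simple to script. The block below is an added example, not WatchGuard code: it extracts the (local_gateway_ip<->remote_gateway_ip) header described on this slide from branch office VPN log lines, keeps the lines that mention a given gateway address on either side, and counts messages per gateway pair. Only the header format comes from the page; the log lines themselves, including their timestamps, process names and message text, are constructed for the demo and do not reproduce real Fireware log output.

```python
# Added example, not WatchGuard code: parses the "(local<->remote)" gateway
# header described on the page out of BOVPN log lines and filters by gateway
# address. SAMPLE_LOGS is constructed; only the header format is from the page.
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HEADER_RE = re.compile(rf"\((?P<local>{IPV4})<->(?P<remote>{IPV4})\)")

# Constructed sample log lines (not real Fireware output). The last line has
# no VPN header, as a non-VPN message would not.
SAMPLE_LOGS = [
    "2012-02-01 09:12:01 iked (198.51.100.1<->203.0.113.10) IKE phase 1 negotiation started",
    "2012-02-01 09:12:02 iked (198.51.100.1<->203.0.113.10) IKE phase 1 SA established",
    "2012-02-01 09:12:03 iked (198.51.100.1<->203.0.113.10) IKE phase 2 SA established",
    "2012-02-01 09:15:44 iked (198.51.100.1<->192.0.2.77) IKE phase 1 negotiation started",
    "2012-02-01 09:15:49 iked (198.51.100.1<->192.0.2.77) IKE phase 1 negotiation timed out",
    "2012-02-01 09:16:00 sessiond admin user logged in from 10.0.100.2",
]


def parse_gateway_pair(line: str) -> Optional[Tuple[str, str]]:
    """Return (local_gateway_ip, remote_gateway_ip) from the header, or None."""
    m = HEADER_RE.search(line)
    return (m.group("local"), m.group("remote")) if m else None


def filter_by_gateway(lines: Iterable[str], gateway_ip: str) -> List[str]:
    """Keep lines whose header names gateway_ip as the local or the remote gateway."""
    kept = []
    for line in lines:
        pair = parse_gateway_pair(line)
        if pair and gateway_ip in pair:
            kept.append(line)
    return kept


def messages_per_pair(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Count log lines per (local, remote) pair: a quick view of which peers are talking."""
    return dict(Counter(p for p in map(parse_gateway_pair, lines) if p))


if __name__ == "__main__":
    for line in filter_by_gateway(SAMPLE_LOGS, "192.0.2.77"):
        print(line)
    print(messages_per_pair(SAMPLE_LOGS))
```

Filtering on the remote address isolates one peer's negotiation; filtering on the local address collects every tunnel terminating on that interface, and lines without the header (non-VPN processes) drop out of both.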

44
Help System Improvements
45
Help System Improvements
  • Help systems are now in HTML5 format and provide
    improved search functionality.
  • Searches from major Internet search engines can
    now find content in our Help.
  • Search results are presented in a more familiar
    and useful format, with context.

46
Help System Improvements
  • Use the new What's New in This Release help
    topic to quickly navigate to the documentation
    for the new features in this release.

47
THANK YOU!