Slides: 27
Provided by: KirkSt5

1
What's New in Fireware XTM v11.7.3
2
New and Updated Features in Fireware XTM and WSM
v11.7.3
  • XTMv on Hyper-V
  • WatchGuard AP device enhancements
      • MAC access control whitelist
      • AP device monitoring enhancements
      • Station isolation
      • No automatic AP device reboot after AP
        configuration change
      • See the AP device radio used by each wireless
        client
  • Set source IP address in static NAT and server
    load balancing actions
  • 3G / 4G modem support for failover

3
New and Updated Features in Fireware XTM and WSM
v11.7.3
  • Quarantine Server end-user web UI improvements
  • New Websense categories
  • Configurable syslog server port
  • Set the diagnostic log level for the Gateway
    Wireless Controller
  • Updated hotspot policies
  • Log off hotspot user sessions
  • Send device feedback to WatchGuard

4
XTMv on Hyper-V
5
XTMv on Hyper-V
  • Fireware XTM v11.7.3 continues to support
    XTMv on vSphere ESXi 4.1 and 5.0.
  • In v11.7.3, support is added for XTMv on
    these Microsoft Hyper-V hypervisors:
      • Windows Server 2012 with a Hyper-V role
      • Hyper-V Server 2012
      • Windows Server 2008 R2 with a Hyper-V role
      • Hyper-V Server 2008 R2

6
XTMv Editions and Licensing
  • The four XTMv device editions are the same on
    VMware and Hyper-V.
  • The recommended resource requirements and feature
    key limits for each edition are the same for
    XTMv, whether it is deployed on VMware or
    Hyper-V.

Product                | CPU (Min rec)   | Memory (Min rec) | Feature Key Limits
Small Office Edition   | 1 Core          | 1 GB             | 200 Mbps throughput, 50 VPN Tunnels, 30K Connections, 10 Interfaces
Medium Office Edition  | 2 Cores         | 2 GB             | 2.5 Gbps throughput, 600 VPN Tunnels, 350K Connections, 10 Interfaces
Large Office Edition   | 4 Cores         | 4 GB             | 5 Gbps throughput, 6K VPN Tunnels, 1M Connections, 10 Interfaces
Datacenter Edition     | 8 or more Cores | 4 GB or more     | Unlimited throughput, 10K VPN Tunnels, 2.5M Connections, 10 Interfaces

7
XTMv on Hyper-V Limitations for Hyper-V (not
ESXi)
  • The maximum number of configurable interfaces for
    an XTMv virtual machine (VM) in a Hyper-V
    environment is eight.
  • Hyper-V supports two types of virtual adapters:
      • Network adapters (Hyper-V supports a maximum of
        8)
      • Legacy network adapters (Hyper-V supports a
        maximum of 4)
  • XTMv does not support the use of legacy network
    adapters.
  • You must assign a minimum of two network adapters
    to an XTMv VM.
  • The number of network adapters you add to your
    XTMv VM determines the number of interfaces you
    can configure.
  • These networking features are not supported for
    XTMv on Hyper-V because they require the virtual
    adapter to be configured in promiscuous mode,
    which is not supported in Hyper-V:
      • Bridge mode network configuration
      • Network bridge
      • Mobile VPN with SSL with the Bridged VPN Traffic
        setting

8
XTMv Software Distribution and Installation on
Hyper-V
  • For Hyper-V, XTMv is distributed as a zipped
    Virtual Hard Disk (.vhd) file.
      • The file name inside the zip file is
        xtmv_<xtm-version>.vhd.
      • Copy the .zip file to the Windows server where
        Hyper-V is installed.
      • Extract the .vhd file from the .zip file.
  • You cannot use the same .vhd file for more than
    one virtual machine.
  • To deploy multiple XTMv virtual machines:
      • Save a copy of the unzipped .vhd file with a
        unique name for each XTMv VM.
      • When you add the VM in Hyper-V, select a
        different .vhd file for each XTMv VM.
  • To install an XTMv VM on Hyper-V:
      • Use the Hyper-V New Virtual Machine Wizard to add
        the XTMv VM.
      • Add network adapters to the XTMv VM.
      • Power on the XTMv VM.
      • Use the Fireware XTM Web Setup Wizard to set up a
        basic configuration file.
      • Allocate additional resources to the XTMv VM.
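
The deployment steps above, scripted with the Hyper-V PowerShell module instead of the New Virtual Machine Wizard; this is an added example, not part of the original presentation or WatchGuard's tooling. It assumes Windows Server 2012 or Hyper-V Server 2012 (where the module ships), and the function name, paths, VM names and virtual switch names are hypothetical.

```powershell
# Added example (not WatchGuard code). Enforces the slide's constraints:
# one .vhd copy per VM, 2 to 8 network adapters, no legacy adapters.
function New-XtmvVm {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [string] $BaseVhd,       # unzipped XTMv .vhd
        [Parameter(Mandatory = $true)] [string] $VhdDirectory,  # where per-VM copies live
        [Parameter(Mandatory = $true)]
        [ValidateCount(2, 8)]                                   # min 2, max 8 adapters
        [string[]] $SwitchNames,                                # one adapter per switch
        [long] $MemoryStartupBytes = 1GB                        # Small Office Edition value
    )

    # The same .vhd cannot back more than one VM: never attach the base file
    # itself, and never overwrite a copy that already exists.
    $target = Join-Path $VhdDirectory "$Name.vhd"
    if (Test-Path $target) {
        throw "VHD '$target' already exists; choose a unique VM name."
    }
    $inUse = Get-VM | Get-VMHardDiskDrive | Where-Object { $_.Path -eq $BaseVhd }
    if ($inUse) {
        throw "Base VHD '$BaseVhd' is attached to VM '$($inUse[0].VMName)'."
    }
    Copy-Item -Path $BaseVhd -Destination $target

    # New-VM creates the first (non-legacy) adapter; add the rest one by one.
    New-VM -Name $Name -MemoryStartupBytes $MemoryStartupBytes `
           -VHDPath $target -SwitchName $SwitchNames[0] | Out-Null
    foreach ($sw in ($SwitchNames | Select-Object -Skip 1)) {
        Add-VMNetworkAdapter -VMName $Name -SwitchName $sw
    }

    # Verify the adapter set before power-on.
    $adapters = @(Get-VMNetworkAdapter -VMName $Name)
    if ($adapters | Where-Object { $_.IsLegacy }) {
        throw "VM '$Name' has a legacy network adapter, which XTMv does not support."
    }
    if ($adapters.Count -ne $SwitchNames.Count) {
        throw "Expected $($SwitchNames.Count) adapters, found $($adapters.Count)."
    }

    Start-VM -Name $Name   # next step: Fireware XTM Web Setup Wizard
    return $adapters.Count
}

# Example call (all values are placeholders):
# New-XtmvVm -Name 'xtmv-branch1' -BaseVhd 'D:\XTMv\base.vhd' `
#            -VhdDirectory 'D:\Hyper-V\Disks' -SwitchNames 'External', 'Trusted'
```

Allocating additional CPU or memory is left for after the Web Setup Wizard, in the order the slide gives.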

9
WatchGuard AP Enhancements
10
AP MAC Access Control Whitelist
  • The MAC Access Control now supports two MAC
    Access Control lists:
      • Denied MAC Addresses (blacklist)
      • Allowed MAC Addresses (whitelist)
  • Configure MAC access control in the Gateway
    Wireless Controller settings.
  • In each SSID, enable MAC access control and
    select which list to use.

11
AP Device Station Isolation
  • You can now enable station isolation in the SSID
    configuration.
  • Station isolation prevents direct communication
    between wireless clients connected to the SSID on
    the same AP radio.
  • It does not prevent direct communication between
    wireless clients on different radios or different
    AP devices, even if they connect to the same
    SSID.
  • We recommend that you enable station isolation for
    wireless guest networks, where the wireless
    clients should not trust each other.

12
AP Device Monitoring
  • The LiveSecurity column shows the AP device
    activation status.
  • Click Network Statistics to see these network
    statistics for the selected AP device:
      • Interface statistics
      • Routing table
      • ARP table

13
AP Device Radio Used by Wireless Clients
  • The Gateway Wireless Controller now includes a
    column that shows the radio channel on the AP
    device that is used by each wireless client.
  • Select the Wireless Clients tab in the Gateway
    Wireless Controller.

14
AP Device Configuration Update Without a Reboot
  • Paired AP devices no longer automatically reboot
    after you save an AP configuration change to the
    XTM device.

15
Other Enhancements
16
Set Source IP Address in SNAT Actions
  • You can now set the source IP address in SNAT
    actions.
  • In a server load balancing SNAT action you can
    set one source IP address for all servers.
  • In a static NAT action you can set one source IP
    address for each server.

17
3G / 4G Modem Failover
  • In the Modem Configuration on XTM 2 Series, 3
    Series, and 5 Series devices, you can now enable
    3G/4G modem support.
  • When you enable 3G/4G modem support:
      • The telephone number is set to 99 by default.
      • All other account settings are optional.
  • The telephone number and account
    settings required to connect vary by wireless
    carrier.
  • WatchGuard tested these 3G/4G modems:
      • ZTE MF683 (T-Mobile Rocket 3.0 4G)
      • Franklin U602 (Sprint 3G/4G Plug-in-Connect USB)
      • Sierra Wireless AirCard 250U (Sprint 3G/4G USB
        250U)

18
Updated UI for User Quarantine Message Management
  • The options in the Quarantine message management
    UI have been improved.
      • Send to Mailbox: Releases the selected messages
        from quarantine and sends them to the recipient.
      • Delete Selected: Deletes the selected spam or
        virus messages for this user from the Quarantine
        Server.
      • Delete All: Deletes all spam and virus messages
        for this user from the Quarantine Server.

19
New Websense Categories
  • Added two new Websense security categories:
      • Compromised Websites
          • ID: 220
          • Description: Site whose code indicates possible
            alteration by an external third-party to include
            hidden links, scripts, or iframe tags that
            download or redirect the user to malicious or
            unwanted content.
      • Newly Registered Websites
          • ID: 221
          • Description: Sites with a recently registered
            domain name.

20
Specify a Syslog Server Port
  • You can now specify the port for connections to
    a syslog server.
  • The default port (514) always appears as the
    default setting.

21
Set the Log Level for the Gateway Wireless
Controller
  • When you configure the Diagnostic Log Level
    settings for your XTM device, you can specify
    the log level for the Gateway Wireless
    Controller.
  • In Policy Manager, select the Networking
    category and select a log level for the GWC
    option.

22
Set the Log Level for the Gateway Wireless
Controller
  • In Fireware XTM Web UI, select System >
    Diagnostic Log, and select a log level for the
    Gateway Wireless Controller option in the
    Networking section.

23
Updated Hotspot Policies
  • When you enable a hotspot on your XTM device,
    these policies are automatically added to your
    configuration file:
      • Allow External Web Server: Allows TCP
        connections from users on the guest network to
        the external web server IP address and the port
        you use for hotspot external guest
        authentication.
      • Allow Hotspot Session Mgmt: Allows connections
        from the external web server IP address to the
        XTM device.
      • Allow Hotspot-Users: Allows connections from the
        hotspot to addresses external to the XTM device.

24
Log Off Hotspot User Sessions
  • When a hotspot is configured for external guest
    authentication, the external hotspot
    authentication server can send a logoff URL to
    the XTM device to terminate a user hotspot
    session.
  • The logoff URL includes the MAC address of the
    user hotspot session to log off, and the shared
    secret configured in the hotspot settings on your
    XTM device.
  • Each logoff URL sent to the XTM device can log
    off only one session at a time.

25
Device Feedback
  • The XTM device can now send device feedback to
    WatchGuard.
  • Device feedback includes information about how
    your device is used, but does not include
    information about your company, or company data.
  • The device feedback option is enabled by
    default.
  • You can enable or disable device feedback in the
    Global Settings in your XTM device configuration
    files and device configuration templates, or in
    the Web Setup and Quick Setup wizards.

26
Thank You!