
What's New in Fireware v11.10

WatchGuard Training

2015 WatchGuard Technologies, Inc.

What's New in v11.10

New Features
  Policies by Domain Name
  Bandwidth and time user quotas

Monitoring Enhancements
  Review and reset user quota data
  VPN diagnostic messages and report enhancements
  Gateway Wireless Controller shows rogue access points and client signal strength
  Full Screen mode in FireWatch in Fireware XTM Web UI

Subscription Services Enhancement
  Setup wizards for services now available in the Web UI

VPN Enhancements
  Mobile VPN with SSL v11.10 clients for Windows and Mac OS X

Certificate Management Enhancements
  Manage certificates from the Web UI
  Automatic CA certificate updates

Wireless Access Point Enhancements
  Wireless traffic shaping
  Time-based SSID Activation
  Scheduled restarts of AP devices
  Multiple AP device selection for AP actions
  Enable rogue access point detection

SSO Enhancements
  Exchange Monitor (EM) Exchange Server 2013 support
  Clientless SSO for RDP logins
  Traffic through BOVPN tunnels can use SSO
  Support for switching between multiple users of the SSO Client

RapidDeploy Enhancements
  Improvements for CSV files on a USB drive

System Enhancements
  NTP server

Networking Enhancements
  Improved routing tables
  Multiple servers for DHCP relay
  DHCPv6 prefix delegation
  ARP limit updates
  XTM Configuration Report updates

Logging & Reporting Enhancements
  Simultaneously send log messages to two Log Servers
  Expanded information included in Device Feedback

What Else is New?
  A comprehensive Help system with instructions for all Fireware management UIs.

New Feature: Policies by Domain Name

Policies by Domain Name

You can now use FQDNs (Fully Qualified Domain Names) in:
  From and To lists in a policy
  Aliases
  Blocked Sites
  Blocked Site Exceptions
  Quota Exceptions

We recommend you use this feature to allow traffic to selected domains while blocking all other traffic.
  Software update sites such as:
    Windows updates
    Antivirus signature update sites

Useful for sites hosted on content delivery networks (CDNs) that frequently add and change IP addresses.

Domain Name Format

You can use a specific FQDN (host.example.com) or a wildcard domain (*.example.com).
For example, the wildcard domain *.example.com would include:
  a.example.com
  b.example.com
  a.b.example.com

These wildcard entries are not supported:
  *.*.example.com
  example*.com
  *.example.*.com
  example.*.com

Policies by Domain Name: How It Works

When you define an FQDN in your configuration, your Firebox performs forward DNS resolution for the specified domain and stores the IP mappings.
For wildcard domains such as *.example.com, the device performs forward DNS resolution on example.com and www.example.com.
To resolve the subdomains implied by *.example.com, the device analyzes DNS replies that match your FQDN configuration. As DNS traffic passes through the Firebox, it stores the IP mapping responses to relevant queries.

Policies by Domain Name: DNS Configuration

You must have a DNS server configured in the network settings of your Firebox, or have the external interface set to DHCP or PPPoE to get a DNS configuration.
All clients and your Firebox must use the same DNS server. If a client has different IP and domain mappings than the Firebox, the traffic will not match the correct policy and could be allowed by a different policy, or dropped if no policy is matched.
If clients try to reach an internal destination through an internal DNS server, the Firebox might not have an opportunity to analyze this traffic for local servers.
We recommend that if you use internal DNS servers, they be located on a different internal network than your clients, so that the Firebox can see and analyze replies from the DNS server.

Policies by Domain Name

When you configure Domain Names, consider these possibilities:

An FQDN can correspond to multiple IP addresses: Different DNS servers can return different IP address replies based on geographical location, time zone, load balancing configurations, and other factors.
A specific IP address might map to several FQDNs: When an FQDN is resolved to an IP address, it is equivalent to having a firewall policy with that specific IP address in the policy. If another domain or subdomain also resolves to the same IP address, traffic to or from that domain will also match this policy.
Multiple FQDNs for the same site: Many website main pages pull data from other websites and second-level domains for images and other information. If you block all traffic and allow a specific FQDN, you must also allow any additional FQDNs that are called by the main page. The Firebox will attempt to map IP addresses from second-level domains for a wildcard domain to provide the full content for a site.
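The following is an added example, not code from the WatchGuard deck: it applies the Domain Name Format rules above (a specific FQDN or a single leading wildcard; the four listed forms rejected) and models the mapping cache described under How It Works, so that the shared-IP caveat can be seen on constructed DNS replies. Treating the apex (example.com) as covered by *.example.com is an assumption drawn from the statement that the Firebox resolves example.com for a wildcard entry; all host names and addresses are constructed.

```python
import ipaddress
import re

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def is_supported_entry(entry):
    """Accept host.example.com or a single leading wildcard such as *.example.com.

    Rejects the unsupported forms on the slide (*.*.example.com, example*.com,
    *.example.*.com, example.*.com): a wildcard anywhere but the first label.
    """
    labels = entry.strip().lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def entry_matches(entry, name):
    """True if host `name` is covered by configuration entry `entry`."""
    entry, name = entry.lower().rstrip("."), name.lower().rstrip(".")
    if entry.startswith("*."):
        base = entry[2:]
        # Subdomains at any depth match (a.example.com, a.b.example.com).
        # Assumption: the apex counts too, since the slide says the Firebox
        # resolves example.com itself for a *.example.com entry.
        return name == base or name.endswith("." + base)
    return name == entry


class FqdnMappingCache:
    """IP mappings learned for the configured FQDN entries; the policy is then
    matched on the IP address, not on the host name."""

    def __init__(self, entries):
        bad = [e for e in entries if not is_supported_entry(e)]
        if bad:
            raise ValueError("unsupported FQDN entries: " + ", ".join(bad))
        self.entries = [e.lower() for e in entries]
        self.ip_to_names = {}  # "203.0.113.10" -> {"www.example.com", ...}

    def observe_reply(self, name, ip):
        """Store a DNS answer only when the queried name matches an entry."""
        if not any(entry_matches(e, name) for e in self.entries):
            return False
        key = str(ipaddress.ip_address(ip))
        self.ip_to_names.setdefault(key, set()).add(name.lower())
        return True

    def matching_names(self, ip):
        """Names that made this destination IP part of the FQDN policy."""
        return sorted(self.ip_to_names.get(str(ipaddress.ip_address(ip)), ()))

    def policy_matches(self, ip):
        return bool(self.matching_names(ip))


# Constructed DNS replies as the Firebox might observe them (not real data).
OBSERVED_REPLIES = [
    ("www.example.com", "203.0.113.10"),
    ("a.b.example.com", "203.0.113.11"),
    ("cdn.example.com", "198.51.100.7"),        # matches *.example.com
    ("unrelated.example.net", "198.51.100.7"),  # not configured, same IP
    ("updates.example.org", "198.51.100.20"),   # matches the specific entry
]


def build_demo_cache():
    """One wildcard and one specific entry, fed the replies above. Afterwards
    198.51.100.7 matches the policy, so a flow to unrelated.example.net on that
    address is matched as well (one IP address mapping to several FQDNs)."""
    cache = FqdnMappingCache(["*.example.com", "updates.example.org"])
    for name, ip in OBSERVED_REPLIES:
        cache.observe_reply(name, ip)
    return cache
```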

Domain Names in Logging

Log messages show the domain names (including wildcard domains) that were matched when a policy is applied to traffic by FQDN.

Domain Names in Reporting

Reports show the domain name that was matched when the policy was applied to traffic by FQDN.
The Blocked Sites list identifies the IP addresses blocked by FQDNs included in the configuration.

New Feature: Quotas

Bandwidth and Time Quotas

You can enable bandwidth and time usage quotas for users on your network for access to external sites.
Apply a daily limit to user Internet usage to enforce corporate acceptable use policies.
When users exceed the quota limit, a notification message appears in their web browsers and further access attempts are denied.

You can set these types of quotas:
  Bandwidth: The bandwidth quota is set in MB per day, and is enforced for all TCP and UDP traffic in both directions.
  Time: The time quota is set in minutes per day.
Both bandwidth and time quotas can be enabled at the same time, and the limit that is reached first is enforced.

Quota limits are applied to users and groups based on authentication to the Firebox.
For a quota to take effect, a user must be authenticated and match a configured policy defined with Firebox users and groups.

To enable bandwidth and time quotas, you must:
  Enable quotas and create quota rules
  Apply a quota action to a rule
  Enable the quota rule in a policy

Enable time and bandwidth quotas.
Add a quota rule that defines the applicable users and groups, and the quota action to apply.
A quota action defines the bandwidth and time restrictions to apply to a quota rule.
To enforce a quota, a quota rule must be enabled for a specific policy.
The policy must be defined with users or groups to be able to apply a quota rule.

You can create exceptions to quotas so that any traffic to a specific destination address is not counted towards the usage quota.
Create exemptions for your company's own domains, or software and antivirus signature update sites.

Options to reset user quota data include:
  Quota daily limits are automatically reset the next day (starting at 00:00)
  Configuration changes automatically reset quotas for users and groups that use the updated quota action
  Reboot the Firebox
  Manually reset quota data for specific users from the Web UI and FSM
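An added example, not from the WatchGuard deck: a small model of the quota rules above (bandwidth in both directions and time per day, both enabled with the first limit reached enforced, exempt destinations never counted, reset at 00:00, on a quota action change, and manually). The decimal MB constant, the user and address values, and the minute-based accounting of time are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

MB = 1_000_000  # assumption: the slide does not say whether MB is decimal or binary


class QuotaAction:
    """Daily limits of a quota action; either limit may be left unset (None)."""

    def __init__(self, bandwidth_mb=None, time_minutes=None):
        self.bandwidth_mb = bandwidth_mb
        self.time_minutes = time_minutes


class QuotaTracker:
    """Per-user daily usage for one quota action.

    Bandwidth counts both directions, exempt destinations are never counted,
    and usage resets at 00:00, on a quota action change, and on manual reset.
    """

    def __init__(self, action, exceptions=()):
        self.action = action
        self.exceptions = [ipaddress.ip_network(x) for x in exceptions]
        self.usage = {}  # user -> {"day", "bytes", "minutes", "hit"}

    def _counters(self, user, now):
        u = self.usage.get(user)
        if u is None or u["day"] != now.date():  # a new day starts at 00:00
            u = {"day": now.date(), "bytes": 0, "minutes": 0.0, "hit": None}
            self.usage[user] = u
        return u

    def _check(self, u):
        # Record which limit was crossed first; only that one is reported.
        a = self.action
        if u["hit"] is None:
            if a.bandwidth_mb is not None and u["bytes"] >= a.bandwidth_mb * MB:
                u["hit"] = "bandwidth"
            elif a.time_minutes is not None and u["minutes"] >= a.time_minutes:
                u["hit"] = "time"
        return u["hit"]

    def is_exempt(self, dst_ip):
        ip = ipaddress.ip_address(dst_ip)
        return any(ip in net for net in self.exceptions)

    def limit_reached(self, user, now):
        """'bandwidth', 'time' (whichever was reached first) or None."""
        return self._check(self._counters(user, now))

    def request(self, user, now, dst_ip, nbytes=0, minutes=0.0):
        """One access attempt: True if allowed (and counted), False if denied."""
        if self.is_exempt(dst_ip):
            return True                # quota exception: allowed, not counted
        u = self._counters(user, now)
        if self._check(u):
            return False               # over quota: further attempts are denied
        u["bytes"] += nbytes
        u["minutes"] += minutes
        self._check(u)
        return True

    def set_action(self, action):
        """A configuration change resets usage for users of this action."""
        self.action = action
        self.usage.clear()

    def reset_user(self, user):
        """Manual reset of one user's quota data (Reset Quota in Web UI/FSM)."""
        self.usage.pop(user, None)


def demo():
    """Constructed day for one user: 100 MB / 60 min quota, one exempt subnet."""
    tracker = QuotaTracker(QuotaAction(bandwidth_mb=100, time_minutes=60),
                           exceptions=["203.0.113.0/24"])
    t0 = datetime(2015, 3, 2, 9, 0)
    tracker.request("alice", t0, "198.51.100.10", nbytes=60 * MB, minutes=20)
    tracker.request("alice", t0, "203.0.113.5", nbytes=900 * MB, minutes=30)
    t1 = t0 + timedelta(minutes=30)
    tracker.request("alice", t1, "198.51.100.10", nbytes=50 * MB, minutes=20)
    return tracker, t1, datetime(2015, 3, 3, 0, 0)
```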

Monitoring Enhancements

Review & Reset Bandwidth and Time Quotas

Monitor user quota usage data in Fireware XTM Web UI and Firebox System Manager:
  Fireware XTM Web UI: System Status > Quotas page
  Firebox System Manager: Quotas tab

Quota data includes these details for each connected user:

Quotas Page (Web UI)                 | User Quotas Tab (FSM)     | Description
User                                 | User                      | The user name of the connected user.
Auth Domain                          | N/A                       | The authentication domain through which the user is authenticated.
Quota Action                         | Quota Action              | The quota action defined on your Firebox that applies to the user.
Used/Configured Bandwidth (per day)  | Bandwidth Usage (per day) | The amount of bandwidth the user has already used and is allowed to use (used/allowed), for each day.
Used/Configured Time (per day)       | Time Usage (per day)      | The amount of time the user has already used and is allowed to use (used/allowed), for each day.

Manually reset user quota data for specific users:
  1. Select one or more users.
  2. Click Reset Quota.

Gateway Wireless Controller: Rogue Access Points

Use the Gateway Wireless Controller Wireless Deployment Maps to scan for foreign wireless access points.
See a list of rogue access points on the Foreign BSSIDs page.
A rogue access point is any wireless access point within range of your network that is not recognized as an authorized access point.
A rogue access point can be installed by a malicious user, but could also be a device installed by someone inside your organization without consent.

Gateway Wireless Controller: Client Signal Strength

The Gateway Wireless Controller in Fireware XTM Web UI and Firebox System Manager now includes an indicator to show the wireless client signal strength.

Enhanced VPN Diagnostic Tools

VPN diagnostic messages
  New VPN messages now indicate why a branch office VPN gateway or tunnel failed, and can include information about what action to take to resolve the error.
  VPN diagnostic messages appear in three places in the UI:
    Firebox System Manager: Front Panel tab
    WatchGuard System Manager: Device Status tab
    Fireware XTM Web UI: System Status > VPN Statistics page

Enhanced VPN Diagnostic Report
  Performs more checks to identify many of the most common VPN issues
  Provides more actionable information

VPN Diagnostic Messages

VPN diagnostic messages appear below the gateway in the Web UI and FSM.
Messages can be for a specific tunnel or gateway endpoint.
  Errors: Error status in the Web UI; red text in FSM and WSM.
  Warnings: Warning status in the Web UI; orange text in FSM and WSM.

VPN Diagnostic Report Enhancements

The VPN Diagnostic Report now does more extensive diagnostic checks, and provides more information.
The report includes three new sections:
  [Conclusion]: This section at the top summarizes what was observed, lists any detected errors, and includes suggestions of next steps to troubleshoot the VPN.
  [Address Pairs in Firewalld]: This section shows the address pairs and the traffic direction (IN, OUT, or BOTH).
  [Policy checker result]: This section shows policy checker results for policies that manage traffic for each tunnel route.
The VPN Diagnostic Report is now available in the Fireware XTM Web UI on the System Status > VPN Statistics page, as well as on the System Status > Diagnostics page.

Branch Office VPN Troubleshooting Tips

For any branch office VPN, you can run reports and monitor error messages on both endpoint devices: the initiator and the responder.
  The initiator is the endpoint that starts the tunnel negotiation.
  The responder receives the proposal and accepts or rejects the proposed tunnel settings from the initiator.
For troubleshooting VPN negotiation, run the VPN Diagnostic Report or look at the VPN diagnostic messages on the responder.
  The responder has more information about settings that do not match. On the responder, VPN diagnostic errors include more detailed information about what setting the initiator proposed, and what setting was expected.
  The initiator does not know what settings were expected.

VPN Troubleshooting in Firebox System Manager

Example VPN diagnostic message for a mismatched Phase 2 proposal:

VPN diagnostic message on the initiator:
  Received No Proposal Chosen message. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.

The VPN diagnostic message on the responder is more informative:
  Received ESP encryption 3DES, expecting AES

The same messages appear in the VPN Diagnostic Report.
To run the report, right-click the gateway and select VPN Diagnostic Report.

(Screenshots: the Initiator and Responder gateways in Firebox System Manager)

VPN Diagnostic Messages in the Web UI

VPN diagnostic messages appear on the System Status > VPN Statistics page.

VPN Diagnostic Report in the Web UI

To run the VPN Diagnostic Report from the System Status > VPN Statistics page:
  On the Branch Office VPN tab, click Debug for a Gateway.
  Or, select the Debug tab, select the gateway, and click Start Report.

Routes Table Updates

In Fireware XTM Web UI, the Routes table in System Status > Routes includes these updates:
Filter routes by:
  IP address type (IPv4, IPv6, or both; IPv6 is new)
  Route Type (Connected, Static, Dynamic, VPN)
  Interface (select the interface)
  Destination (type a valid IPv4 network address)
The Routes table shows the first 100 routes that match the filter criteria.

The Firebox System Manager Status Report tab now includes two route tables:
  IPv4 Routes: Shows the first 100 IPv4 routes (all routes, including static, dynamic, and VPN routes).
  IPv6 Routes: Shows the first 100 IPv6 routes (all routes, including static, dynamic, and VPN routes).
The route tables include the same information as the output of the CLI show ip route and show v6 ip route commands.
These two route tables replace the four route tables that previously appeared in the Status Report (main, ethx.out, any.out, and zebra).

FireWatch Enhancements

FireWatch can now be viewed in Full Screen mode in Fireware XTM Web UI.
Full Screen mode options include:
  Select to include one or more groups in the display
  Specify the information refresh rate
  The settings controls are hidden after a period of time
  Select all standard filters
  See information in bytes for all groups except WebBlocker, which appears in number of connections

Select group, data, and refresh options in Full Screen Mode.

Select which group information appears:
  Source
  Destination
  Applications
  Policies
  Interface (In)
  Interface (Out)

Select the type of data that appears:
  Rate
  Bytes
  Connection
  Duration

Subscription Services Enhancements

Subscription Services Setup Wizards

New Web UI activation wizards guide you through the steps to enable these Subscription Services and create a basic configuration:
  spamBlocker
  WebBlocker
  Gateway AntiVirus
  Intrusion Prevention

Signature Update Warnings

New warnings are displayed for these services when automatic signature updates are disabled:
  IPS
  Gateway AntiVirus
  Application Control
  DLP

VPN Enhancements

Updates to Mobile VPN with SSL Clients

Updated WatchGuard Mobile VPN with SSL clients for Windows and Mac OS X:
  Both clients now use OpenVPN 2.3.6
  Both clients now support more than 24 routes
  The Windows client now includes the TAP driver for Windows 8.1

Certificate Management Enhancements

Manage Certificates from the Web UI

You can now perform all the same certificate management tasks from the Web UI that are available in Firebox System Manager:
  Delete, install, and export certificates
  View certificate details
  Import CRLs
  Create CSRs (certificate signing requests)

Automatic CA Certificate Updates

Automatically get new versions of the trusted CA certificates stored on the device and automatically install the new certificates.
Ensures all trusted CA certificates on your device are the latest version.
Expired certificates are updated, and new trusted CA certificates are added to your device.
Updated certificates are downloaded from a secure WatchGuard server.

Wireless Access Point Enhancements

Wireless AP Enhancements
  Wireless traffic shaping
  Time-based SSID Activation
  Scheduled restarts of AP devices
  Multiple AP device selection for AP actions
  Enable rogue access point detection

Wireless Traffic Shaping

Configure traffic rate shaping for each wireless SSID.
Traffic shaping is for wireless download traffic only.
  Base rate: The base throughput rate for the SSID. Not allowed to exceed this limit except for burst activity.
  Ceiling rate: The hard limit throughput rate for the SSID. This limit includes burst activity.
  Burst: The maximum number of kilobytes allowed beyond the base rate.

Time-based SSID Activation

Enable SSIDs for specific time periods.
Limits access to the SSID based on the start and end times you configure.

Scheduled Restarts of AP Devices

Restart wireless services or reboot all of your AP devices at scheduled times on a daily or weekly basis.
Refreshes the AP device and makes sure the device configuration and all access control lists are up to date.
Automatically updates wireless channel selection.
AP devices are restarted in 90 second intervals to make sure they are not all restarted at the same time.

Multiple AP Device Selection for AP Actions

You can select multiple AP devices to complete reboot, upgrade, and restart wireless actions.

Enable Rogue Access Point Detection

Enable rogue access point detection for each SSID.
Add known device MAC addresses to the exceptions list so they are not considered a rogue access point.

SSO Enhancements

Single Sign-On Enhancements

Single Sign-On Enhancements include:
  Support for Microsoft Exchange Server 2013 for the SSO Exchange Monitor
    .NET Framework v3.5 required on the Exchange Server 2013 server
  Clientless SSO for RDP logins
    Event Log Monitor now recognizes both logon and logoff events for RDP connections and reports this information to the SSO Agent, which sends the events to the Firebox.
    The Firebox opens and closes user sessions based on the logon and logoff event reports from the Event Log Monitor.
  Traffic through BOVPN tunnels can now use Single Sign-On (SSO Client only)
  Support for switching between multiple users of the SSO Client on Windows Vista, 2008, 2012, 7, 8, and 8.1

The new Enable SSO through BOVPN tunnels option allows users of BOVPN tunnels to use SSO for network connections.

RapidDeploy Enhancements

RapidDeploy CSV File: Change External Interface

You can now use a CSV file to change the external interface number.
A device that starts with factory-default settings can automatically configure the external interface from settings in a CSV file on a connected USB drive.
  Previously, the only valid interface you could specify in the CSV file was 0.
  A device that uses Fireware v11.10 now supports interface numbers other than 0.
  The format of the CSV file did not change.
  This is most often used for RapidDeploy.
Example line in a CSV file to configure interface 2 as the external interface:
70XX00777X777,2,ext,Static,203.0.113.20/24,203.0.113.1,198.51.100.20

System Enhancements

NTP Server

After you enable a Firebox to use NTP, you can enable the device as an NTP server.
When you enable the device as an NTP server, the NTP Server policy is automatically created.
The NTP Server policy allows connections to the NTP server from clients on the trusted and optional networks.
Configure NTP clients to get the date and time from the interface IP address or domain name of the Firebox.

Networking Enhancements

Multiple Servers for DHCP Relay

In the DHCP Relay settings, you can now add the IP addresses of up to three DHCP servers.
Previously you could configure only one IP address for DHCP Relay.
The Firebox relays DHCP requests to the IP addresses of all DHCP servers.

DHCPv6 Prefix Delegation

You can enable DHCPv6 Client Prefix Delegation on an external interface.
The device requests an IPv6 prefix from a DHCPv6 server.
You can use the delegated prefix when you configure IPv6 addresses on trusted, optional, and custom interfaces.
DHCP prefix delegation is described in RFC 3633.

The delegated prefix appears on the Front Panel tab of Firebox System Manager.

You can use the delegated prefix for a trusted, optional or custom interface:
  Static IPv6 interface IP address
  IPv6 prefix advertisement
  DHCPv6 address pool
  DHCPv6 reserved addresses
Select Use delegated prefix.
The delegated prefix name appears as the first part of the IPv6 address. The prefix name includes the external interface device name, followed by _prefix. For example, eth0_prefix.
Type the subnet in the adjacent text box.
(Screenshots: Delegated prefix in a static IPv6 address; Delegated prefix in the DHCPv6 address pool)

You can also enable the DHCPv6 server on an interface to delegate prefixes to DHCPv6 clients.
  Add prefixes to the Prefix Pool.
  To reserve a specific prefix for a client, add the prefix to the Reserved Addresses and Prefixes list.

Improved Route Tables: Command Line Interface

To see the first 100 IPv4 routes, use the show ip route command.
  Replaces the show route command
  Output is easier to read than the output of the old show route command

WG>show ip route
Kernel IP routing table
Destination     Gateway       Genmask         Interface  Flags  Metric
0.0.0.0         203.0.113.1   0.0.0.0         eth0       UG     5
10.0.70.0       0.0.0.0       255.255.255.0   eth1       U      0
10.0.71.0       0.0.0.0       255.255.255.0   eth1       U      0
10.0.78.0       0.0.0.0       255.255.255.0   vlan10     U      0
10.0.79.0       0.0.0.0       255.255.255.0   br0        U      0
10.10.10.0      0.0.0.0       255.255.255.0   ath1       U      0
127.0.0.0       0.0.0.0       255.0.0.0       lo         U      0
192.168.113.0   0.0.0.0       255.255.255.0   tun0       U      0
203.0.113.0     0.0.0.0       255.255.255.0   eth0       U      0

Use command options to filter the route table (same filters as in the Web UI):

WG>show ip route ?
  <cr>       Carriage return
  <net>      IP subnet for the destination <A.B.C.D/(1-32)>
  connected  Connected routes
  dynamic    Dynamic routes
  ifname     Interface device name
  static     Static routes
  vpn        VPN routes
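An added example, not from the WatchGuard deck or the Fireware CLI: it parses the show ip route table printed above, applies the ifname and <net> filters the command offers, and resolves a destination address to the route the table would select (longest prefix, then lowest metric). The subnet-containment rule used for <net> is an assumption, since the slide names the option without defining its matching; the lookup addresses are constructed.

```python
import ipaddress

# Table rows as printed by `show ip route` on the slide (header plus routes).
SHOW_IP_ROUTE = """\
Destination     Gateway       Genmask         Interface  Flags  Metric
0.0.0.0         203.0.113.1   0.0.0.0         eth0       UG     5
10.0.70.0       0.0.0.0       255.255.255.0   eth1       U      0
10.0.71.0       0.0.0.0       255.255.255.0   eth1       U      0
10.0.78.0       0.0.0.0       255.255.255.0   vlan10     U      0
10.0.79.0       0.0.0.0       255.255.255.0   br0        U      0
10.10.10.0      0.0.0.0       255.255.255.0   ath1       U      0
127.0.0.0       0.0.0.0       255.0.0.0       lo         U      0
192.168.113.0   0.0.0.0       255.255.255.0   tun0       U      0
203.0.113.0     0.0.0.0       255.255.255.0   eth0       U      0
"""


def parse_routes(text):
    """Turn the printed table into route dicts with an IPv4Network destination."""
    routes = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        dest, gateway, genmask, iface, flags, metric = line.split()
        routes.append({
            "network": ipaddress.IPv4Network("%s/%s" % (dest, genmask)),
            # A gateway of 0.0.0.0 means the destination is directly connected.
            "gateway": None if gateway == "0.0.0.0" else ipaddress.IPv4Address(gateway),
            "interface": iface,
            "flags": flags,          # U = route is up, G = reached via a gateway
            "metric": int(metric),
        })
    return routes


def filter_routes(routes, ifname=None, net=None):
    """The `ifname` and `<net>` options from `show ip route ?`.

    Assumption: `<net>` selects routes whose destination network lies inside
    the given subnet (the slide lists the option but not its matching rule).
    """
    selected = routes
    if ifname is not None:
        selected = [r for r in selected if r["interface"] == ifname]
    if net is not None:
        net = ipaddress.IPv4Network(net)
        selected = [r for r in selected if r["network"].subnet_of(net)]
    return selected


def lookup(routes, dst):
    """Route chosen for `dst`: longest matching prefix, then lowest metric."""
    ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if ip in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


if __name__ == "__main__":
    routes = parse_routes(SHOW_IP_ROUTE)
    # Constructed destinations: two local subnets, the VPN subnet, and the default route.
    for dst in ("10.0.78.5", "203.0.113.77", "192.168.113.9", "198.51.100.1"):
        r = lookup(routes, dst)
        print(dst, "->", r["interface"], "via", r["gateway"] or "direct")
    print([str(r["network"]) for r in filter_routes(routes, ifname="eth1")])
```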

Improved Route Tables: Command Line Interface

To see the first 100 IPv6 routes, use show v6 ip route.
  Output: no change from 11.9.x

WG>show v6 ip route
Kernel IPv6 routing table
Destination   Next Hop   Interface   Flags   Metric
2001::/64     ::         vlan10      U       256
fe80::/64     ::         vlan10      U       256

New command options to filter the route table (same filters as in the Web UI):

WG>show v6 ip route ?
  <cr>       Carriage return
  <netipv6>  IPv6 subnet for the destination <A:B:C:D:E:F:G:H/I> <A::G:H/I> <::H/I>
  connected  Connected routes
  dynamic    Dynamic routes
  ifname     Interface device name
  static     Static routes
  vpn        VPN routes

Updated XTM Configuration Report

The XTM Configuration Report available from the Fireware Web UI now includes information about Default Packet Handling and FireCluster configuration settings.

Logging & Reporting Enhancements

Logging Enhancements

Simultaneously send log messages to two WatchGuard Log Servers:
  Two different WatchGuard Log Servers: Dimension or WSM Log Servers
  Configure two sets of Log Servers
  Add primary and backup servers for each Log Server set

Fireware XTM Web UI: Logging > Log Servers 1 & Log Servers 2 tabs
Policy Manager: Logging Setup > Configure > Log Servers 1 & Log Servers 2 tabs

Device Feedback Report Enhancements

New information in the Device Feedback sent to WatchGuard includes:
  Start and end time stamps for the feedback data sent to WatchGuard
  Peak proxy connection limit usage
  Number of proxy actions with Subscription Services enabled in the configuration
  Subscription Services details include:
    Whether the service is enabled
    Counts of the number of events for each service enabled on the Firebox
    A list of the events triggered on the Firebox for each service (includes the source IP address, protocol, and threat level of the event).

What Else is New?

Integrated Fireware Help

The v11.10 release includes the first iteration of a comprehensive online-only Help system for Fireware with integrated instructions for all Fireware management UIs.
Includes context-sensitive help topics for these management and monitoring tools:
  Fireware XTM Web UI
  WatchGuard System Manager & all WSM tools
  WatchGuard Dimension
  WatchGuard WebCenter
  WatchGuard Server Center & WatchGuard servers
  WatchGuard Deployment Center (RapidDeploy)

Additional Resources

Information about the new and enhanced features included in this release is available from these resources on the Product Documentation pages of the WatchGuard website:
  From the Help systems: Fireware Help, What's New in This Release
  From the What's New presentation: What's New in Fireware v11.10

Thank You!
