What's New in Fireware XTM v11.9.4

WatchGuard
Training

2014 WatchGuard Technologies, Inc.

What's New in v11.9.4

Authentication Enhancements
  Hotspot Enhancements
    Create custom hotspot page settings and manage Guest Administrator accounts
    Support for Guest Administrators to manage guest user accounts and create custom vouchers
  Single Sign-On Event Log Monitor Enhancements

HTTPS Proxy Content Inspection based on SNI or WebBlocker Category
  Supports SNI (Server Name Indication) to more accurately configure the domains you want to allow, block, or inspect.
  More control over the HTTPS sites you want to inspect and the sites you want to bypass.
  You can select the WebBlocker categories you want to inspect.

Branch Office VPN Enhancements
  A BOVPN Virtual Interface now supports any interface as the local gateway
  New BOVPN Configuration Reports for easier VPN troubleshooting
  Renamed Enable IPSec Pass-through VPN setting

What's New in v11.9.4

Enable/Disable SSLv3 Option in HTTPS and SMTP Proxy Actions

Offline Signature Updates

Support for /31 and /32 subnet masks

Management Server Enhancements
  Change the order of IP addresses in the Distribution IP Address list

Monitoring Enhancements
  Web UI VPN Statistics page includes statistics for Mobile VPN types on one tab
  Clear the WebBlocker cache from Firebox System Manager
  Support for NAT connections through the SNMP application layer gateway

Other Enhancements

Support for new Firebox models
  Firebox M400
  Firebox M500
  Fireware XTM OS update for Firebox M440 and Firebox T10-D

What Else is New?


Authentication Enhancements

Hotspot Enhancements
The Hotspot feature now includes these new features:
  Customize guest user authentication options for a hotspot
  Create and manage Guest Administrator user accounts
  New Wireless Guest Administration web portal for Guest Administrators to:
    Manage guest user accounts
    Configure guest user account settings
    Customize vouchers with guest user account information

Customize Guest User Authentication for Hotspots
Configure the Hotspot Connections settings for a custom hotspot page and manage Guest Administrator accounts.
  In Fireware XTM Web UI, select Authentication > Hotspot.
  In Policy Manager, select Setup > Authentication > Hotspot.

Customize Guest User Authentication for Hotspots
On the new Hotspot Connections tab:
  Select whether guest users must use credentials to connect.
  Set the number of user accounts the Guest Administrator can add.
  Add Guest Administrator user accounts.
Guest Administrator user accounts are added to the default Firebox-DB authentication server.
You can add and remove accounts, or edit them to disable the account or change the passphrase.

Customize Guest User Authentication for Hotspots
To add Guest Administrator user accounts:
  In Policy Manager, click Manage Guest Administrator Accounts.

Customize Guest User Authentication for Hotspots
  In Fireware XTM Web UI, add Guest Administrators in the Wireless Guest Administrators section.

Customize Guest User Authentication for Hotspots
Guest Administrator user accounts also appear in the Firebox or XTM device Users and Roles list, with the Guest Administrator role:
  In Policy Manager, select File > Manage Users and Roles.
  In Fireware XTM Web UI, select System > Users and Roles.

Customize Guest User Authentication for Hotspots
Custom Page settings remain the same, but have moved to the Customize Hotspot Page tab.

Guest Administration for Hotspots
Guest Administrators can connect to the Wireless Guest Administration web portal on the Firebox or XTM device to manage guest user accounts and create custom vouchers for guest user accounts.
Guest Administrators connect to the device at https://<device-ip-address>:8080/wirelessguest/ and log in to the Wireless Guest Administration web portal with Guest Administrator credentials.

Guest Administration for Hotspots
The Guest Administrator configures the user account settings for guest user accounts.
  Select the Settings tab.

Guest Administration for Hotspots
Configure these settings for guest user accounts:

User Name Prefix
  The prefix for all guest user account user names.
  When guest user accounts are generated, each user name begins with this prefix.

Account Lifetime
  The amount of time that each guest user account can be used after it is activated for the first time.
  When the guest user logs in with the guest user account credentials, the countdown starts.
  The default account lifetime is 24 hours.

Account Expiration
  The amount of time after which the guest user account expires and is removed from the Guest Accounts list.
  If the guest user account has not been activated before the account expiration time is reached, the guest user account still expires.

Guest Administration for Hotspots
The Guest Admin configures the settings for the printed vouchers that give guest users their guest user account information.
  Select the Customize Voucher tab.

Guest Administration for Hotspots
Configure these settings for the guest user vouchers:

Business Name
  The name of the company where the hotspot is located.
  The name you specify is included in the voucher text.

Contact Information
  The contact information for the company.
  This text can include instructions to get hotspot connection help as well as contact numbers or addresses.

Use a custom logo
  Upload the company logo to use on the voucher.
  The logo file can include images, text, and other special information that you want to give guest users.
  Image files must be JPG, PNG, or GIF files. There is no size constraint on the logo image files, but the recommended size is 90 x 50 pixels.

Guest Administration for Hotspots
The Guest Admin adds guest user accounts and prints vouchers.
  Select the Accounts tab.
  Specify the number of guest user accounts to create.
  Click Add and Print New Accounts.

Guest Administration for Hotspots
Example vouchers: logo only, and logo with informational text.

Guest Administration for Hotspots
Print the voucher:
  Click Print in the Print Guest Account window.

Guest Administration for Hotspots
Manage guest user accounts:
  Select the check box for an account.
  To remove the account, click Delete.
  To print a new voucher, click Print.

Single Sign-On Enhancements
Single Sign-On has been updated to support failover and load balancing for the Event Log Monitors installed on multiple domains in your network.
The SSO Agent sends a DNS resolution request to resolve the host name for the IP address of the client, and determines which domain the client is a member of.
The SSO Agent then contacts the Event Log Monitors in that domain to attempt to authenticate the client.

If multiple Event Log Monitors are installed and included in the SSO Agent Configuration, and the first Event Log Monitor is unable to resolve the authentication request, the SSO Agent will fail over to the next Event Log Monitor to attempt to resolve the request.

The SSO Agent can also contact the Event Log Monitors from other domains in your network, if they are specified in the SSO Agent configuration.

HTTPS Proxy Content Inspection based on SNI or WebBlocker Category

What is SNI?
SNI (Server Name Indication) is an extension of the TLS protocol that indicates the specific server name while making a TLS/SSL connection.
SNI is supported by most modern web browsers.
SNI is more accurate than the certificate CN (Common Name) for a site because it can determine the actual server name from the TLS handshake of the HTTPS connection.
Many web servers host several web sites that share the same IP address and multiple certificates, and these sites can share the same certificate CN (Common Name).

SNI and Certificate CN
For example, many Google services such as YouTube and Google Maps share the same certificate CN (*.google.com).
If you block access to YouTube based on the certificate CN, this would also block access to Google Maps and other services with the same CN.
SNI provides the server name that you can use to more accurately control access to specific sites and perform or bypass content inspection.
The certificate CN is used if SNI information is not available.
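As an added illustration that is not part of the WatchGuard deck, the Python below builds a constructed TLS 1.2 ClientHello carrying a server_name extension and parses the host name back out of it. It shows why a proxy can read SNI without decrypting anything (the name travels in the cleartext handshake) and what the proxy is left with when an older client sends no SNI: only the certificate CN, here the shared *.google.com from the slide. The cipher suite, zeroed random and helper names are choices made for this sample.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000  # server_name extension (RFC 6066)
HOST_NAME_TYPE = 0x00        # the only NameType defined: host_name


def build_client_hello(server_name=None):
    """Build a minimal constructed TLS 1.2 ClientHello record (no real randomness)."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(name_list)) + name_list
        extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + bytes(32)            # random (zeroed in this constructed sample)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\xc0\x2f"  # one cipher suite
        + b"\x01\x00"          # one compression method: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host_name from a ClientHello record, or None if absent.

    None is the case where the proxy must fall back to the certificate CN.
    """
    try:
        if record[0] != 0x16:                  # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                      # not a ClientHello
            return None
        pos = 4 + 2 + 32                       # handshake header, version, random
        pos += 1 + hs[pos]                     # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hs[pos]                     # compression_methods
        if pos + 2 > len(hs):                  # no extensions block at all
            return None
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != SNI_EXTENSION_TYPE:
                continue
            lp = 2                             # skip the ServerNameList length
            while lp + 3 <= len(data):
                name_type = data[lp]
                name_len = struct.unpack("!H", data[lp + 1:lp + 3])[0]
                lp += 3
                if name_type == HOST_NAME_TYPE:
                    return data[lp:lp + name_len].decode("ascii", "replace")
                lp += name_len
        return None
    except (IndexError, struct.error):         # truncated or malformed record
        return None


def name_for_policy(record, certificate_cn):
    """The name Domain Names rules see: SNI when present, otherwise the CN."""
    return extract_sni(record) or certificate_cn


if __name__ == "__main__":
    cn = "*.google.com"  # CN shared by several Google services (from the deck)
    print(name_for_policy(build_client_hello("www.youtube.com"), cn))  # www.youtube.com
    print(name_for_policy(build_client_hello("maps.google.com"), cn))  # maps.google.com
    print(name_for_policy(build_client_hello(None), cn))               # *.google.com
```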

Benefits of HTTPS Content Inspection with SNI
With selective content inspection and SNI checks in v11.9.4, you now have more control over the HTTPS sites you want to inspect and the sites you want to bypass.
For example, you can configure HTTPS content inspection but bypass banking, financial, or other sites with privacy concerns.
You can more accurately allow, block, or inspect specific sites that come from domains (Google, YouTube, etc.) that may share the same certificate common name (CN).
With WebBlocker, you can enable HTTPS content inspection only for known categories of high risk web sites.

HTTPS Content Inspection: Enable Content Inspection
To enable content inspection, in the HTTPS Proxy Action configuration, select the Enable deep inspection of HTTPS content check box.
Select the HTTP Proxy Action to apply to inspected traffic.
At this point, even when this feature is enabled globally, all HTTPS web sites will bypass inspection.
To inspect a site, you must define the domain in the Domain Names page and configure the domain with the Inspect action.

HTTPS Content Inspection: Domain Names
SNI and CN are used to check the rules configured in the Domain Names section of the HTTPS Proxy Action. The certificate CN will be used if SNI is not available.
You can allow or deny access to a site, or perform content inspection.
When content inspection is enabled, web sites will only be inspected if the domain is configured with the action Inspect.
The pattern name can be a server name (SNI), certificate common name (CN), or an IP address.
The Allow action bypasses content inspection.

HTTPS Content Inspection: Domain Names
Examine the HTTPS entries in the traffic logs for the correct SNI/CN information when you create your domain name rules.

HTTPS Content Inspection: WebBlocker
Only categories allowed by WebBlocker are displayed in the HTTPS Proxy Action WebBlocker configuration.
When content inspection is enabled, you must select the WebBlocker categories you want to perform content inspection on.
If content inspection is not enabled, WebBlocker can allow or deny the connection.
Domain Names rules have the highest priority. WebBlocker checks only occur when there is no domain name rule match and the default action is Allow.

HTTPS Content Inspection: v11.9.3 vs. v11.9.4
In v11.9.3 and lower:
  A certificate name (CN) check determines whether to allow or deny access to a site as configured in Certificate Names.
  If content inspection is enabled, all connections are redirected to the HTTP-Proxy for content inspection except for addresses defined in the Bypass List.
  WebBlocker checks to allow or block sites are performed only for traffic that is not content inspected.

In v11.9.4 and higher:
  SNI, CN, and IP address are used to check the rules configured in the Domain Names section of the HTTPS Proxy Action. The certificate CN will be used if SNI is not available.
  You inspect, allow (bypass inspection), or deny access to a domain.
  When content inspection is enabled, inspection only occurs if the domain is configured with the action Inspect.
  There is no Bypass List in v11.9.4. Set the action in Domain Names to Allow to bypass content inspection.
  When content inspection is enabled, you must choose the WebBlocker categories you want to inspect.
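As an added example (not WatchGuard code), this Python models the v11.9.4 evaluation order described on the Domain Names, WebBlocker and comparison slides: Domain Names rules are matched on SNI, on the certificate CN only when SNI is absent, and on the IP address, with Allow (bypass), Deny or Inspect; only when no rule matches and the default action is Allow does the WebBlocker category decide. The pattern syntax (exact name or IP, or a leading "*." wildcard), the category names, the documentation-range IPs and the handling of an Inspect rule while inspection is disabled are assumptions made for the demo.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

ALLOW, DENY, INSPECT = "allow", "deny", "inspect"


def _matches(candidate, pattern):
    """Assumed pattern syntax: exact host name or IP, or a leading '*.' wildcard."""
    candidate, pattern = candidate.lower(), pattern.lower()
    if pattern.startswith("*."):
        return candidate == pattern or candidate.endswith(pattern[1:])
    return candidate == pattern


@dataclass
class HttpsProxyAction:
    inspect_enabled: bool                     # "Enable deep inspection of HTTPS content"
    domain_rules: List[Tuple[str, str]]       # ordered (pattern, action) from Domain Names
    default_action: str = ALLOW               # used when no Domain Names rule matches
    webblocker_denied: Set[str] = field(default_factory=set)   # categories WebBlocker denies
    webblocker_inspect: Set[str] = field(default_factory=set)  # categories selected to inspect


def evaluate(pa, sni, cn, ip, category):
    """Return (action, reason) for one HTTPS connection.

    sni is None for a client that sends no SNI; cn is the server certificate
    Common Name; category is the WebBlocker category of the site.
    """
    # SNI is preferred; the certificate CN is used only if SNI is not available.
    candidates = [c for c in (sni or cn, ip) if c]
    for pattern, action in pa.domain_rules:       # Domain Names rules have highest priority
        if any(_matches(c, pattern) for c in candidates):
            if action == INSPECT and not pa.inspect_enabled:
                # Assumption for this demo: an Inspect rule cannot inspect while the
                # global check box is off, so the connection passes uninspected.
                return ALLOW, f"domain rule {pattern!r} (Inspect, inspection disabled)"
            return action, f"domain rule {pattern!r}"
    if pa.default_action != ALLOW:
        return pa.default_action, "default action"
    # No rule matched and the default is Allow: WebBlocker decides.
    if category in pa.webblocker_denied:
        return DENY, f"WebBlocker denies category {category!r}"
    if pa.inspect_enabled and category in pa.webblocker_inspect:
        return INSPECT, f"WebBlocker category {category!r} selected for inspection"
    return ALLOW, "no match; bypasses inspection"


# Constructed policy mirroring the deck's examples: deny YouTube by SNI, bypass
# a bank, inspect one domain explicitly, and inspect a single high-risk category.
DEMO_POLICY = HttpsProxyAction(
    inspect_enabled=True,
    domain_rules=[
        ("www.youtube.com", DENY),
        ("*.mybank.example", ALLOW),
        ("*.example.org", INSPECT),
        ("203.0.113.10", DENY),
    ],
    webblocker_denied={"Adult Material"},
    webblocker_inspect={"Malicious Web Sites"},
)

GOOGLE_CN = "*.google.com"  # CN shared by YouTube, Maps and others (from the deck)

if __name__ == "__main__":
    for sni, cn, ip, cat in [
        ("www.youtube.com", GOOGLE_CN, "198.51.100.1", "Streaming Media"),
        ("maps.google.com", GOOGLE_CN, "198.51.100.1", "Reference"),
        (None, GOOGLE_CN, "198.51.100.1", "Streaming Media"),  # no SNI: only the shared CN
        ("online.mybank.example", "online.mybank.example", "198.51.100.2", "Financial Data"),
        ("cdn.example.com", "cdn.example.com", "203.0.113.10", "Business"),
        ("docs.example.org", "*.example.org", "198.51.100.3", "Business"),
        ("bad.example.net", "bad.example.net", "198.51.100.4", "Malicious Web Sites"),
    ]:
        print(f"{sni or '(no SNI)':>22} -> {evaluate(DEMO_POLICY, sni, cn, ip, cat)}")
```

The third sample shows the v11.9.3 problem the slides describe: with no SNI, the YouTube rule cannot match because the proxy only sees the CN shared with Google Maps.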

Branch Office VPN Enhancements

BOVPN Virtual Interface Local Gateway Interface
BOVPN Virtual Interface now supports any interface as the local gateway.

You cannot use a modem for failover from a BOVPN virtual interface if a local gateway endpoint uses an interface that is not external.

From the Physical drop-down list, select any enabled physical or wireless interface.
Select Other and click Select to select any VLAN, Bridge, PPPoE, or Link Aggregation interface.

BOVPN Virtual Interface Local Gateway Interface
When you select Other, a list of logical interfaces appears.
To filter the interface list, use the Type and Zone drop-down lists, or type the interface Name.

Types:
  VLAN
  Bridge
  Link Aggregation
  PPPoE

Zones:
  Trusted
  Optional
  Custom
  External

BOVPN Configuration Reports
Three new branch office VPN configuration reports show a summary of BOVPN settings in HTML or plain text format that you can save or print.
  BOVPN Gateway Configuration Report
  BOVPN Tunnel Configuration Report
  BOVPN Virtual Interface Configuration Report

The reports make it easier to compare VPN configuration settings when you troubleshoot a branch office VPN.
The reports are available in Policy Manager and Fireware XTM Web UI in the same locations where you add or edit a VPN gateway, tunnel or BOVPN virtual interface.
In Policy Manager, these reports include information about the selected gateway, tunnel, or virtual interface.
In the Web UI, these are sections of the existing XTM Configuration Report, which also contains information about other device configuration settings.

BOVPN Gateway Configuration Report
The BOVPN Gateway Configuration Report shows settings for the selected branch office VPN gateway.
  Click Report to see the report.
  Click Show Tunnel Details to add tunnel details to the report.
  Select HTML or Plain text format.
  Save or Print the report.

BOVPN Tunnel Configuration Report
The BOVPN Tunnel Configuration Report shows settings for the selected branch office VPN tunnel.
  Click Report to see the report.
  Click Show Gateway Details to add gateway details to the report.
  Select HTML or Plain text format.
  Save or Print the report.

BOVPN Virtual Interface Configuration Report
The BOVPN Virtual Interface Configuration Report shows settings for the selected BOVPN virtual interface.
  Click Report to see the report.
  Select HTML or Plain text format.
  Save or Print the report.

BOVPN Configuration Reports in the Web UI
In the Web UI, reports are available for BOVPN gateways and tunnels.
Click Report to see the XTM Configuration Report in a new browser window, scrolled to the section for the tunnel or gateway you selected.
Make sure that your browser is configured to allow pop-ups for Fireware XTM Web UI.

This is the same report available from the System > Configuration File page.

VPN Global Settings Update
The Global VPN setting Enable IPSec Pass-through has been renamed to clarify that this adds a policy to enable outbound IPSec traffic.
The functionality of the new Add a Policy to enable outbound IPSec pass-through check box is unchanged.
When you select this option, a policy called WatchGuard IPSec is automatically generated.
This policy allows IPSec VPN clients on the trusted or optional networks to make outbound IPSec VPN connections.

Enable/Disable SSLv3 in HTTPS and SMTP Proxy Actions

Enable/Disable SSLv3 in HTTPS & SMTP Proxy Actions
Vulnerabilities were recently discovered in the SSLv3 protocol (the POODLE vulnerability).
You can now disable or enable SSLv3 in the HTTPS proxy action (Content Inspection) and the SMTP proxy action (TLS Encryption).
SSLv3 and SSLv2 are disabled by default.

31-bit and 32-bit Subnet Mask Support
You can now configure an external interface IP address with a /31 or /32 subnet mask.
  /31 and /32 addresses are used to conserve IPv4 address space.
  Supported in Mixed Routing mode only.

31-bit Subnet Mask (/31)
  Supported for any external interface (physical, VLAN, Bridge, Link Aggregation).
  Often used for point-to-point networks as described in RFC 3021.

32-bit Subnet Mask (/32)
  Supported only for physical external interfaces.
  Not supported for virtual interfaces (VLAN, Link Aggregation, Bridge).
  A 32-bit subnet mask defines a network with only one IP address.
  You cannot use a /32 subnet mask for a virtual external interface, because these interfaces do not support a gateway on a different subnet.

Offline Signature Updates

Offline Signature Updates
For security reasons, some customer environments require direct control over the distribution and installation of periodic signature updates for signature services such as Gateway AntiVirus, Intrusion Prevention, and Data Loss Prevention.
WatchGuard now offers Offline Signature Updates, which enable you to download the latest signatures for these services directly from WatchGuard, and then use a special utility to manually install these files on your WatchGuard Firebox or XTM devices.
A special set of credentials is required to access the signature update files from the WatchGuard servers. For more information, contact your local WatchGuard representative.

Management Server Enhancements

Distribution IP Address List
Change the order of IP addresses in the Distribution IP Address list.
This feature is important for Management Tunnels, to make sure that the private IP address of the Management Server appears first in the list.

Expire Lease on Device Folder
When you connect to your Management Server in WSM, you can now expire the lease on all the devices in these folders:
  Filtered View > Pending
  Any folder in the Devices tree

Right-click the folder and select Expire Lease to expire the lease on all devices in that folder.

New Device Configuration Template Version
The Management Server now includes a new version option for Device Configuration Templates.
When you create a new template, select from these new options:
  Fireware XTM v11.4-11.9.3
  Fireware XTM v11.9.4 or later

Monitoring Enhancements

View VPN Statistics
From the Fireware XTM Web UI System Status > VPN Statistics page, on the Branch Office VPN tab, you can see the statistics for the virtual interfaces and gateways configured for the Branch Office VPNs on your device.
You can filter the page details to see only virtual interfaces, gateways, or both.
You can also use the Search feature to locate an interface or gateway in the list.

View VPN Statistics
Expand a gateway or virtual interface to see the active tunnels.
Expand a tunnel to see statistics for that tunnel.
Click Edit to go to the Branch Office VPN / Edit page for the selected gateway.
  If the tunnel was created by the Management Server, the Edit button is not available.
Click Rekey tunnel to rekey the selected tunnel.

View VPN Statistics
Fireware XTM Web UI now includes statistics for all Mobile VPN types on one tab.
  Select System Status > VPN Statistics.
  Select the Mobile VPN tab.
  Select the Mobile VPN type to show:
    All
    IPSec
    SSL
    PPTP
    L2TP

View VPN Statistics
For each Mobile VPN type that you select, a list of users for that tunnel type appears.
Click a user to see statistics for that user.

Clear WebBlocker Cache
From Firebox System Manager, clear the WebBlocker cache.
  Select Tools > Clear WebBlocker Cache.
  Supported for single Firebox or XTM devices and FireClusters.

View DNS Server Details
When you configure the external interface on your device to use PPPoE, you can see the DNS server information in the Firebox status in the Web UI, WSM, and FSM.
  Web UI: DASHBOARD > Interfaces > Detail

View DNS Server Details
  WSM: Device Status > Firebox Status > DNS Servers

Monitoring Enhancements: View DNS Server Details
  FSM: Front Panel > DNS Servers

SNMP Enhancements

SNMP Enhancements
You can now enable your device to use NAT for connections through the SNMP application layer gateway.
When you enable this option, all SNMP connections are forced to use NAT.
In the Web UI, select System > SNMP and select the Use NAT for connections through the SNMP application layer gateway check box.

SNMP Enhancements
In Policy Manager, select Setup > SNMP and select the Use NAT for connections through the SNMP application layer gateway check box.

Other Enhancements

Other Enhancements
You can now set the maximum time interval for failed FTP logins per connection in the FTP client and server proxy actions.
You can now manage the Gateway Wireless Controller from the Command Line Interface (CLI).
MAC address reservations for AP wireless devices are now limited to 256.

Support for New Firebox Models

Support for New Firebox Models
WatchGuard System Manager v11.9.4 adds support for management of two new Firebox models.
  Firebox M400
  Firebox M500

Fireware XTM OS v11.9.4 is the first OS update available for these models:
  Firebox M400
  Firebox M500
  Firebox M440
  Firebox T10-D

New Models: Firebox M400 and Firebox M500
Firebox M400
  6x 1 Gb interfaces
  2x 1 Gb SFP ports
  150 to 350 users
  Replaces XTM 525

Firebox M500
  6x 1 Gb interfaces
  2x 1 Gb SFP ports
  350 to 750 users
  Replaces XTM 535 and XTM 545

SFP transceivers available as accessories:
  1 Gb Fiber to Copper
  1 Gb Fiber

New Model: Firebox M440
Support for Firebox M440 was added in v11.9.3.
  25x 1 Gb interfaces, 8 with Power over Ethernet
  2x 10 Gb SFP+ fiber interfaces (transceivers sold separately)

Firebox T10-D
The Firebox T10-D is a DSL device.
Interface 0 is an ADSL/VDSL RJ11 interface.

DSL specifications:
  VDSL2 8a, 8b, 8c, 8d, 12a, 12b, 17a, 30a profiles
  ADSL1/2/2+
  DSL mode: Annex A

DSL settings are automatically configured. There are no user-configurable DSL settings.

The Firebox T10-D is supported only in Europe, Australia, and New Zealand.

Firebox T10-D ADSL
ADSL service providers require the DSL device to use specific Virtual Path Identifier (VPI) and Virtual Circuit Identifier (VCI) settings.

The Firebox T10-D supports eight VPI/VCI combinations:
  VPI = 0, VCI = 32
  VPI = 0, VCI = 35
  VPI = 0, VCI = 38
  VPI = 0, VCI = 100
  VPI = 1, VCI = 32
  VPI = 8, VCI = 35
  VPI = 8, VCI = 36
  VPI = 8, VCI = 48

If the connection fails with these VPI/VCI settings, the Firebox automatically polls the ISP to try additional VPI/VCI combinations: 0/32, 0/33, 0/34, 0/50, 0/67, 1/33, 1/39, 1/50, 2/32, 8/67, 8/81, 14/24.

If the ISP disables ATM OAM F5 ping responses, automatic polling cannot use these alternate VPI/VCI combinations to establish a connection.

Work with your local WatchGuard Sales Engineer if you are interested in exploring and testing DSL configurations that are not supported by default.

For a list of VPI and VCI settings required by some service providers, see: Firebox T10-D VDSL and ADSL requirements by service provider

Firebox T10-D VDSL
For VDSL, the external interface must use a VLAN ID specified by the ISP.
To configure the required VLAN:
  Add an external VLAN, with the VLAN ID and external network settings (PPPoE, static IP address, or DHCP).
  Configure Interface 0 to send and receive tagged traffic for the external VLAN.

For a list of VLAN IDs required by some service providers, see: Firebox T10-D VDSL and ADSL requirements by service provider

Firebox T10-D DSL Status
The Status Report tab in Firebox System Manager shows DSL status:
  DSL link status
  DSL mode
  DSL firmware version

The same status information is available with the CLI command:
  diagnose hardware dsl

What Else is New?

VPN Troubleshooting Help
New troubleshooting guides for Mobile VPN with IPSec, SSL, L2TP, and PPTP.
Tips to help resolve the most common mobile VPN configuration issues.
Find them in the WatchGuard System Manager Help and Fireware XTM Web UI Help for each mobile VPN type.

Additional Resources

Additional Resources
Information about the new and enhanced features included in this release is available from these resources on the Product Documentation pages of the WatchGuard website:

From the Help systems:
  WatchGuard System Manager Help: What's New in This Release
  Fireware XTM Web UI Help: What's New in This Release
  WatchGuard Dimension Help: What's New in This Release
The What's New in This Release topics also include information about features and enhancements for recent previous releases.

From the What's New presentation:
  What's New in Fireware XTM v11.9.4

Thank You!
