What's New in Fireware v11.12
- Geolocation subscription service
- New BOVPN virtual interface that supports non-GRE IPSec tunnels to Microsoft Azure and Cisco VTI
- Threat Detection and Response subscription service (Beta)
- IPv6 support in proxy policies and subscription services
- Setup wizards enable services and proxies by default
- AP device enhancements
- DHCP support for Active/Passive FireClusters
- X-Forwarded detail in proxy headers shows client IP addresses in log messages
- Use a domain name to specify a URL for external hotspot authentication
- Specify resources that guest wireless users can access without authentication
- Mobile VPN with SSL enhancements
- ConnectWise integration
- Other enhancements:
  - Support for the Huawei E3372 modem variant with a different product ID
  - Proxy connection statistics
  - WebBlocker proxy server support
  - APT Blocker file size increase
  - BOVPN pre-shared key length increase
  - Active Directory Server Settings UI updates
  - FQDN support for Log Server addresses
  - Change to auto-blocked sites list functionality
Geolocation
Block traffic based on geographic location
Geolocation is a subscription service that enables the Firebox to block connections to or from specified geographic locations.

- To enable Geolocation, the Firebox feature key must have the Reputation Enabled Defense (RED) subscription service enabled; if the feature key has RED enabled, Geolocation is enabled
- Geolocation information is available on the Geolocation dashboard in Fireware Web UI and in log messages
- No countries are blocked by default

In Fireware Web UI or Policy Manager, select Subscription Services > Geolocation. Select countries to block:
- Map — Select countries on a map
- Country List — Select countries from a list
- Exceptions — Specify sites to never block

Geolocation — Map
On the Map tab, select countries to block:
- Lock or unlock the map
- Click a country to block new connections to or from that country

Geolocation — Country List
On the Country List tab, select countries to block:
- Expand or collapse continents in the list
- Select which countries to block
- Click Select All to select all countries on a continent

Geolocation — Exceptions
On the Exceptions tab, specify sites to never block based on geographic location:
- IPv4 host, network, or address range
- IPv6 host, network, or address range
- Fully qualified domain name (FQDN)

Geolocation — Update Server
The Update Server settings control updates to the Geolocation database. Automatic updates are enabled by default.

Geolocation — Dashboard
The Geolocation Dashboard in Fireware Web UI shows allowed connections by country. This Dashboard page does not show blocked connections.

The Map tab visually represents the source and destination locations of connections allowed through the Firebox. Country color indicates the number of connections:
- Dark green — Highest
- Light green — Lower
- Yellow — Lowest
Filter connections by:
- All Connections
- Source Country
- Destination Country

The Country List tab shows connection details by country:
- Ranked lists show the top countries by the number of hits
- Click a country name to see a list of connections

The dashboard also lets you look up the country associated with an IP address.

Geolocation Activity
- Fireware Web UI: Dashboard > Subscription Services
- Firebox System Manager: Subscription Services tab
New Virtual Interface for BOVPNs
BOVPN virtual interface support for non-GRE IPSec tunnels to Microsoft Azure and Cisco VTI endpoints
A BOVPN virtual interface now supports IPSec tunnels to third-party endpoints without GRE. Microsoft Azure and Cisco Virtual Tunnel Interface (VTI) gateway endpoints are supported.

In the BOVPN Virtual Interface configuration, there is a new Remote Endpoint Type setting:
- Firebox — Select this option for a connection to another Firebox or another gateway endpoint that supports GRE over IPSec
- Cloud VPN or Third-Party Gateway — Select this option for a connection to a Microsoft Azure or Cisco VTI endpoint. This establishes an IPSec VPN tunnel without GRE

The new BOVPN virtual interface supports OSPF and BGP:
- To configure dynamic routing with BGP to Microsoft Azure, you must use Microsoft PowerShell
- Microsoft Azure does not support OSPF
- Cisco VTI supports OSPF and BGP

To configure a BOVPN virtual interface to a Microsoft Azure VPN gateway using static routing:
1. Configure the Azure virtual network
2. In your Firebox configuration, set the Remote Endpoint Type to Cloud VPN or Third-Party Gateway
3. Add a VPN route to the Azure virtual network
4. Configure the BOVPN virtual interface to use IKEv2. Azure requires IKEv2

To configure a BOVPN virtual interface to a Microsoft Azure VPN gateway using BGP dynamic routing:
1. Configure the Azure virtual network
2. In your Firebox configuration, set the Remote Endpoint Type to Cloud VPN or Third-Party Gateway
3. Configure the BOVPN virtual interface to use IKEv2. Azure requires IKEv2
4. Add a virtual IP address for the Firebox
5. Add a virtual IP address for the Azure gateway. Do not use a netmask
6. Specify the BGP commands on the Firebox
7. Specify the PowerShell commands on your Azure network

To configure a BOVPN virtual interface to a Cisco VTI endpoint with static routing:
1. Configure the Cisco device
2. In your Firebox configuration, set the Remote Endpoint Type to Cloud VPN or Third-Party Gateway
3. Configure the BOVPN virtual interface to use either IKEv1 or IKEv2; Cisco supports both options
4. Add a route to the Cisco device

To configure a BOVPN virtual interface to a Cisco VTI endpoint with dynamic routing (OSPF or BGP):
1. Configure the Cisco device
2. In your Firebox configuration, set the Remote Endpoint Type to Cloud VPN or Third-Party Gateway
3. Select Assign virtual interface IP addresses and type the required IP addresses
4. Enable OSPF or BGP on your Firebox, with the required OSPF or BGP commands
Threat Detection and Response
Extend WatchGuard's network security to monitor and protect the endpoint
Threat Detection and Response (TDR) is a new cloud-based subscription service that analyzes and responds to security events reported by the Firebox and network endpoints.

- Public Beta starts November 14th, 2016
- Open to all, including those without Total Security Suite
- Supported on Firebox and XTMv models only
- Requires Fireware v11.12 or higher
- Threat Detection and Response is part of the Total Security Bundle or available as a separate security subscription
- Threat Detection and Response enables immediate action against new or hidden threats by correlating network and endpoint security events into a scored ranking

Threat Detection and Response collects, analyzes, and correlates threat indicators reported by Fireboxes and hosts:
- Fireboxes report denied, blocked, and dropped connections
- Host Sensors use heuristics and behavioral analysis to report changes to files, processes, registry entries, and host configuration settings
- ThreatSync correlates threat intelligence, a cloud-based malware verification service, and the Host Sensor heuristics and behavior analyses to evaluate and score reported indicators and incidents
- Indicators are events reported by Host Sensors and Fireboxes
- Incidents are groups of related indicators
- The incident threat score is based on the threat scores of its indicators

To use TDR:
- Enable Threat Detection and Response on the Firebox
- Log in to the Threat Detection and Response cloud to manage Host Sensors, threats, remediations, policies, and exclusions
IPv6 Support
IPv6 support in proxy policies and services
IPv6 Support — Proxy Policies

Added support for IPv6 addresses in proxy policies:

Feature                         Fireware v11.11.x   Fireware v11.12
Packet filter policies (all)    Supported           Supported
Proxy policies                  Not supported       Supported
  (DNS-proxy, Explicit-proxy, FTP-proxy, HTTP-proxy, HTTPS-proxy, POP3-proxy, SMTP-proxy, TCP-UDP-proxy)
Application Layer Gateways      Not supported       Not supported
  (SIP-ALG, H323-ALG)

You can now specify an IPv6 address as the source or destination in a proxy policy:
- Host IPv6
- Network IPv6
- Host Range IPv6

IPv6 Support — Subscription Services

Added IPv6 support in Subscription Services:

Feature                         Fireware v11.11.x   Fireware v11.12
Application Control             Not supported       Supported
Intrusion Prevention Service    Not supported       Supported
WebBlocker                      Not supported       Supported
Gateway AntiVirus               Not supported       Supported
APT Blocker                     Not supported       Supported
spamBlocker                     Not supported       Supported
Data Loss Prevention            Not supported       Supported
Reputation Enabled Defense      Not supported       Supported *

* If a client sends an HTTP request directly to an IPv6 address (instead of a host name), Reputation Enabled Defense does not send the IPv6 address to the server for classification. Such requests therefore get no reputation score, so the HTTP-proxy's other checks (for example Gateway AntiVirus) are what remains for them.

Many WatchGuard partners have not yet implemented IPv6 in their cloud infrastructure. For these Subscription Services that connect to an external service for scoring, you must configure the external interface with both an IPv4 address and an IPv6 address:
- WebBlocker
- APT Blocker
- spamBlocker
Setup Wizards Enable Proxies and Services
Setup wizards enable proxy policies and most licensed subscription services by default
The setup wizards now configure policies and enable most Subscription Services to provide better security by default. The setup wizards:
- Configure FTP-proxy, HTTP-proxy, and HTTPS-proxy policies
- Configure DNS and Outgoing packet-filter policies
- Enable licensed security services: Application Control, Gateway AntiVirus, WebBlocker, Intrusion Prevention Service, Reputation Enabled Defense, Botnet Detection, Geolocation, APT Blocker
- Recommend WebBlocker categories to block

The new default configuration provides better security with less manual configuration.

Changes to the default policies created by the Web Setup Wizard and Quick Setup Wizard in Fireware OS v11.12:
- No FTP packet filter policy
- New FTP-proxy, HTTP-proxy, HTTPS-proxy, and DNS policies

Default policies in Fireware v11.11.x and lower   Default policies in Fireware v11.12
FTP                                                FTP-proxy
                                                   HTTP-proxy
                                                   HTTPS-proxy
WatchGuard Web UI                                  WatchGuard Web UI
Ping                                               Ping
                                                   DNS
WatchGuard                                         WatchGuard
Outgoing                                           Outgoing

In the Web Setup Wizard, the Subscription Services step shows your Subscription Services, which will be enabled in your Firebox configuration when the wizard completes. The WebBlocker Settings step recommends the WebBlocker categories to block. The Summary page shows which Subscription Services are enabled.

The WatchGuard Quick Setup Wizard also has two new steps:
- The Subscription Services step appears only if you add a feature key that includes licensed Subscription Services
- The WebBlocker Settings step appears only if you add a feature key that includes a WebBlocker license

Both setup wizards configure the same default policies.

WebBlocker default configuration:
- Enabled in the HTTP-proxy and HTTPS-proxy policies
- The Default-WebBlocker action blocks the categories you selected
- If the Firebox cannot connect to the WebBlocker Server, the Default-WebBlocker action allows the connection, sends an alarm, and creates a log message
- If the WebBlocker license expires, the Default-WebBlocker action allows access to all sites
Both of these defaults fail open: a WebBlocker Server outage or a lapsed license leaves URL filtering silently disabled, so monitor the alarm and the license status rather than assuming blocking is in effect.

Gateway AntiVirus is enabled in the FTP-proxy and HTTP-proxy policies.

In the HTTP-proxy action:
- HTTP Request > URL Paths: AV Scan all content
- HTTP Response > Content Types: AV Scan all content
- HTTP Response > Body Content Types: Deny executable and compressed archive file types; AV Scan other body content types

Gateway AntiVirus in the FTP-proxy:
- Download and Upload: AV Scan all files

AntiVirus settings in the HTTP and FTP proxy actions:
- Drop the connection if a virus is detected
- Allow the connection if a scan error occurs
Allowing on scan error is also a fail-open choice; if that is not acceptable for your environment, change it in the proxy action.

Intrusion Prevention Service is enabled in all policies, except the WatchGuard and WatchGuard Web UI policies. IPS settings:
- Scan mode: Fast Scan
- Threat level actions:
  - Critical, High — Drop, Alarm, Log
  - Medium — Drop, Log
  - Low — Allow, Log
  - Information — Allow

Application Control is enabled in all policies, except the WatchGuard and WatchGuard Web UI policies. The Global action blocks:
- Application — Crypto Admin
- Application Category — Bypass Proxies and Tunnels

APT Blocker is enabled in the HTTP-proxy and FTP-proxy. Threat actions:
- High — Block, Alarm, Log
- Medium — Drop, Alarm, Log
- Low — Drop, Alarm, Log
- Clean — Allow

Reputation Enabled Defense is enabled in the HTTP-proxy:
- Immediately blocks URLs that have a bad reputation
- Alarm and Log are enabled
- Does not bypass virus scanning for URLs with a good reputation

Botnet Detection and Geolocation are also enabled if the Firebox feature key has Reputation Enabled Defense (RED) enabled.

New proxy actions are used by the default proxy policies:
- Default-FTP-Client: based on FTP-Client.Standard; Gateway AntiVirus is enabled
- Default-HTTP-Client: based on HTTP-Client.Standard; WebBlocker, Gateway AntiVirus, RED, and APT Blocker are enabled
- Default-HTTPS-Client: based on HTTPS-Client.Standard; WebBlocker is enabled, Content Inspection is not enabled
Because Content Inspection is off in Default-HTTPS-Client, HTTPS traffic is not decrypted, so Gateway AntiVirus, APT Blocker, and RED do not see HTTPS content; only WebBlocker applies to those connections.

The setup wizards enable logging for reports:
- For the Ping, DNS, and Outgoing policies, logging is enabled at the policy level: Send a log message and Send a log message for reports are both enabled
- For the FTP-proxy, HTTP-proxy, and HTTPS-proxy policies, logging is enabled in the associated proxy action: Enable logging for reports is enabled in the Default-FTP-Client, Default-HTTP-Client, and Default-HTTPS-Client proxy actions

The setup wizards enable logging of performance statistics:
- External interface and VPN bandwidth statistics
- Security Services statistics
These log messages enable richer Dimension reporting.
AP Device Enhancements
New and enhanced features for AP devices include:
- AP device wireless automatic channel allocation
- AP device wireless deployment over-the-air
- Remote AP device deployment with Mobile VPN with SSL

Wireless Automatic Channel Allocation

The channels used by AP devices can be automatically selected and allocated for optimal wireless channel selection across your deployment:
- Channels are scanned and selected during the Wireless Scan Interval configured in the Gateway Wireless Controller Settings (default is every hour)
- Works with all AP device models
- The Preferred Channel for an AP must be set to Auto to use the new automatic channel selection

Preferred Channel Settings

For manual channel selection, the Preferred Channel list now displays all channels. Click View Available Channels to see the channels available to you based on your region and wireless configuration. Note: Extension channel configuration is removed (set to lower channel only).

AP Device Wireless Deployment

Deploy AP300 devices over-the-air without physical cables:
- When the network cable is disconnected, the AP device switches to client mode and associates to the nearest wired AP300 device
- A client mode AP device deployed wirelessly broadcasts any configured SSIDs on the 2.4GHz radio only
- The 5GHz radio is only used for the extender link; any SSIDs configured on the 5GHz radio are not broadcast by an AP device wirelessly deployed in client mode

Requirements and behavior:
- Supported for AP300 devices only
- AP devices must be initially deployed (paired or auto-deployed) with a cable before the AP device can be deployed over-the-air
- A wired AP device must be in range for the AP device to be able to connect in client mode and deploy over-the-air
- Wireless deployment uses the 5GHz band radio for the extender link for AP client mode connections; you must have fewer than the maximum 8 SSIDs configured on the 5GHz radio for this to work
- If you reconnect a network cable, the client mode AP device reverts to normal operation and disconnects from the wired host AP device

To enable, select Network > Gateway Wireless Controller > Settings, then select Enable deployment over wireless.

Remote AP Device Deployment

You can now deploy your AP devices in remote locations with Mobile VPN with SSL. Available for only these AP device models: AP100, AP102, AP200, AP300.

Remote AP device deployment uses Mobile VPN with SSL on the Firebox:
- You must create a user account and VPN profile on the Firebox for a remotely-deployed AP device
- The VPN tunnel allows Gateway Wireless Controller management traffic through to manage the remote AP device
- Telecommuter mode can be enabled for each SSID
- Traffic for an SSID enabled for telecommuter mode is bridged over the VPN to the Firebox

To configure your Firebox for remote AP device deployment:
1. In your Firebox configuration, enable Mobile VPN with SSL. To use Telecommuter mode, the VPN must be configured for Bridge VPN traffic instead of Routed VPN traffic
2. Create a user account to use for the AP devices (these can be separate for each AP device or a shared account; a separate account per AP device lets you revoke one device's VPN access without affecting the others). Make sure the account belongs to the SSLVPN-Users authentication group
3. Download the Mobile VPN with SSL client profile from https://<Firebox address>
4. Connect to the AP device web UI, select Enable VPN, click Browse to select the Mobile VPN profile you downloaded, then type the VPN username and password
5. For telecommuter mode, enable the feature in the Gateway Wireless Controller SSID configuration
DHCP Support for FireCluster
Enable an Active/Passive FireCluster that supports external addresses configured for DHCP
- If your external interface uses DHCP, you can now enable an Active/Passive FireCluster
- Active/Active FireCluster is not supported when the external interface uses DHCP

The option is available in both the FireCluster Setup Wizard and in manual FireCluster configuration.
Mobile VPN with SSL Enhancements
Updates to Mobile VPN with SSL authentication policies and the Authentication Portal
- In Fireware OS v11.11.4 and lower, a WatchGuard Authentication policy was automatically added to your configuration file when you enabled Mobile VPN with SSL. This policy allowed traffic over port 4100 and included the alias Any-External in the policy From list
- In Fireware OS v11.12, when you enable Mobile VPN with SSL, a WatchGuard Authentication policy that allows traffic over port 4100 is no longer created

After you upgrade your Firebox to Fireware OS v11.12, if your configuration file includes a WatchGuard Authentication policy, the alias Any-External is automatically removed. If you upgrade with Policy Manager, you must manually reload the configuration from the Firebox after the upgrade completes; because Policy Manager is an offline configuration tool, a subsequent save of the stale configuration would otherwise add the alias back. Review the policy's From list after the upgrade to confirm it contains only the sources you intend.

IMPORTANT: The alias Any-External is automatically removed from the WatchGuard Authentication policy even if you manually added the alias, and regardless of whether Mobile VPN with SSL is enabled.

The Mobile VPN with SSL authentication and software download pages are no longer accessible at port 4100. Use these port 443 URLs, or specify a custom port:
- Port 443: https://<Firebox-IP-address> and https://<Firebox-IP-address>/sslvpn.html
- Custom port: https://<Firebox-IP-address>:<port> and https://<Firebox-IP-address>:<port>/sslvpn.html

In Fireware OS v11.11.4 and lower, when you enable Mobile VPN with SSL, all user authentication methods appear in the Authentication Portal Domain drop-down list at https://<Firebox-IP-address>. In Fireware OS v11.12, when Mobile VPN with SSL is enabled on your Firebox and you connect to the Authentication Portal at https://<Firebox-IP-address>, you only see the authentication servers that you have configured on your Firebox for Mobile VPN with SSL.

For example, if the only authentication server specified in your Mobile VPN with SSL settings is Firebox-DB, the Domain drop-down list does not appear in the Authentication Portal.
See X-Forwarded Details in Proxy Headers
X-Forwarded information from the proxy header includes the IP addresses of clients behind a proxy policy
Log messages and Dimension reports can now show the IP addresses of clients behind proxy policies. The Firebox records both the IP address of the proxy server (for example, Squid, WebMarshal, or XCS) and the client IP address taken from the X-Forwarded-For header; the client address now appears in log messages in the ori_src detail.

Example log messages that show the ori_src detail:

<ProxyMatch d="2016-09-02T10:54:35" orig="gary_xtmv" cname="" proc_id="http-proxy" pri="6" rc="594" seq="276" disp="Deny" msg_id="1AFF-0028" src_intf="1-Trusted" dst_intf="0-External" policy="HTTP-proxy-00" src_ip="10.0.1.2" dst_ip="100.100.100.3" src_port="41208" dst_port="80" pr="http/tcp" msg="ProxyDrop: HTTP Virus found" proxy_act="HTTP-Client.Standard.1" ori_src="1.1.1.1" virus="Object tmp/scan_03.UTvg4d detected as PUP (Potentially Unwanted Program)" host="100.100.100.3" path="/ss/0db44a8f3bffa0488793e15e1076efcc7b6d77f5bc436ffe6bf6f65cfb5e20a9" log_type="tr"/>

<ProxyHTTPReq d="2016-09-02T10:54:35" orig="gary_xtmv" cname="" proc_id="http-proxy" pri="6" rc="525" seq="277" disp="Allow" msg_id="1AFF-0024" src_intf="1-Trusted" dst_intf="0-External" policy="HTTP-proxy-00" src_ip="10.0.1.2" dst_ip="100.100.100.3" src_port="41208" dst_port="80" pr="http/tcp" msg="HTTP request" proxy_act="HTTP-Client.Standard.1" ori_src="1.1.1.1" op="GET" dstname="100.100.100.3" arg="/ss/0db44a8f3bffa0488793e15e1076efcc7b6d77f5bc436ffe6bf6f65cfb5e20a9" sent_bytes="233" rcvd_bytes="2406296" elapsed_time="0.026119 sec(s)" reputation="-1" reason="262184" action="drop" log_type="tr"/>

In both messages src_ip is the proxy server (10.0.1.2) and ori_src is the client behind it (1.1.1.1).

When you review log messages and reports, instead of the IP address of the proxy server, you now see the real IP address of the client where the traffic originated. Available in reports only with Dimension v2.1.1 and higher.

The X-Forwarded-For header is written by whatever sits upstream of the Firebox, so ori_src is only as trustworthy as that hop: a client that reaches the Firebox directly can put any value in the header. Treat ori_src as the client address only when src_ip is one of your own proxy servers.
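As an added example (not WatchGuard's code and not part of this deck), the following Python parses proxy log messages in the format shown above, reads the ori_src detail, and attributes each event to that address only when src_ip is a proxy you operate. The sample log lines, the device name fw1 and the trusted proxy address 10.0.1.2 are constructed for the example.

```python
"""Attribute Firebox proxy log events to the real client.

Added example, not WatchGuard code. Fireware v11.12 writes the client
address from the X-Forwarded-For header into the ori_src detail of
proxy log messages; src_ip stays the TCP peer (the forward proxy).
The log lines and proxy address below are constructed for the example.
"""
import ipaddress
import re
from collections import Counter

# Assumption: these are the only forward proxies on the trusted network,
# so an X-Forwarded-For value is believed only when src_ip is one of them.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.1.2")}

# Attributes in Firebox log messages are key="value" pairs.
_KV_RE = re.compile(r'(\w+)="([^"]*)"')
_TAG_RE = re.compile(r"\s*<(\w+)")

# Constructed sample messages, same layout as the deck's example.
SAMPLE_LINES = [
    '<ProxyMatch d="2016-09-02T10:54:35" orig="fw1" proc_id="http-proxy" '
    'disp="Deny" msg_id="1AFF-0028" policy="HTTP-proxy-00" src_ip="10.0.1.2" '
    'dst_ip="100.100.100.3" src_port="41208" dst_port="80" pr="http/tcp" '
    'msg="ProxyDrop: HTTP Virus found" ori_src="192.0.2.10" log_type="tr"/>',
    '<ProxyHTTPReq d="2016-09-02T10:54:36" orig="fw1" proc_id="http-proxy" '
    'disp="Allow" msg_id="1AFF-0024" policy="HTTP-proxy-00" src_ip="10.0.1.2" '
    'dst_ip="100.100.100.3" src_port="41210" dst_port="80" pr="http/tcp" '
    'msg="HTTP request" ori_src="192.0.2.11" op="GET" log_type="tr"/>',
    # A host that is not a proxy sent its own X-Forwarded-For header.
    '<ProxyMatch d="2016-09-02T10:55:01" orig="fw1" proc_id="http-proxy" '
    'disp="Deny" msg_id="1AFF-0028" policy="HTTP-proxy-00" src_ip="10.0.1.50" '
    'dst_ip="100.100.100.3" src_port="50211" dst_port="80" pr="http/tcp" '
    'msg="ProxyDrop: HTTP Virus found" ori_src="203.0.113.9" log_type="tr"/>',
]


def parse_log_message(line: str) -> dict:
    """Return the message type plus all key="value" attributes of one log line."""
    fields = dict(_KV_RE.findall(line))
    tag = _TAG_RE.match(line)
    fields["_type"] = tag.group(1) if tag else ""
    return fields


def _as_ip(value: str):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def effective_client(fields: dict) -> str:
    """Address to attribute the connection to.

    ori_src comes from a header any upstream hop can write, so it is used
    only when the TCP peer (src_ip) is a proxy we operate; otherwise the
    peer itself is the client and ori_src is ignored as untrusted input.
    """
    src = _as_ip(fields.get("src_ip", ""))
    ori = _as_ip(fields.get("ori_src", ""))
    if src in TRUSTED_PROXIES and ori is not None:
        return str(ori)
    return fields.get("src_ip", "")


def denied_by_client(lines) -> Counter:
    """Count proxy denials (disp="Deny") per effective client address."""
    counts = Counter()
    for line in lines:
        fields = parse_log_message(line)
        if fields.get("disp") == "Deny":
            counts[effective_client(fields)] += 1
    return counts


if __name__ == "__main__":
    for client, n in denied_by_client(SAMPLE_LINES).most_common():
        print(f"{client:>15}  {n} denied")
```

Run it as a script to print denials per client. The effective_client rule is the one to carry into Dimension-style reports or SIEM correlation built from these messages: the third sample line shows why, since a host that talks to the Firebox directly can claim any ori_src it likes.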
External Hotspot Authentication URL
Use a domain name to specify an authentication server
When you set up external guest authentication for a wireless hotspot, you must specify the URL of an authentication server. In Fireware v11.12, you can now specify a domain name for the authentication server URL instead of an IP address.
Wireless Authentication Exceptions
Allow wireless guests to access select network resources without authenticating
The hotspot configuration now includes an Authentication Exception list, where you can specify the resources that guest wireless users can use without authentication. The Authentication Exception list can include:
- FQDN addresses
- IPv4 hosts
- IPv4 networks
- IPv4 ranges

The list is available on the Hotspot Authentication tab and on the Hotspot External Guest Authentication tab.

Keep this list to what unauthenticated guests genuinely need (for example, the external authentication server itself); every entry is reachable before any identity has been established.
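As an added example (not WatchGuard's code), the following Python models how an exception list of the kind used on the Geolocation Exceptions tab and in the hotspot Authentication Exception list is matched: single hosts, networks, first-last ranges (IPv4 and IPv6, which the Geolocation list accepts) and FQDNs, evaluated first-match, with the Geolocation rule that an exception always wins over a country block. The entries, the DNS answers in DNS_FIXTURE and the two-letter country placeholders are constructed; should_block takes the country as an input because the example has no geolocation database.

```python
"""Evaluate an address against a Firebox-style exception list.

Added example, not WatchGuard code. Both the Geolocation Exceptions tab
and the hotspot Authentication Exception list accept hosts, networks,
address ranges and FQDNs; this shows how such a list is matched and how
an exception takes precedence over a country block. The entries, the
DNS answers and the country values below are constructed.
"""
import ipaddress
from typing import Callable, Iterable, Optional

# Assumption: what the Firebox resolver returns for each FQDN entry. On a
# real device this is live DNS, so an FQDN exception is only as reliable
# as the DNS path the Firebox uses.
DNS_FIXTURE = {
    "updates.example.com": ("192.0.2.40", "2001:db8:1::40"),
}


def _try_ip(text: str):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def parse_exception(entry: str) -> Callable:
    """Compile one list entry into a predicate over ipaddress objects."""
    entry = entry.strip()
    host = _try_ip(entry)
    if host is not None:                       # single IPv4/IPv6 host
        return lambda ip: ip == host
    if "/" in entry:                           # IPv4/IPv6 network
        net = ipaddress.ip_network(entry, strict=False)
        return lambda ip: ip.version == net.version and ip in net
    if "-" in entry:                           # first-last address range
        lo, hi = (_try_ip(part) for part in entry.split("-", 1))
        if lo is not None and hi is not None:
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"invalid address range: {entry}")
            return lambda ip: ip.version == lo.version and lo <= ip <= hi
    # Anything else is an FQDN; hyphenated host names fall through to here.
    resolved = frozenset(
        ipaddress.ip_address(a) for a in DNS_FIXTURE.get(entry.lower(), ())
    )
    return lambda ip: ip in resolved


class ExceptionList:
    """Ordered exception entries; the first entry that covers an address wins."""

    def __init__(self, entries: Iterable[str]):
        self.entries = [e.strip() for e in entries]
        self._preds = [parse_exception(e) for e in self.entries]

    def match(self, address: str) -> Optional[str]:
        """Return the entry that covers address, or None if no entry does."""
        ip = ipaddress.ip_address(address)
        for entry, pred in zip(self.entries, self._preds):
            if pred(ip):
                return entry
        return None


def should_block(address: str, country: str, blocked: set,
                 exceptions: ExceptionList) -> bool:
    """Geolocation decision: exceptions are never blocked, then the country check."""
    if exceptions.match(address) is not None:
        return False
    return country in blocked


if __name__ == "__main__":
    ex = ExceptionList(["198.51.100.7", "10.0.0.0/8", "192.0.2.100-192.0.2.120",
                        "2001:db8::/32", "updates.example.com"])
    for addr in ("10.20.30.40", "192.0.2.40", "203.0.113.5"):
        print(addr, "->", ex.match(addr), "block:",
              should_block(addr, "XX", {"XX"}, ex))
```

The FQDN branch is the one to watch operationally: the exception covers whatever the name resolves to at lookup time, so a change in DNS changes what is exempted without any change on the Firebox.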
ConnectWise Integration
Integrate your Firebox with ConnectWise
You can integrate your Firebox directly with ConnectWise, the professional service automation (PSA) tool. This enables service providers to automatically synchronize customer asset information for more efficient device management and monitoring:
- Auto Synchronization of Asset Information — Automatically synchronizes Firebox information and security service subscription statuses, including subscription start and end dates, Firebox serial numbers, and OS versions
- Closed-Loop Ticketing of System, Security, and Subscription Events — Configure event thresholds on a wide range of parameters, including subscription services, device statistics, and subscription statuses, that automatically trigger the creation and closure of tickets

To enable your Firebox to communicate with ConnectWise, you must have a public and private API key generated by your ConnectWise user account. Treat the key pair as a credential: generate it under an account with only the permissions the integration needs.

On the Firebox:
- Fireware Web UI — System > Technology Integrations
- Policy Manager — Setup > Technology Integrations
ConnectWise integration settings are also available in Device Configuration Templates for your Fireboxes under Centralized Management.

To see your Firebox in ConnectWise:
1. Select Companies > Configurations
2. From the configuration list, select a Firebox

Firebox details, such as the serial number, model number, and expiration date, are automatically synchronized when you activate ConnectWise integration on your Firebox.

For each Firebox, you can set Configuration Questions. These are thresholds for system events that let you customize which events generate tickets.

Tickets are automatically opened and closed based on your thresholds:
- Eliminates ticket flooding and false alarms while automatically closing tickets when issues are resolved
- If the event reoccurs, the same ticket is reopened so that you can track repeated occurrences of the same event
Other Enhancements
Huawei Modem Support

Added support for the Huawei E3372 modem variant with a different product ID:

Modem Name     Vendor ID   Product ID   Fireware OS Requirement
Huawei E3372   0x12d1      0x1506       v11.10.7 or higher
Huawei E3372   0x12d1      0x14dc       v11.12 or higher

Proxy Connection Statistics

Proxy connection statistics are now available in the Firebox System Manager Status Report.

WebBlocker Proxy Server Support

You can now configure WebBlocker to use a proxy server to connect to the Websense cloud for lookups:
- On the WebBlocker configuration page, click Settings
- The Server address must be an IPv4 address or host name
- If you select Basic or NTLM for authentication, you must specify the User name, User domain, and Password
Basic authentication sends the proxy credentials without encryption, so prefer NTLM where the proxy supports it.

APT Blocker File Size Increase

The maximum file size that APT Blocker can submit to the Lastline data center for analysis increased from 8MB to 10MB. This file size limit is the same for all Firebox models and is not configurable.

BOVPN Shared Key Length Increase

The BOVPN pre-shared key length increased to 79 characters. This applies to traditional BOVPN gateways, BOVPN virtual interfaces, and Mobile VPN with L2TP over IPSec. Use the extra length: a long random pre-shared key is the main defence against offline guessing of IKE authentication.

Active Directory Server Settings UI Updates

- The Dead Time text box now appears below the Timeout text box, because these values are related
- The Login Attribute text box appears above the DN of Searching User and Password of Searching User text boxes
- If you select the sAMAccountName attribute, the DN of Searching User and Password of Searching User text boxes are not available, because they are not required

FQDN Support for Log Server Addresses

You can now use fully qualified domain names when you specify a WatchGuard Log Server. DNS must be enabled to use FQDN addresses.

Auto-Blocked Sites List Functionality

The deny functionality for auto-blocked sites changed:
- In Fireware v11.12, the Firebox denies connections from auto-blocked sites and no longer denies connections to auto-blocked sites
- In prior versions of Fireware, the Firebox denied connections both to and from auto-blocked sites
- The deny functionality for permanently blocked sites did not change: the Firebox denies connections both to and from permanently blocked sites
If you relied on the auto-blocked list to stop internal hosts from connecting out to an address that triggered a block, that outbound traffic is no longer dropped in v11.12; add the address to the permanently blocked sites list to block both directions.