What’s New in Fireware v11.12 - PowerPoint Presentation

Uploaded by lois-ondreau on 2017-04-22

Presentation Transcript

Slide1

What’s New in Fireware v11.12

Slide2

What’s New in Fireware v11.12

- Geolocation subscription service
- New BOVPN virtual interface that supports non-GRE IPSec tunnels to Microsoft Azure and Cisco VTI
- Threat Detection and Response subscription service (Beta)
- IPv6 support in proxy policies and subscription services
- Setup wizards enable services and proxies by default
- AP device enhancements

Slide3

What’s New in Fireware v11.12

- DHCP support for Active/Passive FireClusters
- X-forwarded detail in proxy headers shows client IP addresses in log messages
- Use a domain name to specify a URL for external hotspot authentication
- Specify resources that guest wireless users can access without authentication
- Mobile VPN with SSL enhancements
- ConnectWise integration

Slide4

What’s New in Fireware v11.12

Other enhancements:
- Support for Huawei E3372 modem variant with a different product ID
- Proxy connection statistics
- WebBlocker proxy server support
- APT Blocker file size increase
- BOVPN pre-shared key length increase
- Active Directory Server Settings UI updates
- FQDN support for Log Server addresses
- Change to auto-blocked sites list functionality

Slide5

Block traffic based on geographic location

Geolocation

Slide6

Geolocation

Geolocation is a subscription service that enables the Firebox to block connections to or from specified geographic locations.

- To enable Geolocation, the Firebox feature key must have the Reputation Enabled Defense (RED) subscription service enabled
- If the Firebox feature key has the RED subscription service enabled, Geolocation is enabled
- Geolocation information is available on the Geolocation dashboard in Fireware Web UI and in log messages
- No countries are blocked by default

Slide7

Geolocation

In Fireware Web UI or Policy Manager, select Subscription Services > Geolocation. Select countries to block:
- Map — Select countries on a map
- Country List — Select countries from a list
- Exceptions — Specify sites to never block

Slide8

Geolocation — Map

On the Map tab, select countries to block:
- Lock or unlock the map
- Click a country to block new connections to or from that country

Slide9

Geolocation — Country List

On the Country List tab, select countries to block:
- Expand or collapse continents in the list
- Select which countries to block
- Click Select All to select all countries on a continent

Slide10

Geolocation — Exceptions

On the Exceptions tab, specify sites to never block based on geographic location:
- IPv4 host, network, or address range
- IPv6 host, network, or address range
- Fully qualified domain name (FQDN)

Slide11

Geolocation — Update Server

Update Server settings — Control updates to the Geolocation database
- Automatic updates are enabled by default

Slide12

Geolocation — Dashboard

The Geolocation Dashboard in Fireware Web UI shows allowed connections by country
- This Dashboard page does not show blocked connections

Slide13

Geolocation Dashboard

The Map tab visually represents the source and destination locations of connections allowed through the Firebox
- Country color indicates the number of connections:
  - Dark green — Highest
  - Light green — Lower
  - Yellow — Lowest
- Filter connections by:
  - All Connections
  - Source Country
  - Destination Country

Slide14

Geolocation Dashboard

The Country List tab shows connection details by country
- Ranked lists show top countries by the number of hits
- Click a country name to see a list of connections

Slide15

Geolocation Dashboard

Look up the country associated with an IP address

Slide16

Geolocation Activity

- Fireware Web UI: Dashboard > Subscription Services
- Firebox System Manager: Subscription Services tab

Slide17

BOVPN virtual interface support for non-GRE IPSec tunnels to Microsoft Azure and Cisco VTI endpoints

New Virtual Interface for BOVPNs

Slide18

New Virtual Interface for BOVPNs

A BOVPN virtual interface now supports IPSec tunnels to third-party endpoints without GRE. Microsoft Azure and Cisco Virtual Tunnel Interface (VTI) gateway endpoints are supported.

In the BOVPN Virtual Interface configuration, there is a new Remote Endpoint Type setting:
- Firebox — Select this option for a connection to another Firebox or another gateway endpoint that supports GRE over IPSec
- Cloud VPN or Third-Party Gateway — Select this option for a connection to a Microsoft Azure or Cisco VTI endpoint. This establishes an IPSec VPN tunnel without GRE

Slide19

New Virtual Interface for BOVPNs

The new WatchGuard BOVPN virtual interface supports OSPF and BGP
- To configure dynamic routing with BGP to Microsoft Azure, you must use Microsoft PowerShell
- Microsoft Azure does not support OSPF
- Cisco VTI supports OSPF and BGP

Slide20

New Virtual Interface for BOVPNs

To configure a BOVPN virtual interface to a Microsoft Azure VPN gateway using static routing:
1. Configure the Azure virtual network
2. In your Firebox configuration, set the Remote Endpoint Type to Cloud VPN or Third-Party Gateway
3. Add a VPN route to the Azure virtual network
4. Configure the BOVPN virtual interface to use IKEv2. Azure requires IKEv2

Slide21

New Virtual Interface for BOVPNs

Slide22

New Virtual Interface for BOVPNs

Slide23

New Virtual Interface for BOVPNs

To configure a BOVPN virtual interface to a Microsoft Azure VPN gateway using BGP dynamic routing:
1. Configure the Azure virtual network
2. In your Firebox configuration, set the Remote Endpoint Type to Cloud VPN or Third-Party Gateway
3. Configure the BOVPN virtual interface to use IKEv2. Azure requires IKEv2
4. Add a virtual IP address for the Firebox
5. Add a virtual IP address for the Azure gateway. Do not use a netmask
6. Specify the BGP commands on the Firebox
7. Specify the PowerShell commands on your Azure network

Slide24

New Virtual Interface for BOVPNs

Slide25

New Virtual Interface for BOVPNs

Slide26

New Virtual Interface for BOVPNs

To configure a BOVPN virtual interface to a Cisco VTI endpoint with static routing:
1. Configure the Cisco device
2. In your Firebox configuration, set the Remote Endpoint Type to Cloud VPN or Third-Party Gateway
3. Configure the BOVPN virtual interface to use either IKEv1 or IKEv2; Cisco supports both options
4. Add a route to the Cisco device

Slide27

New Virtual Interface for BOVPNs

To configure a BOVPN virtual interface to a Cisco VTI endpoint with dynamic routing (OSPF or BGP):
1. Configure the Cisco device
2. In your Firebox configuration, set the Remote Endpoint Type to Cloud VPN or Third-Party Gateway
3. Select Assign virtual interface IP addresses and type the required IP addresses
4. Enable OSPF or BGP on your Firebox, with the required OSPF or BGP commands

Slide28

Extend WatchGuard’s network security to monitor and protect the endpoint

Threat Detection and Response

Slide29

Threat Detection and Response (TDR)

Threat Detection and Response (TDR) is a new cloud-based subscription service that analyzes and responds to security events reported by the Firebox and network endpoints
- Public Beta starts November 14th, 2016
- Open to all, including those without Total Security Suite
- Supported on Firebox models and XTMv models only
- Requires Fireware v11.12 or higher
- Threat Detection and Response is part of the Total Security Bundle or available as a separate security subscription
- Threat Detection and Response enables immediate action against new or hidden threats by correlating network and endpoint security events into a scored ranking

Slide30

Threat Detection and Response (TDR)

Threat Detection and Response collects, analyzes, and correlates threat indicators reported by Fireboxes and hosts
- Fireboxes report denied, blocked, and dropped connections
- Host Sensors use heuristics and behavioral analysis to report changes to files, processes, registry entries, and host configuration settings
- ThreatSync correlates threat intelligence, a cloud-based malware verification service, and the Host Sensor based heuristics and behavior analyses to evaluate and score reported indicators and incidents
- Indicators are events reported by Host Sensors and Fireboxes
- Incidents are groups of related indicators
- Incident threat score is based on the threat score of the indicators

Slide31

Threat Detection and Response (TDR)

- Enable Threat Detection and Response on the Firebox
- Log in to the Threat Detection and Response cloud to manage Host Sensors, threats, remediations, policies, and exclusions

Slide32

IPv6 support in proxy policies and services

IPv6 Support

Slide33

IPv6 Support — Proxy Policies

Added support for IPv6 addresses in proxy policies

Feature | Fireware v11.11.x | Fireware v11.12
- Packet filter policies (all)
- Proxy policies:
  - DNS-proxy
  - Explicit-proxy
  - FTP-proxy
  - HTTP-proxy
  - HTTPS-proxy
  - POP3-proxy
  - SMTP-proxy
  - TCP-UDP-proxy
- Application Layer Gateways (SIP-ALG, H323-ALG): Not supported

Slide34

IPv6 Support — Proxy Policies

You can now specify an IPv6 address as the source or destination in a proxy policy:
- Host IPv6
- Network IPv6
- Host Range IPv6

Slide35

IPv6 Support — Subscription Services

Added IPv6 support in Subscription Services

Feature | Fireware v11.11.x | Fireware v11.12
- Application Control
- Intrusion Prevention Service
- WebBlocker
- Gateway AntiVirus
- APT Blocker
- spamBlocker
- Data Loss Prevention
- Reputation Enabled Defense *

* If a client sends an HTTP request directly to an IPv6 IP address (instead of a host name), Reputation Enabled Defense does not send the IPv6 address to the server for classification

Slide36

IPv6 Support — Subscription Services

Many WatchGuard partners have not yet implemented IPv6 in their cloud infrastructure
- For these Subscription Services that connect to an external service for scoring, you must configure the external interface with both an IPv4 address and an IPv6 address:
  - WebBlocker
  - APT Blocker
  - spamBlocker

Slide37

Setup wizards enable proxy policies and most licensed subscription services by default

Setup Wizards Enable Proxies and Services

Slide38

Setup Wizards Enable Proxies and Services

The setup wizards now configure policies and enable most Subscription Services to provide better security by default

The setup wizards:
- Configure FTP-proxy, HTTP-proxy, HTTPS-proxy policies
- Configure DNS and Outgoing packet-filter policies
- Enable licensed security services — Application Control, Gateway AntiVirus, WebBlocker, Intrusion Prevention Service, Reputation Enabled Defense, Botnet Detection, Geolocation, APT Blocker
- Recommend WebBlocker categories to block

The new default configuration provides better security with less manual configuration

Slide39

Setup Wizards Enable Proxies and Services

Changes to default policies created by the Web Setup Wizard and Quick Setup Wizard in Fireware OS v11.12:
- No FTP packet filter policy
- New FTP-proxy, HTTP-proxy, HTTPS-proxy and DNS policies

Default Policies in Fireware v11.11.x and lower | Default Policies in Fireware v11.12
FTP                                              | FTP-proxy
                                                 | HTTP-proxy
                                                 | HTTPS-proxy
WatchGuard Web UI                                | WatchGuard Web UI
Ping                                             | Ping
                                                 | DNS
WatchGuard                                       | WatchGuard
Outgoing                                         | Outgoing

Slide40

Setup Wizards Enable Proxies and Services

In the Web Setup Wizard, the Subscription Services step shows your Subscription Services, which will be enabled in your Firebox configuration when the wizard completes

Slide41

Setup Wizards Enable Proxies and Services

In the Web Setup Wizard, the WebBlocker Settings step recommends the WebBlocker categories to block

Slide42

Setup Wizards Enable Proxies and Services

The Summary page shows which Subscription Services are enabled

Slide43

Setup Wizards Enable Proxies and Services

The WatchGuard Quick Setup Wizard also has two new steps
- The Subscription Services step appears only if you add a feature key that includes licensed Subscription Services
- The WebBlocker Settings step appears only if you add a feature key that includes a WebBlocker license

Slide44

Setup Wizards Enable Proxies and Services

Both setup wizards configure the same default policies

Slide45

Setup Wizards Enable Proxies and Services

WebBlocker default configuration:
- Enabled in the HTTP-proxy and HTTPS-proxy policies
- Default-WebBlocker action blocks the categories you selected

Slide46

Setup Wizards Enable Proxies and Services

If the Firebox cannot connect to the WebBlocker Server, the Default-WebBlocker action:
- Allows the connection
- Sends an alarm
- Creates a log message

If the WebBlocker license expires, the Default-WebBlocker action allows access to all sites

Slide47

Setup Wizards Enable Proxies and Services

Gateway AntiVirus is enabled in the FTP-proxy and HTTP-proxy policies
- In the HTTP-proxy action: HTTP Request > URL Paths — AV Scan all content

Slide48

Setup Wizards Enable Proxies and Services

In the HTTP-proxy action:
- HTTP Response > Content Types — AV Scan all content

Slide49

Setup Wizards Enable Proxies and Services

HTTP Response > Body Content Types
- Deny executable and compressed archive file types
- AV Scan other body content types

Slide50

Setup Wizards Enable Proxies and Services

AntiVirus
- Drop connection if a virus is detected
- Allow the connection if a scan error occurs

Slide51

Setup Wizards Enable Proxies and Services

Gateway-AV in the FTP-proxy
- Download and Upload — AV Scan all files

Slide52

Setup Wizards Enable Proxies and Services

AntiVirus in HTTP and FTP proxy actions
- Drop connection if a virus is detected
- Allow the connection if a scan error occurs

Slide53

Setup Wizards Enable Proxies and Services

Intrusion Prevention Service is enabled in all policies, except the WatchGuard and WatchGuard Web UI policies

IPS settings:
- Fast Scan
- Threat level actions:
  - Critical, High — Drop, Alarm, Log
  - Medium — Drop, Log
  - Low — Allow, Log
  - Information — Allow

Slide54

Setup Wizards Enable Proxies and Services

Application Control is enabled in all policies, except the WatchGuard and WatchGuard Web UI policies

The Global action blocks:
- Application — Crypto Admin
- Application Category — Bypass Proxies and Tunnels

Slide55

Setup Wizards Enable Proxies and Services

APT Blocker is enabled in the HTTP-proxy and FTP-proxy

Threat actions:
- High — Block, Alarm, Log
- Medium — Drop, Alarm, Log
- Low — Drop, Alarm, Log
- Clean — Allow

Slide56

Setup Wizards Enable Proxies and Services

Reputation Enabled Defense is enabled in the HTTP-proxy
- Immediately blocks URLs that have a bad reputation
- Alarm and Log are enabled
- Does not bypass virus scanning for URLs with a good reputation

Slide57

Setup Wizards Enable Proxies and Services

Botnet Detection is also enabled if the Firebox feature key has Reputation Enabled Defense (RED) enabled

Slide58

Setup Wizards Enable Proxies and Services

Geolocation is also enabled if the Firebox feature key has Reputation Enabled Defense (RED) enabled

Slide59

Setup Wizards Enable Proxies and Services

New proxy actions are used by the default proxy policies
- Default-FTP-Client
  - Based on FTP-Client.Standard
  - Gateway AntiVirus is enabled
- Default-HTTP-Client
  - Based on HTTP-Client.Standard
  - WebBlocker, Gateway AntiVirus, RED, and APT Blocker are enabled
- Default-HTTPS-Client
  - Based on HTTPS-Client.Standard
  - WebBlocker is enabled
  - Content Inspection is not enabled

Slide60

Setup Wizards Enable Proxies and Services

The setup wizards enable logging for reports
- For the Ping, DNS, and Outgoing policies, logging is enabled at the policy level
  - Send a log message is enabled
  - Send a log message for reports is enabled
- For the FTP-proxy, HTTP-proxy, and HTTPS-proxy policies, logging is enabled in the associated proxy action
  - Enable logging for reports is enabled in the Default-FTP-Client, Default-HTTP-Client, and Default-HTTPS-Client proxy actions

Slide61

Setup Wizards Enable Proxies and Services

The setup wizards enable logging of performance statistics:
- External interface and VPN bandwidth statistics
- Security Services Statistics
- These log messages enable richer Dimension reporting

Slide62

AP Device Enhancements

Slide63

AP Device Enhancements

New and enhanced features for AP devices include:
- AP device wireless automatic channel allocation
- AP device wireless deployment over-the-air
- Remote AP device deployment with Mobile VPN with SSL

Slide64

Wireless Automatic Channel Allocation

The channels used by AP devices can be automatically selected and allocated for optimal wireless channel selection across your deployment
- Channels are scanned and selected during the Wireless Scan Interval configured in the Gateway Wireless Controller Settings (default is every hour)
- Works with all AP device models
- Preferred Channel for an AP must be set to Auto to use new auto channel selection

Slide65

Preferred Channel Settings

For manual channel selection, the Preferred Channel list now displays all channels. Click View Available Channels to see channels available to you based on your region and wireless configuration

Note: Extension channel configuration is removed (set to lower channel only)

Slide66

AP Device Wireless Deployment

Deploy AP300 devices over-the-air without physical cables
- When the network cable is disconnected, the AP device switches to client mode and associates to the nearest wired AP300 device
- A client mode AP device deployed wirelessly broadcasts any configured SSIDs on the 2.4GHz radio only
- The 5GHz radio is only used for the extender link, and any configured SSIDs on the 5GHz radio are not broadcast by the AP wirelessly deployed in client mode

Slide67

AP Device Wireless Deployment

Supported for AP300 devices only
- AP devices must be initially deployed (paired or auto-deployed) with a cable before the AP device can be deployed over-the-air
- A wired AP device must be in range for the AP device to be able to connect in client mode and deploy over-the-air
- Wireless deployment uses the 5GHz band radio for the extender link for AP client mode connections. Must have less than the maximum 8 SSIDs configured on the 5GHz radio to work
- If you reconnect a network cable, the client mode AP device reverts to normal operation and disconnects from the wired host AP device

Slide68

AP Device Wireless Deployment

To enable, select Network > Gateway Wireless Controller > Settings, then select Enable deployment over wireless

Slide69

Remote AP Device Deployment

You can now deploy your AP devices in remote locations with Mobile VPN with SSL

Available for only these AP device models:
- AP100
- AP102
- AP200
- AP300

Slide70

Remote AP Device Deployment

Remote AP device deployment uses Mobile VPN with SSL on the Firebox
- You must create a user account and VPN profile on the Firebox for a remotely-deployed AP device
- Allows access through the VPN tunnel for Gateway Wireless Controller management traffic to manage the remote AP device
- Telecommuter mode can be enabled for each SSID
- Traffic for the SSID enabled for telecommuter mode is bridged over the VPN to the Firebox

Slide71

Remote AP Device Deployment

To configure your Firebox for remote AP device deployment:
- In your Firebox configuration, enable Mobile VPN with SSL
- To use Telecommuter mode, the VPN must be configured for Bridge VPN traffic instead of Routed VPN traffic

Slide72

Remote AP Device Deployment

Create a user account to use for the AP devices (these can be separate for each AP device or a shared account)

Make sure the account belongs to the SSLVPN-Users authentication group

Slide73

Remote AP Device Deployment

Download the Mobile VPN with SSL client profile from https://<Firebox address>

Slide74

Remote AP Device Deployment

Connect to the AP device web UI
- Select Enable VPN
- Click Browse to select the Mobile VPN profile you downloaded
- Type the VPN username and password

Slide75

Remote AP Device Deployment

For telecommuter mode, enable the feature in the Gateway Wireless Controller SSID configuration

Slide76

Enable an Active/Passive FireCluster that supports external addresses configured for DHCP

DHCP Support for FireCluster

Slide77

DHCP Support for FireCluster

- If your external interface uses DHCP, you can now enable an Active/Passive FireCluster
- Active/Active FireCluster is not supported when the external interface uses DHCP

Slide78

DHCP Support for FireCluster

FireCluster Setup Wizard

Slide79

DHCP Support for FireCluster

FireCluster Manual Configuration

Slide80

Updates to Mobile VPN with SSL authentication policies and the Authentication Portal

Mobile VPN with SSL Enhancements

Slide81

Mobile VPN with SSL Enhancements

- In Fireware OS v11.11.4 and lower, a WatchGuard Authentication policy was automatically added to your configuration file when you enabled Mobile VPN with SSL
- This policy allowed traffic over port 4100 and included the alias Any-External in the policy From list
- In Fireware OS v11.12, when you enable Mobile VPN with SSL, a WatchGuard Authentication policy that allows traffic over port 4100 is no longer created

Slide82

Mobile VPN with SSL Enhancements

- After you upgrade your Firebox to Fireware OS v11.12, if your configuration file includes a WatchGuard Authentication policy, the alias Any-External is automatically removed
- If you upgrade with Policy Manager, you must manually reload the configuration from the Firebox after the upgrade completes to avoid adding the alias back with a subsequent configuration save (since Policy Manager is an offline configuration tool)
- IMPORTANT: The alias Any-External is automatically removed from the WatchGuard Authentication policy even if you manually added the alias, and regardless of whether Mobile VPN with SSL is enabled

Slide83

Mobile VPN with SSL Enhancements

The Mobile VPN with SSL authentication and software download pages are no longer accessible at port 4100

Use these port 443 URLs, or specify a custom port:
- Port 443
  - https://<Firebox-IP-address>
  - https://<Firebox-IP-address>/sslvpn.html
- Custom port
  - https://<Firebox-IP-address>:<port>
  - https://<Firebox-IP-address>:<port>/sslvpn.html

Slide84

Mobile VPN with SSL Enhancements

In Fireware OS v11.11.4 and lower, when you enable Mobile VPN with SSL, all user authentication methods appear in the Authentication Portal Domain drop-down list at https://<Firebox-IP-address>

In Fireware OS v11.12, when Mobile VPN with SSL is enabled on your Firebox, and you connect to the Authentication Portal at https://<Firebox-IP-address>, you only see the authentication servers that you have configured on your Firebox for Mobile VPN with SSL

Slide85

Mobile VPN with SSL Enhancements

For example, if the only authentication server specified in your Mobile VPN with SSL settings is Firebox-DB, the Domain drop-down list does not appear in the Authentication Portal

Slide86

X-forwarded information from the proxy header includes the IP addresses of clients behind a proxy policy

See X-Forwarded Details in Proxy Headers

Slide87

See X-Forwarded Details in Proxy Headers

Log messages and Dimension reports can now show the IP addresses of clients behind proxy policies

The Firebox logs the IP address of the proxy server (for example, Squid, WebMarshal, and XCS) together with the client IP address taken from the X-Forwarded information in the request header; the client address now appears in log messages in the ori_src detail

Slide88

See X-Forwarded Details in Proxy Headers

Slide89

See X-Forwarded Details in Proxy Headers

Example log messages show the ori_src detail:

<ProxyMatch d="2016-09-02T10:54:35" orig="gary_xtmv" cname="" proc_id="http-proxy" pri="6" rc="594" seq="276" disp="Deny" msg_id="1AFF-0028" src_intf="1-Trusted" dst_intf="0-External" policy="HTTP-proxy-00" src_ip="10.0.1.2" dst_ip="100.100.100.3" src_port="41208" dst_port="80" pr="http/tcp" msg="ProxyDrop: HTTP Virus found" proxy_act="HTTP-Client.Standard.1" ori_src="1.1.1.1" virus="Object tmp/scan_03.UTvg4d detected as PUP (Potentially Unwanted Program)" host="100.100.100.3" path="/ss/0db44a8f3bffa0488793e15e1076efcc7b6d77f5bc436ffe6bf6f65cfb5e20a9" log_type="tr"/>

<ProxyHTTPReq d="2016-09-02T10:54:35" orig="gary_xtmv" cname="" proc_id="http-proxy" pri="6" rc="525" seq="277" disp="Allow" msg_id="1AFF-0024" src_intf="1-Trusted" dst_intf="0-External" policy="HTTP-proxy-00" src_ip="10.0.1.2" dst_ip="100.100.100.3" src_port="41208" dst_port="80" pr="http/tcp" msg="HTTP request" proxy_act="HTTP-Client.Standard.1" ori_src="1.1.1.1" op="GET" dstname="100.100.100.3" arg="/ss/0db44a8f3bffa0488793e15e1076efcc7b6d77f5bc436ffe6bf6f65cfb5e20a9" sent_bytes="233" rcvd_bytes="2406296" elapsed_time="0.026119 sec(s)" reputation="-1" reason="262184" action="drop" log_type="tr"/>

Slide90

See X-Forwarded Details in Proxy Headers

When you review log messages and reports, instead of the IP address of the proxy server, you now see the real IP address of the client where the traffic originated
- Available in reports only with Dimension v2.1.1 and higher
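The following is an added example, not WatchGuard code: it parses proxy log messages in the key="value" format shown on the previous slide and counts dropped events per originating client, using ori_src in place of src_ip only when the message came from a known proxy server (the trusted-proxy list and the third and fourth sample records are constructed for this example; ori_src comes from a forwarded-for header that any client can also set, so it is only trusted when src_ip is a known proxy).

```python
"""Recover the real client address from WatchGuard proxy log messages.

Added example, not WatchGuard code. The first two records follow the
sample on the slide (object path shortened); records 3 and 4 and the
trusted-proxy list are constructed to show the edge cases.
"""
import ipaddress
import re
from typing import Dict, Iterable, Optional

# One message: <Name key="value" key2="value2" ... />
_MSG_RE = re.compile(r'^\s*<(?P<name>\w+)\s+(?P<attrs>.*?)\s*/>\s*$')
_ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

# Assumption for this example: 10.0.1.2 is the site's explicit web proxy,
# so ori_src in messages it sends can be trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.2/32")]

SAMPLE_LOG = [
    '<ProxyMatch d="2016-09-02T10:54:35" orig="gary_xtmv" cname="" proc_id="http-proxy" '
    'pri="6" rc="594" seq="276" disp="Deny" msg_id="1AFF-0028" src_intf="1-Trusted" '
    'dst_intf="0-External" policy="HTTP-proxy-00" src_ip="10.0.1.2" dst_ip="100.100.100.3" '
    'src_port="41208" dst_port="80" pr="http/tcp" msg="ProxyDrop: HTTP Virus found" '
    'proxy_act="HTTP-Client.Standard.1" ori_src="1.1.1.1" host="100.100.100.3" '
    'path="/ss/example-object" log_type="tr"/>',
    '<ProxyHTTPReq d="2016-09-02T10:54:35" orig="gary_xtmv" cname="" proc_id="http-proxy" '
    'pri="6" rc="525" seq="277" disp="Allow" msg_id="1AFF-0024" src_intf="1-Trusted" '
    'dst_intf="0-External" policy="HTTP-proxy-00" src_ip="10.0.1.2" dst_ip="100.100.100.3" '
    'src_port="41208" dst_port="80" pr="http/tcp" msg="HTTP request" '
    'proxy_act="HTTP-Client.Standard.1" ori_src="1.1.1.1" op="GET" dstname="100.100.100.3" '
    'arg="/ss/example-object" sent_bytes="233" rcvd_bytes="2406296" '
    'elapsed_time="0.026119 sec(s)" reputation="-1" reason="262184" action="drop" log_type="tr"/>',
    # Constructed: a client that does not go through the proxy, so no ori_src.
    '<ProxyHTTPReq d="2016-09-02T11:02:10" orig="gary_xtmv" proc_id="http-proxy" disp="Deny" '
    'msg_id="1AFF-0024" src_ip="10.0.1.7" dst_ip="100.100.100.3" pr="http/tcp" '
    'msg="HTTP request" op="GET" log_type="tr"/>',
    # Constructed: ori_src present, but the sender is not a known proxy, so it is ignored.
    '<ProxyHTTPReq d="2016-09-02T11:05:44" orig="gary_xtmv" proc_id="http-proxy" disp="Deny" '
    'msg_id="1AFF-0024" src_ip="10.0.1.9" dst_ip="100.100.100.3" pr="http/tcp" '
    'msg="HTTP request" ori_src="203.0.113.5" op="GET" log_type="tr"/>',
]


def parse_message(line: str) -> Optional[Dict[str, str]]:
    """Return the attributes of one message plus its element name under "_type"."""
    m = _MSG_RE.match(line)
    if not m:
        return None
    rec = {"_type": m.group("name")}
    rec.update(_ATTR_RE.findall(m.group("attrs")))
    return rec


def effective_client(rec: Dict[str, str], trusted_proxies: Iterable[ipaddress.IPv4Network]) -> str:
    """src_ip, replaced by ori_src only when src_ip is one of the trusted proxies."""
    src = rec.get("src_ip", "")
    ori = rec.get("ori_src")
    if not ori:
        return src
    try:
        src_addr = ipaddress.ip_address(src)
        ori_addr = ipaddress.ip_address(ori)
    except ValueError:
        return src  # malformed address: fall back to what the Firebox saw on the wire
    if any(src_addr in net for net in trusted_proxies):
        return str(ori_addr)
    return src


def is_dropped(rec: Dict[str, str]) -> bool:
    """ProxyMatch records carry disp="Deny"; the matching request record carries action="drop"."""
    return rec.get("disp") == "Deny" or rec.get("action") == "drop"


def dropped_by_client(lines: Iterable[str], trusted_proxies) -> Dict[str, int]:
    """Count dropped proxy events per originating client address."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = parse_message(line)
        if rec is None or not is_dropped(rec):
            continue
        client = effective_client(rec, trusted_proxies)
        counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    for client, n in sorted(dropped_by_client(SAMPLE_LOG, TRUSTED_PROXIES).items()):
        print(f"{client:>15}  dropped events: {n}")
```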

Slide91

Use a domain name to specify an authentication server

External Hotspot Authentication URL

Slide92

External Hotspot Authentication URL

When you set up external guest authentication for a wireless hotspot, you must specify the URL of an authentication server

In Fireware v11.12, you can now specify a domain name for the authentication server URL

Slide93

External Hotspot Authentication URL

Slide94

Allow wireless guests to access select network resources without authenticating

Wireless Authentication Exceptions

Slide95

Wireless Authentication Exceptions

The hotspot configuration now includes an Authentication Exception list, where you can specify the resources that guest wireless users can use without authentication

The Authentication Exception list can include:
- FQDN addresses
- IPv4 hosts
- IPv4 networks
- IPv4 ranges

Slide96

Wireless Authentication Exceptions

On the Hotspot Authentication tab:

Slide97

Wireless Authentication Exceptions

On the Hotspot External Guest Authentication tab:

Slide98

Integrate your Firebox with ConnectWise

ConnectWise Integration

Slide99

ConnectWise Integration

You can integrate your Firebox directly with ConnectWise, the leading professional service automation tool
- Enables service providers to automatically synchronize customer asset information for more efficient device management and monitoring
- Auto Synchronization of Asset Information — Automatically synchronizes Firebox information and security service subscription statuses, including subscription start and end dates, Firebox serial numbers, and OS versions
- Closed-Loop Ticketing of System, Security, and Subscription Events — Configure event thresholds on a wide range of parameters, including subscription services, device statistics, and subscription statuses that automatically trigger the creation and closure of tickets

Slide100

ConnectWise Integration

To enable your Firebox to communicate with ConnectWise, you must have a private and public API key generated by your ConnectWise user account

Slide101

ConnectWise Integration

On the Firebox:
- Fireware Web UI — System > Technology Integrations
- Policy Manager — Setup > Technology Integrations

ConnectWise integration settings are also available in Device Configuration Templates for your Fireboxes under Centralized Management

Slide102

ConnectWise Integration

To see your Firebox in ConnectWise:
- Select Companies > Configurations
- From the configuration list, select a Firebox

Slide103

ConnectWise Integration

Firebox details, such as the serial number, model number, and expiration date are automatically synchronized when you activate ConnectWise integration on your Firebox

Slide104

ConnectWise Integration

For each Firebox, you can set Configuration Questions
- These are thresholds for system events that enable you to customize which events generate tickets

Slide105

ConnectWise Integration

Tickets are automatically opened and closed based on your thresholds
- Eliminates ticket flooding and false alarms while automatically closing tickets when issues are resolved
- If the event reoccurs, the same ticket is opened up so that you can track repeated occurrences of the same event

Slide106

ConnectWise Integration

Slide107

Other Enhancements

Slide108

Huawei Modem Support

Added support for Huawei E3372 modem variant with a different product ID

Modem Name   | Vendor ID | Product ID | Fireware OS Requirement
Huawei E3372 | 0x12d1    | 0x1506     | v11.10.7 or higher
Huawei E3372 | 0x12d1    | 0x14dc     | v11.12 or higher

Slide109

Proxy Connection Statistics

Proxy connection statistics are now available in the Firebox System Manager Status Report

Slide110

WebBlocker Proxy Server Support

You can now configure WebBlocker to use a proxy server to connect to the Websense cloud for lookups
- On the WebBlocker configuration page, click Settings
- The Server address must be an IPv4 address or host name
- If you select Basic or NTLM for authentication, you must specify the User name, User domain, and Password

Slide111

APT Blocker File Size Increase

The maximum file size that APT Blocker can submit to the Lastline data center for analysis increased from 8MB to 10MB
- This file size limit is the same for all Firebox models and is not configurable

Slide112

BOVPN Shared Key Length Increase

The BOVPN pre-shared key length increased to 79 characters
- This applies to traditional BOVPN gateways, BOVPN virtual interfaces, and Mobile VPN with L2TP over IPSec

Slide113

Active Directory Server Settings UI Updates

- The Dead Time text box now appears below the Timeout text box, because these values are related
- The Login Attribute text box appears above the DN of Searching User and Password of Searching User text boxes
- If you select the sAMAccountName attribute, these text boxes are not available, because they are not required:
  - DN of Searching User
  - Password of Searching User

Slide114

FQDN Support for Log Server Addresses

You can now use fully qualified domain names when you specify a WatchGuard Log Server
- DNS must be enabled to use FQDN addresses

Slide115

Auto-Blocked Sites List Functionality

The deny functionality for auto-blocked sites changed
- In Fireware v11.12, the Firebox:
  - denies connections from auto-blocked sites
  - does not deny connections to auto-blocked sites
- In prior versions of Fireware, the Firebox denied connections both to and from auto-blocked sites
- The deny functionality for permanently blocked sites did not change
  - The Firebox denies connections both to and from permanently blocked sites
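As an added example (not Firebox code), the direction rule from this slide written out as a small model, so that a connection list can be audited for flows that prior versions denied but v11.12 allows; the site lists and connections are constructed.

```python
"""Model the v11.12 auto-blocked sites change and audit its effect.

Added example, not Firebox code. Encodes the rule from the slide:
auto-blocked sites are denied as a source only in v11.12 (both
directions before), permanently blocked sites are denied in both
directions in every version. Sample data is constructed.
"""
import ipaddress
from typing import Iterable, List, Tuple

Sites = Iterable[ipaddress.IPv4Network]
Conn = Tuple[str, str]  # (source address, destination address)


def _listed(addr: str, sites: Sites) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in sites)


def is_denied(src: str, dst: str, auto_blocked: Sites, permanent: Sites,
              prior_version: bool = False) -> bool:
    """Return True if the Firebox denies the connection under the given rule set."""
    # Permanently blocked sites: denied as source or destination, unchanged in v11.12.
    if _listed(src, permanent) or _listed(dst, permanent):
        return True
    # Auto-blocked sites as the source: denied in every version.
    if _listed(src, auto_blocked):
        return True
    # Auto-blocked sites as the destination: denied only in versions before v11.12.
    if _listed(dst, auto_blocked):
        return prior_version
    return False


def newly_allowed(conns: Iterable[Conn], auto_blocked: Sites, permanent: Sites) -> List[Conn]:
    """Connections denied in prior versions that v11.12 allows: review these after an upgrade."""
    return [
        (s, d) for s, d in conns
        if is_denied(s, d, auto_blocked, permanent, prior_version=True)
        and not is_denied(s, d, auto_blocked, permanent)
    ]


# Constructed sample data (documentation address ranges).
AUTO_BLOCKED = [ipaddress.ip_network("192.0.2.10/32")]
PERMANENT = [ipaddress.ip_network("198.51.100.0/24")]
CONNECTIONS = [
    ("10.0.1.5", "192.0.2.10"),     # outbound to an auto-blocked site
    ("192.0.2.10", "10.0.1.5"),     # inbound from an auto-blocked site
    ("10.0.1.5", "198.51.100.7"),   # outbound to a permanently blocked site
    ("10.0.1.5", "203.0.113.1"),    # on neither list
]

if __name__ == "__main__":
    for conn in newly_allowed(CONNECTIONS, AUTO_BLOCKED, PERMANENT):
        print("denied before v11.12, allowed now:", conn)
```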

Slide116

Thank You!