What's New in Fireware XTM v11.5.1

New Features in Fireware XTM v11.5.1: Major Changes
- IPv6 Network Configuration and Routing
- FIPS 140-2
- Dynamic Routing Enhancements
- Clientless SSO
- Log and Report Manager
- Log Server UTC Timestamp Conversion
- ConnectWise Integration
- SMTP-Proxy TLS Encryption

New Features in Fireware XTM v11.5.1: Minor Changes
- Debug Logging Per Proxy Action (60099)
- WSM Management Server Search (62143)
- iOS Mobile VPN with IPSec (41602)
- Export Auto-Blocked Sites (62511)
- Negotiate PPPoE Client IP Address (61930)
New Platforms
- XTM 330
- XTM 2050

IPv6

IPv6 Refresher
WatchGuard IPv6 resources: http://www.watchguard.com/ipv6/index.asp
- Hype or Reality (video and PPT)
- Security Implications (video and PPT)
- What to Expect (video and PPT)
Address structure, using the example 2561:1900:4545:0003:0200:F8FF:FE21:67CF: each colon-separated group is 16 bits, and the address is divided into a Network Prefix followed by an Interface ID.
IPv6 is manageable: if you impose a false minimum of a /24 on IPv4, subnetting an IPv4 /8 is roughly comparable to subnetting an IPv6 /48 (the slide contrasts the IPv4 example address 10.0.0.254 with the IPv6 address above).

IPv6 in 11.5.1
- If it routes, the traffic will pass: no security policies, features, or configurations are applied to IPv6 traffic
- Static configuration of IPv6 addresses and DNS
- Router Advertisement for stateless address auto-configuration
- Static routes

IPv6 Certifications
- IPv6 Ready Phase 1 (Silver Logo) was achieved in v11.4.2
- Phase 2 (Gold Logo) Core is in this release
- The Phase 2 Logo is a requirement for extended test categories, including: IPSec, IKEv2, MIPv6, NEMO, DHCPv6, SIP, SNMP-MIBs, MLDv2

IPv6 Roadmap
IPv6 Stage 1 (11.5.1):
- Static configuration of IPv6 addresses
- Router Advertisement for stateless address auto-configuration
- Static routes and DNS servers
Future features (IPv6 Stage 2 and Stage 3):
- DHCPv6 client for external interface
- V6 policies
- Blocked sites/ports, and auto-block
- Default threat protection
- BOVPN 6-in-6, 6-in-4, 4-in-6
- 6-to-4 transition tunnel
- Authentication, SSO, Terminal Service
- DHCP Server/Relay for trusted/optional interface
- Transparent bridge and drop-in mode
- Traffic management and QoS
- 4-to-6 transition tunnel
- Proxy and security services (WebBlocker, GAV, ...)
- Application Control and IPS
- Mobile User VPN
- Cluster

FIPS 140-2

FIPS Support in Fireware XTM
FIPS 140-2:
- Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules
- Describes the NIST requirements and standards for cryptographic modules for use by federal government departments and agencies
- Defines four security levels
WatchGuard XTM:
- XTM devices and Fireware XTM are designed to meet the overall requirements for FIPS 140-2 Level 2 security, when configured in a FIPS-compliant manner

FIPS Support in Fireware XTM: FIPS Mode
- You must use the CLI to enable FIPS mode on an XTM device
- When the XTM device operates in FIPS mode, each time the device is powered on it runs the set of self-tests required by the FIPS 140-2 specification; if any test fails, the XTM device writes a message to the log file and shuts down
- If you start the device in safe mode or recovery mode, the device is not in FIPS mode
- Use the CLI command fips enable to enable FIPS mode operation
- Use the CLI command show fips to determine whether the XTM device is configured in FIPS mode

FIPS Mode Constraints
FIPS mode does not enforce a FIPS-compliant configuration. To remain compliant:
- Configure the Admin and Status administrative accounts to use passwords with a minimum of 8 characters
- When you configure VPN tunnels, choose only FIPS-approved authentication and encryption algorithms: SHA-1, SHA-256, SHA-512, 3DES, AES-128, AES-192, and AES-256
- When you configure VPN tunnels, choose Diffie-Hellman Group 2 or Group 5 for IKE Phase 1 negotiation
- Use a minimum of 1024 bits for all RSA keys
- Do not configure FireCluster for high availability
- Do not use Mobile VPN with PPTP
- Do not use PPPoE
- Do not use WatchGuard System Manager to manage the device
- For access to the Fireware XTM Web UI, the web browser must be configured to use only TLS 1.0 and FIPS-approved cipher suites
- For network access to the CLI, clients must use the SSH v2.0 protocol
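Because FIPS mode does not enforce these constraints, a practitioner may want to audit a configuration against them before enabling the mode. The following checker is an added example, not WatchGuard code; the cfg dict layout, function names, and sample configuration are constructed assumptions rather than the XTM device's real configuration format.

```python
# Added example (not WatchGuard code): validate a device configuration against the
# FIPS mode constraints listed above. The cfg dict layout is a constructed,
# hypothetical representation, not the XTM device's real configuration format.

FIPS_AUTH = {"SHA-1", "SHA-256", "SHA-512"}
FIPS_ENC = {"3DES", "AES-128", "AES-192", "AES-256"}
FIPS_DH_GROUPS = {2, 5}          # IKE Phase 1 Diffie-Hellman groups allowed
MIN_RSA_BITS = 1024
MIN_PASSWORD_LEN = 8             # Admin and Status account passwords
# Features that must not be used while the device is in FIPS mode
FORBIDDEN = {"firecluster": "FireCluster", "mobile_vpn_pptp": "Mobile VPN with PPTP",
             "pppoe": "PPPoE", "managed_by_wsm": "management by WatchGuard System Manager"}


def check_fips_config(cfg):
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    for name, pwd in cfg.get("accounts", {}).items():
        if len(pwd) < MIN_PASSWORD_LEN:
            findings.append(f"account {name}: password shorter than {MIN_PASSWORD_LEN} characters")
    for t in cfg.get("vpn_tunnels", []):
        for phase in ("phase1", "phase2"):
            p = t[phase]
            if p["auth"] not in FIPS_AUTH:
                findings.append(f"tunnel {t['name']} {phase}: {p['auth']} is not a FIPS-approved hash")
            if p["enc"] not in FIPS_ENC:
                findings.append(f"tunnel {t['name']} {phase}: {p['enc']} is not a FIPS-approved cipher")
        if t["phase1"]["dh_group"] not in FIPS_DH_GROUPS:
            findings.append(f"tunnel {t['name']}: IKE Phase 1 must use DH Group 2 or 5")
    for key_name, bits in cfg.get("rsa_keys", {}).items():
        if bits < MIN_RSA_BITS:
            findings.append(f"RSA key {key_name}: {bits} bits is below the {MIN_RSA_BITS}-bit minimum")
    for flag, label in FORBIDDEN.items():
        if cfg.get(flag):
            findings.append(f"{label} is in use, which is not allowed in FIPS mode")
    return findings


# Constructed sample configuration with several deliberate violations.
SAMPLE_CONFIG = {
    "accounts": {"admin": "Str0ngPassw0rd", "status": "short"},
    "vpn_tunnels": [
        {"name": "to-branch", "phase1": {"auth": "SHA-256", "enc": "AES-256", "dh_group": 2},
         "phase2": {"auth": "SHA-1", "enc": "AES-128"}},
        {"name": "legacy", "phase1": {"auth": "MD5", "enc": "DES", "dh_group": 1},
         "phase2": {"auth": "SHA-1", "enc": "3DES"}},
    ],
    "rsa_keys": {"webui": 2048, "old-ipsec": 512},
    "mobile_vpn_pptp": True,
}

if __name__ == "__main__":
    for finding in check_fips_config(SAMPLE_CONFIG):
        print("FIPS violation:", finding)
```

The browser and SSH client requirements on the slide are client-side settings and are not represented in the device configuration, so the checker does not cover them.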

Dynamic Routing Enhancements

Dynamic Routing Enhancements
- FireCluster is now supported
- Configuration validation ensures a working configuration
- Enhanced troubleshooting capabilities: enable debugging at runtime, obtain more logs from Quagga, and enhanced output in the Firebox System Manager Status Report

Dynamic Routing Diagnostic Logging
Change the Diagnostic Log Level setting for Dynamic Routing to the Debug level to see detailed log messages from all log levels.

Clientless Single Sign-On (SSO)

Clientless SSO
- Use the SSO Agent and Event Log Monitor for SSO, without the SSO Client
- Support for both single domain and multiple domains
- Provides the same accuracy as the SSO Client solution
Comparison table of SSO Client and SSO ELM by Token and Groups (cell text in slide order): Manual Authentication with samaccountname; Group Attribute; Manual Authentication and Non-Active Directory; Does not return nested groups

Clientless SSO Process
1. Install the SSO Agent on your network.
2. Install the Event Log Monitor on each domain controller in your network.
3. The Event Log Monitor collects user credentials when users log on to the domain.
4. The SSO Agent queries the Event Log Monitor for user credentials.

Clientless SSO Work Flow (diagram)

Clientless SSO Contact Priority
Select whether the SSO Agent first contacts the Event Log Monitor or the SSO Client for user credentials.

Clientless SSO Supported OS
Use clientless SSO (SSO Agent and Event Log Monitor) with these operating systems:
- Windows XP SP2/SP3 (32-bit)
- Windows Vista (32-bit)
- Windows 7 (32-bit)
- Windows Server 2003 (32-bit)
- Windows Server 2003 (64-bit)
- Windows Server 2008 (32-bit)
- Windows Server 2008 and 2008 R2 (64-bit)

Log and Report Manager

Log and Report Manager
Log Viewer and Report Manager are replaced in v11.5.1 with the new Log and Report Manager web UI. Select either the Log Viewer or Report Manager icon in WatchGuard System Manager to launch the default web browser. The user is prompted to connect to the WatchGuard Log Server or Report Server with administrative credentials.

Log and Report Manager: View Logs
Select the Actions drop-down list at the right to choose a time filter for the log display, or select a Timeslice Analysis to show a summary of log types recorded over time.

Log and Report Manager: View Logs (screenshot)

Log and Report Manager: View Reports
Select REPORTS > Devices to see a list of devices with reports on the Report Server. Select a device to see the report options.

Log and Report Manager: View Available Reports
- Select Daily or Weekly time filters, and specify a date range.
- Select the tab for a report type: Dashboard, Traffic, Web, Mail, Services, Device, and Detail.
- To generate Per Client and On-Demand Reports for devices, click a link at the right side of the page.

Log and Report Manager: On-Demand Reports
Select the Start and End date and time and the type of report to generate, then click Run Report to generate an On-Demand report.

Log and Report Manager: On-Demand Reports
Reports include graphical and textual summary information.

Log Server and Report Server UTC Time Conversion

Log and Report Server Upgrade
When the Log Server or Report Server is upgraded to v11.5.1, the server database is upgraded to PostgreSQL 8.2.21. If an external Log Server or Report Server database is used instead of the built-in database, the user must manually upgrade the server to PostgreSQL 8.2.21 before the Log Server or Report Server is upgraded.

Log and Report Server UTC Conversion
Previously, the Log and Report Server database used the host server's local time for log message timestamps. In v11.5.1, a UTC timestamp is used for log messages. When an existing server is upgraded to v11.5.1, the log message timestamps are converted from the old format to UTC format. This can take some time, depending on the size of the log database. An audit log is written when the conversion process starts and finishes. If email notification is enabled, notifications are sent when conversion starts and when conversion is complete.

ConnectWise Integration

ConnectWise Integration
Your v11.5.1 Report Server can send specific reports it generates to the third-party ConnectWise service, to be included in the reports ConnectWise produces. The Report Server must be configured with the information for a ConnectWise server and ConnectWise account.

ConnectWise Integration
In the Report Server Server Settings, enable ConnectWise integration and add the information for the ConnectWise server and ConnectWise account. Make sure to import the CA certificate for your ConnectWise server to your Report Server.

ConnectWise Integration
Create a Report Schedule and specify the reports to generate and send to ConnectWise. Reports available for ConnectWise integration include:
- Firebox Statistics
- Intrusion Prevention Service Summary
- WebBlocker Summary
- Most Popular Domains
To send reports to ConnectWise, you must select at least one of these reports. Reports must be scheduled to run daily.

SMTP-Proxy TLS Encryption

SMTP-Proxy TLS Encryption Settings
v11.5.1 includes new options for TLS encryption settings in the ESMTP category of the SMTP proxy action. If an SMTP-proxy is used for mail traffic sent through an XTM device, TLS encryption can be applied to the traffic. Certificates used by the HTTPS-proxy are also used by the SMTP-proxy for TLS encryption. The FSM certificate import feature is also used to import TLS encryption certificates to the XTM device.

SMTP-Proxy TLS Encryption Settings
Configure rules to determine which recipient domains receive TLS-encrypted email:
- If Recipient Encryption is Required, the XTM device does not send the email if TLS negotiation fails.
- If Recipient Encryption is Preferred, the XTM device tries to negotiate a TLS connection, but if negotiation fails the email is sent unencrypted.
- If Recipient Encryption is Allowed, the email client can select whether or not to encrypt the email, and the XTM device sends the email whether it is encrypted or unencrypted.

SMTP-Proxy TLS Encryption Settings
If Sender Encryption is Required, an option can be enabled to encrypt not only the email data but also the sender, recipient, and body information in the message.

SMTP-Proxy TLS Encryption Settings
The Authentication category of the ESMTP settings includes an option to require encryption of plain-text ESMTP authentication information.
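The Required/Preferred/Allowed recipient rules and the encrypted-authentication option above together decide what happens to each message. The model below is an added example, not WatchGuard code: the rule names follow the slides, while the rule table, function names, and sample deliveries are constructed assumptions. It flags the Preferred case explicitly, because that is the setting under which a failed TLS negotiation silently downgrades to clear text.

```python
# Added example (not WatchGuard code): a model of the SMTP-proxy TLS decisions
# described above. The rule names match the slides; the rule table, function
# names, and sample deliveries below are constructed assumptions.
from enum import Enum

class RecipientEncryption(Enum):
    REQUIRED = "required"    # do not send if TLS negotiation fails
    PREFERRED = "preferred"  # try TLS, fall back to clear text if it fails
    ALLOWED = "allowed"      # send encrypted or not, as the client chooses

# Constructed rule table: recipient domain -> rule; "*" is the default rule.
RULES = {
    "partner.example": RecipientEncryption.REQUIRED,
    "customer.example": RecipientEncryption.PREFERRED,
    "*": RecipientEncryption.ALLOWED,
}
PLAINTEXT_AUTH = {"PLAIN", "LOGIN"}   # ESMTP AUTH mechanisms that expose credentials


def rule_for(recipient):
    """Look up the rule by the recipient's domain, falling back to the default."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return RULES.get(domain, RULES["*"])


def delivery_decision(recipient, tls_ok):
    """Return (action, downgraded): action is 'send-tls', 'send-plain' or 'reject';
    downgraded marks a silent clear-text fallback under PREFERRED, worth logging."""
    rule = rule_for(recipient)
    if tls_ok:                                  # negotiation succeeded (or client chose TLS)
        return "send-tls", False
    if rule is RecipientEncryption.REQUIRED:    # never fall back to clear text
        return "reject", False
    return "send-plain", rule is RecipientEncryption.PREFERRED


def auth_allowed(mechanism, session_encrypted, require_encrypted_auth=True):
    """ESMTP Authentication option: refuse plain-text credentials on an unencrypted session."""
    if not require_encrypted_auth or session_encrypted:
        return True
    return mechanism.upper() not in PLAINTEXT_AUTH


# Constructed outbound deliveries: (recipient, outcome of the TLS negotiation)
SAMPLE_DELIVERIES = [
    ("alice@partner.example", False),    # REQUIRED and TLS failed -> reject
    ("bob@customer.example", False),     # PREFERRED and TLS failed -> plain, downgraded
    ("carol@customer.example", True),    # PREFERRED and TLS worked -> send-tls
    ("dave@other.example", False),       # ALLOWED, client chose clear text -> plain
]

if __name__ == "__main__":
    for rcpt, tls_ok in SAMPLE_DELIVERIES:
        action, downgraded = delivery_decision(rcpt, tls_ok)
        print(f"{rcpt}: {action}" + ("  [clear-text fallback, log it]" if downgraded else ""))
```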

Minor Changes

Diagnostic Log Level for Proxy Actions
- Set the Diagnostic Log Level for each proxy action in the General Settings category
- Diagnostic Log Levels: Error, Warning, Information, Debug
- Reduces log messages from high-traffic proxy actions
- To disable logging for a single proxy action, you must disable logging for that proxy type globally, then enable logging for all other proxy actions

WSM Management Server Search
- New Search folder for the Management Server on the Device Management tab
- Search supports: device display name, device IP addresses, device host names, polled device name, polled IP address, polled serial number, polled software version
- Search does not support: serial number for backup master, secondary addresses, polling multi-WAN IP addresses

iOS Mobile VPN with IPSec
- No profile to use; specific configuration only (see iOS: Setting up VPN)
Configure Fireware XTM:
- Shared Key only (no certificates)
- Force all traffic through tunnel
- Phase 1: Authentication MD5 or SHA-1; Encryption DES, 3DES, AES-128, AES-256 (no AES-192); SA Life 1 hour; Key Group DH Group 2
- Phase 2: Authentication MD5 or SHA-1; Encryption 3DES, AES-128, or AES-256; Key Expiration 1 hour and 0 Kb; Disable PFS

Export Auto-Blocked Sites
- To export the list of blocked sites, right-click the Blocked Sites list in Firebox System Manager
- Save the list as the blocked_sites.txt file

Negotiate PPPoE Client IP Address and DNS
- Configure an external interface, select the IPv4 tab, select Use PPPoE, select Use IP address, and click Advanced Properties
- Send the PPPoE client static IP address during PPPoE negotiation: when selected, the configured address is requested, but other addresses will also be accepted during negotiation; when not selected, the IP address is not negotiated in PPPoE
- Negotiate DNS with PPPoE Server

New Platforms

                     XTM 330                     XTM 2050
Form Factor:         Rackmount (1U)              Rackmount (2U)
Network Interfaces:  7x GbE (RJ45)               16x GbE (RJ45), 2x 10G SFP+ Fiber, 1x GbE RJ45 management
Other Interfaces:    2x USB, 1x RJ45 serial      2x USB, 1x RJ45 serial
Weight:              7.55 lbs                    48.5 lbs
Power Supply:        100-240 VAC Autosensing     Dual 100-240 VAC Autosensing

THANK YOU!