whats_new_in_XTM_11_7

Download Report

Transcript whats_new_in_XTM_11_7

What’s New in Fireware XTM 11.7

New Features in Fireware XTM v11.7

  Networking • IPv6 • • • • Additional external interfaces DHCP options Dynamic NAT — Configurable source IP address Serial modem failover on XTM 5 Series and XTM 330 • • • Branch office VPN modem failover Wireless hotspot external guest authentication Link aggregation Mobile VPN • Mobile VPN with L2TP • • Mobile VPN apps for Android and iOS Mobile VPN with SSL client changes

WatchGuard Training

2

New Features in Fireware XTM v11.7

   System • FireCluster  Wireless XTM devices • •  Hardware health monitoring for failover Save TCP dump data to a PCAP file — FSM & Web UI Automatic feature key synchronization Authentication • Configure authentication login limits per user or group Policies • Policy tags and filters • Sort policies by column in manual order mode

WatchGuard Training

3

New Features in Fireware XTM v11.7

  Management • Report Server enforces the

Maximum database size

• • • • • CA Manager in WatchGuard WebCenter Updated UI for management of quarantined messages by recipients 1-to-1 NAT for managed VPN tunnels Centralized Management for XTM devices behind NAT gateways Windows 8 and Server 2012 support setting Services • Intrusion Prevention Service (IPS) scan modes • • IPS and Application Control for HTTPS WebBlocker with Websense Cloud

WatchGuard Training

4

Networking

IPv6 Functionality

   Fireware XTM v11.6.x supported: • IPv6 interface addresses in mixed routing mode • • • • IPv6 management connections to the Web UI or CLI IPv6 DNS servers IPv6 static routes IPv6 diagnostic logging Fireware XTM v11.7 adds support for: • IPv6 addresses in packet filter policies • • • • • MAC access control for both IPv6 and IPv4 traffic Inspection of IPv6 traffic received and sent by the same interface IPv6 addresses in blocked sites and exceptions Blocked ports configuration applies to IPv6 traffic TCP SYN checking setting applies to IPv6 traffic All other networking and security features do not yet support IPv6 traffic • WatchGuard IPv6 roadmap: http://www.watchguard.com/ipv6/index.asp

WatchGuard Training

6

IPv6 Refresher

 WatchGuard IPv6 — • Hype or Reality — • • What to Expect — http://www.watchguard.com/ipv6/index.asp

Video Security Implications — Video and PPT Video and PPT and PPT

Network Prefix Interface ID 2561:1900:4545:0003:0200:F8FF:FE21:67CF

16-bits

IPv6 is manageable • Subnetting IPv4 /8 ~ IPv6 /48 (If you impose a false minimum of a /24 on IPv4)

16-bits 10.0.0.254

WatchGuard Training

7

IPv6 in 11.5.x and 11.6.x

    Static configuration of IPv6 addresses and DNS Router Advertisement for stateless address auto-configuration on Trusted or Optional interfaces Address auto-configuration on External interfaces Static routes

WatchGuard Training

8

IPv6 Functionality — Blocked Sites

   Blocked Sites list and Blocked Sites Exceptions now support IPv6 addresses Blocked site and blocked site exception types are: • Host IPv4 • • • • • • Network IPv4 Host Range IPv4 Host IPv6 Network IPv6 Host Range IPv6 Host Name (DNS lookup) Auto-blocked sites can also include IPv6 addresses

WatchGuard Training

9

IPv6 Functionality — Packet Filter Policies

 Packet filter policies now support IPv6 traffic

WatchGuard Training

10

Additional External Interfaces

  You can now configure more than four interfaces as external interfaces Previously, the maximum number of external interfaces was four

WatchGuard Training

11

DHCP Options for VoIP

    There are two new settings for DHCP options. Many VoIP phones use these DHCP options to download the boot configuration. The new settings are: •

TFTP Server IP

— The IP address of the TFTP server where the DHCP client can download the boot configuration. This corresponds to these DHCP options: •  Option 66 (TFTP server name)  Option 150 (TFTP server IP address)

TFTP Boot Filename

— The name of the boot file. This corresponds to this DHCP option:  Option 67 (boot file name) Option 66 and 67 are described in RFC 2132. Option 150 is used by Cisco IP phones.

WatchGuard Training

12

DHCP Options for VoIP

 To configure the DHCP options: • Edit a trusted or optional interface • • Select

Use DHCP Server

Click

DHCP Options

• Type the

TFTP Server IP

and

TFTP Boot Filename

required by your VoIP phones

WatchGuard Training

13

Network Dynamic NAT — Set Source IP Address

 When you configure a new dynamic NAT rule, you can specify the source IP address to use for traffic that matches that rule. • The XTM device changes the source IP address for packets that match this rule to the source IP address you specify. • The source IP address must be on the same subnet as the primary or secondary IP address of the interface specified as the

To

location.

WatchGuard Training

14

Network Dynamic NAT — Set Source IP Address

  Previously, you could set the source IP address only in the dynamic NAT settings in a policy.

If you do not set the source IP address, or if the source IP address is not on the same subnet as the outgoing interface, dynamic NAT changes the source IP address to the IP address of the interface from which the packet is sent.

WatchGuard Training

15

Serial Modem Failover on XTM 330 and XTM 5 Series

  Serial modem failover is supported for XTM 2, 3, and 5 Series devices.

• Previously, modem failover was supported for XTM 2 Series and XTM 33 only.

• This release adds modem support for XTM 330 and all 5 Series devices.

The

Network > Modem

option is now available for XTM 2, 3, and 5 Series devices.

WatchGuard Training

16

Branch Office VPN Modem Failover

   Branch Office VPN can use a modem for failover if modem failover is enabled for the device.

To configure a VPN gateway for modem failover: • Enable modem failover in

Network > Modem

.

• Configure the local gateway endpoint to use a domain name ID for tunnel authentication.

• Select the

Use modem for failover

check box.

If the device has multiple external interfaces: • You must add a gateway endpoint for each physical external interface.

• The local gateway ID for each external interface must be unique.

WatchGuard Training

17

Branch Office VPN Modem Failover

  When failover occurs: • If all external interfaces are down, the XTM device starts a serial modem connection between the two sites. • • The XTM device initiates a VPN connection over the modem connection. The XTM device uses the first local gateway ID configured for the external interface as the local gateway ID for the modem connection. Because the device with modem failover enabled uses an ID for tunnel authentication, the device with the modem must initiate the VPN connection. • This means that you cannot enable modem failover for both gateway endpoints for the same branch office VPN tunnel.

WatchGuard Training

18

Hotspot External Guest Authentication

 When you enable a hotspot on the Wireless Guest network, you can now select the

Hotspot Type

: •

Custom Page

— This is the hotspot splash screen on the XTM device. It presents the hotspot user with terms and conditions they must agree to before they can use the hotspot.

External Guest Authentication

— This new option allows you to redirect new hotspot users to an external web server for user authentication.

  The

Authentication URL

and

Authentication Failure URL

values are pages on an external web server.

The

Shared Secret

is used to validate responses from the web server.

WatchGuard Training

19

Hotspot External Guest Authentication

   When you set the hotspot type to

External Guest Authentication

, you must provide this information : • The

Authentication URL

on your external web server of a page that does hotspot user authentication or collects other information.

• The

Authentication Failure URL

on your external web server of a page to redirect users to if external guest authentication fails.

• A

Shared secret

that is used to validate the access response from the external web server.

You must configure the external web server to: • Accept an access request from the XTM device.

• Authenticate the user (or perform any other function that you want to use as a criteria for hotspot access.) • Provide an access decision to the XTM device.

All communication between the XTM device and the external web server occurs in the form of URL query strings sent through the hotspot client browser.

WatchGuard Training

20

Hotspot External Guest Authentication

Interaction workflow: 3.

4.

5.

6.

7.

1.

2.

8.

A wireless hotspot user tries to browse to a web page.

If this is a new hotspot user, the XTM device sends the browser a redirect to the Authentication URL on the external web server.

This URL includes a query string that contains the access request.

The browser sends the access request to the external web server. The external web server sends the Authentication page to the browser The hotspot user types the requested information and submits the form to the external web server.

The external web server processes the authentication information and sends an HTML page to the browser.

The browser sends the access decision to the XTM device.

This URL contains a query string that contains the access decision, a checksum, and a redirect URL.

The XTM device reads the access decision, verifies the checksum, and sends a redirect URL to the hotspot user's browser.

Based on the outcome of the external authentication process, the redirect URL can be: • The original URL the user browsed to • • A different redirect URL, if specified by the external web server The authentication failure URL, if authentication failed or access was denied.

WatchGuard Training

21

Link Aggregation

 New Network Configuration tab

WatchGuard Training

22

Link Aggregation — Configure Virtual Interface

 Select the Link Aggregation (LA)

Mode

: • Static  The same physical interface is always used for traffic between a given source and destination based on source/destination MAC address and source/destination IP address • Dynamic (802.3ad)  The physical interface used for traffic between any source and destination is selected based on Link Aggregation Control Protocol • Active-backup  One member interface in the link aggregation group is active at a time, other member interfaces in the link aggregation group become active only if the active interface fails

WatchGuard Training

23

Link Aggregation — Configure Virtual Interface

 Select LA interface

Type

: • Trusted • • • • Optional External Bridge VLAN

WatchGuard Training

24

Link Aggregation — Configure Virtual Interface

  Select the

Link Speed

and

Maximum Transmission Unit (MTU)

on the

Advanced

tab The member physical interfaces of an LA group support the same link speed

WatchGuard Training

25

Link Aggregation — Assign Physical Interfaces

WatchGuard Training

26

Link Aggregation — FSM

WatchGuard Training

27

Link Aggregation — FireCluster

 Only Active/Passive is supported

WatchGuard Training

28

Link Aggregation — FireCluster

 You can select a LA interface as the FireCluster Management Interface

WatchGuard Training

29

Link Aggregation — FireCluster

 Monitored link includes only virtual interface and not member interfaces

WatchGuard Training

30

Link Aggregation — FireCluster

 FSM Cluster View

WatchGuard Training

31

Link Aggregation — FireCluster

 When you configure Link Aggregation for an existing FireCluster, only Active/Passive mode is supported. 1.

2.

3.

Break the FireCluster.

Configure the Link Aggregation settings —

This is important because of the changes in the MAC Address on the LA Virtual Interface.

Rebuild the Active/Passive FireCluster.

WatchGuard Training

32

Mobile VPN

Mobile VPN with L2TP

    Supports L2TP connections from VPN clients native to many operating systems such as Windows, Mac OS, Linux, Android, and iOS.

L2TP is a more secure alternative to PPTP. • More robust than PPTP because the data is encapsulated in IPSec • Uses Aggressive Mode to connect remote clients to the firewall (like Mobile VPN with IPSec) Supported authentication methods: • Firebox-DB local authentication • RADIUS Mobile VPN with L2TP supports multiple authentication methods (like Mobile VPN with SSL) • Can enable more than one authentication method • If the primary method fails, you can connect with another authentication method (such as Firebox-DB)

WatchGuard Training

34

Mobile VPN with L2TP

  Mobile VPN with L2TP appears with the other Mobile VPN options.

Select

VPN > Mobile VPN > L2TP

.

• Select

Activate

to start the L2TP Setup Wizard.

• Select

Configure

to edit the configuration.

WatchGuard Training

35

Mobile VPN with L2TP

  Run the WatchGuard L2TP Setup Wizard to simplify L2TP configuration.

Select the authentication server.

WatchGuard Training

36

Mobile VPN with L2TP

  As with Mobile VPN with SSL, you can define your own group in your server, locally, or use the default group, L2TP-Users. You can specify the allowed resources.

• Allow access to all resources • Restrict access to specific IP addresses or subnets

WatchGuard Training

37

Mobile VPN with L2TP

  Specify the virtual IP address pool range for the clients. • If you use a subnet within your Trusted or Optional networks, make sure this range is not used in an existing DHCP pool.

Select the pre-shared key or certificate to use for IPSec negotiation.

WatchGuard Training

38

Mobile VPN with L2TP

 When you enable Mobile VPN with L2TP, two new policies are created automatically: •

WatchGuard L2TP

Allow L2TP-Users

— Enables port UDP1701 for L2TP — Enables L2TP group members to connect to firewall resources

WatchGuard Training

39

Mobile VPN with L2TP

 To edit the configuration, select

VPN > Mobile VPN > L2TP > Configure

.

WatchGuard Training

40

Mobile VPN Apps for Android and iOS

  WatchGuard Mobile VPN App for Android • Free app available from the Google Play app store • • Supported on mobile devices that use Android 4.0.x and 4.1.x

Uses a .wgm Mobile VPN with IPSec configuration profile to configure an IPSec VPN connection in the WatchGuard Mobile VPN app • • An IPSec VPN client you can use instead of the native VPN client Does not support L2TP WatchGuard Mobile VPN App for iOS • Free app available from the Apple app store • • Supported on mobile devices that use iOS 5.x and 6.x

Uses a .wgm configuration profile to configure an IPSec or L2TP VPN connection in the native iOS VPN client • Not a VPN client — Creates an L2TP or IPSec VPN connection in the native iOS VPN client, with the correct settings to connect to the XTM device

WatchGuard Training

41

Generate a .wgm File — Mobile VPN with IPSec

   For Mobile VPN with IPSec, the .wgm file is generated (with the .ini, .wgx, and .vpn files) when you select a profile and click

Generate

.

The file name is

.wgm

The.wgm file for IPSec can be used with the WatchGuard Mobile VPN apps for Android and iOS

WatchGuard Training

42

Generate a .wgm File — Mobile VPN with L2TP

    Generate an L2TP configuration file to send to mobile users of an iOS device.

Select

VPN > Mobile VPN > L2TP > Mobile clients

• Type a Profile Name (default is L2TP) • Type the IP address of the external interface to connect to • Type and confirm an encryption password for the .wgm file The file name is

.wgm

The .wgm file for L2TP can be used only with the Mobile VPN app for iOS.

WatchGuard Training

43

Use a .wgm File to Configure an iOS Device

   Send the .wgm file to the iOS users as an email attachment. Use a secure method to give the encryption password to the users.

• For Mobile VPN with IPSec, the encryption password is the tunnel passphrase.

• For Mobile VPN with L2TP, the encryption password is the password you set when you generated the configuration profile. On the iOS device, users must: 1.

Install the free WatchGuard Mobile VPN app from the Apple app store.

2.

3.

4.

5.

Open the email that contains the .wgm file attachment. Open the .wgm file attachment.

The WatchGuard Mobile VPN app launches.

Type the passphrase from the administrator to decrypt the file.

The WatchGuard Mobile VPN app imports the configuration and creates an IPSec or L2TP VPN configuration profile in the iOS VPN client.

To start the VPN connection, click the VPN switch in the iOS Settings list. When the connection is established, the VPN icon appears in the status bar.

WatchGuard Training

44

Use a .wgm File to Configure an Android Device

   Send the .wgm file to the Android users as an email attachment. Use a secure method to give the tunnel passphrase to the users.

• For Mobile VPN with IPSec, the encryption password is the tunnel passphrase.

On the Android device, users must: 1.

2.

3.

4.

5.

Install the free WatchGuard Mobile VPN app from the Google Play app store.

Open the email that contains the .wgm file attachment. Open the .wgm file attachment.

The WatchGuard Mobile VPN app launches.

Type the passphrase from the administrator to decrypt the file.

The WatchGuard Mobile VPN app imports the configuration and creates an IPSec VPN configuration profile in the WatchGuard VPN app.

Click the VPN connection profile in the WatchGuard Mobile VPN app to start the VPN connection.

WatchGuard Training

45

Mobile VPN with SSL Client

 The

Remember connection details

check box in the Mobile VPN with SSL clients for both Mac and Windows, enables the client to remember the Server, Username, and Password settings.

SSL VPN client for Mac

WatchGuard Training

SSL VPN client for Windows 46

System

FireCluster on Wireless Devices

    FireCluster is now supported on XTM 25-W, 26-W, and 33-W devices.

When wireless is enabled, you can configure FireCluster only in active/passive mode.

When you enable FireCluster for wireless XTM devices, the configuration must meet these requirements: • The XTM device must be configured as a wireless access point. FireCluster is not supported when wireless is enabled as an external interface.

• The FireCluster Interface for management IP address cannot be an interface that is bridged to a wireless network. • The FireCluster primary cluster interface and backup cluster interface cannot be interfaces that are bridged to a wireless network. All other FireCluster requirements and restrictions also apply to wireless devices.

WatchGuard Training

48

FireCluster Failover Based on Health Indexes

   Each cluster member has a Weighted Average Index (WAI) that indicates the health of the device.

The

Cluster Health

section of the Firebox System Manager Status Report shows these health index values for each cluster member: • System Health Index (SHI) — Health of monitored processes. • • • Hardware Health Index (HHI) — Health status of hardware.

Monitored Ports Health Index (MPHI) — Status of monitored ports. Weighted Average Index (WAI) — This index is used to compare the overall health of two cluster members.   By default, the WAI for a cluster member is a weighted average of the SHI and MPHI for that device. HHI is not use in the calculation of WAI unless you enable it. WAI can be a range from 0 –100. A WAI of 100 indicates no issues.

The cluster master fails over if the WAI of the cluster master is lower than the WAI of the backup master.

WatchGuard Training

49

Hardware Health Index (HHI)

  The Hardware Health Index (HHI) indicates the status of critical hardware components. • If no hardware failures are detected, the HHI value is 100. • If a critical monitored hardware component fails, the HHI value is zero. The HHI is based on the status of: • CPU and system fan speeds • • • • • CPU and system temperatures System voltages Cryptographic chip Power supply (XTM 1050 and XTM 2050) Hard disk (XTM 2050)

WatchGuard Training

50

Hardware Health Index (HHI)

  By default, hardware health status is not used in the calculation of the weighted average index (WAI) for the cluster members.

You can enable this option in the FireCluster Advanced settings.

• When this option is enabled, the WAI calculation is a weighted average of the SHI, HHI, and MPHI. • Exception — if the HHI of a cluster member is zero, the WAI is zero.

WatchGuard Training

51

Configurable FireCluster Lost Heartbeat Threshold

    The cluster master sends a VRRP heartbeat packet that contains the WAI health index of the cluster master through the primary and backup cluster interfaces once per second. The Lost Heartbeat Threshold determines the number of consecutive heartbeats not received by the backup master to trigger a failover. Configure this threshold in the FireCluster Advanced settings.

• The default value is 3.

• The maximum value is 10.

If a FireCluster experiences unexplained failovers, with no known cause, increasing the Lost Heartbeat Threshold might increase cluster stability.

WatchGuard Training

52

Save TCP Dump Data to a PCAP File — FSM & Web UI

   In many situations technical support needs to be able to obtain a packet capture from the XTM device. With Fireware XTM v11.6.1, the method of capturing data was limited by: • The size of the temporary storage • The visualization of data The v11.6.1 implementation: • Required the data to be temporarily stored on the device and then downloaded as the capture became available.

• Allowed the raw PCAP data from the session to only be downloaded if the capture was made from Firebox System Manager

WatchGuard Training

53

Save TCP Dump Data to a PCAP File — FSM & Web UI

     For v11.7, from FSM and Fireware XTM Web UI, you can stream the TCP dump data directly to a PCAP file on your computer. From FSM, you can also save the data on the XTM device to later save in a PCAP file.

Both options are only available when the and

TCP Dump

task are selected.

Advanced Options

check box When PCAP data is sent directly to a file, no data appears in the

Results

list.

The amount of TCP dump data included in the PCAP file that is saved directly to your computer is limited by the amount of free space on your computer, or the file size restriction enforced by your computer’s operating system.

If you use FSM and save the TCP dump data to your XTM device and later save the PCAP file, the amount of data captured can be several megabytes.

WatchGuard Training

54

Save TCP Dump Data to a PCAP File — FSM

  To save the TCP dump data directly in a PCAP file, from FSM, select

Tools > Diagnostic Tasks

, and select the

Advanced Options

check box.

You must select the

Stream data to file

check box and click

Browse

to specify the location and file name for the PCAP file.

WatchGuard Training

55

Save TCP Dump Data to a PCAP File — FSM

   To save the TCP dump data on the XTM device and later save a PCAP file to your computer, select the

Buffer data to save later

check box.

When the task runs, the data appears in the

Results

list.

After the task runs, click the

Save Pcap file

button and specify a file name and location to save the file.

WatchGuard Training

56

Save TCP Dump Data to a PCAP File — Web UI

   To save the data directly in a PCAP file, in the Web UI, select

System Status > Diagnostics

.

When you select the

TCP Dump

task and the

Advanced Options

check box, you can select the new

Stream data to file

check box.

When you run the task, the

Select file

button appears. You must click this button to specify a file name and location to save the PCAP file.

WatchGuard Training

57

Save TCP Dump Data to a PCAP File — Web UI

  Once the task starts, the

Run Task

button changes to

Stop Task

. The number of bytes downloaded appears above the

Results

list, but details of the TCP dump task do not appear in the

Results

list.

Click

Stop Task

to stop collecting task results.

WatchGuard Training

58

Automatic Feature Key Synchronization

  Automatic feature key synchronization allows the XTM device to automatically download the latest feature key from the WatchGuard web site when any feature in the feature key is expired or about to expire. It is not enabled by default.

To enable automatic feature key synchronization: • In Policy Manager, select

Setup > Feature Keys

.

• Select the

Enable automatic feature key synchronization

check box.

WatchGuard Training

59

Automatic Feature Key Synchronization

  When you enable automatic feature key synchronization: • The XTM device immediately checks the expiration dates in the feature key, and continues to check once each day.

• If any feature is expired, or will expire within three days, the XTM device automatically downloads the latest feature key from WatchGuard once each day, until it successfully downloads a feature key that does not have expired features.

In a FireCluster, the cluster master synchronizes the feature keys for both cluster members.

WatchGuard Training

60

Authentication

Authentication Login Limits Per User or Group

 You can specify how many times each user or group member can use the same credentials to log in from more than one location at the same time.

WatchGuard Training

62

Authentication Login Limits Per User or Group

  The settings you specify in the user or group configuration override the global authentication settings you configure on the

Firewall Authentication

tab for an XTM device.

In Policy Manager, select

Setup > Authentication > Authorized Users/Groups

and add or edit a user or group.

WatchGuard Training

63

Authentication Login Limits Per User or Group

  Select the

Enable login limits for each user or group

check box.

To enable users or group members to log in with the same account credentials as many times as they choose, select the

Allow unlimited concurrent firewall authentication logins from the same account

option.

WatchGuard Training

64

Authentication Login Limits Per User or Group

  To restrict the number of times a user or group member can log in, select the

Limit concurrent user sessions to

option, and specify the number of times each user or group member can log in.

Select the action the XTM device takes when the user reaches the specified login limit: •

Reject subsequent login attempts

Allow subsequent attempts and log off the first session

WatchGuard Training

65

Policies

Policy Tags & Filters

    To improve visibility and troubleshooting, you can now create

groups

of policies.

To create groups, apply

policy tags

to your policies and create

filters

that use the policy tags to specify which policies are visible in the policy list. You can also sort the policy list by the

Tags

column.

You can save filters so you can apply them again. Remove a filter to see the full list of policies again.

Policy tags and filters can be managed in Policy Manager and Fireware XTM Web UI.

WatchGuard Training

67

Policy Tags & Filters

  First, define policy tags and add them to policies. Hold down

Ctrl

to apply a tag to multiple policies at the same time.

Right-click a policy and select

Policy Tags > Add to policy > New

.

Or, select

View > Policy Tags > Manage

.

WatchGuard Training

68

Policy Tags & Filters

 Name the policy tag and select a color for the name of the policy tag.

The color only applies to the name of the policy tag, and appears in the

Tags

column.

WatchGuard Training

69

Policy Tags & Filters

 When you have applied policy tags to all the policies you want to group, click on the

Tags

column to select the policy tags you want to see in the policy list.

WatchGuard Training

70

Policy Tags & Filters

  Filtered view for only policies with the specified tag. For example, the

Web

tag.

The red filter icon ( ) indicates that a filter is applied to the policy list, and the filer has not been saved.

WatchGuard Training

71

Policy Tags & Filters

  To save a filter, click .

Specify a name for the filter.

WatchGuard Training

72

Policy Tags & Filters

 From the

Filter

drop-down list, you can easily select another filter, create a new custom filter, or remove all filters.

WatchGuard Training

73

Policy Tags & Filters

 To remove a tag from a policy in Policy Manager, choose a method: • Select a policy in the policy list and select

View > Policy Tags > Remove from policy >

.

• Right-click the policy and select

Policy Tags > Remove from policy >

.

WatchGuard Training

74

Policy Tags & Filters

 To remove a tag from a policy in Fireware XTM Web UI, select a policy in the policy list and select

Tags > Remove from policy >

.

WatchGuard Training

75

Policy Tags & Filters

   If you save the configuration file to your XTM device with a filter applied, the next time you connect to the device with Fireware XTM Web UI, or open Policy Manager, the configuration file opens with the last filter applied, not with the default policy list view.

Make sure the

Tags

column is completely visible so the Tag Filter icon is not hidden. You cannot apply a new filter if you cannot select the Tag Filter icon. Tags and filters are only available for XTM devices with Fireware XTM OS v11.7 and later.

WatchGuard Training

76

Manually Change the Policy Order

  With a policy filter applied, you can switch to Manual Order Mode and change the policy order. The correct policy order number appears in the

Order

column.

WatchGuard Training

77

Management

Limit the Size of the Report Server Database

 In WSM v11.7, there are now two methods you can choose from to limit the size of your Report Server database: • Delete reports after a specified number of days • Delete reports at a maximum database size

WatchGuard Training

79

Limit the Size of the Report Server Database

    The Report Server automatically deletes reports after the specified number of days elapse. • The default setting is every 14 days at 12:00 AM.

• You can change this setting to meet the needs of your organization.

You can also can now set a

Maximum database size

for your Report Server. • When the size you specify is reached, the Report Server deletes reports until the database is within the size you specify. • This option might delete reports before the specified number of days elapse.

If you do not specify a

Maximum database size

, you can enable the Report Server to send you a notification message when the database reaches the preferred size warning threshold that you specify.

If you do specify a

Maximum database size

, you can enable the Report Server to send you a notification message when reports are deleted.

WatchGuard Training

80

CA Manager in WatchGuard WebCenter

   CA Manager is now available in the new

WatchGuard WebCenter

web UI, with Log Manager and Report Manager.

WebCenter and CA Manager are automatically installed when you install a WatchGuard Management Server.

The configuration options for CA Manager are unchanged and all available in the CA Manager pages of WatchGuard WebCenter.

WatchGuard Training

81

CA Manager in WatchGuard WebCenter

 To connect to WebCenter for CA Manager, open WatchGuard System Manager and click .

Or, select

Tools > CA Manager

.

Or, open a web browser and go to

https://:4130

.

WatchGuard Training

82

CA Manager in WatchGuard WebCenter

v11.6.1 and earlier CA Manager

WatchGuard Training

v11.7 CA Manager 83

Quarantined Email Web UI

 When you enable notification on the Quarantine Server, the intended recipients of quarantined mail receive a notification message.

 The notification message includes: • A link to a web page on the Quarantine Server where users can manage their quarantined messages. This web page has been redesigned in v11.7.

• • A report of the last 50 quarantined messages.

The total number of quarantined messages.

WatchGuard Training

84

Quarantined Email Web UI

 When you click the link in the notification email, the Quarantine Email web page launches with quarantined messages on two tabs: •

Spam

— Messages quarantined by spamBlocker •

Virus

— Messages quarantined by Gateway AntiVirus  From this page, you can: • Click any message subject to see the message body.

• • Delete messages from the

Virus

Mark messages on the

Spam

or

Spam

tab.

tab as

Not Spam

, which releases them from quarantine.

WatchGuard Training

85

Quarantined Email Web UI

 Users can also select whether to receive future notifications about quarantined email messages.

WatchGuard Training

86

1-to-1 NAT for Managed VPN Tunnels

 Administrators can now configure 1-to-1 NAT in managed VPN tunnels • Setting is available in the VPN Resource configuration

WatchGuard Training

87

Centralized Management for XTM Devices Behind NAT Gateways

 Our customers might not control a third-party firewall or router, but they want to use Centralized Management for their XTM devices behind the third-party firewall or router.

Internet XTM Gateway 3 rd Party Firewall (NAT) Gateway Private Network Airport Parking Garage WSM Client Management Log and Report Server Servers

Management Network

WatchGuard Training

88

Centralized Management for XTM Devices Behind NAT Gateways

 Requirements: • An XTM device (gateway Firebox) is required in front of the Management Server.

• • • • Management Tunnels are only supported for XTM devices in Routed Mode. An XTM OS update may be required on remote devices due to BUG65928.

Remote devices must be configured as dynamic devices in WSM.

External interface(s) cannot be disabled or removed while a Management Tunnel is established.

• • Each remote device in a Management Tunnel uses one tunnel route.

The gateway Firebox uses one tunnel route for each remote device in a Management Tunnel.

WatchGuard Training

89

Centralized Management for XTM Devices Behind NAT Gateways

   Management Tunnels enable you to make a management connection to your remote XTM devices that are behind a third-party NAT gateway device, so you can centrally manage your remote XTM devices.

Each Management Tunnel has the Management Server gateway Firebox at one end of the tunnel, and one or more remote XTM devices at the other end of the tunnel.

The configuration options are simplified based on which end of the tunnel each device is located.

WatchGuard Training

90

Centralized Management for XTM Devices Behind NAT Gateways

  The Management Network in the previous diagram should be defined by a VPN resource for the gateway Firebox.

• For example, consider that if the Management Server is on the Optional-1 network behind the gateway Firebox, select

Optional-1 Network

as the VPN resource. For other scenarios, you can use a custom VPN resource.

A remote XTM device’s management IP address is a virtual IP address that is used to establish the Management Tunnel and to connect to the remote XTM device. The IP address is used as the outward facing 1-to-1 NAT address for the Management Tunnel.

WatchGuard Training

91

Windows 8 and Server 2012 Support

WatchGuard Training

Windows 8 Windows Server 2012 (requires GUI) 92

Services

Intrusion Prevention Service (IPS) Scan Modes

 IPS now includes two scan modes: • Full Scan — Scans all packets for policies that have IPS enabled. This is the default setting.

• Fast Scan — Scans fewer packets to increase performance. This mode greatly improves the throughput for scanned traffic, but does not provide the comprehensive coverage of Full Scan mode.

WatchGuard Training

94

IPS and Application Control for HTTPS

   The HTTPS-proxy now performs Application Control and Intrusion Prevention Service (IPS) scanning for decrypted HTTPS content when deep inspection of HTTPS content is enabled.

There are no changes to the configuration settings for the HTTPS-proxy, Application Control, or IPS.

Deep inspection of HTTPS content must be enabled: • For IPS to scan HTTPS content • For Application Control to identify applications that use HTTPS

WatchGuard Training

95

WebBlocker with Websense Cloud

   WebBlocker now supports two server options.

Websense cloud (new) • Uses a cloud-based URL categorization database with 125 content categories, provided by Websense • • Websense cloud does not use a locally installed WebBlocker Server URL categorization queries are sent over HTTP WebBlocker Server • Uses a WatchGuard WebBlocker Server with 54 categories, provided by SurfControl • Requires a locally installed WebBlocker Server  XTM 2 Series and XTM 33 can use a WebBlocker Server hosted by WatchGuard • The WebBlocker Server supports the same SurfControl content categories as in prior releases • URL categorization queries sent over UDP 5003

WatchGuard Training

96

WebBlocker with Websense Cloud

  You identify the WebBlocker server type you want to use when you activate WebBlocker.

Websense cloud is selected by default.

WatchGuard Training

97

WebBlocker with Websense Cloud

 The available categories depend on which type of server you choose.

Websense cloud — 125 categories

WatchGuard Training

WebBlocker Server — 54 categories 98

WebBlocker with Websense Cloud

  You can control how the XTM device handles traffic that does not match a content category.

• From the

When a URL is uncategorized

drop-down list select

Allow

or

Deny

.

• The default setting is

Allow

.

This setting appears in the

Category

tab when you edit a WebBlocker configuration.

WatchGuard Training

99

WebBlocker with Websense Cloud

   When you upgrade to v11.7, the existing WebBlocker configuration is not changed automatically. To use Websense cloud, edit the WebBlocker configuration and select the Websense cloud option. You can choose whether to automatically convert your existing category selections.

WatchGuard Training

100

WebBlocker with Websense Cloud — Site Lookup

   To see how Websense categorizes a site go to www.aceinsight.com

.

In the

Site Analysis

section, type the URL or IP address to look up.

Click

Analyze

.

WatchGuard Training

101

WebBlocker with Websense Cloud — Site Lookup

  On the

Search Results

page, the security risk for the site appears.

Click the URL Website Categorization icon at the bottom of the page.

WatchGuard Training

102

WebBlocker with Websense Cloud — Site Lookup

 The static category is the category WebBlocker uses for this site.

WatchGuard Training

103

WebBlocker with Websense Cloud — Send Feedback

   If you think a site is categorized incorrectly, you can send feedback to Websense to request a change in the categorization of a site.

You can email feedback to [email protected]

.

In the email, include: • The URL of the site • • From which categories you think the site should be removed To which categories you think the site should be added

WatchGuard Training

104

THANK YOU!