What's new in Fireware XTM 11.4 - Fastbyte ICT
What’s New in Fireware XTM v11.5.3
Changes in Fireware XTM v11.5.3
• Routing table changes
• Feature key global expiration for some XTMv keys
• IP address validity checks and warnings
WatchGuard Training
Routing Table Changes in v11.5.3
The Routes section of the FSM Status Report now displays the routes in a
different format.
This improves consistency in the way IPv4 and IPv6 routes are displayed.
The Routes section can contain these route tables:
• Route Table: main — shows all IPv4 and IPv6 static routes
• Route Table: default — shows information about the default route
• Route Table: ethx.out — shows active routes for an external interface, ethx, where x is the interface number
• Route Table: zebra — shows dynamic routes received from a peer
If a route table has no entries, it does not appear.
• For example, the zebra table does not appear if dynamic routing is disabled.
The zebra route table shows only the first 20 dynamic routes.
• To see a complete list of the dynamic routes, see the OSPF, RIP, or BGP section of the Status Report.
Routing Table Changes in v11.5.3
Comparison of FSM Status Report Routes section in v11.5.2 and v11.5.3

Routes in v11.5.2

Routes
------------
Destination      Gateway        Flags  Metric  Ref  Use  Iface
172.16.20.0/30   *              U      0       0    0    eth2
10.0.20.0/24     *              U      0       0    0    eth1
10.0.5.0/24      203.0.113.10   UG     1       0    0    eth0
203.0.113.0/24   *              U      0       0    0    eth0
127.0.0.0/24     *              U      0       0    0    lo
10.0.10.0/24     203.0.113.10   UG     20      0    0    eth0
default          203.0.113.1    UG     0       0    0    eth0
default          203.0.113.1    UG     50      0    0    eth0

Special routing tables
------------
eth0.out:
10.0.5.0/24 via 203.0.113.10 dev eth0 metric 1
203.0.113.0/24 dev eth0 scope link metric 1
10.0.10.0/24 via 203.0.113.10 dev eth0 metric 20
default via 203.0.113.1 dev eth0 metric 1
zebra:
10.0.10.0/24 via 203.0.113.10 dev eth0 metric 20

Routes in v11.5.3

Route Table: main
------------------
172.16.20.0/30 dev eth2 proto kernel scope link
10.0.20.0/24 dev eth1 proto kernel scope link
10.0.5.0/24 via 203.0.113.10 dev eth0 metric 1
203.0.113.0/24 dev eth0 proto kernel scope link
127.0.0.0/24 dev lo scope link
default via 203.0.113.1 dev eth0
::1/128 dev lo proto kernel metric 256

Route Table: default
------------------
default via 203.0.113.1 dev eth0 metric 50

Route Table: eth0.out
------------------
10.0.5.0/24 via 203.0.113.10 dev eth0 metric 1
203.0.113.0/24 dev eth0 scope link metric 1
default via 203.0.113.1 dev eth0 metric 1

Route Table: zebra
------------------
10.0.10.0/24 via 203.0.113.10 dev eth0 proto zebra metric 20
Routing Table Changes in v11.5.3
A route bound to an XTM device interface appears in this format:
<destination> dev <device> proto kernel scope link
Example: 203.0.113.0/24 dev eth0 proto kernel scope link
A static route that you add appears in this format:
<destination> via <gateway> dev <device> metric <metric>
Example: 10.0.30.0/24 via 10.0.10.254 dev eth1 metric 1
A dynamic route appears in the zebra route table in this format:
<destination> via <gateway> dev <device> proto zebra metric <metric>
Example: 10.0.10.0/24 via 203.0.113.10 dev eth0 proto zebra metric 20
Information that can appear for each route includes:
• <destination> — the destination IP address for the route
• dev <device> — indicates which device (usually an interface number) the route applies to; for example eth0 for interface 0, or lo for loopback
• proto kernel — route was created by the Linux kernel
• proto zebra — route is a dynamic route learned via a dynamic routing protocol
• scope link — route is bound to an XTM device interface
• metric <number> — the routing metric, or cost for the route
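As an added example (not WatchGuard code), a small Python parser for the route-line formats listed above, useful when comparing saved Status Reports for unexpected route changes. The function names, the classification labels, and the sample report (assembled from the routes shown on the slides) are assumptions of this example.

```python
KEYS = ("via", "dev", "proto", "scope", "metric")
ZEBRA_DISPLAY_LIMIT = 20  # per the slides, the zebra table shows only the first 20 routes

# Constructed sample in the v11.5.3 layout, built from the slide's example routes.
SAMPLE = """\
Route Table: main
------------------
172.16.20.0/30 dev eth2 proto kernel scope link
10.0.5.0/24 via 203.0.113.10 dev eth0 metric 1
default via 203.0.113.1 dev eth0
::1/128 dev lo proto kernel metric 256

Route Table: zebra
------------------
10.0.10.0/24 via 203.0.113.10 dev eth0 proto zebra metric 20
"""

def parse_routes(report):
    """Return one dict per route line, tagged with the route table it came from."""
    routes, table = [], None
    for raw in report.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue  # blank line or the dashed rule under a table header
        if line.startswith("Route Table:"):
            table = line.split(":", 1)[1].strip()
            continue
        if table is None:
            continue  # text before the first table header is not a route
        dest, *pairs = line.split()
        if len(pairs) % 2 or any(k not in KEYS for k in pairs[0::2]):
            raise ValueError(f"unrecognised route line: {line!r}")
        route = {"table": table, "destination": dest, **dict(zip(pairs[0::2], pairs[1::2]))}
        if "metric" in route:
            route["metric"] = int(route["metric"])
        routes.append(route)
    return routes

def classify(route):
    """Label a route by origin, following the field meanings given on the slide."""
    if route.get("proto") == "zebra":
        return "dynamic"    # learned via a dynamic routing protocol
    if route.get("scope") == "link":
        return "interface"  # bound to an XTM device interface
    if "via" in route:
        return "static"     # gateway route that was added to the configuration
    return "kernel" if route.get("proto") == "kernel" else "other"

def zebra_maybe_truncated(routes):
    """True when the zebra table is at its display limit, so entries may be missing."""
    return sum(r["table"] == "zebra" for r in routes) >= ZEBRA_DISPLAY_LIMIT
```

When `zebra_maybe_truncated` returns True, take the dynamic routes from the OSPF, RIP, or BGP section of the Status Report instead, as the slides advise.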
IP Address Validity Checks
Error when you try to configure a primary or backup cluster IP address that overlaps the address pool used in Mobile VPN with SSL, Mobile VPN with IPSec, or Mobile VPN with PPTP.
• You cannot save a change that would cause this type of IP address overlap.
• The IP address validation and error occur:
  • When you create or save changes to a FireCluster configuration
  • When you create or save changes to the Mobile VPN with SSL, Mobile VPN with IPSec, or Mobile VPN with PPTP configuration
Warning when primary or backup IP addresses for Mobile VPN with SSL or Mobile VPN with IPSec do not match an external IP address.
• The warning allows the user to continue (save the change) or cancel.
• The IP address validation and warning occur:
  • When you save the Mobile VPN with IPSec configuration
  • When you save the Mobile VPN with SSL configuration
  • When you save changes to the network configuration