What's new in Fireware XTM 11.4 - Fastbyte ICT


What’s New in
Fireware XTM v11.5.3
Changes in Fireware XTM v11.5.3
• Routing table changes
• Feature key global expiration for some XTMv keys
• IP address validity checks and warnings
WatchGuard Training
Routing Table Changes in v11.5.3
• The Routes section of the FSM Status Report now displays the routes in a different format.
• This improves consistency in the way IPv4 and IPv6 routes are displayed.
• The Routes section can contain these route tables:
    • Route Table: main — shows all IPv4 and IPv6 static routes
    • Route Table: default — shows information about the default route
    • Route Table: ethx.out — shows active routes for an external interface, ethx, where x is the interface number
    • Route Table: zebra — shows dynamic routes received from a peer
• If a route table has no entries, it does not appear.
    • For example, the zebra table does not appear if dynamic routing is disabled.
• The zebra route table shows only the first 20 dynamic routes.
    • To see a complete list of the dynamic routes, see the OSPF, RIP, or BGP section of the Status Report.
Routing Table Changes in v11.5.3
Comparison of FSM Status Report Routes section in v11.5.2 and v11.5.3
Routes in v11.5.2

Routes
-----------
Destination       Gateway         Flags   Metric   Ref   Use   Iface
172.16.20.0/30    *               U       0        0     0     eth2
10.0.20.0/24      *               U       0        0     0     eth1
10.0.5.0/24       203.0.113.10    UG      1        0     0     eth0
203.0.113.0/24    *               U       0        0     0     eth0
127.0.0.0/24      *               U       0        0     0     lo
10.0.10.0/24      203.0.113.10    UG      20       0     0     eth0
default           203.0.113.1     UG      0        0     0     eth0
default           203.0.113.1     UG      50       0     0     eth0

Special routing tables
-----------
eth0.out:
10.0.5.0/24 via 203.0.113.10 dev eth0 metric 1
203.0.113.0/24 dev eth0 scope link metric 1
10.0.10.0/24 via 203.0.113.10 dev eth0 metric 20
default via 203.0.113.1 dev eth0 metric 1
zebra:
10.0.10.0/24 via 203.0.113.10 dev eth0 metric 20

Routes in v11.5.3

Route Table: main
------------------
172.16.20.0/30 dev eth2 proto kernel scope link
10.0.20.0/24 dev eth1 proto kernel scope link
10.0.5.0/24 via 203.0.113.10 dev eth0 metric 1
203.0.113.0/24 dev eth0 proto kernel scope link
127.0.0.0/24 dev lo scope link
default via 203.0.113.1 dev eth0
::1/128 dev lo proto kernel metric 256

Route Table: default
------------------
default via 203.0.113.1 dev eth0 metric 50

Route Table: eth0.out
------------------
10.0.5.0/24 via 203.0.113.10 dev eth0 metric 1
203.0.113.0/24 dev eth0 scope link metric 1
default via 203.0.113.1 dev eth0 metric 1

Route Table: zebra
------------------
10.0.10.0/24 via 203.0.113.10 dev eth0 proto zebra metric 20
Routing Table Changes in v11.5.3
• A route bound to an XTM device interface appears in this format:
    <destination> dev <device> proto kernel scope link
    Example: 203.0.113.0/24 dev eth0 proto kernel scope link
• A static route that you add appears in this format:
    <destination> via <gateway> dev <device> metric <metric>
    Example: 10.0.30.0/24 via 10.0.10.254 dev eth1 metric 1
• A dynamic route appears in the zebra route table in this format:
    <destination> via <gateway> dev <device> proto zebra metric <metric>
    Example: 10.0.10.0/24 via 203.0.113.10 dev eth0 proto zebra metric 20
• Information that can appear for each route includes:
    • <destination> — the destination IP address for the route
    • dev <device> — indicates which device (usually an interface number) the route applies to; for example, eth0 for interface 0, or lo for loopback
    • proto kernel — the route was created by the Linux kernel
    • proto zebra — the route is a dynamic route learned via a dynamic routing protocol
    • scope link — the route is bound to an XTM device interface
    • metric <number> — the routing metric, or cost, for the route
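An added example (not WatchGuard code and not part of the original slides): a Python parser for the v11.5.3 route line formats listed above, suitable for auditing the Routes section of a saved Status Report. The function names and the sample text are constructed for illustration, and the parser assumes each keyword (via, dev, proto, scope, metric) is followed by exactly one value, as in the formats shown.

```python
import ipaddress

# Constructed sample in the v11.5.3 layout described above (documentation addresses).
SAMPLE_ROUTES = """\
Route Table: main
------------------
203.0.113.0/24 dev eth0 proto kernel scope link
10.0.30.0/24 via 10.0.10.254 dev eth1 metric 1
default via 203.0.113.1 dev eth0
::1/128 dev lo proto kernel metric 256
Route Table: zebra
------------------
10.0.10.0/24 via 203.0.113.10 dev eth0 proto zebra metric 20
"""

KEYWORDS = {"via", "dev", "proto", "scope", "metric"}  # assumption: one value each

def parse_route(line):
    """Turn one route line into a dict; raise ValueError on anything unexpected."""
    tokens = line.split()
    dest, rest = tokens[0], tokens[1:]
    if dest != "default":
        ipaddress.ip_network(dest, strict=False)  # rejects a malformed IPv4/IPv6 prefix
    route = {"destination": dest}
    if len(rest) % 2:
        raise ValueError(f"dangling token in route line: {line!r}")
    for key, value in zip(rest[::2], rest[1::2]):
        if key not in KEYWORDS:
            raise ValueError(f"unknown keyword {key!r} in: {line!r}")
        route[key] = int(value) if key == "metric" else value
    return route

def parse_routes_section(text):
    """Return {table_name: [route, ...]} for the Routes section of a Status Report."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue  # blank line or the dashed rule under a table header
        if line.startswith("Route Table:"):
            current = tables.setdefault(line.split(":", 1)[1].strip(), [])
        elif current is None:
            raise ValueError(f"route line before any table header: {line!r}")
        else:
            current.append(parse_route(line))
    return tables

def dynamic_routes(tables):  # routes learned from a routing peer (proto zebra)
    return [r for routes in tables.values() for r in routes if r.get("proto") == "zebra"]
```

Because the zebra table shows only the first 20 dynamic routes, a full audit of learned routes should also read the OSPF, RIP, or BGP section of the report.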
IP Address Validity Checks
• An error appears when you try to configure a primary or backup cluster IP address that overlaps the address pool used in Mobile VPN with SSL, Mobile VPN with IPSec, or Mobile VPN with PPTP.
    • You cannot save a change that would cause this type of IP address overlap.
    • The IP address validation and error occur:
        • When you create or save changes to a FireCluster configuration
        • When you create or save changes to the Mobile VPN with SSL, Mobile VPN with IPSec, or Mobile VPN with PPTP configuration
• A warning appears when primary or backup IP addresses for Mobile VPN with SSL or Mobile VPN with IPSec do not match an external IP address.
    • The warning allows the user to continue (save the change) or cancel.
    • The IP address validation and warning occur:
        • When you save the Mobile VPN with IPSec configuration
        • When you save the Mobile VPN with SSL configuration
        • When you save changes to the network configuration
THANK YOU!