Fireware Pro 9.1 What's New - WatchGuard Technologies, Inc


Fireware Pro 9.1
What’s New
What’s New in Fireware 9.1
Overview
This presentation has three categories:
• New Features in 9.1
• Enhancements to existing features
• Miscellaneous changes
2
Fireware 9.1
New Features
• Factory Shipped User Area
• New power-on mode
• New steps for Quick Setup Wizard
• Quarantine Server
• HTTP proxy exceptions
• POP3 proxy
• Automatic redirect after firewall authentication
• New authentication web server certificate
• Server load balancing
• Import/export proxy actions and rulesets
• Support for jumbo frames
• Support for Windows Vista
• Find Policy feature
3
Factory Shipped User Area
Fireware pre-loaded from factory
Benefits:
Improved out-of-box experience
Faster, easier deployment
• One computer can get to the Internet during QSW
• Register box with LSS and get feature key during QSW
• No need to disconnect from Firebox, connect to live Internet connection, get feature key, reconnect to Firebox, continue Wizard
• User can still finish QSW if user forgot to (or did not know to) install Fireware on the management station
Not sure yet when manufacturing cutover happens
4
Power-on options
Safe Mode & Recovery Mode
Safe Mode (New boot method)
• Power-on + down arrow button
◦ Hold button until LCD shows WatchGuard Technologies
• Available only if 9.1 image is installed on box
• Allows one computer out to the Internet
• Saves time: Loads new Fireware image only if image on computer is newer
Recovery Mode (Same as current method)
• Power-on + up arrow button
• Used to be called Safe Mode
• No Internet access until QSW is done
• Must have feature key to finish
• New Fireware image is always loaded
5
Quick Setup Wizard
New and different steps
Skip instructional steps if user knows that the box is in a discoverable state
Next step: discovery
At least four more steps until discovery
6
Quick Setup Wizard
New and changed steps
Set external IP address information during QSW
• External interface settings are saved to Firebox immediately
• Lets user out to Internet before or during feature key step
DNS information
• The Firebox must have DNS information for spamBlocker to work, and to get Gateway AV/IPS updates
Feature key step of QSW: “Click to go to LiveSecurity site”
• Works only if 9.1 installed
• Works only if booted using down arrow
• Detects and displays current license if user ran the QSW previously
Remote management step
• Adds an external IP address to the From: field of WatchGuard policy
7
Quarantine Server
Quarantine spam
Works with spamBlocker only
Does not quarantine based on virus signature or content types
• SMTP proxy yes; quarantine spam, bulk, or suspect email
• POP3 proxy no; cannot quarantine POP3 email
New icon in WatchGuard toolbar
Install with server components during WSM install
8
Quarantine Server
New “Quarantine” action in spamBlocker
• Quarantine based on spam classification
• Quarantine based on Exception
9
Quarantine Server
Server Settings
• Set maximum database size
• Admin notification when database gets close to capacity
• SMTP server settings
10
Quarantine Server
Expiration Settings
• How long to keep messages
• For which domains the Quarantine Server will keep email
11
Quarantine Server
User notification
Customize body text for notification emails sent to users
12
Quarantine Server
Rules
Automatically remove messages based on:
• From specific domains
• From specific senders
• With specific text in the Subject
13
Quarantine Server
Statistics
Export data to:
• Excel
• CSV
Filter report by:
• Date
• Spam classification
View data by:
• Month
• Week
• Day
14
Quarantine Server
User notification
15
Quarantine Server
Simple for user to delete or release emails
16
HTTP Proxy Exceptions
Bypass rule checking
An easy way to allow content from:
• Windows Updates
• Symantec Updates
• Other friendly sites
Proxy sets all rules to Allow for these sites
• Allows all content from hosts that match this list
17
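The exception list is a bypass: any host on it skips every HTTP proxy rule, so the thing to get right is the host comparison itself. The following is an added example, not WatchGuard's code and not from this deck; it assumes a list of exact hostnames plus "*.domain" wildcard entries (the hostnames are constructed) and shows why the match must be anchored to the whole Host value rather than a substring, so that a look-alike name does not inherit the bypass.

```python
import re

# Constructed exception list in the spirit of the slide (Windows Updates,
# Symantec Updates, "other friendly sites"); the hostnames are illustrative.
EXCEPTION_HOSTS = [
    "update.vendor-a.example",        # exact host
    "*.liveupdate.vendor-b.example",  # any sub-domain, one or more labels deep
]


def _exception_regex(pattern):
    """Compile one exception entry into an anchored regular expression.

    A leading "*." is treated as one or more DNS labels; everything else is
    literal. Anchoring with ^ and $ is what keeps an entry from matching a
    look-alike such as "update.vendor-a.example.attacker.example".
    """
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return re.compile(r"^(?:[a-z0-9-]+\.)+" + re.escape(pattern[2:]) + r"$")
    return re.compile(r"^" + re.escape(pattern) + r"$")


def matching_exception(host, exceptions=EXCEPTION_HOSTS):
    """Return the exception entry that makes `host` bypass HTTP proxy rules, or None.

    Only the request's Host value is compared; the path does not matter because
    the proxy sets all rules to Allow for a matching host.
    """
    host = host.lower().rstrip(".")
    for pattern in exceptions:
        if _exception_regex(pattern).match(host):
            return pattern
    return None


def bypasses_rules(host, exceptions=EXCEPTION_HOSTS):
    """True if the HTTP proxy would skip rule checking for this host."""
    return matching_exception(host, exceptions) is not None


if __name__ == "__main__":
    for h in ["update.vendor-a.example", "cdn1.liveupdate.vendor-b.example",
              "update.vendor-a.example.attacker.example"]:
        print(h, "->", matching_exception(h))
```

Because a matching host is exempt from AV, IPS and content rules, keep the list short and review it with the same care as a firewall Any rule; the wildcard form in particular should be limited to domains the organisation actually trusts.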
POP3 Proxy
Server and Client POP3 proxies
18
POP3 Proxy
Benefits
Content Type filtering
• Strip or lock attachments based on declared MIME type
Filename filtering
• Strip or lock attachments based on filename pattern
AV scanning
• Strip or lock attachments if virus found
IPS scanning
• Strip or lock attachments if signature matches
spamBlocker
• Allow or tag based on categorization
• No quarantine for spam with POP3 email (only SMTP email can be quarantined)
19
POP3 Proxy
Benefits
Simpler, easier-to-understand defaults
20
POP3 Proxy
Limitations
POP3 proxy cannot block POP3 emails:
In POP3 transaction, client gets message count first
• Client keeps trying until number of messages received matches count
• We must deliver the correct number of messages
Attachment scanning
• Inline engine – not store-and-forward
• Client may get truncated attachment along with the deny message
spamBlocker cannot quarantine POP3 messages
• For the same reasons we cannot block POP3 mail
• spamBlocker can [Allow] or [Add Subject Tag] only
21
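The limitation above follows from the protocol: the client learns the message count from STAT and will not stop asking until it has received that many messages, so an inline proxy can rewrite a message but cannot make one disappear. The example below is added here and is not WatchGuard's code; it models a tiny in-memory POP3 server, an inline proxy that tags spam subjects and strips a disallowed attachment (the ".exe" filename rule and the ***SPAM*** tag are assumptions), and a client loop that fetches exactly the count it was told. The mailbox contents are constructed.

```python
import re

# Constructed sample mailbox (not from the deck): raw messages as the server stores them.
MAILBOX = [
    "From: alice@corp.example\r\nSubject: Quarterly report\r\n\r\nNumbers attached.\r\n",
    "From: promo@bulk.example\r\nSubject: You have won\r\n\r\nClaim now.\r\n",
    "From: bob@corp.example\r\nSubject: Invoice\r\n"
    'Content-Disposition: attachment; filename="invoice.exe"\r\n\r\n<binary>\r\n',
]


class FakePop3Server:
    """Minimal in-memory POP3 server: STAT, LIST and RETR only."""

    def __init__(self, messages):
        self.messages = list(messages)

    def handle(self, command):
        verb, *args = command.split()
        if verb == "STAT":
            return f"+OK {len(self.messages)} {sum(len(m) for m in self.messages)}"
        if verb == "LIST":
            rows = [f"{i} {len(m)}" for i, m in enumerate(self.messages, 1)]
            return f"+OK {len(self.messages)} messages\r\n" + "\r\n".join(rows) + "\r\n."
        if verb == "RETR":
            msg = self.messages[int(args[0]) - 1]
            return f"+OK {len(msg)} octets\r\n{msg}."
        return "-ERR unsupported"


class Pop3Proxy:
    """Inline POP3 proxy model. It may rewrite a message (subject tag, stripped
    attachment) but never changes the message count the client learned from STAT."""

    def __init__(self, server, is_spam, blocked_filename=r"\.exe$", tag="***SPAM***"):
        self.server = server
        self.is_spam = is_spam                      # callable(headers) -> bool
        self.blocked = re.compile(blocked_filename, re.IGNORECASE)
        self.tag = tag

    def handle(self, command):
        response = self.server.handle(command)
        if not command.startswith("RETR") or not response.startswith("+OK"):
            return response                         # STAT/LIST pass through untouched
        _, _, payload = response.partition("\r\n")
        message = payload[:-1]                      # drop the terminating "."
        headers, sep, body = message.partition("\r\n\r\n")
        if self.is_spam(headers):                   # spamBlocker: Allow or Add Subject Tag only
            headers = re.sub(r"^Subject: ", f"Subject: {self.tag} ", headers, flags=re.M)
        m = re.search(r'^Content-Disposition: attachment; filename="?([^"\r\n]+)',
                      headers, flags=re.M)
        if m and self.blocked.search(m.group(1)):
            # Strip: replace the attachment with a deny message; the message itself stays.
            headers = re.sub(r"(?:\r\n)?^Content-Disposition:[^\r\n]*", "", headers, flags=re.M)
            body = "[attachment removed by proxy: filename not allowed]\r\n"
        message = headers + sep + body
        return f"+OK {len(message)} octets\r\n{message}."


def client_fetch_all(endpoint):
    """POP3 client behaviour from the slide: learn the count from STAT, then
    RETR until that many messages have been received."""
    count = int(endpoint.handle("STAT").split()[1])
    received = []
    for n in range(1, count + 1):
        response = endpoint.handle(f"RETR {n}")
        if not response.startswith("+OK"):
            raise RuntimeError(f"message {n} missing; a real client would keep retrying")
        received.append(response.split("\r\n", 1)[1][:-1])
    return received


def run_demo():
    """Fetch the constructed mailbox through the proxy; the count is preserved."""
    proxy = Pop3Proxy(FakePop3Server(MAILBOX), is_spam=lambda hdrs: "@bulk.example" in hdrs)
    return client_fetch_all(proxy)


if __name__ == "__main__":
    for msg in run_demo():
        print(msg.split("\r\n")[1])
```

Had the proxy answered RETR 2 with an error to "block" the spam, the client would have kept retrying until it got three messages; tagging the subject and replacing the attachment with a deny message are the rewrites that stay consistent with the count, which is also why quarantine is only offered for SMTP.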
Firewall Authentication
Automatic redirect after authentication
Setup > Authentication > Authentication Settings
• Authentication settings moved here from Setup > Global settings
• New Redirect option:
User’s browser is redirected to this URL five seconds after successful authentication
22
Firewall Authentication
Customizable Web Server Certificate
No more security warnings!
Why does the user get warnings from the browser?
1. The name on the certificate does not match the URL in the browser
• Fixed with new Fireware web server certificate
• Uses subject alternative names to match several possible URLs
• Three different options for Fireware’s web server certificate
2. Certificate is not trusted
• User still must import the CA cert from the issuing authority (or the web server certificate itself)
• Import to trusted root store
23
Firewall Authentication
Customizable web server certificate
Three options:
Default certificate
• Uses each trusted interface IP address as subject alt names
Third party certificate
• Must import using FSM
• Mark purpose as “web server” when generating Certificate Signing Request (CSR)
Custom Certificate
• Signed by Firebox
• Option to add more subject alt name fields: IP addresses or domain names
24
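The three certificate options differ only in which subject alternative names end up on the certificate, so the practical check is whether the host part of the URL users type is covered by one of those names. The code below is an added example, not WatchGuard's, that implements that comparison the way browsers do (numeric hosts against iPAddress entries, names against dNSName entries, one-label wildcards) and lists the hosts a given SAN set would still warn about. The addresses and names are constructed. It addresses only the first warning cause; the trust-store problem is separate.

```python
import ipaddress


def _dns_name_matches(san_name, hostname):
    """RFC 6125-style comparison: case-insensitive exact match, or a wildcard
    standing for exactly one left-most label (*.corp.example matches
    fw.corp.example but not a.b.corp.example)."""
    san = san_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if san.startswith("*."):
        san_labels, host_labels = san.split("."), host.split(".")
        return len(san_labels) == len(host_labels) and san_labels[1:] == host_labels[1:]
    return san == host


def certificate_matches_host(sans, url_host):
    """True if the host in the browser's URL is covered by a subject alt name.

    `sans` is a list of ("DNS", name) or ("IP", address) pairs. A numeric host
    is matched only against iPAddress entries and a name only against dNSName
    entries, which is how browsers apply the two SAN types.
    """
    try:
        wanted_ip = ipaddress.ip_address(url_host)
    except ValueError:
        wanted_ip = None
    for kind, value in sans:
        if kind == "IP" and wanted_ip is not None and ipaddress.ip_address(value) == wanted_ip:
            return True
        if kind == "DNS" and wanted_ip is None and _dns_name_matches(value, url_host):
            return True
    return False


def uncovered_hosts(sans, hosts_users_type):
    """Hosts from the given list that would still trigger a name-mismatch warning."""
    return [h for h in hosts_users_type if not certificate_matches_host(sans, h)]


# Constructed SAN sets (addresses and names are examples, not WatchGuard's).
# "Default certificate": every trusted interface IP address as an iPAddress SAN.
DEFAULT_CERT_SANS = [("IP", "10.0.1.1"), ("IP", "10.0.2.1")]
# "Custom certificate": the same, plus an added domain name SAN.
CUSTOM_CERT_SANS = DEFAULT_CERT_SANS + [("DNS", "fw.corp.example")]

if __name__ == "__main__":
    typed = ["10.0.1.1", "fw.corp.example"]
    print("default cert still warns for:", uncovered_hosts(DEFAULT_CERT_SANS, typed))
    print("custom cert still warns for:", uncovered_hosts(CUSTOM_CERT_SANS, typed))
```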
Server Load Balancing
Balances incoming traffic to server clusters
Add it in a familiar, intuitive way.
• In the To: field, select Add > Add NAT
• New drop-down list to select Server Load Sharing instead of Static NAT
• Sticky Connections makes sure new connections from the same client use the same server for the specified time.
25
Server Load Balancing
Algorithms
Supports up to 10 servers per object
Algorithms:
• Weighted Round-robin
• Weighted Least Connections
26
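To make the two algorithms and the sticky-connection behaviour from the previous two slides concrete, here is an added example (not WatchGuard's implementation) of a load balancing object: weighted round-robin expands each server into the rotation by its weight, weighted least connections picks the lowest active-connections-to-weight ratio, and a sticky table pins a client to its server for a configurable number of seconds. Server addresses, weights and the 300-second default are constructed; the 10-server cap is taken from the slide.

```python
import itertools


class ServerLoadBalancer:
    """Model of a server load balancing object with two algorithms and
    sticky connections. Addresses and weights are caller-supplied."""

    ALGORITHMS = ("weighted-round-robin", "weighted-least-connections")

    def __init__(self, servers, algorithm="weighted-round-robin", sticky_seconds=300):
        if not 1 <= len(servers) <= 10:
            raise ValueError("a load balancing object holds 1 to 10 servers")
        if algorithm not in self.ALGORITHMS:
            raise ValueError(f"unknown algorithm {algorithm!r}")
        self.servers = dict(servers)               # address -> weight
        self.algorithm = algorithm
        self.sticky_seconds = sticky_seconds
        self.active = {s: 0 for s in servers}      # open connections per server
        self.sticky = {}                           # client -> (server, expires_at)
        # Weighted round-robin: each server appears `weight` times in one cycle.
        self._cycle = itertools.cycle(
            [s for s, w in self.servers.items() for _ in range(w)])

    def _least_connections(self):
        # Lowest active/weight ratio wins; ties broken by address for determinism.
        return min(self.servers, key=lambda s: (self.active[s] / self.servers[s], s))

    def pick(self, client, now):
        """Choose a server for a new connection from `client` at time `now`."""
        entry = self.sticky.get(client)
        if entry is not None and now < entry[1]:
            server = entry[0]                      # sticky hit: same server again
        elif self.algorithm == "weighted-round-robin":
            server = next(self._cycle)
        else:
            server = self._least_connections()
        # Every new connection from the client restarts its sticky timer.
        self.sticky[client] = (server, now + self.sticky_seconds)
        self.active[server] += 1
        return server

    def release(self, server):
        """Connection closed; keeps least-connections accounting accurate."""
        self.active[server] -= 1


if __name__ == "__main__":
    lb = ServerLoadBalancer({"10.0.0.11": 2, "10.0.0.12": 1})
    print([lb.pick(f"client{i}", now=0) for i in range(6)])
```

Weighted round-robin is predictable and cheap but ignores how long each connection lives; weighted least connections adapts to uneven load but only if the balancer sees connection teardown (the `release` call). Sticky connections trade even distribution for session affinity, so a sticky time longer than the application's session is wasted and one shorter than it breaks sessions.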
Policy Manager Enhancements
Import and Export from Policy Manager
Useful for managing many boxes
Copy back and forth between XML configurations
Must be from the same version of WSM/Policy Manager
• Cannot import 9.0 object into 9.1 Policy Manager, for example
• Convert older configuration before exporting for use in newer version
Objects you can import/export:
• Proxy actions
• Individual rulesets within proxy actions
• Custom policies
• WebBlocker exceptions
• spamBlocker exceptions
• Schedules
27
Import/export
Objects you can import/export
Proxy actions
28
Import/export
Objects you can import/export
Individual rulesets within proxy actions
• SMTP: greeting rules, authentication schemes, content types, filenames, mail from, mail to, headers
• HTTP: request methods, URL paths, headers, authentication schemes, content types, cookies, body content types
• DNS: OPCodes, query types, query names
• FTP: commands, downloads, uploads
• POP3: authentication schemes, content types, filenames, headers
29
Must be in Advanced View to see Import/Export buttons
Import/export
Objects you can import/export
Custom policies
30
Import/export
Objects you can import/export
WebBlocker Exceptions
31
Import/export
Objects you can import/export
spamBlocker Exceptions
32
Import/export
Objects you can import/export
Schedules
33
Ethernet Driver Updates
Support for Jumbo Frames
You can now set MTU on Firebox interfaces up to 9000
• Previous limit was 1500
• 1500 is normal maximum MTU for Ethernet
34
WSM Enhancement
Support for Windows Vista
All variants of Windows Vista are supported in WSM v9.1 for Firebox configuration, monitoring, and management
• Windows Vista not supported yet for MUVPN
• Vista-compatible MUVPN client scheduled for Fall
35
Policy Manager Enhancements
Find Policy (Edit > Find)
Finds policies that match the search criteria
36
Policy Manager Enhancement
Policy-Based Routing (PBR) Column
If a policy uses PBR:
• Interface number used for PBR listed in new column
• Multiple interface numbers indicate that the PBR uses failover
37
Fireware 9.1
Feature Enhancements
• Management Server
• HTTP proxy
• SMTP proxy
• FTP proxy
• GatewayAV/IPS
• spamBlocker
• WebBlocker
• Branch Office VPN
• IPSec Pass-through
• Firebox certificates
• DHCP
• HostWatch
• PMTU
38
Management Server Enhancements
Better efficiency
• Compiling and deploying policies is faster
• Better scalability
New “Hub” VPN resource
• For default-route VPNs (send all traffic through VPN)
Turn off logging of DVCP-generated VPN policies
• Custom VPN policies only
Phase 1 now configurable
• Still uses Aggressive Mode; no Main Mode tunnels
Several defects fixed
39
Management Server Enhancements
New Hub Network VPN Resource
• VPN sends all traffic through the Firebox that has “Hub Network” as the local resource.
• Warning tells you that a dynamic NAT rule may be necessary to let traffic from branch office out to Internet.
40
HTTP Proxy Enhancements
WebDAV Support
All WebDAV methods now supported
What is WebDAV?
• Stands for Web-based Distributed Authoring and Versioning
• A set of extensions to the HTTP 1.1 specifications
• Adds new HTTP request methods to the familiar GET, HEAD, POST, etc.
• Used for collaborative authoring of documents and versioning control:
• Outlook Web Access
• Subversion (popular open-source version control system)
• Wherever you see team authoring and version control
41
HTTP Proxy Enhancements
WebDAV Support
42
SMTP Proxy Enhancements
Benefits and limitations
• Turn off ESMTP altogether with one box
• Turn off logging of denied ESMTP verbs
• Auto-detect MIME types
43
FTP Proxy Enhancements
Benefits and limitations
Full data channel inspection
• Gateway AntiVirus
• Intrusion Prevention
New option for maximum number of failed logins
• Auto-block the source if number is exceeded
• Protects against dictionary attacks on your FTP server
44
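The failed-login option is a detection-and-response rule: count authentication failures per source and block the source once the configured maximum is exceeded. The following is an added example of that logic, not WatchGuard's code and not its log format; the log lines are constructed, and the sliding time window is an assumption the slide does not mention (it only states a maximum count).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed FTP-proxy-style log lines; not a real WatchGuard log format.
SAMPLE_LOG = """\
2007-06-01T10:00:01 ftp-proxy src=203.0.113.5 user=admin result=FAIL
2007-06-01T10:00:03 ftp-proxy src=203.0.113.5 user=admin result=FAIL
2007-06-01T10:00:04 ftp-proxy src=198.51.100.9 user=alice result=OK
2007-06-01T10:00:05 ftp-proxy src=203.0.113.5 user=root result=FAIL
2007-06-01T10:00:06 ftp-proxy src=203.0.113.5 user=test result=FAIL
2007-06-01T10:20:00 ftp-proxy src=198.51.100.9 user=alice result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ftp-proxy src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def find_sources_to_block(log_text, max_failures=3, window=timedelta(minutes=10)):
    """Return {source: time_of_block} for sources whose failed logins within
    `window` exceed `max_failures`. Successful logins are ignored, and a source
    is reported once, at the failure that pushed it over the limit."""
    recent_failures = defaultdict(list)    # src -> timestamps inside the window
    blocked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "FAIL":
            continue
        src, ts = m["src"], datetime.fromisoformat(m["ts"])
        if src in blocked:
            continue                       # already auto-blocked
        history = recent_failures[src]
        history.append(ts)
        while history and ts - history[0] > window:
            history.pop(0)                 # expire failures older than the window
        if len(history) > max_failures:
            blocked[src] = ts
    return blocked


if __name__ == "__main__":
    for src, when in find_sources_to_block(SAMPLE_LOG).items():
        print(f"auto-block {src} at {when.isoformat()}")
```

Blocking by source address is effective against a single host guessing passwords, but a whole office behind one NAT address shares that address; pick the maximum with that in mind and give the block a finite duration.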
AV/IPS Enhancements
Benefits and limitations
All inline scanning engine now
• Same inline scanning engine that has always been used in the HTTP proxy
• This means we no longer use the Clam AV scanning engine for the SMTP proxy
• No limit to the size of attachments we can scan
• We do, however, still use Clam AV signatures
45
spamBlocker Enhancements
Benefits and limitations
• Proactive Patterns
• spamBlocker downloads small (no more than 20MB) database of patterns
• For quicker detection of patterns no longer in the wild
• Works only on legacy Peak, any e-Series
• Trusted email forwarders
• Bulk import/export spamBlocker exceptions (white/blacklists)
• Set Allow or Deny when spamBlocker server is unavailable
46
WebBlocker Enhancements
Benefits and limitations
• New organization for categories in UI
• New UI option to change listening port of WebBlocker Server
Right-click WebBlocker Server icon in Windows taskbar
Stop service, then right-click again:
47
Branch Office VPN Enhancements
Better explanation of SA creation
Phase 2 SA creation options expanded, more user-friendly
[Screenshots: Old and New Phase 2 SA creation dialogs]
48
Branch Office VPN Enhancements
Rekey BOVPNs
Rekey All
• Tools menu in FSM
Rekey Selected
• Right-click the active tunnel in the Front Panel tab
49
IPSec Pass-through Enhancements
Code Overhauled
IPSec pass-through code totally overhauled
• Multiple IPSec clients behind Firebox can make outbound VPN sessions to concentrators on the external network at the same time, with fewer problems
• Enable IPSec Pass-through at VPN > VPN Settings
50
IPSec Pass-through Enhancements
IPSec policy automatically added
IPSec policy automatically added when IPSec pass-through is enabled
1. Enable IPSec Pass-through at
VPN > VPN Settings
2. Policy Manager automatically adds
WatchGuard IPSec policy
51
Firebox Certificates
UI Enhancements
Updated wizard for Certificate Signing Request (CSR)
• Same information; clearer presentation
52
DHCP Server Enhancements
New DNS Settings
On each Firebox interface, you can specify new information to give DHCP clients:
• Domain name (connection-specific DNS suffix)
• DNS server IP addresses
53
HostWatch Enhancements
Enhancements
• External PPPoE interfaces now show properly
• You can now monitor VLANs, but you must manually type the name
• VLANs do not show in the list (right-click, select Other)
• Create any combination of interfaces to monitor using a regular expression
Type the interface name without the (ethx) part.
Examples:
• VLAN10 – VLAN called “VLAN10”
• [RegEx] ^Optional – All interfaces that start with name “Optional-”
• [RegEx] Optional-[12] – First two optional interfaces
54
PMTU Enhancement
Tune PMTU for IPSec
Some Path MTU Discovery parameters now configurable
• Minimum PMTU is to guard against Denial of Service attacks caused by ICMP “request to fragment” messages with trivially low MTU
• Aging time is to return the interface MTU value to the MTU set at top of this tab after specified number of [seconds/minutes/hours/days]
55
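The two parameters on this slide are easiest to understand as operations on a path-MTU cache: a floor that an ICMP "fragmentation needed" message cannot push the MTU below, and an aging time after which the learned value is forgotten and the configured MTU applies again. The class below is an added example of that model, not WatchGuard's implementation; the per-destination cache, the 576-byte floor, the 600-second aging default and the rule of ignoring messages that would not lower the current value are all assumptions, and the destination address is constructed.

```python
class PmtuCache:
    """Path MTU learned per destination from ICMP 'fragmentation needed',
    with a configurable floor (minimum PMTU) and an aging time."""

    def __init__(self, interface_mtu=1500, min_pmtu=576, aging_seconds=600):
        self.interface_mtu = interface_mtu     # MTU set at the top of the tab
        self.min_pmtu = min_pmtu               # never go below this value
        self.aging_seconds = aging_seconds     # forget learned values after this long
        self.entries = {}                      # destination -> (pmtu, learned_at)

    def lookup(self, dst, now):
        """MTU to use towards dst at time `now`; expired entries revert to the interface MTU."""
        entry = self.entries.get(dst)
        if entry is None:
            return self.interface_mtu
        pmtu, learned_at = entry
        if now - learned_at >= self.aging_seconds:
            del self.entries[dst]              # aging: return to the configured MTU
            return self.interface_mtu
        return pmtu

    def on_fragmentation_needed(self, dst, advertised_mtu, now):
        """Process an ICMP 'fragmentation needed' message for dst.

        The advertised value is clamped to the floor, so a message claiming a
        trivially low MTU cannot force every packet into tiny fragments, and a
        value that would not shrink the current path MTU is ignored.
        """
        current = self.lookup(dst, now)
        if advertised_mtu >= current:
            return current
        pmtu = max(advertised_mtu, self.min_pmtu)
        self.entries[dst] = (pmtu, now)
        return pmtu


if __name__ == "__main__":
    cache = PmtuCache()
    print(cache.on_fragmentation_needed("198.51.100.7", 68, now=0))    # clamped to the floor
    print(cache.lookup("198.51.100.7", now=700))                       # aged out
```

The floor decides how much a forged ICMP message can cost you: with 576 bytes the worst case is roughly 2.6 times as many packets for bulk transfers, whereas honouring a 68-byte value would mean more than twenty times as many. For IPSec tunnels the floor also needs room for the ESP and outer-IP overhead, otherwise the clamp still leaves inner packets that must be fragmented.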
Fireware 9.1
Miscellaneous Changes
• Remember my password
• SNMP MIBs no longer use RapidStream number
• VLANs show in Bandwidth Meter
• Terminology change: Licensed Features to Feature Key
• Syslog – more facilities available
• Space allowed in interface names
56
Firebox System Manager
UI Enhancements
Remember my passphrase
• For actions that require the configuration passphrase
• No need to enter read/write passphrase every time
57
SNMP Enhancements
New arc for MIBs
Fireware MIBs now use WatchGuard private enterprise arc
• Old MIBs used RapidStream arc 1.3.6.1.4.1.4355
• New MIBs use WatchGuard arc 1.3.6.1.4.1.3097
58
Policy Manager
Miscellaneous Changes
Setup > Licensed Features changed to Setup > Feature Keys
59
Thank You