What's New in WSM 10 and Fireware 10

What’s New in WSM/Fireware 10
WSM 10 Overview
New in WSM 10
• New SQL-based logging and reporting architecture
• WatchGuard Management Server enhancements
• Firebox System Manager enhancements
• New help system with search and Table of Contents
Fireware 10 Overview
New in Fireware 10
• Mobile VPN with SSL
• New proxies for VoIP support
• New TCP/UDP proxy for multiple protocol detection
• Enhancements to security subscriptions
• Single Sign-On
• More integration with LiveSecurity
• BOVPN and Mobile VPN with IPSec enhancements
• New notifications
• Networking enhancements
New in WSM 10
New Logging and
Reporting Architecture
New Logging and Reporting Architecture
Overview
The new logging and reporting architecture includes:
• New SQL-based Log Server
• Totally redesigned LogViewer application
• New Report Server
• New Report Manager (replaces Historical Reports)
One change to the WatchGuard Toolbar:
New Report Server icon
New Logging and Reporting Architecture
About the SQL Database
Uses PostgreSQL
• Postgres is installed during either:
• Log Server Setup Wizard
• Report Server Setup Wizard
• The server you set up first (Report Server or Log Server) installs
Postgres
• Because Postgres does not install over an RDP session, do not run the
Log Server or Report Server Setup Wizard over RDP
• PostgreSQL installation creates the data directory and its structure
• There is no UI option to change the location of the data directory after
Postgres is installed
• Installs a non-admin user account watchguard_pg_user
• Do not alter this account; it is for the Postgres service
• In this release, you must use command line for:
• Importing old XML log files into the database
• Restoring a backup of the database
New Log Server
SQL-based
Advantages to using SQL database for logs
• Much more scalable
• Logs from multiple appliances now stored in one database
• No more discrete XML log files
• Faster and more powerful log file search
• Faster report generation
• Report can be run on data stored in different Log Servers
Automatic maintenance jobs are user-configurable:
• Automatic daily deletion of old logs
• Automatic daily backup
New Log Server
Log Server Setup Wizard
Click once on the Log Server icon to start the Log Server
Setup Wizard
New Log Server
Setup Wizard
PostgreSQL is installed and the database directory is
created when you run either:
• The Log Server Setup Wizard
or
• The Report Server Setup Wizard
New Log Server
Setup Wizard
Pay close attention to this screen of the Setup Wizard
• To change the log data directory after PostgreSQL is installed, you
must run the Setup Wizard again.
New Log Server -
Admin User Interface
Configure the Log Server
To configure the Log Server, left-click once on the Log
Server icon in the WatchGuard toolbar.
Or, right-click and select Configure
New Log Server Server Settings Tab
Log Server Configuration
The Log Server can
send notifications
about itself to
this address.
Firebox Event
Notifications also
go to this address
New Log Server -
Log Server Configuration
Expiration Settings Tab
Automatically purge
old logs
Automatically back
up logs
Send appliance
notifications
New Log Server -
Log Server Configuration
Logging/Monitoring Settings tab
All Firebox appliances
that send logs show
here
Send log messages
about the Log Server
itself to:
• The Windows
Event Viewer
• A text file
New LogViewer
Total Redesign for Maximum Usability
All-new enhanced LogViewer gives powerful new features
New LogViewer
Launch and Connect to a Log Server
Start LogViewer from the WatchGuard
System Manager.
Then, connect to a Log Server.
New Log Viewer
Select the appliance or server to view logs
Select one or
more devices to
see their logs
All devices
logging to this Log
Server (including
other servers)
show here
Report Server and
Management
Server can also
send logs to Log
Server!
New LogViewer
Arrange the windows for the different devices’ logs
Cascade the windows
Or tile them
New Log Viewer
Category View
View:
• All logs
• Only traffic logs
• Only alarms
• Only events
• Only debug logs
• Only bandwidth statistics messages
New LogViewer
Date Range View
Select a preconfigured range
Or make a custom time filter
New LogViewer –
String Search
Search
Simple string search is very useful
Search for:
• An IP address
• Blocked sites / blocked ports
• All messages with a key word, for example:
• IKE
• Type of email or HTTP header
• A username
New Log Viewer –
Search
Put context to the message
When Search finds an interesting log message, you can
show the log messages before and after it.
Right-click the
message and select
Show Log Excerpt
Or press F5
You see 50 messages
before and after the
target log message
New LogViewer
Preferences
Store general
preferences
• Your primary Log Server
• How many messages
before and after the
target in Log Excerpt
• How many searches to
remember
New LogViewer
Preferences
Store viewing
preferences
• Default log type
• Font size
• Which columns to
display for the different
log types
New LogViewer
Search Manager
Tools > Search Manager
Create powerful
searches and
save them for
later use
Advanced Search
shows why a
SQL database is
better
New LogViewer
Multiple export options
Export logs as:
• CSV (comma-separated value) file
• HTML page
• PDF
• XML file
Instantly email logs
as:
• CSV file
• PDF
Select and copy as plain text
New Report Server What it does
Overview
Collects and presents log data
• Periodic collection from Log Server
• Periodic generation of reports
• Provides reports to Report Manager via XMLRPC
• Reports are immediately viewable and automatically refresh
New Report Server What It Does
Overview
Log Data
Log
Server
Consolidated
Log Data
Reports
New Report Server –
Expiration Settings tab
Server Settings tab is
identical to same tab in Log
Server
Expiration Settings tab:
• Automatically delete
old reports
• Turn on notification of
events about the
Report Server itself
Configuration
New Report Server –
Report Generation tab
Tell the Report
Server where to
get data
This is the server
management
passphrase, not the
log encryption key!
Configuration
New Report Manager
Overview
Report Manager
is the client
application
that connects
to the Report
Server
Replaces old
Historical Reports
The left-hand pane
shows the
available reports
The right-hand
pane is a browser
(based on
Internet Explorer)
showing the
selected report
New Report Manager
Launch and Connect to a Report Server
Start Report Manager
from WSM.
Then, connect to a
Report Server.
Report Server
Available Reports
Reports carried forward from earlier Historical Reports:
• Denied Packet Summary
• Denied Packet Detail
• Incoming
• Outgoing
• SMTP Summary
• SMTP Server Summary
• SMTP Detail
• SPAM Summary
• Firebox Statistics
• POP3 Summary
• POP3 Detail
• Alarms
• Packet Filter Host Summary
• Proxy Host Summary
• HTTP Most Popular Domain
• HTTP Summary
• HTTP URL Detail
• IPS Packet
• IPS Summary and its detail subreports:
  • Protocol
  • Severity
  • Source
  • Signature
• AV Summary and its detail subreports:
  • Protocol
  • Host
  • Virus
  • Sender
• WebBlocker Detail
Report Server
Available Reports
New Reports in 10:
• HTTP Most Active Client
• Web Surfing
• External Interface Bandwidth Report
• Management Server Audit Trail
• Management Server Audit Trail Detail
• Management Server Authentication
• BUM “Boxes Under Management”
Management Server
Enhancements
Management Server Enhancements - Overview
Multi-user support
Record locking
Configuration passphrase caching
Force comments on Config Change
Folders with lockout
Notification enhancements
LiveSecurity Alerts
Management Server Enhancements
Multi-user support
Add users on new Users tab of Management Server
Configuration
Management Server Enhancements
Multi-user support
Management Server user accounts:
• Admin privileges
• Can create new user accounts on the Management Server
• Can administer all devices under management with WSM
connection to Management Server
• Read-Write privileges
• Can administer all devices under management with WSM
connection to Management Server
• Read-Only privileges
• Can view all devices under management
• This user connects to the Management Server in Monitoring
Mode
Management Server Enhancements
Multi-user support
Users must now provide
username and
passphrase when
connecting
• Provides audit trail in
Management Server report
Default account is admin
• This account uses the
server management
passphrase
• This is the same password
you used before to connect
to your Management
Server from WSM
Management Server Enhancements
Record locking and caching passphrases
When you bring up Policy Manager for a managed device:
• WSM prevents others from using Policy Manager for that device
when they connect to the Management Server
• Reduces the chance that conflicting edits are made at the same
time by different users
• Policy Manager automatically enters the device’s configuration
passphrase when you save the configuration back to the Firebox
• No need to remember the configuration passphrases for all your
managed devices
• No need to share managed devices’ configuration passphrases
with others
For this to work:
• Firebox you manage must be running Fireware 10
• You must launch Policy Manager via a connection to the
Management Server (not a connection to the device itself)
Management Server Enhancements
Record locking
Connect to Management Server using WSM > Launch Policy Manager for an appliance
• The device record is
locked
When a different user
connects to the
Management Server at
the same time:
• A “Maintenance Alert”
shows for that device
• Policy Manager is not
available for that device
Management Server Enhancements
Configuration passphrase caching
When you use that instance of Policy Manager to save the
configuration, Policy Manager automatically puts the
appliance’s configuration passphrase into the entry field
When you close Policy Manager (or use it to File > Open a
different Firebox) the lock is released
Management Server Enhancements
Force comments
Force comments on config
change
• Turn this on in Management
Server Configuration
Users must add comment
when saving config via a
connection to
Management Server
Management Server Enhancements
Folders with lockout
Right-click Management Server and select Add New Folder
Management Server Enhancements
Folders with lockout
You can make a VPN between
two devices inside the same
locked folder
You cannot make a VPN tunnel
between a device in a locked
folder and a device not in the
same locked folder
• Prevent “mistake” VPNs
• Those can cost the managed
security provider $$ and reputation
Locked folder has a padlock on the folder’s icon
Management Server Enhancements
Notification enhancements
Get notified if a managed device does not contact the
Management Server when its DVCP lease expires
From: [email protected]
Subject: Notice from Management Server
Host: dc01
Time: Fri Feb 08 09:15:34 2008
Process: 3848:3900
Message:
Information (8249), no contact from device with
name Miami_X6500e, id 50.50.50.254, and IP
address 50.50.50.254
Management Server Enhancements
LiveSecurity Alerts
WSM displays LiveSecurity broadcasts when you select the
Management Server
Alerts that will appear:
• New software updates available
• WatchGuard vulnerabilities
Quarantine Server
Enhancements
Quarantine Server Enhancements
Quarantine email based on virus classification
You can now send SMTP mail to the Quarantine Server
based on whether Gateway AntiVirus detected a virus
Quarantine Server Enhancements
Quarantine mail based on virus classification
You can send SMTP mail to the Quarantine Server based on
whether spamBlocker’s Virus Outbreak Detection detected
a virus
Firebox System Manager
Enhancements
Firebox System Manager Enhancements - Overview
Front Panel tab updated for Mobile VPN with SSL
Search Traffic Monitor
Display logs by type of message
Multiple-line select (ctrl-click or shift-click) and copy
Select notifications from entire event catalog
Service Watch graph by bandwidth
Firebox System Manager Enhancements
Front Panel Tab
Mobile VPN with SSL sessions displayed on Front Panel tab
Firebox System Manager Enhancements
Front Panel Tab
Log off remote users from Front Panel tab
Firebox System Manager Enhancements
Traffic Monitor Tab
Search Traffic Monitor
Firebox System Manager Enhancements
Traffic Monitor Tab
View:
• All logs
• Only traffic logs
• Only alarms
• Only events
• Only debug logs
• Only bandwidth statistics messages
Firebox System Manager Enhancements
Traffic Monitor Tab
Multiple-line select (ctrl-click or shift-click) and copy
Firebox System Manager Enhancements
Traffic Monitor Tab
Select Notifications from Event Catalog
Right-click an event in Traffic
Monitor
• Instantly set up notification for the
next time that event happens
Firebox System Manager Enhancements
Service Watch Tab
Use Service Watch to:
• Graph the traffic
going through each
policy by bandwidth
• See the number of
sessions going
through each policy
New Help System
New Help System
Searchable, with Table of Contents
New in Fireware 10
Mobile VPN with SSL
Mobile VPN with SSL
Overview
PC and Mac compatible – one download page for both
Mobile VPN with SSL
URL for users to get the software
URL to authenticate and get the client software:
• https://[firebox.ip.address]:4100/sslvpn.html
• Note the /sslvpn.html at the end
URL to authenticate only remains the same
• https://[firebox.ip.address]:4100
Mobile VPN with SSL
Configuration in Policy Manager
Simple straightforward
configuration
• Policy Manager: VPN > Mobile VPN > SSL
• Use any authentication
server
• Specify which WAN users
connect to first and
second (failover)
• Allow granular access or
access to all connected
networks
New Proxies for VoIP Support
New Proxies for VoIP
H.323 and SIP
These proxies work to allow some VoIP/Videoconferencing
through the Firebox:
• SIP Proxy
• H.323 Proxy
H.323 proxy supports NAT-traversal for voice and video
traffic
• H.323 Gatekeeper (“PBX” hosting/trunking) and T.120 multimedia
support not in this release.
• H.323 support is limited to point-to-point connections
SIP proxy supports NAT-traversal for voice and video traffic
• Does not provide the PBX registration capabilities of a typical
standalone SIP Registrar-Proxy
• Must have your own Registrar-Proxy server to route these
connections
• SIP proxy has only been tested with PBXs located on the
external segment of the Firebox (hosted scenario, no trunking).
New Proxies for VoIP
H.323 and SIP
Simple to configure
H323
SIP
New Proxies for VoIP
TFTP
Trivial File Transfer Protocol
• For more than just VoIP
Typically for:
• Sending updates to VoIP
devices under management
• Sending configuration files
• Sending ROM images or
firmware updates
TFTP Proxy lets you allow or deny
content by matching file name
patterns for:
• Downloads
• Uploads
New TCP-UDP Proxy
Multiple Protocol Detection
TCP-UDP Proxy detects what protocol the traffic is:
• HTTP
• HTTPS
• SIP
• FTP
New HTTPS Proxy
What it can do
HTTPS Proxy
Block objectionable
HTTPS sites using
WebBlocker
Allow or deny access to web
sites based on Domain
Names
• Fireware matches
Domain Name patterns
against the Subject field
in the web site’s SSL
certificate
Enhancements to Security
Subscriptions
Enhancements to Security Subscriptions
Intrusion Prevention (IPS) Enhancements
• New signature set
• Broader range of signatures
• Botnet protection for servers
• Updated signature scanning engine
• Approximately 40% increase in IPS performance
• Simpler IPS Configuration
• P2P and IM now integral part of Fireware (no IPS license required)
WebBlocker Enhancements
• Expanded Category List
• WebBlocker for HTTPS
spamBlocker Enhancements
• Virus Outbreak Detection
WebBlocker Enhancements
40 Category to 54 Category Mapping
40-Category List name
54-Category List name
Arts & Entertainment
Arts
Entertainment
Drugs, Alcohol, Tobacco
Illegal Drugs
Alcohol & Tobacco
Violence
Violence
Tasteless & Offensive
Hacking
Hacking
Spyware
Computing & Internet
Computing & Internet
Downloads
Criminal Skills
Criminal Activity
Phishing & Fraud
Glamour & Intimate Apparel
Intimate Apparel &
Swimwear
Fashion & Beauty
Government & Politics
Government
Politics
Lifestyle & Culture
Society & Culture
Philanthropic & Professional Organizations
Remote Proxies
Proxies & Translators
Peer-to-Peer
NOT REPRESENTED
Spam URLs
NOT REPRESENTED
Infrastructure
NOT REPRESENTED
Business
Ringtones / Mobile Phone
Downloads
Single Sign-On
Single Sign-On
Requirements
Only for Active Directory domains
• Install WatchGuard Authentication Gateway software on a domain
computer
• This computer is called the SSO agent
• The domain account under which the agent software runs must:
• Have “Log on as a service” permission granted (for the service
to run automatically)
• Be a member of Domain Admins group (to query PCs running
Vista)
• All domain PCs must allow connections over ports 139 and 445
• Add exceptions to Windows Firewall for File and Printer Sharing,
or turn off Windows Firewall
Single Sign-On
Settings
Policy Manager: Setup > Authentication > Authentication Settings
• IP address of the PC running
WatchGuard Authentication
Gateway software (the SSO
agent)
• How long the SSO agent
should cache responses it gets
from PCs it queries
• IP addresses that the Firebox
will not ask about
Single Sign-On
How it works 1
• Firebox sees traffic come from a trusted, optional, or VLAN interface
• SSO does not work for traffic coming from an external interface
• Firebox sends query to SSO agent (PC running WatchGuard Authentication Gateway
software)
• This is a port 4114 connection. Command is get user <ip.address>
• SSO agent checks its cache.
• If it has an entry for this IP address, it returns an answer to the Firebox
• If not in cache, SSO agent queries that IP address
• Uses Windows NetWkstaUserEnum() call
• Windows Networking connection over port 139 and/or 445
• If the SSO agent PC gets no reply, it sends an error message to the Firebox
• The IP address is not added to authentication list
Single Sign-On
How it works 2
• PC returns answer to SSO agent. There can be more than one answer
• SSO agent uses only the first answer it gets from the PC
• SSO agent sends query to Active Directory server to find what groups the user is a
member of
• Active Directory returns all values of memberOf attribute tied to that user object
• SSO agent PC returns answer to Firebox
• User name logged in to that PC and groups of which the user is a member
• Firebox puts <IP address>, <user name>, and <groups of which the user is a
member> in its internal list of authenticated users
• Authentication List tab of Firebox System Manager displays the IP address and
user name of authenticated users
Single Sign-On
How it works 3
Use user names and Active Directory groups in your policies
to restrict access
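
The lookup sequence from the "How it works" slides, modeled in Python as an added example (not WatchGuard code and not part of the original slides). It shows two consequences of that design: a cached answer can outlive the logon it describes, and a PC that returns several users is recorded under the first one only. The class names, the 300-second cache lifetime, the cache layout and all addresses and accounts are constructed assumptions; `query_pc` and `member_of` are hypothetical stand-ins for the NetWkstaUserEnum() query and the Active Directory memberOf lookup.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class SsoAgent:
    """Model of the SSO agent's lookup logic as the slides describe it."""
    query_pc: Callable[[str], Optional[list]]  # stand-in for NetWkstaUserEnum(); None = no reply
    member_of: Callable[[str], list]           # stand-in for the AD memberOf lookup
    cache_ttl: int = 300                       # seconds; constructed value
    cache: dict = field(default_factory=dict)  # ip -> (stored_at, [user names])

    def get_user(self, ip: str, now: int) -> Optional[dict]:
        """Answer the Firebox's 'get user <ip.address>' query at time `now`."""
        entry = self.cache.get(ip)
        if entry and now - entry[0] < self.cache_ttl:
            users, source = entry[1], "cache"
        else:
            users = self.query_pc(ip)
            if not users:
                return None                    # error goes back to the Firebox; nothing cached
            self.cache[ip] = (now, users)
            source = "pc"
        user = users[0]                        # only the first answer from the PC is used
        return {"user": user, "groups": self.member_of(user),
                "source": source, "answers": len(users)}


@dataclass
class Firebox:
    agent: SsoAgent
    exceptions: set = field(default_factory=set)   # IP addresses the Firebox will not ask about
    auth_list: dict = field(default_factory=dict)  # ip -> answer from the agent

    def on_traffic(self, ip: str, interface: str, now: int) -> Optional[dict]:
        if interface == "external" or ip in self.exceptions:
            return None                        # SSO is not used for this traffic
        answer = self.agent.get_user(ip, now)
        if answer is not None:
            self.auth_list[ip] = answer        # failed lookups are never added
        return answer


def review(auth_list: dict) -> list:
    """List authentication entries whose user attribution deserves a second look."""
    findings = []
    for ip, a in sorted(auth_list.items()):
        if a["answers"] > 1:
            findings.append((ip, "several logged-on users, first answer used"))
        if a["source"] == "cache":
            findings.append((ip, "served from agent cache, may be stale"))
    return findings


def demo() -> Firebox:
    # Constructed sample data: logged-on users per PC and AD group membership.
    sessions = {"10.0.1.20": ["alice"], "10.0.1.30": ["svc_backup", "bob"]}
    groups = {"alice": ["Sales"], "bob": ["Engineering"], "carol": ["Finance"]}
    fb = Firebox(SsoAgent(sessions.get, lambda u: groups.get(u, [])), {"10.0.1.5"})
    for ip in ("10.0.1.20", "10.0.1.30", "10.0.1.99", "10.0.1.5"):
        fb.on_traffic(ip, "trusted", now=0)
    sessions["10.0.1.20"] = ["carol"]          # alice logs off, carol logs on
    fb.on_traffic("10.0.1.20", "optional", now=120)   # inside the cache lifetime
    return fb
```

`review(demo().auth_list)` returns the two entries worth checking: 10.0.1.20 is still attributed to the user who logged off, and 10.0.1.30 to the first of its two sessions.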
BOVPN
and
Mobile VPN with IPSec
Enhancements
VPN Enhancements
Selective Auto-start of BOVPN Tunnels
Dead Peer Detection
Mobile VPN with IPSec Policies More Configurable
Notification of BOVPN Events
VPN Enhancements
Selective auto-start of BOVPN tunnels
At the bottom of the General Settings tab of the Gateway
VPN Enhancements
Mobile VPN with IPSec more configurable
You can now edit the Mobile
VPN/IPSec policy to change
the allowed access.
The policy is no longer tied
to the “allowed resources”
assigned to the Mobile
VPN/IPSec Group
VPN Enhancements
Dead Peer Detection
On the Phase 1 Settings
tab of the Gateway
VPN Enhancements
Notification of BOVPN events
VPN > VPN Settings > BOVPN Notification button
New Notification Options
New Logging and Reporting Architecture
Notification enhancements
SNMPv3 Support
New WebBlocker Alarm Options
The Firebox can now send notifications for:
• Multi-WAN Events
• BOVPN Down
• Lost contact with WebBlocker Server
Networking Enhancements
Networking Enhancements
Static MAC/IP Address
Binding
• Edit an interface > Advanced tab
• Select Only allow
traffic sent from or to
these MAC/IP
Addresses to lock out
all other traffic on this
interface
• Keep the box cleared
to add only Static
ARP entries
More Integration with
LiveSecurity®
LiveSecurity Integration
Quick Setup Wizard pulls feature key from LiveSecurity
• Appliance must be registered before you can use the QSW to get
the Feature Key
• If the appliance is not
registered, you can get
to the Internet during
the Quick Setup Wizard
to register it
• You can skip this step of
the Wizard if you have
not registered the
device yet
• If there is no Feature
Key, one user can get to
the Internet after it is
configured
LiveSecurity Integration
New
Updated feature key display
• Easier to understand
• Easier to see when features
expire
Old
Thank You!