What’s New in Fireware XTM 11.7


Posted on 06-Jan-2016






What's New in Fireware XTM 11.7. New Features in Fireware XTM v11.7: Networking; IPv6; additional external interfaces; DHCP options; Dynamic NAT configurable source IP address; serial modem failover on XTM 5 Series and XTM 330; Branch Office VPN modem failover. PowerPoint PPT presentation.


<ul>
<li><p>What's New in Fireware XTM 11.7</p><p>WatchGuard Training</p></li>

<li><p>New Features in Fireware XTM v11.7</p>
<p>Networking</p>
<ul>
<li>IPv6</li>
<li>Additional external interfaces</li>
<li>DHCP options</li>
<li>Dynamic NAT: configurable source IP address</li>
<li>Serial modem failover on XTM 5 Series and XTM 330</li>
<li>Branch Office VPN modem failover</li>
<li>Wireless hotspot external guest authentication</li>
<li>Link aggregation</li>
</ul>
<p>Mobile VPN</p>
<ul>
<li>Mobile VPN with L2TP</li>
<li>Mobile VPN apps for Android and iOS</li>
<li>Mobile VPN with SSL client changes</li>
</ul></li>

<li><p>New Features in Fireware XTM v11.7</p>
<p>System</p>
<ul>
<li>FireCluster: wireless XTM devices; hardware health monitoring for failover</li>
<li>Save TCP dump data to a PCAP file (FSM &amp; Web UI)</li>
<li>Automatic feature key synchronization</li>
</ul>
<p>Authentication</p>
<ul>
<li>Configure authentication login limits per user or group</li>
</ul>
<p>Policies</p>
<ul>
<li>Policy tags and filters</li>
<li>Sort policies by column in manual order mode</li>
</ul></li>

<li><p>New Features in Fireware XTM v11.7</p>
<p>Management</p>
<ul>
<li>Report Server enforces the Maximum database size setting</li>
<li>CA Manager in WatchGuard WebCenter</li>
<li>Updated UI for management of quarantined messages by recipients</li>
<li>1-to-1 NAT for managed VPN tunnels</li>
<li>Centralized Management for XTM devices behind NAT gateways</li>
<li>Windows 8 and Server 2012 support</li>
</ul>
<p>Services</p>
<ul>
<li>Intrusion Prevention Service (IPS) scan modes</li>
<li>IPS and Application Control for HTTPS</li>
<li>WebBlocker with Websense Cloud</li>
</ul></li>

<li><p>Networking</p></li>

<li><p>IPv6 Functionality</p>
<p>Fireware XTM v11.6.x supported:</p>
<ul>
<li>IPv6 interface addresses in mixed routing mode</li>
<li>IPv6 management connections to the Web UI or CLI</li>
<li>IPv6 DNS servers</li>
<li>IPv6 static routes</li>
<li>IPv6 diagnostic logging</li>
</ul>
<p>Fireware XTM v11.7 adds support for:</p>
<ul>
<li>IPv6 addresses in packet filter policies</li>
<li>MAC access control for both IPv6 and IPv4 traffic</li>
<li>Inspection of IPv6 traffic received and sent by the same interface</li>
<li>IPv6 addresses in blocked sites and exceptions</li>
<li>Blocked ports configuration applies to IPv6 traffic</li>
<li>TCP SYN checking setting applies to IPv6 traffic</li>
</ul>
<p>All other networking and security features do not yet support IPv6 traffic.</p>
<p>WatchGuard IPv6 roadmap: http://www.watchguard.com/ipv6/index.asp</p></li>

<li><p>IPv6 Refresher</p>
<p>WatchGuard IPv6: http://www.watchguard.com/ipv6/index.asp</p>
<ul>
<li>Hype or Reality (video and PPT)</li>
<li>Security Implications (video and PPT)</li>
<li>What to Expect (video and PPT)</li>
</ul>
<p>IPv6 is manageable. Subnetting: an IPv4 /8 is roughly comparable to an IPv6 /48 (if you impose a false minimum of a /24 on IPv4).</p></li>

<li><p>IPv6 in 11.5.x and 11.6.x</p>
<ul>
<li>Static configuration of IPv6 addresses and DNS</li>
<li>Router Advertisement for stateless address auto-configuration on Trusted or Optional interfaces</li>
<li>Address auto-configuration on External interfaces</li>
<li>Static routes</li>
</ul></li>

<li><p>IPv6 Functionality: Blocked Sites</p>
<p>The Blocked Sites list and Blocked Sites Exceptions now support IPv6 addresses. Blocked site and blocked site exception types are:</p>
<ul>
<li>Host IPv4</li>
<li>Network IPv4</li>
<li>Host Range IPv4</li>
<li>Host IPv6</li>
<li>Network IPv6</li>
<li>Host Range IPv6</li>
<li>Host Name (DNS lookup)</li>
</ul>
<p>Auto-blocked sites can also include IPv6 addresses.</p></li>

<li><p>IPv6 Functionality: Packet Filter Policies</p>
<p>Packet filter policies now support IPv6 traffic.</p></li>

<li><p>Additional External Interfaces</p>
<p>You can now configure more than four interfaces as external interfaces. Previously, the maximum number of external interfaces was four.</p></li>

<li><p>DHCP Options for VoIP</p>
<p>There are two new settings for DHCP options. Many VoIP phones use these DHCP options to download the boot configuration. The new settings are:</p>
<ul>
<li>TFTP Server IP: the IP address of the TFTP server from which the DHCP client can download the boot configuration. This corresponds to DHCP Option 66 (TFTP server name) and Option 150 (TFTP server IP address).</li>
<li>TFTP Boot Filename: the name of the boot file. This corresponds to DHCP Option 67 (boot file name).</li>
</ul>
<p>Options 66 and 67 are described in RFC 2132. Option 150 is used by Cisco IP phones.</p></li>

<li><p>DHCP Options for VoIP</p>
<p>To configure the DHCP options:</p>
<ul>
<li>Edit a trusted or optional interface</li>
<li>Select Use DHCP Server</li>
<li>Click DHCP Options</li>
<li>Type the TFTP Server IP and TFTP Boot Filename required by your VoIP phones</li>
</ul></li>

<li><p>Network: Dynamic NAT: Set Source IP Address</p>
<p>When you configure a new dynamic NAT rule, you can specify the source IP address to use for traffic that matches that rule. The XTM device changes the source IP address of packets that match this rule to the source IP address you specify. The source IP address must be on the same subnet as the primary or secondary IP address of the interface specified as the To location.</p></li>

<li><p>Network: Dynamic NAT: Set Source IP Address</p>
<p>Previously, you could set the source IP address only in the dynamic NAT settings of a policy. If you do not set the source IP address, or if the source IP address is not on the same subnet as the outgoing interface, dynamic NAT changes the source IP address to the IP address of the interface from which the packet is sent.</p></li>

<li><p>Serial Modem Failover on XTM 330 and XTM 5 Series</p>
<p>Serial modem failover is supported for XTM 2, 3, and 5 Series devices. Previously, modem failover was supported for XTM 2 Series and XTM 33 only. This release adds modem support for XTM 330 and all 5 Series devices. The Network &gt; Modem option is now available for XTM 2, 3, and 5 Series devices.</p></li>

<li><p>Branch Office VPN Modem Failover</p>
<p>Branch Office VPN can use a modem for failover if modem failover is enabled for the device. To configure a VPN gateway for modem failover:</p>
<ul>
<li>Enable modem failover in Network &gt; Modem.</li>
<li>Configure the local gateway endpoint to use a domain name ID for tunnel authentication.</li>
<li>Select the Use modem for failover check box.</li>
</ul>
<p>If the device has multiple external interfaces:</p>
<ul>
<li>You must add a gateway endpoint for each physical external interface.</li>
<li>The local gateway ID for each external interface must be unique.</li>
</ul></li>

<li><p>Branch Office VPN Modem Failover</p>
<p>When failover occurs: if all external interfaces are down, the XTM device starts a serial modem connection between the two sites. The XTM device initiates a VPN connection over the modem connection, and uses the first local gateway ID configured for the external interface as the local gateway ID for the modem connection.</p>
<p>Because the device with modem failover enabled uses an ID for tunnel authentication, the device with the modem must initiate the VPN connection. This means that you cannot enable modem failover for both gateway endpoints of the same branch office VPN tunnel.</p></li>

<li><p>Hotspot External Guest Authentication</p>
<p>When you enable a hotspot on the Wireless Guest network, you can now select the Hotspot Type:</p>
<ul>
<li>Custom Page: the hotspot splash screen on the XTM device. It presents the hotspot user with terms and conditions they must agree to before they can use the hotspot.</li>
<li>External Guest Authentication: this new option allows you to redirect new hotspot users to an external web server for user authentication. The Authentication URL and Authentication Failure URL values are pages on an external web server. The Shared Secret is used to validate responses from the web server.</li>
</ul></li>

<li><p>Hotspot External Guest Authentication</p>
<p>When you set the hotspot type to External Guest Authentication, you must provide this information:</p>
<ul>
<li>The Authentication URL on your external web server of a page that does hotspot user authentication or collects other information.</li>
<li>The Authentication Failure URL on your external web server of a page to redirect users to if external guest authentication fails.</li>
<li>A Shared Secret that is used to validate the access response from the external web server.</li>
</ul>
<p>You must configure the external web server to:</p>
<ul>
<li>Accept an access request from the XTM device.</li>
<li>Authenticate the user (or perform any other function that you want to use as a criterion for hotspot access).</li>
<li>Provide an access decision to the XTM device.</li>
</ul>
<p>All communication between the XTM device and the external web server occurs in the form of URL query strings sent through the hotspot client browser.</p></li>

<li><p>Hotspot External Guest Authentication</p>
<p>Interaction workflow:</p>
<ul>
<li>A wireless hotspot user tries to browse to a web page.</li>
<li>If this is a new hotspot user, the XTM device sends the browser a redirect to the Authentication URL on the external web server. This URL includes a query string that contains the access request.</li>
<li>The browser sends the access request to the external web server.</li>
<li>The external web server sends the Authentication page to the browser.</li>
<li>The hotspot user types the requested information and submits the form to the external web server.</li>
<li>The external web server processes the authentication information and sends an HTML page to the browser.</li>
<li>The browser sends the access decision to the XTM device. This URL contains a query string that contains the access decision, a checksum, and a redirect URL.</li>
<li>The XTM device reads the access decision, verifies the checksum, and sends a redirect URL to the hotspot user's browser.</li>
</ul>
<p>Based on the outcome of the external authentication process, the redirect URL can be:</p>
<ul>
<li>The original URL the user browsed to</li>
<li>A different redirect URL, if specified by the external web server</li>
<li>The Authentication Failure URL, if authentication failed or access was denied</li>
</ul></li>

<li><p>Link Aggregation</p>
<p>New Network Configuration tab.</p></li>

<li><p>Link Aggregation: Configure Virtual Interface</p>
<p>Select the Link Aggregation (LA) Mode:</p>
<ul>
<li>Static: the same physical interface is always used for traffic between a given source and destination, based on source/destination MAC address and source/destination IP address.</li>
<li>Dynamic (802.3ad): the physical interface used for traffic between any source and destination is selected based on the Link Aggregation Control Protocol.</li>
<li>Active-backup: one member interface in the link aggregation group is active at a time; other member interfaces in the link aggregation group become active only if the active interface fails.</li>
</ul></li>

<li><p>Link Aggregation: Configure Virtual Interface</p>
<p>Select the LA interface Type:</p>
<ul>
<li>Trusted</li>
<li>Optional</li>
<li>External</li>
<li>Bridge</li>
<li>VLAN</li>
</ul></li>

<li><p>Link Aggregation: Configure Virtual Interface</p>
<p>Select the Link Speed and Maximum Transmission Unit (MTU) on the Advanced tab. The member physical interfaces of an LA group support the same link speed.</p></li>

<li><p>Link Aggregation: Assign Physical Interfaces</p></li>

<li><p>Link Aggregation: FSM</p></li>

<li><p>Link Aggregation: FireCluster</p>
<p>Only Active/Passive is supported.</p></li>

<li><p>Link Aggregation: FireCluster</p>
<p>You can select an LA interface as the FireCluster Management Interface.</p></li>

<li><p>Link Aggregation: FireCluster</p>
<p>The monitored link includes only the virtual interface, not the member interfaces.</p></li>

<li><p>Link Aggregation: FireCluster</p>
<p>FSM Cluster View.</p></li>

<li><p>Link Aggregation: FireCluster</p>
<p>When you configure Link Aggregation for an existing FireCluster, only Active/Passive mode is supported.</p>
<ul>
<li>Break the FireCluster.</li>
<li>Configure the Link Aggregation settings. This is important because of the change in the MAC address on the LA virtual interface.</li>
<li>Rebuild the Active/Passive FireCluster.</li>
</ul></li>

<li><p>Mobile VPN</p></li>

<li><p>Mobile VPN with L2TP</p>
<ul>
<li>Supports L2TP connections from VPN clients native to many operating systems, such as Windows, Mac OS, Linux, Android, and iOS.</li>
<li>L2TP is a more secure alternative to PPTP: more robust than PPTP because the data is encapsulated in IPSec.</li>
<li>Uses Aggressive Mode to connect remote clients to the firewall (like Mobile VPN with IPSec).</li>
<li>Supported authentication methods: Firebox-DB local authentication; RADIUS.</li>
<li>Mobile VPN with L2TP supports multiple authentication methods (like Mobile VPN with SSL): you can enable more than one authentication method, and if the primary method fails, you can connect with another authentication method (such as Firebox-DB).</li>
</ul></li>

<li><p>Mobile VPN with L2TP</p>
<p>Mobile VPN with L2TP appears with the other Mobile VPN options.</p>
<ul>
<li>Select VPN &gt; Mobile VPN &gt; L2TP.</li>
<li>Select Activate to start the L2TP Setup Wizard.</li>
<li>Select Configure to edit the configuration.</li>
</ul></li>

<li><p>Mobile VPN with L2TP</p>
<p>Run the WatchGuard L2TP Setup Wizard to simplify L2TP configuration. Select the authentication server.</p></li>

<li><p>Mobile VPN with L2TP</p>
<p>As with Mobile VPN with SSL, you can define your own group on your server or locally, or use the default group, L2TP-Users. You can specify the allowed resources:</p>
<ul>
<li>Allow access to all resources</li>
<li>Restrict access to specific IP addresses or subnets</li>
</ul></li>

<li><p>Mobile VPN with L2TP</p>
<p>Specify the virtual IP address pool range for the clients. If you use a subnet within your Trusted or Optional networks, make sure this range is not used in an existing DHCP pool. Select the pre-shared key or certificate to use for IPSec negotiation.</p></li>

<li><p>Mobile VPN with L2TP</p>
<p>When you enable Mobile VPN with L2TP, two new policies are created automatically:</p>
<ul>
<li>WatchGuard L2TP: enables port UDP 1701 for L2TP</li>
<li>Allow L2TP-Users: enables L2TP group members to connect to firewall resources</li>
</ul></li>

<li><p>Mobile VPN with L2TP</p>
<p>To edit the configuration, select VPN &gt; Mobile VPN &gt; L2TP &gt; Configure.</p></li>

<li><p>Mobile VPN Apps for Android and iOS</p>
<p>WatchGuard Mobile VPN App for Android</p>
<ul>
<li>Free app available from the Google Play app store</li>
<li>Supported on mobile devices that use Android 4.0.x and 4.1.x</li>
<li>Uses a .wgm Mobile VPN with IPSec configuration profile to configure an IPSec VPN connection in the WatchGuard Mobile VPN app</li>
<li>An IPSec VPN client you can use instead of the native VPN client</li>
<li>Does not support L2TP</li>
</ul>
<p>WatchGuard Mobile VPN App for iOS</p>
<ul>
<li>Free app available from the Apple app store</li>
<li>Supported on mobile devices that use iOS 5.x and 6.x</li>
<li>Uses a .wgm configuration profile to configure an IPSec or L2TP VPN connection in the native iOS VPN client</li>
<li>Not a VPN client: creates an L2TP or IPSec VPN connection in the native iOS VPN client, with the correct settings to connect to the XTM device</li>
</ul></li>

<li><p>Generate a .wgm File: Mobile VPN with IPSec</p>
<p>For Mobile VPN with IPSec, the .wgm file is generated (with the .ini, .wgx, and .vpn files) when you select a profile and click Generate. The file name is .wgm. The .wgm file for IPSec can be used with the WatchGuard Mobile VPN apps for Android and iOS.</p></li>

<li><p>Generate a .wgm File: Mobile VPN with L2TP</p>
<p>Generate an L2TP configuration file to send to mobile users of an iOS device.</p>
<ul>
<li>Select VPN &gt; Mobile VPN &gt; L2TP &gt; Mobile clients</li>
<li>Type a Profile Name (d...</li>
</ul></li>
</ul>
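<p>The hotspot External Guest Authentication exchange described above, simulated end to end as an added example (not WatchGuard code): the XTM side builds the access-request redirect, the external web server side returns the access decision with a checksum keyed by the Shared Secret, and the XTM side verifies the checksum before choosing the redirect URL. The URLs, the secret and the use of HMAC-SHA256 as the checksum are assumptions; the page does not specify the checksum algorithm.</p>

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values; in a deployment these come from the hotspot configuration.
SHARED_SECRET = b"constructed-example-shared-secret"
AUTH_URL = "https://guest.example.com/hotspot/login"       # Authentication URL
FAILURE_URL = "https://guest.example.com/hotspot/denied"   # Authentication Failure URL
DECISION_URL = "http://10.0.1.1/hotspot/decision"          # hypothetical XTM endpoint

def _query(url):
    """Flatten the query string of a URL into a dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def _checksum(fields):
    """Keyed checksum over the decision fields (HMAC-SHA256 is an assumption;
    the page only says the Shared Secret validates the checksum)."""
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()

def xtm_redirect_new_user(client_mac, client_ip, original_url):
    """XTM device side: redirect a new hotspot user to the Authentication URL,
    carrying the access request in the query string."""
    request = {"mac": client_mac, "ip": client_ip, "redirect": original_url}
    return AUTH_URL + "?" + urlencode(request)

def external_server_decide(request_url, username, password, users):
    """External web server side: authenticate the submitted credentials and
    build the access-decision URL that the browser sends back to the XTM device."""
    req = _query(request_url)
    ok = username in users and hmac.compare_digest(users[username], password)
    decision = {"mac": req["mac"], "decision": "accept" if ok else "deny",
                "redirect": req["redirect"]}
    decision["checksum"] = _checksum(decision)
    return DECISION_URL + "?" + urlencode(decision)

def xtm_handle_decision(decision_url):
    """XTM device side: verify the checksum (constant-time compare), then pick
    the redirect target: the original URL on accept, the failure URL otherwise."""
    fields = _query(decision_url)
    claimed = fields.pop("checksum", "")
    if not hmac.compare_digest(claimed, _checksum(fields)):
        return ("invalid", FAILURE_URL)   # forged or tampered decision
    if fields.get("decision") != "accept":
        return ("deny", FAILURE_URL)
    return ("accept", fields["redirect"])
```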

