What’s New What’s New in Fireware XTM v11.3.2in Fireware XTM v11.3.2

22WatchGuard Training

New Features in Fireware XTM v11.3.2

DHCP release and renew functionality in Web UI and CLI Updated default Body Content Types rule for Windows EXE/DLL files Updated CLI help text for wireless guest hotspot Ability to add an IP address range or subnet to the SSO Exceptions list Support in Web UI to use a host range or network IP address when you

add a Tunnel Address as a member of a policy Ability to edit aliases from within a policy Ability to send a log message when an SMTP command is denied Updated default WebBlocker exception for watchguard.com in Policy

Manager

33WatchGuard Training

DHCP Release and Renew in Web UI and CLI

Two new command options have been added to the dhcp command in Interface config mode. These options are available if the interface is configured to get the IP address through DHCP:

• release

• renew

These options are available in the Web UI on the System Status > Interfaces page

New CLI command options:

33WatchGuard Training

44WatchGuard Training

Updated Default Body Content Types Rule

New pattern: %0x4d5a% This new pattern successfully identifies a much larger class of

executable Windows files, including DOS and OS/2 executables, and non-PE and PE Windows executables.

This change applies only to new configurations created in Policy Manager using v11.3.2 or later. The existing configuration on your device does not change when you upgrade from a previous v11.x version.

To correct the Body Content Types rule in your existing configuration, go to the Body Content Types category in your HTTP proxy action and edit the Windows EXE/DLL rule. (Note that in Policy Manager, you must be in Advanced View to edit the rule.) Use Pattern Match and for the pattern use: %0x4d5a%*

44WatchGuard Training

55WatchGuard Training

Updated CLI Help Text for Wireless Guest Hotspot

The CLI help text was updated for wireless guest hotspot commands to indicate that the imported text file should be UTF-8 encoded. UTF-8 format is required to support languages that use double-byte character sets. This affects the CLI Help for these commands:

• wireless guest hotspot welcome-message from

• wireless guest hotspot terms-text from

55WatchGuard Training

66WatchGuard Training

Add a Range or Subnet to the SSO Exceptions List

You can now add a range of IP addresses or a subnet to the SSO Exceptions list in Policy Manager, the Web UI, and the CLI

66WatchGuard Training

Policy Manager

Fireware XTM Web UI

77WatchGuard Training

Add a Range or Subnet to the SSO Exceptions List

For the CLI, three options were added to the auth-setting single-sign-on except-ip command. These options allow users to add a host IP address, IP address range, or subnet to the SSO Exceptions list. Previously, you could only type one or more individual IP addresses. New parameters:

• host

• range

• subnet

77WatchGuard Training

88WatchGuard Training

Web UI — Flexibility in the Tunnel Address for a Policy Member

The Web UI now supports a host range or network IP address when you add a Tunnel Address as a member of a policy. Options include:

• Host IP

• Host Range

• Network IP

Previously, the Web UI only enabled configuration of a single IP address for a Tunnel Address in a policy.

88

Edit an Alias from a Policy

In previous releases, to make changes to the members of an alias, you had to open the Aliases dialog box. You can now select an alias in the New Policy Properties or Edit Policy Properties dialog boxes, and click Edit to add or delete members of the alias.

99WatchGuard Training

Changes to Proxy Policy Logging Settings

You can now also send a log message when an SMTP command is denied. On the SMTP Proxy Action Configuration General Settings page, select the Send a log message when an SMTP command is denied check box.

1010WatchGuard Training

1111WatchGuard Training

Updated Default WebBlocker Exception

Updated the default WebBlocker exception for watchguard.com in Policy Manager

• Old: *.watchguard.com/*

• New: ^[0-9a-zA-Z_\-.]{1,256}\.watchguard\.com/ More closely matches the WatchGuard domain.

• URLs that use www.watchguard.com as a path in the URL no longer match this WebBlocker Exception. For example, a URL such as www.example.com/www.watchguard.com/index.html no longer matches the default WebBlocker exception for WatchGuard.

Applies only to new configurations created in Policy Manager v11.3.2 or later. It does not apply to the Web UI. Your existing configuration does not change when you upgrade from a previous 11.x version.

To correct the WebBlocker Exception in your existing configuration: From Policy Manager, edit your WebBlocker action and go to the Exceptions tab. Edit the WatchGuard exception. Change the “Match Type” to Regular Expression and use this expression: • ^[0-9a-zA-Z_\-.]{1,256}\.watchguard\.com/

1111

SummarySummary

Summary

Fireware XTM v11.3.2 includes many new features:

• DHCP release and renew functionality in Web UI and CLI

• Updated CLI help text for wireless guest hotspot

• Ability to add an IP address range or subnet to the SSO Exceptions list

• Support in Web UI to use a host range or network IP address when you add a Tunnel Address as a member of a policy

• Edit an alias from within a policy

• Ability to send a log message when an SMTP command is denied

• Updated default WebBlocker exception for watchguard.com

1313WatchGuard Training

THANK YOU!THANK YOU!