What’s New in Fireware XTM v11.3.2
WatchGuard Training
New Features in Fireware XTM v11.3.2
• DHCP release and renew functionality in Web UI and CLI
• Updated default Body Content Types rule for Windows EXE/DLL files
• Updated CLI help text for wireless guest hotspot
• Ability to add an IP address range or subnet to the SSO Exceptions list
• Support in Web UI to use a host range or network IP address when you add a Tunnel Address as a member of a policy
• Ability to edit aliases from within a policy
• Ability to send a log message when an SMTP command is denied
• Updated default WebBlocker exception for watchguard.com in Policy Manager
DHCP Release and Renew in Web UI and CLI
Two new command options have been added to the dhcp command in Interface config mode. These options are available if the interface is configured to get the IP address through DHCP:
• release
• renew
These options are available in the Web UI on the System Status > Interfaces page.
New CLI command options:
Updated Default Body Content Types Rule
• New pattern: %0x4d5a%
• This new pattern successfully identifies a much larger class of executable Windows files, including DOS and OS/2 executables, and non-PE and PE Windows executables.
This change applies only to new configurations created in Policy Manager using v11.3.2 or later. The existing configuration on your device does not change when you upgrade from a previous v11.x version.
To correct the Body Content Types rule in your existing configuration, go to the Body Content Types category in your HTTP proxy action and edit the Windows EXE/DLL rule. (Note that in Policy Manager, you must be in Advanced View to edit the rule.) Use Pattern Match and for the pattern use: %0x4d5a%*
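The bytes 0x4d 0x5a are the ASCII letters "MZ", the header signature shared by every executable family listed above, which is why one pattern covers them all. The following added example (not WatchGuard code) classifies a body by that signature and the extended header it points to; the function names and sample bodies are constructed for illustration.

```python
import struct

# The two bytes named by the %0x4d5a% pattern: ASCII "MZ".
MZ_MAGIC = bytes.fromhex("4d5a")


def classify_mz(body: bytes):
    """Return None if body does not start with MZ, else the executable family."""
    if not body.startswith(MZ_MAGIC):
        return None
    if len(body) < 0x40:
        return "DOS MZ"  # too short to carry an extended-header pointer
    # e_lfanew: little-endian offset of the extended header, stored at 0x3C.
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    sig = body[e_lfanew:e_lfanew + 4]  # out-of-range offsets yield b""
    if sig == b"PE\0\0":
        return "PE"      # 32/64-bit Windows
    if sig[:2] == b"NE":
        return "NE"      # 16-bit Windows and OS/2 1.x
    if sig[:2] in (b"LE", b"LX"):
        return "LE/LX"   # OS/2 2.x and VxD drivers
    return "DOS MZ"      # plain DOS executable, no extended header


def make_sample(ext_sig: bytes) -> bytes:
    """Constructed sample: 64-byte MZ header whose e_lfanew points at 0x40."""
    hdr = bytearray(0x40)
    hdr[0:2] = MZ_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + ext_sig


if __name__ == "__main__":
    samples = {
        "pe": make_sample(b"PE\0\0"),
        "ne": make_sample(b"NE"),
        "lx": make_sample(b"LX"),
        "dos": MZ_MAGIC + bytes(30),
        "pdf": b"%PDF-1.4",  # constructed non-executable body
    }
    for name, body in samples.items():
        print(name, classify_mz(body))
```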
Updated CLI Help Text for Wireless Guest Hotspot
The CLI help text was updated for wireless guest hotspot commands to indicate that the imported text file should be UTF-8 encoded. UTF-8 format is required to support languages that use double-byte character sets. This affects the CLI Help for these commands:
• wireless guest hotspot welcome-message from
• wireless guest hotspot terms-text from
Add a Range or Subnet to the SSO Exceptions List
You can now add a range of IP addresses or a subnet to the SSO Exceptions list in Policy Manager, the Web UI, and the CLI.
Policy Manager
Fireware XTM Web UI
Add a Range or Subnet to the SSO Exceptions List
For the CLI, three options were added to the auth-setting single-sign-on except-ip command. These options allow users to add a host IP address, IP address range, or subnet to the SSO Exceptions list. Previously, you could only type one or more individual IP addresses. New parameters:
• host
• range
• subnet
Web UI — Flexibility in the Tunnel Address for a Policy Member
The Web UI now supports a host range or network IP address when you add a Tunnel Address as a member of a policy. Options include:
• Host IP
• Host Range
• Network IP
Previously, the Web UI only enabled configuration of a single IP address for a Tunnel Address in a policy.
Edit an Alias from a Policy
In previous releases, to make changes to the members of an alias, you had to open the Aliases dialog box. You can now select an alias in the New Policy Properties or Edit Policy Properties dialog boxes, and click Edit to add or delete members of the alias.
Changes to Proxy Policy Logging Settings
You can now also send a log message when an SMTP command is denied. On the SMTP Proxy Action Configuration General Settings page, select the Send a log message when an SMTP command is denied check box.
Updated Default WebBlocker Exception
Updated the default WebBlocker exception for watchguard.com in Policy Manager
• Old: *.watchguard.com/*
• New: ^[0-9a-zA-Z_\-.]{1,256}\.watchguard\.com/
• The new expression more closely matches the WatchGuard domain.
• URLs that use www.watchguard.com as a path in the URL no longer match this WebBlocker Exception. For example, a URL such as www.example.com/www.watchguard.com/index.html no longer matches the default WebBlocker exception for WatchGuard.
Applies only to new configurations created in Policy Manager v11.3.2 or later. It does not apply to the Web UI. Your existing configuration does not change when you upgrade from a previous 11.x version.
To correct the WebBlocker Exception in your existing configuration:
• From Policy Manager, edit your WebBlocker action and go to the Exceptions tab.
• Edit the WatchGuard exception.
• Change the “Match Type” to Regular Expression and use this expression: ^[0-9a-zA-Z_\-.]{1,256}\.watchguard\.com/
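To check an existing configuration against the behaviour described above, the following added example (not WatchGuard code) runs the old wildcard and the new regular expression over a few constructed URLs. It assumes Python's fnmatch and re modules are close enough stand-ins for the appliance's pattern and regular expression matching, and that URLs are compared without the scheme, as in the example on this page.

```python
import re
from fnmatch import fnmatchcase

OLD_WILDCARD = "*.watchguard.com/*"
NEW_REGEX = re.compile(r"^[0-9a-zA-Z_\-.]{1,256}\.watchguard\.com/")


def old_matches(url: str) -> bool:
    # Assumption: '*' in the old pattern matches any run of characters,
    # including '/', which is how fnmatch treats it.
    return fnmatchcase(url, OLD_WILDCARD)


def new_matches(url: str) -> bool:
    # '^' anchors at the start, and the character class excludes '/',
    # so everything before ".watchguard.com/" must be part of the host.
    return NEW_REGEX.search(url) is not None


def compare(urls):
    """Map each URL to (matched by old wildcard, matched by new regex)."""
    return {u: (old_matches(u), new_matches(u)) for u in urls}


# Constructed sample URLs; the second is the example given on this page.
SAMPLES = [
    "www.watchguard.com/support",
    "www.example.com/www.watchguard.com/index.html",
    "a.b.watchguard.com/x",
    "watchguard.com/",  # bare domain: no host label before ".watchguard.com"
]

if __name__ == "__main__":
    for url, (old, new) in compare(SAMPLES).items():
        print(f"{url:50} old={old!s:5} new={new}")
```

Under these assumptions, neither form matches the bare watchguard.com/ host, because both require at least a leading dot before watchguard.com.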
Summary
Fireware XTM v11.3.2 includes many new features:
• DHCP release and renew functionality in Web UI and CLI
• Updated CLI help text for wireless guest hotspot
• Ability to add an IP address range or subnet to the SSO Exceptions list
• Support in Web UI to use a host range or network IP address when you add a Tunnel Address as a member of a policy
• Edit an alias from within a policy
• Ability to send a log message when an SMTP command is denied
• Updated default WebBlocker exception for watchguard.com