What’s New in Fireware XTM v11.3.4

WatchGuard Training

Upload: aaron-ryan

Post on 26-Mar-2015



What’s New in Fireware XTM v11.3.4

Mobile VPN with IPSec

• Support for the Shrew Soft VPN client

Branch Office VPN

• New gateway endpoint setting to specify whether the device attempts to resolve the domain name in the remote gateway ID

Fireware XTM Web UI

• Release or renew a DHCP lease for an external VLAN in the Web UI

Proxies

• Global setting for TCP connection idle timeout

• Option to enable SSLv2 for the HTTPS-proxy

Mobile VPN with IPSec

Changes to Mobile VPN with IPSec

As of April 20th, WatchGuard no longer distributes the WatchGuard Mobile VPN with IPSec client on the Software Downloads Center.

Technical Support will continue to support the WatchGuard Mobile VPN with IPSec client

With Fireware XTM v11.3.4, we have added support for the Shrew Soft VPN Client

• Supported on Windows only

• Download the Shrew Soft VPN Client from the Shrew Soft web site

• See the product documentation for a list of differences between the WatchGuard IPSec client and the Shrew Soft VPN client


Mobile VPN with IPSec — Shrew Soft VPN Client

WatchGuard supports the use of the Shrew Soft VPN client for Windows as a Mobile VPN with IPSec client.

• The profile for the Shrew Soft VPN client has a .vpn extension. The .vpn file is not encrypted and cannot be set to read-only.

• Policy Manager v11.4.1 generates the .vpn file when it generates the .wgx and .ini files

• In the Web UI you can choose to generate a Shrew Soft VPN (.vpn) or WatchGuard Mobile VPN (.ini) configuration file.

• In the CLI, use the new export muvpn client-type option to export a .vpn file.

Mobile VPN with IPSec — Shrew Soft VPN Client

Download the Shrew Soft VPN client from http://www.shrew.net/download or the WatchGuard Software Downloads web site

• Use Shrew Soft VPN Access Manager to configure and connect. Select File > Import to import the generated .vpn profile. Select the imported profile, and click Connect.

• Use Shrew Soft VPN Trace to troubleshoot your connection.


Shrew Soft VPN Client Limitations

The Shrew Soft VPN client does not support some Mobile VPN with IPSec configuration settings and features:

• IKE keep-alive is not supported.

• Configuration of multiple VPN gateways for multi-WAN failover is not supported.

• Line management configuration settings Connection mode and Inactivity timeout are not supported.

• The Dead Peer Detection (DPD) Traffic idle timeout and Max retries configuration settings do not apply to the Shrew Soft VPN client. If DPD is enabled, Shrew Soft VPN supports DPD with a traffic idle timeout value of 15 seconds.

• RADIUS 2-factor authentication is not supported.

• The Shrew Soft VPN client does not support a read-only profile.

• The Shrew Soft VPN client does not store the user name and password. Users must type the user name and password each time they connect.

Branch Office VPN

Branch Office VPN Enhancements

New gateway endpoint setting specifies whether the device attempts to resolve the domain name in the Remote Gateway ID.

Select this if the remote gateway uses dynamic DNS to maintain a mapping between a dynamic IP address and a domain name.

Fireware XTM Web UI

Renew or Release a DHCP Lease

Fireware XTM Web UI includes a new option to release or renew a DHCP lease for an external VLAN.

• Select System Status > Interfaces.

• Select an external interface with DHCP enabled and click DHCP Release or DHCP Renew.

Global TCP Timeout

Global TCP Connection Idle Timeout

New global setting in Fireware XTM Web UI in System > Global Settings.

This setting specifies the amount of time a TCP session can remain idle. Policy-based override is available on the Properties tab of a policy.

• Select the Specify Custom Idle Timeout check box to override the global timeout setting and select another time.

The new default setting is 3600 seconds (1 hour).

• Pre-v11.3.4 global TCP timeout default is 43205 seconds (12 hours 5 seconds).

• Previously, this setting could not be modified globally, except by editing the raw XML file.

• It was also necessary to use a policy-based override.

The shorter default timeout value frees up resources faster.

Global TCP Connection Idle Timeout

Set globally in Fireware XTM Web UI: System > Global Settings

Override the global timeout setting on the Properties tab

Enable SSLv2 — HTTPS-Proxy

Enable SSLv2 in the HTTPS-Proxy

New check box in the HTTPS-Client and HTTPS-Server proxy actions to allow connections that negotiate the SSLv2 protocol.

Enables users to connect to client or server applications that only support SSLv2.
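An added example (not WatchGuard code and not part of the original deck): before enabling the check box, you can find out which clients actually depend on SSLv2 by classifying the first bytes each one sends, for instance from a packet capture. The host names and byte strings below are constructed samples, and how the HTTPS-proxy itself recognizes SSLv2 is not described on this page.

```python
import struct

# Constructed ClientHello prefixes (illustrative, not captured traffic).
SAMPLES = {
    "legacy-app": bytes.fromhex("802e" "01" "0002" "0015" "0000" "0010"),
    "old-browser": bytes.fromhex("802e" "01" "0301" "0015" "0000" "0010"),
    "modern-client": bytes.fromhex("16" "0301" "0200" "01" "0001fc" "0303"),
}


def classify_client_hello(data: bytes) -> str:
    """Classify the first bytes a client sends on an SSL/TLS port."""
    if len(data) < 5:
        return "too-short"
    # SSLv3/TLS record layer: content type 0x16 (handshake), major version 3.
    if data[0] == 0x16 and data[1] == 0x03:
        if len(data) >= 6 and data[5] != 0x01:  # handshake type 1 = ClientHello
            return "not-a-client-hello"
        return "ssl3-or-tls"
    # SSLv2 record: a set high bit in byte 0 means a 2-byte header,
    # otherwise the header is 3 bytes (the third byte is the padding length).
    header_len = 2 if data[0] & 0x80 else 3
    if len(data) < header_len + 3:
        return "too-short"
    msg_type = data[header_len]
    (version,) = struct.unpack_from(">H", data, header_len + 1)
    if msg_type != 0x01:  # 1 = CLIENT-HELLO in SSLv2
        return "not-a-client-hello"
    if version == 0x0002:
        return "sslv2-only"  # this client can negotiate nothing newer
    if version >= 0x0300:
        # SSLv2-format hello from a client that also speaks SSLv3/TLS.
        return "sslv2-format-offering-ssl3-or-tls"
    return "unknown"


def clients_needing_sslv2(samples: dict) -> list:
    """Names of the clients whose hello can only end in an SSLv2 session."""
    return sorted(
        name for name, data in samples.items()
        if classify_client_hello(data) == "sslv2-only"
    )


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {classify_client_hello(data)}")
    print("need SSLv2 allowed:", clients_needing_sslv2(SAMPLES))
```

Only the clients reported as sslv2-only depend on the SSLv2 option; a client that sends an SSLv2-format hello but offers version 3.0 or later can still negotiate a newer protocol.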


Summary

Fireware XTM v11.3.4 is a release of the Fireware XTM OS only.

To connect to and manage a v11.3.4 device, you can use:

• Fireware XTM Web UI v11.3.4

• WatchGuard System Manager v11.4.1 or v11.3.2

Fireware XTM v11.3.4 includes these new features:

• Support for Shrew Soft VPN client

• New BOVPN gateway endpoint setting to specify whether the device attempts to resolve the domain name in the remote gateway ID

• Release or renew a DHCP lease for an external VLAN in the Web UI

• Configure a global setting for TCP connection idle timeouts

• Allow SSLv2 connections through the HTTPS-proxy
