What’s New in Fireware XTM v11.7.3


Upload: elam

Post on 08-Jan-2016


Page 1: What’s New in Fireware XTM v11.7.3


WatchGuard Training


New & Updated Features in Fireware XTM & WSM v11.7.3

XTMv on Hyper-V

WatchGuard AP device enhancements

• MAC access control whitelist

• AP device monitoring enhancements

• Station isolation

• No automatic AP device reboot after AP configuration change

• See the AP device radio used by each wireless client

Set source IP address in static NAT and server load balancing actions

3G / 4G modem support for failover


New & Updated Features in Fireware XTM & WSM v11.7.3

Quarantine Server end-user web UI improvements

New Websense categories

Configurable syslog server port

Set the diagnostic log level for the Gateway Wireless Controller

Updated hotspot policies

Log off hotspot user sessions

Send device feedback to WatchGuard


XTMv on Hyper-V


Fireware XTM v11.7.3 continues to support XTMv on vSphere ESXi 4.1 and 5.0.

In v11.7.3, support is added for XTMv on Microsoft Hyper-V hypervisors.

• Windows Server 2012 with a Hyper-V role

• Hyper-V Server 2012

• Windows Server 2008 R2 with a Hyper-V role

• Hyper-V Server 2008 R2


XTMv Editions and Licensing

The four XTMv device editions are the same on VMware and Hyper-V.

The recommended resource requirements and feature key limits for each edition are the same for XTMv, whether it is deployed on VMware or Hyper-V.

Product                 CPU (Min rec)     Memory (Min rec)   Feature Key Limits
Small Office Edition    1 Core            1 GB               200 Mbps throughput; 50 VPN Tunnels; 30K Connections; 10 Interfaces
Medium Office Edition   2 Cores           2 GB               2.5 Gbps throughput; 600 VPN Tunnels; 350K Connections; 10 Interfaces
Large Office Edition    4 Cores           4 GB               5 Gbps throughput; 6K VPN Tunnels; 1M Connections; 10 Interfaces
Datacenter Edition      8 or more Cores   4 GB or more       Unlimited throughput; 10K VPN Tunnels; 2.5M Connections; 10 Interfaces


XTMv on Hyper-V — Limitations for Hyper-V (not ESXi)

The maximum number of configurable interfaces for an XTMv virtual machine (VM) in a Hyper-V environment is eight.

• Hyper-V supports two types of virtual adapters:

– Network adapters (Hyper-V supports a maximum of 8)

– Legacy network adapters (Hyper-V supports a maximum of 4)

• XTMv does not support the use of legacy network adapters.

• You must assign a minimum of two network adapters to an XTMv VM.

• The number of network adapters you add to your XTMv VM determines the number of interfaces you can configure.

These networking features are not supported for XTMv on Hyper-V because they require the virtual adapter to be configured in promiscuous mode, which is not supported in Hyper-V:

• Bridge mode network configuration

• Network bridge

• Mobile VPN with SSL with the Bridged VPN Traffic setting


XTMv Software Distribution and Installation on Hyper-V

For Hyper-V, XTMv is distributed as a zipped Virtual Hard Disk (.vhd) file.

• The file name inside the zip file is xtmv_<xtm-version>.vhd.

• Copy the .zip file to the Windows server where Hyper-V is installed.

• Extract the .vhd file from the .zip file.

You cannot use the same .vhd file for more than one virtual machine. To deploy multiple XTMv virtual machines:

– Save a copy of the unzipped .vhd file with a unique name for each XTMv VM.

– When you add the VM in Hyper-V, select a different .vhd file for each XTMv VM.

To install an XTMv VM on Hyper-V:

1. Use the Hyper-V New Virtual Machine Wizard to add the XTMv VM.

2. Add network adapters to the XTMv VM.

3. Power on the XTMv VM.

4. Use the Fireware XTM Web Setup Wizard to set up a basic configuration file.

5. Allocate additional resources to the XTMv VM.
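
A scripted alternative to wizard steps 1 to 3 for deploying several XTMv VMs, added here as an example and not taken from WatchGuard's documentation: it gives each VM its own copy of the .vhd and enforces the Hyper-V adapter limits stated earlier (two to eight network adapters, no legacy adapters). The paths, VM names and virtual switch names are assumptions, and the Hyper-V PowerShell module it uses is available on Windows Server 2012 and Hyper-V Server 2012, not on the 2008 R2 hosts.

```powershell
# Added example: deploy several XTMv VMs, each from its own copy of the .vhd.
# All paths, VM names and switch names are placeholders (assumptions).
$BaseVhd  = 'D:\XTMv\xtmv_<xtm-version>.vhd'   # replace <xtm-version> with the real file name
$VmRoot   = 'D:\Hyper-V\XTMv'
$VmNames  = 'XTMv-Site1', 'XTMv-Site2'
$Switches = 'vSwitch-External', 'vSwitch-Trusted'   # one network adapter per entry

# Limits stated on the page: minimum 2, maximum 8 network adapters per XTMv VM.
if ($Switches.Count -lt 2 -or $Switches.Count -gt 8) {
    throw "An XTMv VM needs between 2 and 8 network adapters; got $($Switches.Count)."
}

New-Item -ItemType Directory -Force -Path $VmRoot | Out-Null

foreach ($Name in $VmNames) {
    # One uniquely named .vhd per VM; the same file must not back two VMs.
    $VmVhd = Join-Path $VmRoot "$Name.vhd"
    if (Test-Path $VmVhd) { throw "$VmVhd already exists; refusing to reuse a .vhd." }
    Copy-Item -Path $BaseVhd -Destination $VmVhd

    # 1GB is the Small Office Edition recommended minimum; size per edition.
    # New-VM attaches one non-legacy adapter connected to -SwitchName.
    New-VM -Name $Name -MemoryStartupBytes 1GB -VHDPath $VmVhd `
           -SwitchName $Switches[0] | Out-Null

    # Add the remaining adapters. Omitting -IsLegacy keeps them non-legacy,
    # which is the only adapter type XTMv supports.
    foreach ($Switch in $Switches[1..($Switches.Count - 1)]) {
        Add-VMNetworkAdapter -VMName $Name -SwitchName $Switch
    }

    # Verify the result before power-on: expected count, no legacy adapters.
    $Adapters = @(Get-VMNetworkAdapter -VMName $Name)
    if ($Adapters | Where-Object { $_.IsLegacy }) {
        throw "$Name has a legacy network adapter, which XTMv does not support."
    }
    if ($Adapters.Count -ne $Switches.Count) {
        throw "$Name has $($Adapters.Count) adapters; expected $($Switches.Count)."
    }

    Start-VM -Name $Name
}
```

The Web Setup Wizard and any later resource allocation (steps 4 and 5) are still done per VM after it boots.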


WatchGuard AP Enhancements


AP MAC Access Control Whitelist

The MAC Access Control now supports two MAC Access Control lists:

• Denied MAC Addresses (blacklist)

• Allowed MAC Addresses (whitelist)

Configure MAC access control in the Gateway Wireless Controller settings.

In each SSID, enable MAC access control and select which list to use.


AP Device Station Isolation

You can now enable station isolation in the SSID configuration.

Station isolation prevents direct communication between wireless clients connected to the SSID on the same AP radio.

• It does not prevent direct communication between wireless clients on different radios or different AP devices, even if they connect to the same SSID.

We recommend that you enable station isolation for wireless guest networks, where the wireless clients should not trust each other.


AP Device Monitoring

The LiveSecurity column shows the AP device activation status.

Click Network Statistics to see these network statistics for the selected AP device:

• Interface statistics

• Routing table

• ARP table


AP Device Radio Used by Wireless Clients

The Gateway Wireless Controller now includes a column that shows the radio channel on the AP device that is used by each wireless client.

Select the Wireless Clients tab in the Gateway Wireless Controller.


AP Device Configuration Update Without a Reboot

Paired AP devices no longer automatically reboot after you save an AP configuration change to the XTM device.


Other Enhancements


Set Source IP Address in SNAT Actions

You can now set the source IP address in SNAT actions.

• In a server load balancing SNAT action you can set one source IP address for all servers.

• In a static NAT action you can set one source IP address for each server.


3G / 4G Modem Failover

In the Modem Configuration on XTM 2 Series, 3 Series, and 5 Series devices, you can now enable 3G/4G modem support.

When you enable 3G/4G modem support:

• The telephone number is set to *99# by default.

• All other account settings are optional.

The telephone number and account settings required to connect vary by wireless carrier.

WatchGuard tested these 3G/4G modems:

• ZTE MF683 (T-Mobile Rocket 3.0 4G)

• Franklin U602 (Sprint 3G/4G Plug-in-Connect USB)

• Sierra Wireless AirCard 250U (Sprint 3G/4G USB 250U)


Updated UI for User Quarantine Message Management

The options in the Quarantine message management UI have been improved.

• Send to Mailbox — Releases the selected messages from quarantine and sends them to the recipient.

• Delete Selected — Deletes the selected spam or virus messages for this user from the Quarantine Server.

• Delete All — Deletes all spam and virus messages for this user from the Quarantine Server.


New Websense Categories

Added two new Websense security categories:

• Compromised Websites

– ID — 220

– Description — Site whose code indicates possible alteration by an external third-party to include hidden links, scripts, or iframe tags that download or redirect the user to malicious or unwanted content.

• Newly Registered Websites

– ID — 221

– Description — Sites with a recently registered domain name.


Specify a Syslog Server Port

You can now specify the port for connections to a syslog server.

The default port (514) always appears as the default setting.


Set the Log Level for the Gateway Wireless Controller

When you configure the Diagnostic Log Level settings for your XTM device, you can specify the log level for the Gateway Wireless Controller.

In Policy Manager, select the Networking category and select a log level for the GWC option.


In Fireware XTM Web UI, select System > Diagnostic Log, and select a log level for the Gateway Wireless Controller option in the Networking section.


Updated Hotspot Policies

When you enable a hotspot on your XTM device, these policies are automatically added to your configuration file:

• Allow External Web Server — Allows TCP connections from users on the guest network to the external web server IP address and the port you use for hotspot external guest authentication.

• Allow Hotspot Session Mgmt — Allows connections from the external web server IP address to the XTM device.

• Allow Hotspot-Users — Allows connections from the hotspot to addresses external to the XTM device.


Log Off Hotspot User Sessions

When a hotspot is configured for external guest authentication, the external hotspot authentication server can send a logoff URL to the XTM device to terminate a user hotspot session.

• The logoff URL includes the MAC address of the user hotspot session to log off, and the shared secret configured in the hotspot settings on your XTM device.

• Each logoff URL sent to the XTM device can log off only one session at a time.


Device Feedback

The XTM device can now send device feedback to WatchGuard.

• Device feedback includes information about how your device is used, but does not include information about your company, or company data.

• The device feedback option is enabled by default.

You can enable or disable device feedback in the Global Settings in your XTM device configuration files and device configuration templates, or in the Web Setup and Quick Setup wizards.


Thank You!
