What’s New in Fireware XTM v11.8.1

WatchGuard Training

Upload: wes

Post on 07-Jan-2016


DESCRIPTION

What’s New in Fireware XTM v11.8.1. Networking Enhancements: Secondary networks for VLANs [40123]. Support for static NAT and server load balancing for traffic through an Optional interface [39793]. PPPoE client IP address enforcement [73382].

TRANSCRIPT

Page 1: What’s New in Fireware XTM v11.8.1

What’s New in Fireware XTM v11.8.1

WatchGuard Training

Page 2: What’s New in Fireware XTM v11.8.1

What’s New in XTM 11.8.1

Networking Enhancements

• Secondary networks for VLANs [40123]

• Support for static NAT and server load balancing for traffic through an Optional interface [39793]

• PPPoE client IP address enforcement [73382]

• DHCP Force Renew support on external interfaces [61383]

• Sierra Wireless 320U 3G/4G modem support [74572]

• Bridge XTM wireless Access Points to the same network [76381]

XTMv Enhancements

• XTMv on ESXi now supports active/passive FireCluster [72105]

WatchGuard AP Device Management Enhancements

• New AP status of Discovered in the Gateway Wireless Controller [77081]

• Ability to upgrade an AP device from the Gateway Wireless Controller [73497]

• Automatic AP device firmware upgrades are now staggered [77738]

Page 3: What’s New in Fireware XTM v11.8.1

What’s New in XTM 11.8.1

Authentication Enhancements

• Customize the Authentication Portal page [42587]

• Case-sensitivity disabled for Firebox-DB user names [61132]

HTTPS-Proxy Enhancements

• Allow only SSL compliant traffic through the HTTPS-proxy [76197]

WebBlocker Enhancements

• Improved WebBlocker local override page [66930]

Management Server Enhancements

• Management Server Clustering [41220]

• Compare versions of configuration files & force users to comment on changes to configuration files and templates [77204]

Monitoring & Reporting Enhancements

• Download a diagnostic log file from the Web UI [77638]

• New Web Traffic Summary report [76985]

Page 4: What’s New in Fireware XTM v11.8.1

Networking Enhancements

Page 5: What’s New in Fireware XTM v11.8.1

Secondary Networks for VLANs

You can now configure a secondary network for a VLAN interface.

• Configure these settings on the Secondary tab in the VLAN configuration.

• Supported for Trusted, Optional, and External VLAN interfaces.

• Secondary IP addresses are often used for Static NAT on external interfaces or network migration and router consolidation on trusted or optional interfaces.

Page 6: What’s New in Fireware XTM v11.8.1

SNAT from Optional to Trusted

In a Static NAT action or Server Load Balancing NAT action, you can now select an External or Optional interface.

This enables you to do static NAT or server load balancing for traffic from the optional network to the trusted network.


Page 7: What’s New in Fireware XTM v11.8.1

PPPoE Client IP Address Enforcement

PPPoE advanced settings include an option to enforce the client static IP address.

When this option is selected:

• The XTM device sends the configured PPPoE client IP address to the PPPoE server.

• The XTM device uses the configured client IP address, even if another IP address is obtained from the server.

PPPoE client address enforcement is useful for clients of ISPs that provide multiple static IP addresses. This new option is useful if the ISP does not respond with the address included in the client request.

Page 8: What’s New in Fireware XTM v11.8.1

DHCP Force Renew

When you configure the external interface as a DHCP client, you can optionally enable the XTM device to respond to DHCP Force Renew messages.

• The FORCERENEW message requests the DHCP client to renew its leased IP address sooner than it ordinarily would.

• You can optionally specify a shared key that must match the key in the FORCERENEW request.

Page 9: What’s New in Fireware XTM v11.8.1

Additional 3G/4G Modem Support

Sierra Wireless 320U 3G/4G USB modem is now supported for modem failover.

To see a complete list of supported modems, see this Knowledge Base article: http://customers.watchguard.com/articles/Article/Supported-3G-4G-USB-devices


Page 10: What’s New in Fireware XTM v11.8.1

Bridge XTM Wireless Access Points to the Same Interface

On an XTM wireless device, you can now bridge Wireless Access Point 1 and Wireless Access Point 2 to the same XTM device interface.

Page 11: What’s New in Fireware XTM v11.8.1

XTMv Enhancements

Page 12: What’s New in Fireware XTM v11.8.1

FireCluster on XTMv

You can configure two XTMv devices as an active/passive FireCluster on VMware vSphere ESXi.

vSwitch configuration requirements:

• The vSwitch connected to an external interface must accept MAC address changes.

• The vSwitch connected to the FireCluster management interface must have promiscuous mode enabled.

Page 13: What’s New in Fireware XTM v11.8.1

AP Device Management Enhancements

Page 14: What’s New in Fireware XTM v11.8.1

Staggered AP Device Firmware Automatic Upgrades

Automatic upgrades of AP device firmware are now staggered.

• If automatic upgrade is enabled in the Gateway Wireless Controller settings, the automatic upgrade of AP devices does not occur simultaneously.

• If there are multiple paired AP devices, the AP device firmware upgrades occur one at a time for each AP device, five minutes apart.

Page 15: What’s New in Fireware XTM v11.8.1

Update AP Device Firmware for a Single AP Device

You can now upgrade the firmware on a single AP device from the Gateway Wireless Controller tab in Firebox System Manager.

• You can see the version of AP firmware available on the XTM device.

• You can see the version of AP firmware currently installed on each AP device.

• Click Upgrade to upgrade the AP firmware to the available version.

In Fireware XTM Web UI, this option is available in the Gateway Wireless Controller Dashboard.

Page 16: What’s New in Fireware XTM v11.8.1

New AP Device Status — Discovered

The Gateway Wireless Controller now shows a status of Discovered for a paired AP device that is connected, but is not yet Online.

• After an AP device restarts, the status is Discovered when the XTM device has successfully communicated to an AP device, but the AP device is not yet online.

Page 17: What’s New in Fireware XTM v11.8.1

Authentication Enhancements

Page 18: What’s New in Fireware XTM v11.8.1

Customize the Authentication Portal

You can now configure the look and feel of the Authentication Portal page from Fireware XTM Web UI and Policy Manager.

• Add custom logo

• Add custom welcome message or disclaimer

• Specify the page title

• Select custom colors

• Select custom fonts

Page 19: What’s New in Fireware XTM v11.8.1

Disable Case-Sensitivity for Firebox-DB User Names

For users created for Firebox Authentication (to the Firebox-DB Authentication Server), you can now disable case-sensitivity for user names.

Users can type their user names with any capitalization and still authenticate.

Page 20: What’s New in Fireware XTM v11.8.1

HTTPS-Proxy Enhancements

Page 21: What’s New in Fireware XTM v11.8.1

HTTPS-Proxy — Allow only SSL Compliant Traffic

By default, when you enable the HTTPS proxy, it allows SSL traffic matching any SSL version.

When this new option is selected, the HTTPS proxy allows only traffic that matches one of these SSL versions:

• SSL_V2=0x200

• SSL_V3=0x300

• TLS_V1=0x301

• TLS_V11=0x302

• TLS_V12=0x303

This new option can be useful if you want to deny traffic that is not HTTP over SSL.

This option is not necessary or available when deep packet inspection is enabled in your HTTPS proxy configuration.
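
As an added illustration (not WatchGuard code, and not a statement of how the proxy implements the option), this Python sketch applies the slide's version values to the 5-byte SSLv3/TLS record header at the start of a connection, which is why plain HTTP or SSH sent to the HTTPS port fails the check. The function name, the choice to inspect only the first record header, and the sample byte strings are assumptions constructed for this example.

```python
import struct

# Version values as listed on the slide. SSL_V2 (0x200) is left out because
# SSLv2 uses a different framing without this 5-byte record header.
ALLOWED_VERSIONS = {
    0x0300: "SSL_V3",
    0x0301: "TLS_V1",
    0x0302: "TLS_V11",
    0x0303: "TLS_V12",
}
HANDSHAKE = 22                   # record content type that carries a ClientHello
MAX_RECORD_LEN = 2**14 + 2048    # largest record length TLS 1.2 permits


def classify_first_record(data: bytes):
    """Return (verdict, detail) for the first bytes a client sends.

    Hypothetical helper: it checks only the record header
    (type, version, length), not the handshake that follows.
    """
    if len(data) < 5:
        return ("deny", "fewer than 5 bytes, no record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if ctype != HANDSHAKE:
        return ("deny", f"content type {ctype} is not a handshake record")
    if version not in ALLOWED_VERSIONS:
        return ("deny", f"version 0x{version:04x} is not in the list")
    if not 0 < length <= MAX_RECORD_LEN:
        return ("deny", f"implausible record length {length}")
    return ("allow", ALLOWED_VERSIONS[version])


# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "tls_client_hello": bytes.fromhex("16030100c8") + b"\x01" * 8,
    "plain_http": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "ssh_banner": b"SSH-2.0-example\r\n",
    "unknown_version": bytes.fromhex("1603090010") + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, classify_first_record(payload))
```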

Page 22: What’s New in Fireware XTM v11.8.1

WebBlocker Enhancements

Page 23: What’s New in Fireware XTM v11.8.1

WebBlocker Local Override Page

The Local Override authentication form that users see in the web browser when access to a web page is denied by WebBlocker has been formatted to match the deny message.


Page 24: What’s New in Fireware XTM v11.8.1

Management Server Enhancements

Page 25: What’s New in Fireware XTM v11.8.1

Management Server Clustering

Create clusters of WatchGuard Management Servers for failover and redundancy.

Uses the native Microsoft Failover Cluster service support for high availability.

Configure each WatchGuard Management Server independently and then use the command line to complete the setup of the servers in a failover cluster.

Page 26: What’s New in Fireware XTM v11.8.1

New Configuration Management Settings

In WatchGuard Server Center > Management Server, the setting to force users to make a comment before saving changes to a device or configuration template has been moved to a new Configuration Management tab.

In the Comment Template list, optionally type the instructions to appear in the Comments dialog box, which users see when they save the configuration file or a configuration template to the Management Server.

Page 27: What’s New in Fireware XTM v11.8.1

Compare Configuration File Versions

In WSM, for a device configuration file, run a Difference Report to see the changes between versions of the configuration in the Configuration History.

The Difference Report includes all changes made to the configuration.

Page 28: What’s New in Fireware XTM v11.8.1

Monitoring & Reporting Enhancements

Page 29: What’s New in Fireware XTM v11.8.1

Download Diagnostic Log File from the Web UI

Fireware XTM Web UI now supports download of a diagnostic log file (support.tgz).

Enable diagnostic logging and download the support.tgz file:

1. Select System > Configuration File.

2. Click Download the Support Logs.

Review the file for diagnostic, packet trace information about your XTM device.

Page 30: What’s New in Fireware XTM v11.8.1

Web Traffic Summary Report

The Web Traffic Summary report has been added to WatchGuard System Manager Log and Report Manager. This report (already available with Dimension) offers a high-level view of:

• Top web sites visited by clients, in a bar chart

• Top web categories visited by clients, in a pie chart

Page 31: What’s New in Fireware XTM v11.8.1

Thank You!