Fireware v11.11.1 Release Notes

Supported Devices: Firebox T10, T30, T50, M200, M300, M400, M440, M500,
  M4600, M5600; XTM 3, 5, 8, 800, 1500, and 2500 Series; XTM 25, XTM 26,
  XTM 1050, XTM 2050; XTMv, WatchGuard AP
Release Date: 11 July 2016
Fireware OS Build: 507199
WatchGuard System Manager Build: 505414
WatchGuard AP Device Firmware: For AP 100, 102, 200: Build 1.2.9.7
  (499343); For AP 300: Build 2.0.0.2 (499475)

Introduction
WatchGuard is pleased to announce the release of Fireware v11.11.1 and
WatchGuard System Manager v11.11.1. This maintenance release includes
many bug fixes and some small feature enhancements, including:
- New default ciphers for managed security templates (drag and drop
  VPN)
- Application Control statistics are now available from Fireware Web UI
  and Firebox System Manager
- Updates to default HTTP Proxy Actions to allow all HTTP Request and
  Response headers
For more information on the bug fixes and enhancements in this release,
see the Enhancements and Resolved Issues section. For more detailed
information about the feature enhancements and functionality changes
included in Fireware v11.11.1, see the product documentation or review
What's New in Fireware v11.11.1
(http://www.watchguard.com/help/docs/fireware/11/en-US/whats-new_Fireware_v11-11-1.pptx).

Important Information about Firebox Certificates
SHA-1 is being deprecated by many popular web browsers, and WatchGuard
recommends that you now use SHA-256 certificates. Because of this, we
have upgraded our default Firebox certificates. Starting with Fireware
v11.10.4, all newly generated default Firebox certificates use a
2048-bit key length. In addition, newly generated default Proxy Server
and Proxy Authority certificates use SHA-256 for their signature hash
algorithm. Starting with Fireware v11.10.5, all newly generated default
Firebox certificates use SHA-256 for their signature hash algorithm.
New CSRs created from the Firebox also use SHA-256 for their signature
hash algorithm.
Default certificates are not automatically upgraded after you install
Fireware v11.10.5 or later releases.
To regenerate any default Firebox certificates, delete the certificate
and reboot the Firebox. If you want to regenerate default certificates
without a reboot, you can use the CLI commands described in the next
section. Before you regenerate the Proxy Server or Proxy Authority
certificate, there are some important things to know.
The Proxy Server certificate is used for inbound HTTPS with content
inspection and SMTP with TLS inspection. The Proxy Authority
certificate is used for outbound HTTPS with content inspection. The two
certificates are linked because the default Proxy Server certificate is
signed by the default Proxy Authority certificate. If you use the CLI
to regenerate these certificates, after you upgrade, you must
redistribute the new Proxy Authority certificate to your clients or
users will receive web browser warnings when they browse HTTPS sites,
if content inspection is enabled.
Also, if you use a third-party Proxy Server or Proxy Authority
certificate:
- The CLI command will not work unless you first delete either the
  Proxy Server or Proxy Authority certificate. The CLI command will
  regenerate both the Proxy Server and Proxy Authority default
  certificates.
- If you originally used a third-party tool to create the CSR, you can
  simply re-import your existing third-party certificate and private
  key.
- If you originally created your CSR from the Firebox, you must create
  a new CSR to be signed, and then import a new third-party
  certificate.

CLI Commands to Regenerate Default Firebox Certificates
To regenerate any default Firebox certificates, delete the certificate
and reboot the Firebox. If you want to regenerate default certificates
without a reboot, you can use these CLI commands:
- To upgrade the default Proxy Authority and Proxy Server certificates
  for use with HTTPS content inspection, you can use the CLI command:
  upgrade certificate proxy
- To upgrade the Firebox web server certificate, use the CLI command:
  upgrade certificate web
- To upgrade the SSLVPN certificate, use the CLI command:
  upgrade certificate sslvpn
- To upgrade the 802.1x certificate, use the CLI command:
  upgrade certificate 8021x
For more information about the CLI, see the Command Line Interface
Reference
(http://www.watchguard.com/help/docs/fireware/11/en-US/CLI/index.html).
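
Because default certificates are not upgraded automatically, it helps to check which ones still carry a SHA-1 signature or a key shorter than 2048 bits before deciding which CLI command from the section above to run. The script below is an added example, not WatchGuard code: the function names are hypothetical, and it assumes the certificate has been exported from the Firebox as a PEM file, that its key is RSA, and that openssl is installed.

```sh
#!/bin/sh
# Added example, not WatchGuard code. Flags certificates that predate the
# SHA-256 / 2048-bit defaults described in these release notes.

# classify ROLE ALG BITS
# Decision logic only. ROLE is the argument of the CLI command quoted in
# the notes (proxy, web, sslvpn, 8021x). Assumes an RSA key, so BITS is the
# modulus size. Prints one verdict line; returns 0 = OK, 1 = weak, 2 = error.
classify() {
    role=$1 alg=$2 bits=$3 reason=""
    case $bits in
        ''|*[!0-9]*) echo "ERROR $role bad key size '$bits'"; return 2 ;;
    esac
    case $alg in
        *[Ss][Hh][Aa]1*|*[Mm][Dd]5*) reason="signature=$alg" ;;
    esac
    if [ "$bits" -lt 2048 ]; then
        reason="${reason:+$reason,}key=${bits}bit"
    fi
    if [ -z "$reason" ]; then
        echo "OK $role $alg ${bits}bit"
        return 0
    fi
    echo "REGENERATE $role [$reason] -> upgrade certificate $role"
    return 1
}

# sig_alg FILE: signature algorithm name from `openssl x509 -text`.
sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk -F': ' '/Signature Algorithm:/ { print $2; exit }'
}

# key_bits FILE: public key size in bits. Matches both the
# "RSA Public-Key: (N bit)" and "Public-Key: (N bit)" output styles.
key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# audit_cert ROLE FILE: parse a PEM certificate, then classify it.
audit_cert() {
    a=$(sig_alg "$2")
    b=$(key_bits "$2")
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "ERROR $1 cannot parse $2"
        return 2
    fi
    classify "$1" "$a" "$b"
}

# Constructed sample input: throwaway self-signed certificates generated
# locally, standing in for PEM files exported from a device.
make_sample() {   # make_sample BITS OUTFILE
    openssl req -x509 -newkey "rsa:$1" -sha256 -nodes -days 1 \
        -subj "/CN=constructed-sample" \
        -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample 2048 "$d/web.pem"
    make_sample 1024 "$d/sslvpn.pem"
    audit_cert web "$d/web.pem"
    audit_cert sslvpn "$d/sslvpn.pem"
    # Values typed in directly (no file): the pre-v11.10.4 profile.
    classify proxy sha1WithRSAEncryption 1024
    rm -rf "$d"
}
demo || true
```

The script only reads local files and echoes the matching command; it does not contact the Firebox. For a third-party Proxy Server or Proxy Authority certificate, the third-party notes above apply rather than the printed CLI command.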

Before You Begin
Before you install this release, make sure that you have:
- A supported WatchGuard Firebox or XTM device. This device can be a
  WatchGuard Firebox T10, T30, T50, XTM 2 Series (models 25 and 26
  only), 3 Series, 5 Series, 8 Series, 800 Series, XTM 1050, XTM 1500
  Series, XTM 2050 device, XTM 2500 Series, Firebox M200, M300, M400,
  M500, M440, M4600, M5600, or XTMv (any edition).
- The required hardware and software components as shown below. If you
  use WatchGuard System Manager (WSM), make sure your WSM version is
  equal to or higher than the version of Fireware OS installed on your
  Firebox or XTM device and the version of WSM installed on your
  Management Server.
- Feature key for your Firebox or XTM device - If you upgrade your
  device from an earlier version of Fireware OS, you can use your
  existing feature key. If you do not have a feature key for your
  device, you can log in to the WatchGuard website to download it.
Note that you can install and use WatchGuard System Manager v11.11.x
and all WSM server components with devices running earlier versions of
Fireware v11. In this case, we recommend that you use the product
documentation that matches your Fireware OS version.
If you have a new Firebox or XTM physical device, make sure you use the
instructions in the Quick Start Guide that shipped with your device. If
this is a new XTMv installation, make sure you carefully review the
XTMv Setup Guide
(http://www.watchguard.com/help/docs/fireware/11/en-US/XTMv_Setup_Guide_v11_11.pdf)
for important installation and setup instructions. We also recommend
that you review the Hardware Guide
(http://www.watchguard.com/wgrd-help/documentation/hardware-guides)
for your Firebox or XTM device model. The Hardware Guide contains
useful information about your device interfaces, as well as information
on resetting your device to factory default settings, if necessary.
Product documentation for all WatchGuard products is available on the
WatchGuard web site at www.watchguard.com/help/documentation.

Localization
This release includes localized management user interfaces (WSM
application suite and Web UI) current as of Fireware v11.10.2. UI
changes introduced since v11.10.2 may remain in English. Supported
languages are:
- French (France)
- Japanese
- Spanish (Latin American)
Note that most data input must still be made using standard ASCII
characters. You can use non-ASCII characters in some areas of the UI,
including:
- Proxy deny message
- Wireless hotspot title, terms and conditions, and message
- WatchGuard Server Center users, groups, and role names
Any data returned from the device operating system (e.g. log data) is
displayed in English only. Additionally, all items in the Web UI System
Status menu and any software components provided by third-party
companies remain in English.

Fireware Web UI
The Web UI will launch in the language you have set in your web browser
by default.

WatchGuard System Manager
When you install WSM, you can choose what language packs you want to
install. The language displayed in WSM will match the language you
select in your Microsoft Windows environment. For example, if you use
Windows 7 and want to use WSM in Japanese, go to Control Panel >
Regions and Languages and select Japanese on the Keyboards and
Languages tab as your Display Language.

Dimension, WebCenter, Quarantine Web UI, and Wireless Hotspot
These web pages automatically display in whatever language preference
you have set in your web browser.

Fireware and WSM v11.11.1 Operating System Compatibility
Last revised: 29 June 2016
Operating systems listed in the compatibility table:
- Microsoft Windows 7, 8, 8.1, 10 (32-bit & 64-bit)
- Microsoft Windows Server 2008 & 2008 R2
- Microsoft Windows Server 2012 & 2012 R2 (64-bit)
- Mac OS X v10.9, v10.10, v10.11
- Android 4.x & 5.x
- iOS v7, v8, & v9
WSM/Fireware components listed in the compatibility table:
- WatchGuard System Manager
- WatchGuard Servers. For information on WatchGuard Dimension, see the
  Dimension Release Notes
  (https://www.watchguard.com/support/release-notes/Index.aspx).
- Single Sign-On Agent (Includes Event Log Monitor)
- Single Sign-On Client
- Single Sign-On Exchange Monitor [1]
- Terminal Services Agent [2]
- Mobile VPN with IPSec [3] [3]
- Mobile VPN with SSL
Notes about Microsoft Windows support:
- For Microsoft Windows Server 2008, we support both 32-bit and 64-bit.
  For Windows Server 2008 R2, we support 64-bit only.
- Windows 8.x support does not include Windows RT.
- Windows Exchange Server 2013 is supported if you install Windows
  Server 2012 or 2012 R2 and .Net framework 3.5.
The following browsers are supported for both Fireware Web UI and
WebCenter (Javascript required):
- IE 9 and later
- Microsoft Edge
- Firefox v22 and later
- Safari 6 and later
- Safari iOS 6 and later
- Chrome v29 and later
1. Microsoft Exchange Server 2007, 2010, and 2013 are supported.
2. Terminal Services support with manual or Single Sign-On
   authentication operates in a Microsoft Terminal Services or Citrix
   XenApp 4.5, 5.0, 6.0, 6.5 and 7.6 environment.
3. Native (Cisco) IPSec client and OpenVPN are supported for Mac OS and
   iOS. For Mac OS X 10.8 - 10.10, we also support the WatchGuard IPSec
   Mobile VPN Client for Mac, powered by NCP.

Authentication Support
This table gives you a quick view of the types of authentication
servers supported by key features of Fireware. Using an authentication
server gives you the ability to configure user and group-based firewall
and VPN policies in your Firebox or XTM device configuration. With each
type of third-party authentication server supported, you can specify a
backup server IP address for failover.
Table legend:
- Fully supported by WatchGuard
- Not yet supported, but tested with success by WatchGuard customers
Authentication servers listed in the table:
- Active Directory [1]
- LDAP
- RADIUS [2]
- SecurID [2]
- Firebox (Firebox-DB) Local Authentication
Features listed in the table:
- Mobile VPN with IPSec/Shrew Soft [3]
- Mobile VPN with IPSec/WatchGuard client (NCP)
- Mobile VPN with IPSec for iOS and Mac OS X native VPN client
- Mobile VPN with IPSec for Android devices
- Mobile VPN with SSL for Windows [4] [4]
- Mobile VPN with SSL for Mac
- Mobile VPN with SSL for iOS and Android devices
- Mobile VPN with L2TP [6]
- Mobile VPN with PPTP N/A
- Built-in Authentication Web Page on Port 4100
- Single Sign-On Support (with or without client software)
- Terminal Services Manual Authentication
- Terminal Services Authentication with Single Sign-On [5]
- Citrix Manual Authentication
- Citrix Manual Authentication with Single Sign-On [5]
1. Active Directory support includes both single domain and
   multi-domain support, unless otherwise noted.
2. RADIUS and SecurID support includes support for both one-time
   passphrases and challenge/response authentication integrated with
   RADIUS. In many cases, SecurID can also be used with other RADIUS
   implementations, including Vasco.
3. The Shrew Soft client does not support two-factor authentication.
4. Fireware supports RADIUS Filter ID 11 for group authentication.
5. Both single and multiple domain Active Directory configurations are
   supported. For information about the supported Operating System
   compatibility for the WatchGuard TO Agent and SSO Agent, see the
   current Fireware and WSM Operating System Compatibility table.
6. Active Directory authentication methods are supported only through a
   RADIUS server.

System Requirements
 | If you have WatchGuard System Manager client software only installed | If you install WatchGuard System Manager and WatchGuard Server software
Minimum CPU | Intel Core or Xeon 2GHz | Intel Core or Xeon 2GHz
Minimum Memory | 1GB | 2GB
Minimum Available Disk Space | 250MB | 1GB
Minimum Recommended Screen Resolution | 1024x768 | 1024x768

XTMv System Requirements
With support for installation in both a VMware and a Hyper-V
environment, a WatchGuard XTMv virtual machine can run on a VMware ESXi
5.0, 5.1, 5.5, or 6.0 host, or on Windows Server 2008 R2, Windows
Server 2012, Hyper-V Server 2008 R2, or Hyper-V Server 2012.
The hardware requirements for XTMv are the same as for the hypervisor
environment it runs in.
Each XTMv virtual machine requires 3 GB of disk space.

Recommended Resource Allocation Settings
 | Small Office | Medium Office | Large Office | Datacenter
Virtual CPUs | 1 | 2 | 4 | 8 or more
Memory | 1GB | 2GB | 4GB | 4GB or more

Downloading Software
You can download software from the WatchGuard Software Downloads Center
(http://software.watchguard.com/).
There are several software files available for download with this
release. See the descriptions below so you know what software packages
you will need for your upgrade.

WatchGuard System Manager
With this software package you can install WSM and the WatchGuard
Server Center software:
WSM11_11_1.exe - Use this file to install WSM v11.11.1 or to upgrade
WatchGuard System Manager from v11.x to WSM v11.11.1.

Fireware OS
Select the correct Fireware OS image for your Firebox or XTM device.
Use the .exe file if you want to install or upgrade the OS using WSM.
Use the .zip file if you want to install or upgrade the OS using the
Fireware Web UI. Use the .ova or .vhd file to deploy a new XTMv device.
If you have | Select from these Fireware OS packages
Firebox M5600 | Firebox_OS_M4600_M5600_11_11_1.exe, firebox_M4600_M5600_11_11_1.zip
Firebox M4600 | Firebox_OS_M4600_M5600_11_11_1.exe, firebox_M4600_M5600_11_11_1.zip
XTM 2500 Series | XTM_OS_XTM800_1500_2500_11_11_1.exe, xtm_xtm800_1500_2500_11_11_1.zip
XTM 2050 | XTM_OS_XTM2050_11_11_1.exe, xtm_xtm2050_11_11_1.zip
XTM 1500 Series | XTM_OS_XTM800_1500_2500_11_11_1.exe, xtm_xtm800_1500_2500_11_11_1.zip
XTM 1050 | XTM_OS_XTM1050_11_11_1.exe, xtm_xtm1050_11_11_1.zip
XTM 800 Series | XTM_OS_XTM800_1500_2500_11_11_1.exe, xtm_xtm800_1500_2500_11_11_1.zip
XTM 8 Series | XTM_OS_XTM8_11_11_1.exe, xtm_xtm8_11_11_1.zip
Firebox M500 Series | Firebox_OS_M400_M500_11_11_1.exe, firebox_M400_M500_11_11_1.zip
XTM 5 Series | XTM_OS_XTM5_11_11_1.exe, xtm_xtm5_11_11_1.zip
Firebox M440 | Firebox_OS_M440_11_11_1.exe, firebox_M440_11_11_1.zip
Firebox M400 Series | Firebox_OS_M400_M500_11_11_1.exe, firebox_M400_M500_11_11_1.zip
Firebox M300 | Firebox_OS_M200_M300_11_11_1.exe, firebox_M200_M300_11_11_1.zip
Firebox M200 | Firebox_OS_M200_M300_11_11_1.exe, firebox_M200_M300_11_11_1.zip
XTM 330 | XTM_OS_XTM330_11_11_1.exe, xtm_xtm330_11_11_1.zip
XTM 33 | XTM_OS_XTM3_11_11_1.exe, xtm_xtm3_11_11_1.zip
XTM 2 Series Models 25, 26 | XTM_OS_XTM2A6_11_11_1.exe, xtm_xtm2a6_11_11_1.zip
Firebox T30 | Firebox_OS_T30_T50_11_11_1.exe, firebox_T30_T50_11_11_1.zip
Firebox T50 | Firebox_OS_T30_T50_11_11_1.exe, firebox_T30_T50_11_11_1.zip
Firebox T10 | Firebox_OS_T10_11_11_1.exe, firebox_T10_11_1_11.zip
XTMv All editions for VMware | xtmv_11_11_1.ova, xtmv_11_11_1.exe, xtmv_11_11_1.zip
XTMv All editions for Hyper-V | xtmv_11_11_1_vhd.zip, xtmv_11_11_1.exe, xtmv_11_11_1.zip

Single Sign-On Software
These files are available for Single Sign-On. There are no updates for
the Fireware v11.11.1 release.
- WG-Authentication-Gateway_11_11.exe (SSO Agent software - required
  for Single Sign-On and includes optional Event Log Monitor for
  clientless SSO)
- WG-Authentication-Client_11_11.msi (SSO Client software for Windows)
- WG-SSOCLIENT-MAC_11_10.dmg (SSO Client software for Mac OS X)
- SSOExchangeMonitor_x86_11_11.exe (Exchange Monitor for 32-bit
  operating systems)
- SSOExchangeMonitor_x64_11_11.exe (Exchange Monitor for 64-bit
  operating systems)
For information about how to install and set up Single Sign-On, see the
product documentation.

Terminal Services Authentication Software
- TO_AGENT_SETUP_11_11.exe (This installer includes both 32-bit and
  64-bit file support.)

Mobile VPN with SSL Client for Windows and Mac
There are two files available for download if you use Mobile VPN with
SSL. The Windows client has been updated with this release.
- WG-MVPN-SSL_11_11_1.exe (Client software for Windows)
- WG-MVPN-SSL_11_11.dmg (Client software for Mac)

Mobile VPN with IPSec client for Windows and Mac
There are several available files to download. The WatchGuard IPSec
Mobile VPN Windows clients have been updated with this release.
Shrew Soft Client
- Shrew Soft Client 2.2.2 for Windows - No client license required.
WatchGuard IPSec Mobile VPN Clients
- WatchGuard IPSec Mobile VPN Client for Windows (32-bit), powered by
  NCP - There is a license required for this premium client, with a
  30-day free trial available with download.
- WatchGuard IPSec Mobile VPN Client for Windows (64-bit), powered by
  NCP - There is a license required for this premium client, with a
  30-day free trial available with download.
- WatchGuard IPSec Mobile VPN Client for Mac OS X, powered by NCP -
  There is a license required for this premium client, with a 30-day
  free trial available with download.
WatchGuard Mobile VPN License Server
- WatchGuard Mobile VPN License Server (MVLS) v2.0, powered by NCP -
  Click here for more information about MVLS:
  http://www.watchguard.com/mobilevpn-activation/

Upgrade to Fireware v11.11.1
Before you upgrade to Fireware v11.11.x, your Firebox must be running:
- Fireware XTM v11.7.5
- Fireware XTM v11.8.4
- Fireware XTM v11.9 or higher
If you try to upgrade from Policy Manager and your Firebox is running
an unsupported version, the upgrade is prevented.
If you try to schedule an OS update of managed devices through a
Management Server, the upgrade is also prevented.
If you use the Fireware Web UI to upgrade your device, you see a
warning, but it is possible to continue so you must make sure your
Firebox is running v11.7.5, v11.8.4, or v11.9.x, or v11.10.x before you
upgrade to Fireware v11.11.x or your Firebox will be reset to a default
state.
Before you upgrade from Fireware v11.x to Fireware v11.11.1, download
and save the Fireware OS file that matches the Firebox you want to
upgrade. You can use Policy Manager or the Web UI to complete the
upgrade procedure. We strongly recommend that you back up your Firebox
configuration and your WatchGuard Management Server configuration
before you upgrade. It is not possible to downgrade without these
backup files.
If you use WatchGuard System Manager (WSM), make sure your WSM version
is equal to or higher than the version of Fireware OS installed on your
Firebox and the version of WSM installed on your Management Server.
Also, make sure to upgrade WSM before you upgrade the version of
Fireware OS on your Firebox.
If you want to upgrade an XTM 2 Series, 3 Series, or 5 Series device,
we recommend that you reboot your Firebox before you upgrade. This
clears your device memory and can prevent many problems commonly
associated with upgrades in those devices.

Upgrade Notes for XTMv
For Fireware v11.11 and higher, the XTMv device is a 64-bit virtual
machine. You cannot upgrade an XTMv device from Fireware v11.10.x or
lower to Fireware v11.11 or higher. Instead, you must use the OVA file
to deploy a new 64-bit Fireware v11.11.x XTMv VM, and then use Policy
Manager to move the existing configuration from the 32-bit XTMv VM to
the 64-bit XTMv VM. For more information about how to move the
configuration, see Fireware Help. For more information about how to
deploy a new XTMv VM, see the latest WatchGuard XTMv Setup Guide
available on the product documentation page at
http://www.watchguard.com/wgrd-help/documentation/xtm. When your XTMv
instance has been updated to v11.11 or higher, you can then use the
usual upgrade procedure, as detailed below.
WatchGuard updated the certificate used to sign the .ova files with the
release of Fireware v11.11. When you deploy the OVF template, a
certificate error may appear in the OVF template details. This error
occurs when the host machine is missing an intermediate certificate
from Symantec (Symantec Class 3 SHA256 Code Signing CA), and the
Windows CryptoAPI was unable to download it. To resolve this error, you
can download and install the certificate from Symantec at:
https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=INFO2170.

Back up your WatchGuard Servers
It is not usually necessary to uninstall your previous v11.x server or
client software when you upgrade to WSM v11.11.1. You can install the
v11.11.1 server and client software on top of your existing
installation to upgrade your WatchGuard software components. We do,
however, strongly recommend that you back up your WatchGuard Servers
(for example: WatchGuard Log Server, WatchGuard Report Server) to a
safe location before you upgrade. You will need these backup files if
you ever want to downgrade.
Log Server backup: http://www.watchguard.com/help/docs/fireware/11/en-US/index.html#en-US/logging/ls_configure_database-maintenance_tab_wsm.html?TocPath=Logging and Reporting|Set Up Your Log Server|_____2
Report Server backup: http://www.watchguard.com/help/docs/fireware/11/en-US/index.html#en-US/reports/rs_backup-restore-ls-db_wsm.html?TocPath=Logging and Reporting|_____12
To back up your Management Server configuration, from the computer
where you installed the Management Server:
1. From WatchGuard Server Center, select Backup/Restore Management
   Server.
   The WatchGuard Server Center Backup/Restore Wizard starts.
2. Click Next.
   The Select an action screen appears.
3. Select Back up settings.
4. Click Next.
   The Specify a backup file screen appears.
5. Click Browse to select a location for the backup file. Make sure you
   save the configuration file to a location you can access later to
   restore the configuration.
6. Click Next.
   The WatchGuard Server Center Backup/Restore Wizard is complete
   screen appears.
7. Click Finish to exit the wizard.

Upgrade to Fireware v11.11.x from Web UI
If your Firebox is running Fireware v11.10 or later, you can upgrade
the Fireware OS on your Firebox automatically from the System >
Upgrade OS page.
If your Firebox is running v11.9.x or earlier, use these steps to
upgrade:
1. Go to System > Backup Image or use the USB Backup feature to back up
   your current device image.
2. On your management computer, launch the OS software file you
   downloaded from the WatchGuard Software Downloads page.
   If you use the Windows-based installer on a computer with a Windows
   64-bit operating system, this installation extracts an upgrade file
   called [product series]_[product code].sysa-dl to the default
   location of C:\Program Files (x86)\Common
   files\WatchGuard\resources\FirewareXTM\11.11.1\[model] or
   [model][product_code].
   On a computer with a Windows 32-bit operating system, the path is:
   C:\Program Files\Common Files\WatchGuard\resources\Fireware\11.11.1
3. Connect to your Firebox with the Web UI and select System > Upgrade
   OS.
4. Browse to the location of the [product series]_[product
   code].sysa-dl from Step 2 and click Upgrade.

Upgrade to Fireware v11.11.x from WSM/Policy Manager
1. Select File > Backup or use the USB Backup feature to back up your
   current device image.
2. On a management computer running a Windows 64-bit operating system,
   launch the OS executable file you downloaded from the WatchGuard
   Portal. This installation extracts an upgrade file called [Firebox
   or xtm series]_[product code].sysa-dl to the default location of
   C:\Program Files (x86)\Common
   files\WatchGuard\resources\Fireware\11.11.1\[model] or
   [model][product_code].
   On a computer with a Windows 32-bit operating system, the path is:
   C:\Program Files\Common Files\WatchGuard\resources\Fireware\11.11.1
3. Install and open WatchGuard System Manager v11.11.1. Connect to your
   Firebox and launch Policy Manager.
4. From Policy Manager, select File > Upgrade. When prompted, browse to
   and select the [product series]_[product code].sysa-dl file from
   Step 2.

Update AP Devices
With the release of Fireware v11.11 we are releasing new AP firmware
for all AP devices. The process to update to new AP firmware has
changed. Please review this section carefully for important information
about updating AP devices.

Update your AP100, AP102, and AP200 Devices
Fireware v11.11 includes new AP firmware v1.2.9.7 for AP100/102 and
AP200 devices. If you have enabled automatic AP device firmware updates
in Gateway Wireless Controller AND you upgrade from Fireware v11.10.4
or v11.10.5 to Fireware v11.11, your AP devices are automatically
updated between midnight and 4:00am local time.
If you upgrade from Fireware v11.10.3 or lower to Fireware v11.11
(without first upgrading to Fireware v11.10.4 or v11.10.5), there is an
additional step you must take to make sure AP v1.2.9.7 is applied to
your AP devices. When you upgrade to Fireware v11.11 with Fireware Web
UI or Policy Manager, you must do the upgrade process twice. From the
Web UI:
1. Connect to your Firebox and select System > Upgrade OS.
2. Browse to the location of your Fireware v11.11 upgrade file and
   click Upgrade.
3. When the upgrade is complete, repeat Step 2.
If you reset your Firebox to factory-default settings, the AP firmware
is removed from the Firebox. To reinstall the AP firmware on the
Firebox you must reinstall Fireware v11.11 on the Firebox or download
the AP firmware v1.2.9.7 Component Package from the Software Downloads
Center and use Fireware Web UI or Policy Manager to install it.
You cannot install the AP firmware on a Firebox that uses Fireware
v11.4.x or lower. If you try to install the AP Component Package on a
Firebox that uses Fireware v11.4.x or lower, the package appears to
install successfully, but the AP firmware is not installed and log
messages show that the packet installation was aborted.

Update your AP300 Devices
Fireware v11.11 includes AP firmware v2.0.0.2. If you have enabled
automatic AP device firmware updates in Gateway Wireless Controller AND
you upgrade from Fireware v11.10.4 or v11.10.5 to Fireware v11.11, your
AP devices will be automatically updated between midnight and 4:00am
local time.
If you upgrade from Fireware v11.10.3 or lower to Fireware v11.11
(without first upgrading to Fireware v11.10.4 or v11.10.5), there is an
additional step you must take to make sure AP v2.0.0.2 is applied to
your AP devices. When you upgrade to Fireware v11.11 with Fireware Web
UI or Policy Manager, you must do the upgrade process twice. From the
Web UI:
1. Connect to your Firebox and select System > Upgrade OS.
2. Browse to the location of your Fireware v11.11 upgrade file and
   click Upgrade.
3. When the upgrade is complete, repeat Step 2.
If you reset your Firebox to factory-default settings, the AP firmware
is removed from the Firebox. To reinstall the AP firmware, use one of
these two methods:
Reinstall Fireware v11.11 on your Firebox
1. Connect to your Firebox and select System > Upgrade OS.
2. Browse to the location of your Fireware v11.11 upgrade file and
   click Upgrade.
Download the AP firmware package from the Software Downloads Center and
install it on the Firebox
1. Download and extract the AP firmware package. The component package
   file extension is wgpkg-dl.
2. From Fireware Web UI, select System > Upgrade OS.
3. Select Use an upgrade file.
4. Browse to the location of the wgpkg-dl file and click Upgrade.

Upgrade your FireCluster to Fireware v11.11.x
Before you upgrade to Fireware v11.11 or higher, your Firebox must be
running:
- Fireware XTM v11.7.5
- Fireware XTM v11.8.4
- Fireware XTM v11.9 or higher
If you try to upgrade from Policy Manager and your Firebox is running
an unsupported version, the upgrade is prevented.
If you try to schedule an OS update of managed devices through a
Management Server, the upgrade is also prevented.
If you use the Fireware Web UI to upgrade your device, you see a
warning, but it is possible to continue so you must make sure your
Firebox is running v11.7.5, v11.8.4, or v11.9.x before you upgrade to
Fireware v11.11.x or your Firebox will be reset to a default state.
To upgrade a FireCluster from Fireware v11.3.x to Fireware v11.9.x or
higher, you must perform a manual upgrade. For manual upgrade steps,
see this Knowledge Base article:
http://watchguardsupport.force.com/publicKB?type=KBArticle&SFDCID=kA2A00000000Fk4KAE&lang=en_US
You can upgrade Fireware OS for a FireCluster from Policy Manager or
Fireware Web UI. To upgrade a FireCluster from Fireware v11.10.x or
lower, we recommend you use Policy Manager.
As part of the upgrade process, each cluster member reboots and rejoins
the cluster. Because the cluster cannot do load balancing while a
cluster member reboot is in progress, we recommend you upgrade an
active/active cluster at a time when the network traffic is lightest.
For information on how to upgrade your FireCluster, see this Help
topic:
http://www.watchguard.com/help/docs/fireware/11/en-US/Content/en-US/ha/cluster_upgrade_sw_wsm.html#

Downgrade Instructions

Downgrade from WSM v11.11.1 to WSM v11.x
If you want to revert from v11.11.1 to an earlier version of WSM, you
must uninstall WSM v11.11.1. When you uninstall, choose Yes when the
uninstaller asks if you want to delete server configuration and data
files. After the server configuration and data files are deleted, you
must restore the data and server configuration files you backed up
before you upgraded to WSM v11.11.1.
Next, install the same version of WSM that you used before you upgraded
to WSM v11.11.1. The installer should detect your existing server
configuration and try to restart your servers from the Finish dialog
box. If you use a WatchGuard Management Server, use WatchGuard Server
Center to restore the backup Management Server configuration you
created before you first upgraded to WSM v11.11.1. Verify that all
WatchGuard servers are running.

Downgrade from Fireware v11.11.1 to Fireware v11.x
If you use the Fireware Web UI or CLI to downgrade from Fireware
v11.11.1 to an earlier version, the downgrade process resets the
network and security settings on your device to their factory-default
settings. The downgrade process does not change the device passphrases
and does not remove the feature keys and certificates.
If you want to downgrade from Fireware v11.11.1 to an earlier version
of Fireware, the recommended method is to use a backup image that you
created before the upgrade to Fireware v11.11.1. With a backup image,
you can either:
- Restore the full backup image you created when you upgraded to
  Fireware v11.11.1 to complete the downgrade; or
- Use the USB backup file you created before the upgrade as your
  auto-restore image, and then boot into recovery mode with the USB
  drive plugged in to your device. This is not an option for XTMv
  users.
See the Fireware Help for more information about these downgrade
procedures, and information about how to downgrade if you do not have a
backup image:
http://www.watchguard.com/help/docs/fireware/11/en-US/index.html#en-US/installation/version_downgrade_xtm_c.html

Downgrade Restrictions
See this Knowledge Base article for a list of downgrade restrictions:
http://watchguardsupport.force.com/publicKB?type=KBArticle&SFDCID=kA2F0000000QC8oKAG&lang=en_US
When you downgrade the Fireware OS on your Firebox or XTM device, the
firmware on any paired AP devices is not automatically downgraded. We
recommend that you reset the AP device to its factory-default settings
to make sure that it can be managed by the older version of Fireware
OS.
Enhancements and Resolved Issues in Fireware v11.11.1
General
• The lighttpd service has been upgraded to resolve security
  advisory CVE-2013-4559. [91194]
• The WatchGuard Authentication and SSL VPN Portals have been
  updated to validate the configured redirect URL after successful
  user authentication to prevent XSS and open redirect
  vulnerabilities. [90972, 90973]
• A problem is resolved that caused the error message
  "Internal_Error: Unable to set config" to appear when you saved a
  configuration to the Firebox from Policy Manager. [88214]
• An issue that caused Firebox M400 and M500 appliances to
  incorrectly report copper SFP+ modules as fiber SFP+ modules has
  been resolved. [90669]
• Policy Manager and Firebox System Manager no longer crash on
  ESXi Windows 7 and Windows 2008 R2 virtual machines when tooltips
  appear. [89422]
• The LiveSecurity menu option has been removed from both
  Fireware Web UI and Policy Manager. WatchGuard no longer maintains
  the RSS feed through the UI. [90594]
• The libarchive library included in Fireware OS has been
  updated to version 3.2.1 to address CVE-2016-4300 and several
  memory allocation issues. [91519]
Proxies and Security Subscriptions
• You can now see Application Control statistics in Fireware Web UI
  and Firebox System Manager. [88291]
• Botnet site exceptions no longer include IPv6 options. [90036]
• This release includes updated HTTP Request and Response
  header rules in the predefined HTTP and Explicit Proxy actions. In
  previous versions of Fireware OS, the default HTTP proxy action
  would only allow a limited list of HTTP headers in HTTP Request and
  HTTP Response messages. [89006]
• The If Matched action menu now appears in the Simple View of
  the Mail From and Rcpt To sections of an SMTP Proxy action.
  [87909]
• The FTP Proxy now sends an error response back to the client
  when the action is Block, Drop, or Deny. [89425]
• You are now correctly redirected to the original website after
  you type your password for a WebBlocker override through the
  Explicit Proxy. [90450]
• To maintain the best security standards, as of Fireware OS
  v11.11.1, you can no longer select SSLv2 in the HTTPS and SMTP
  proxies when you enable content inspection. [90193]
• The Traffic Management Action type is now displayed as All
  policies, Per Policy, or Per IP Address instead of 1, 2, or 3.
  [91109]
• This release resolves a crash in the SIP proxy. [89697]
• Several proxy crashes caused by an invalid SIP debug log message
  have been resolved. [91136]
• An issue that caused SIP reply messages from an internal SIP
  server or PBX to loop back to itself when a SIP connection was
  initiated through an inbound SIP-ALG from an external host has
  been resolved. [80740]
• The Alarm Function for WebBlocker allowed traffic now works
  correctly. [90661]
• The WebBlocker Websense categories no longer crash when you use
  the English version of Policy Manager installed on a computer
  running the French version of Windows. [86177]
• You can now correctly access the Quarantine Web UI from a
  notification email with non-UTF8 formatting from a non-English
  browser. [91271]
• The Quarantine Server Client now launches correctly when you
  connect to the localhost IP address of the Quarantine Server.
  [89950]
• Message delivery failures from the Quarantine Server no longer
  display as raw HTML. [89704, 90396]
• Legacy Office documents are no longer identified as
  application/CDFV2-corrupt content type. [87983]
Web UI
• You can see negotiated link speed information and multi-WAN
  status on the System Status > Interfaces page. [85619, 77031]
• The Web UI Front Panel now loads correctly for Fireboxes
  configured with PPPoE. [91241]
Networking
• Traffic Management and QoS can now be applied to a Bridged
  SSL VPN configuration. [88950]
• DynDNS now works correctly on an External interface configured
  as a VLAN. [87256]
• The DynDNS update process now correctly continues to try updates
  after an error message is received from the DynDNS server. [89573]
• DynDNS updates are now correctly initiated when the IP address
  of a PPPoE interface changes. [89735]
• A problem has been resolved that caused connections to the
  Firebox to fail after a reboot when a BOVPN Virtual Interface with
  spaces in its name was used for policy-based routing. [90375]
• Huawei E8372 modem failover support has been improved for
  Firebox T30/T50 appliances. [91018]
• Modem failover now works correctly with Dlink DWM-221 modems.
  [90955]
• Multi-WAN configuration settings are no longer cleared after
  renaming External interfaces in Policy Manager. [87864]
• This release resolves an issue that caused the Firebox to
  always apply DNAT to traffic from an Optional interface. [83047]
Authentication
• This release resolves a memory leak related to heavy Terminal
  Services authentication login/logout activity. [90946]
VPN
• The Mobile VPN with SSL client, when installed on Windows 7 OS,
  now remembers the default Firebox Web Server Certificate past
  the initial connection. [89873]
• A problem that caused the iked process to crash when Mobile
  VPN with IPSec is configured has been resolved. [90869]
Management Server
• Users with Device Administrator credentials can now select to
  see the passphrases configured for managed devices. [89405]
• The Phase 1 & Phase 2 Ciphers for managed Security
  Templates have been updated to use the SHA1-AES256-DH5 and
  SHA2-AES256-DH5 encryption algorithms. [86030]
Monitoring and Reporting
• Firebox System Manager Diagnostic Tasks no longer crash when you
  use the -O option for traceroute. [90932]
WatchGuard AP Devices and Gateway Wireless Controller
• In Policy Manager, you can now view the status of rogue AP device
  detection on the Gateway Wireless Controller SSID list page.
  [90369]
• You can now enable rogue access point detection for the
  Gateway Wireless Controller in the CLI. [90334]
• You can now view the device name and IP address for Gateway
  Wireless Controller wireless clients in the CLI. [88856]
• Gateway Wireless Controller discovery broadcast IP address
  titles now match in Policy Manager and Fireware Web UI. [90870]
• Validation for the Fast Handover RSSI Threshold field is
  improved. [88690]
Known Issues and Limitations
Known issues for Fireware v11.11.1 and its management applications,
including workarounds where available, can be found on the
Technical Search > Knowledge Base tab. To see known issues for a
specific release, from the Product & Version filters you can expand
the Fireware version list and select the check box for v11.11.1.
Using the CLI
The Fireware CLI (Command Line Interface) is fully supported for
v11.x releases. For information on how to start and use the CLI,
see the Command Line Reference Guide. You can download the latest
CLI guide from the documentation web site at
http://www.watchguard.com/wgrd-help/documentation/xtm.
Technical Assistance
For technical assistance, contact WatchGuard Technical Support by
telephone or log in to the WatchGuard Portal on the Web at
http://www.watchguard.com/support. When you contact Technical
Support, you must supply your registered Product Serial Number or
Partner ID.

                                 Phone Number
U.S. End Users                   877.232.3531
International End Users          +1 206.613.0456
Authorized WatchGuard Resellers  206.521.8375
http://watchguardsupport.force.com/SupportSearch#t=KB&sort=relevancy&f:@objecttype=[KBKnownIssues]
http://www.watchguard.com/wgrd-help/documentation/xtm
http://www.watchguard.com/support