What’s New in Fireware XTM v11.8
WatchGuard Training
Jan 24, 2016

What’s New in XTM 11.8
Proxies and Services
• DLP (Data Loss Prevention)
• YouTube for Schools
WatchGuard AP Enhancements
Authentication
• Indirect LDAP Query Support
• SSO with the new Exchange Monitor
• SSO Port Tester
Enhanced Support for IPv6
Updated Web UI
• FireWatch
• Front Panel
VPN
• Branch Office VPN Virtual Interface
• Management Tunnel over SSL
• SHA2 Support
• Mobile VPN with SSL VPN client password control
Other
• Multiple PPPoE sessions per interface
• Global setting to clear connections that use an SNAT action you modify.
XTM Data Loss Prevention
What is DLP?
A service that prevents costly data breaches by scanning and detecting the transfer of sensitive information over email, web, and FTP.
DLP detects information in categories such as:
• Financial Data (bank routing numbers)
• HIPAA (PHI, patient forms)
• PII (Personally Identifiable Information): drivers’ licenses, ethnicity terms, national ID/insurance, email addresses, postal addresses
DLP — How it Works
DLP scans proxied SMTP, FTP, and HTTP connections.
• HTTPS can be scanned if deep inspection is enabled in the HTTPS proxy action.
DLP uses Sophos libraries for two purposes:
• Text Extraction: extracts plain text from over 30 file formats, including PDF, HTML, Microsoft Word, Excel, Visio, and Project.
• Content Analysis: detects over 200 different patterns, known as content control rules.
DLP — How it Works
The same process handles AV scanning and DLP scanning.
• When a proxy sends a scan request, it can be for AV, DLP, or both.
• Each scan request includes a list of content control rules to use.
• AV scan result actions take precedence over DLP.
DLP — Content Control Rules
Content control rules match a pattern multiple times.
The quantity for each rule is a measure of the weighted number of matches the rule must find to identify content as a DLP violation.
• Because the DLP rules use multiple expressions to find matching text, and use weights to adjust the rule sensitivity, the quantity shown does not always correspond exactly to the number of text matches required to trigger the rule.
• To see DLP rules and quantities go to http://www.watchguard.com/SecurityPortal.
Rule Name                                                      Quantity
Postal addresses [Global]                                      100
Postal addresses [USA]                                         100
Email addresses [Global]                                       100
Ethnicity terms [UK]                                           10
Ethnicity terms [USA]                                          10
Ethnicity terms [Canada]                                       10
Social security numbers [USA]                                  10
Passport details [Global]                                      5
Telephone numbers [USA]                                        100
Credit or debit card numbers with qualifying terms [Global]    10
Credit or debit card numbers [Global]                          10
Personal health card number, Ontario [Canada]                  1
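To make the "weighted number of matches" idea concrete, here is an added example (not WatchGuard or Sophos code) of a minimal content-control rule evaluator. The rule, its expressions, their weights, and the two sample texts are all constructed for illustration; they are not the real "Telephone numbers [USA]" rule. The example shows why the quantity (10 here) does not equal the raw number of text matches: one text trips the rule with only 8 matches, another stays below the threshold with 12.

```python
# Added example (not WatchGuard/Sophos code): a minimal weighted content-control
# rule evaluator. The rule, its expressions, weights, and the sample texts are
# constructed to show why "quantity" is a weighted score and not a raw match count.
import re
from dataclasses import dataclass


@dataclass
class Expression:
    """One expression inside a content control rule and the weight of each match."""
    name: str
    pattern: re.Pattern
    weight: float


@dataclass
class ContentControlRule:
    """A rule fires when the weighted number of matches reaches its quantity."""
    name: str
    quantity: float
    expressions: list

    def score(self, text):
        """Return (raw_matches, weighted_matches) for the text."""
        raw, weighted = 0, 0.0
        for expr in self.expressions:
            hits = len(expr.pattern.findall(text))
            raw += hits
            weighted += hits * expr.weight
        return raw, weighted

    def violates(self, text):
        return self.score(text)[1] >= self.quantity


# Hypothetical rule in the spirit of "Telephone numbers [USA]" (quantity 10):
# a formatted number is strong evidence, a bare 10-digit run is weak evidence
# (it could just as well be an order number), and a qualifying word adds a little.
PHONE_RULE = ContentControlRule(
    name="Telephone numbers [hypothetical]",
    quantity=10,
    expressions=[
        Expression("formatted", re.compile(r"\(\d{3}\) \d{3}-\d{4}"), 2.0),
        Expression("bare_digits", re.compile(r"(?<!\d)\d{10}(?!\d)"), 0.5),
        Expression("qualifier", re.compile(r"\b(?:tel|phone|mobile)\b", re.I), 1.0),
    ],
)

# Constructed sample texts: four labelled phone numbers, and twelve bare 10-digit IDs.
CONTACT_LIST = "\n".join(f"Phone: ({200 + i}) 555-01{i:02d}" for i in range(4))
ORDER_IDS = " ".join(str(1000000000 + i) for i in range(12))


def evaluate(rule, text):
    raw, weighted = rule.score(text)
    return {"raw": raw, "weighted": weighted, "violation": rule.violates(text)}


if __name__ == "__main__":
    # 8 raw matches but a weighted score of 12 -> violation
    print(evaluate(PHONE_RULE, CONTACT_LIST))
    # 12 raw matches but a weighted score of 6 -> no violation
    print(evaluate(PHONE_RULE, ORDER_IDS))
```

The same mechanism explains why the slide advises against enabling unnecessary rules: every expression in every selected rule is run over the extracted text of each scanned object, so the cost grows with the number of rules as well as with the traffic volume.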
DLP – Support by Model
This table shows the signature set and text extraction available for each model.
Model                                                        Rule Set                Text Extraction
XTM 25/26, XTM 3 Series                                      Standard (140 rules)    No
XTM 5 Series                                                 Standard (140 rules)    30 file types
XTM 8 Series, XTM 1520/1525, XTM 1050/2050, XTM 2520, XTMv   Enterprise (210 rules)  30 file types
DLP — Scanning and Performance
Available DLP rule sets vary by device:
• XTM 2, XTM 3, and XTM 5 Series (Standard)
• XTMv, XTM 8 Series and higher (Enterprise)
Just as with AV, DLP scanning consumes resources.
Performance impact can vary by configuration:
• Performance varies by number and type of selected rules
• Avoid selecting unnecessary rules
DLP — Configuration Workflow
Update feature key
Enable Data Loss Prevention
Add a DLP Sensor using the wizard:
• Apply sensor to proxy policies
• Select content control rules
• Select actions to take when content is detected in email and non-email traffic.
DLP — Configuration Workflow
Edit Sensors:
• Enable/disable rules
• Configure sensor actions by source and destination
• Configure sensor settings
Set actions for items that cannot be scanned due to:
– Size exceeds scan limit
– Scan error
– File is password protected
Set the file scan limit
DLP — Built-In Sensors
DLP includes two built-in sensors:
• HIPAA Audit Sensor: detects content related to compliance with HIPAA security standards
• PCI Audit Sensor: detects content related to compliance with PCI security standards
YouTube for Schools
YouTube for Schools — Overview
YouTube Education Filter
• Schools need YouTube, but want to be able to control access to specific content
• YouTube created the filter to support EDU-only content, instead of having schools deny YouTube overall
How it works
• School administrator obtains ID from YouTube. They must log in using their school’s Google account. https://www.youtube.com/schools
• X-YouTube-Edu-Filter header added to HTTP requests (HTTPS with DPI)
YouTube for Schools — Configuration
Enable YouTube for Schools in the HTTP Proxy Action.
Type the School ID.
YouTube for Schools — Example
HTTP request
• Original request headers:
GET /feed/dK0sTdv5FonSsAOcx83YBw12947736341343 HTTP/1.1
Host: www.youtube.com
• New request headers:
GET /feed/dK0sTdv5FonSsAOcx83YBw12947736341343 HTTP/1.1
X-YouTube-Edu-Filter: P4SHoKOOZOJDQU8PRSCXtA
Host: www.youtube.com
By handling this on the XTM device, the school does not need to deal with configuration of various machines, including BYOD.
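The header rewrite above, as an added example that is not WatchGuard proxy code: a small function that takes a raw HTTP/1.1 request and inserts the X-YouTube-Edu-Filter header the way the proxy action does. The request line, Host, and School ID are the values from the slide; which hostnames count as YouTube is an assumption, and dropping any client-supplied copy of the header is this example's own choice so that the school's ID is always the one sent. Note that for HTTPS this only works when deep inspection is enabled in the HTTPS proxy action, because otherwise the proxy never sees the request headers.

```python
# Added example (not WatchGuard proxy code): what the HTTP proxy action does to a
# request when YouTube for Schools is enabled. Request line, Host and School ID are
# the values from the slide; the YouTube hostname rule is an assumption.
SCHOOL_ID = "P4SHoKOOZOJDQU8PRSCXtA"
EDU_HEADER = "X-YouTube-Edu-Filter"
YOUTUBE_DOMAIN = "youtube.com"   # assumption: youtube.com and any subdomain


def is_youtube_host(host_value):
    """True for youtube.com or any subdomain; an explicit :port is ignored."""
    host = host_value.strip().lower().split(":")[0]
    return host == YOUTUBE_DOMAIN or host.endswith("." + YOUTUBE_DOMAIN)


def add_edu_filter(raw_request, school_id=SCHOOL_ID):
    """Insert the X-YouTube-Edu-Filter header into a raw HTTP/1.1 request for
    YouTube; requests for any other host are returned unchanged."""
    head, sep, body = raw_request.partition("\r\n\r\n")
    request_line, *headers = head.split("\r\n")
    host = None
    kept = []
    for line in headers:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name == "host":
            host = value
        if name == EDU_HEADER.lower():
            continue   # drop a client-supplied copy so the school's ID is the one sent
        kept.append(line)
    if host is None or not is_youtube_host(host):
        return raw_request
    new_head = "\r\n".join([request_line, f"{EDU_HEADER}: {school_id}", *kept])
    return new_head + sep + body


# The original request from the slide (no body).
ORIGINAL = ("GET /feed/dK0sTdv5FonSsAOcx83YBw12947736341343 HTTP/1.1\r\n"
            "Host: www.youtube.com\r\n\r\n")

if __name__ == "__main__":
    print(add_edu_filter(ORIGINAL))
```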
AP Enhancements
AP Enhancements — Overview
Select radio channel (72135)
Set maximum data rate
Management VLAN tagging (71403)
“Updating” status (72628)
New firmware
AP Enhancements — Radio Settings
Preferred Channel
• Update the list of available AP channels.
• Select the preferred channel.
Rate
• Set the maximum speed at which wireless clients can send data.
AP Enhancements — Management VLAN Tagging
Enable management VLAN tagging, and select a management VLAN ID.
• After the AP device is paired, management connections use the selected VLAN.
• An unpaired AP device cannot accept management connections on the VLAN.
“Updating” Status
New AP status in the Firebox System Manager Gateway Wireless Controller tab.
• When you save an access point configuration to the XTM device, the XTM device immediately sends the update to the affected AP devices. While the update is in progress, the AP device status changes to Updating.
• The update process can take up to a minute to complete.
• During this time wireless services might be interrupted on the AP device.
AP Firmware Update
The XTM OS update includes updated firmware for WatchGuard AP devices, to enable the new AP features.
Make sure that automatic updates are enabled in the Gateway Wireless Controller settings so the XTM device updates all paired AP devices.
If you don’t want to enable automatic updates, you can manually upgrade each AP device.
• Download the AP device firmware from the Software Downloads site.
• Connect to the web UI on the AP device to upgrade the firmware.
LDAP Authentication Using Indirect Queries
LDAP — Background
LDAP Authentication using the “memberOf” group string, or other user attributes, queries the Directory Service for the user object, and identifies group membership based on this attribute of the user. This is considered a direct query.
Some LDAP services, like Novell, use other attributes of the user object to identify group membership. Others, such as OpenLDAP, do not have such an attribute at all unless you enable a “memberOf overlay”. This requires detailed knowledge of the LDAP service being used, or extending the schema.
An alternative to this is an indirect query, where the user is identified, and the entire directory is searched looking at attributes of all groups to find where the user is a member.
LDAP — How it Works
We’ve added support for indirect queries using Object Classes defined in these two RFCs:
• RFC2256 — A summary of the X.500 User Schema for use with LDAPv3 — defines Object Class “groupOfNames”. Users are identified in the “member” attribute of each group object.
• RFC2307 — An approach for using LDAP as a Network Information Service — defines Object Classes “posixGroup” and “posixAccount”. The “gidNumber” attribute identifies each group object, and the “memberUid” attribute of each group identifies the users that are members of the group.
There are no visible UI changes to add support for indirect queries in Fireware XTM v11.8.
• Triggered by the entry in the “Group String” attribute
LDAP — Using RFC2256 “groupOfNames”
Object Class “groupOfNames” is used to manage groups. Users are identified using the “member” attribute of each group object.
Configure “member” as the Group String for LDAP.
XTM performs two search queries to identify groups:
• First search — Identify the DN of this user.
• Second search — Identify all entries of groupOfNames where the “member” attribute contains the user DN.
Extract the name, “cn” attribute, of each group returned by the server.
LDAP — RFC2256 “groupOfNames” Example
Example: User “user2” belongs to a group called “market”. A “member” of groupOfNames object “market” includes the DN for user2.
LDAP — Using RFC2307 “posixGroup”
Object classes posixAccount and posixGroup are used to manage groups. Groups are identified by gidNumber and users by memberUid.
Configure “memberUid” or “gidNumber” as the group string for LDAP.
LDAP — Using RFC2307 “posixGroup”
Fireware XTM uses three search queries to retrieve group information.
• First search: Identify DN, “uid”, and “gidNumber” of the user.
• Second search: Get all entries of posixGroup from the server with the filter “memberUid=<uid>”. Extract the name, “cn” attribute, of each group returned by the server.
• Third search: Get one entry of posixGroup from the server with the filter “gidNumber=<gid_number>”. Extract the name, “cn” attribute, of the posix primary group. This third search is required because LDAP servers will not return the posix primary group, the group that matches the “gidNumber” seen for the user, in the second search.
Combine the groups from the second and third search.
LDAP — Case 3 Solution (continued, XTM Search)
Example: User “pos_group1_user1” belongs to groups “pos_group1” and “pos_group3”; its uid is “pos_group1_user1”, its gidNumber is 203.
memberUid of posixGroup “pos_group1” includes user “pos_group1_user1”.
“gidNumber” of “pos_group3” is 203.
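Both indirect-query procedures (the two-search groupOfNames lookup and the three-search posixGroup lookup), as an added example that is not Fireware code. The directory below is constructed in memory so the searches can run offline; a real deployment would send the same equality filters to the LDAP server (for example with the ldap3 library). The base DNs under dc=example,dc=com are assumptions; the user and group names are the ones from the slides. The include_primary switch reproduces what happens if the third search is skipped, which is exactly the case the slide warns about: pos_group3 is the user's primary group by gidNumber only, so a memberUid search alone never returns it.

```python
# Added example (not Fireware code): the indirect-query searches from the slides,
# run against a small constructed in-memory directory. Base DNs are assumptions.
PEOPLE = "ou=people,dc=example,dc=com"
GROUPS = "ou=groups,dc=example,dc=com"

# Constructed directory: each entry is a dict of attribute -> list of values.
DIRECTORY = [
    {"dn": f"uid=user1,{PEOPLE}", "objectClass": ["inetOrgPerson"], "uid": ["user1"]},
    {"dn": f"uid=user2,{PEOPLE}", "objectClass": ["inetOrgPerson"], "uid": ["user2"]},
    # RFC2256 groupOfNames: membership lives in the group's "member" attribute (user DNs)
    {"dn": f"cn=market,{GROUPS}", "objectClass": ["groupOfNames"], "cn": ["market"],
     "member": [f"uid=user1,{PEOPLE}", f"uid=user2,{PEOPLE}"]},
    {"dn": f"cn=sales,{GROUPS}", "objectClass": ["groupOfNames"], "cn": ["sales"],
     "member": [f"uid=user1,{PEOPLE}"]},
    # RFC2307 posixAccount/posixGroup: primary group by gidNumber, secondary by memberUid
    {"dn": f"uid=pos_group1_user1,{PEOPLE}", "objectClass": ["posixAccount"],
     "uid": ["pos_group1_user1"], "gidNumber": ["203"]},
    {"dn": f"cn=pos_group1,{GROUPS}", "objectClass": ["posixGroup"], "cn": ["pos_group1"],
     "gidNumber": ["201"], "memberUid": ["pos_group1_user1"]},
    {"dn": f"cn=pos_group2,{GROUPS}", "objectClass": ["posixGroup"], "cn": ["pos_group2"],
     "gidNumber": ["202"], "memberUid": ["someone_else"]},
    {"dn": f"cn=pos_group3,{GROUPS}", "objectClass": ["posixGroup"], "cn": ["pos_group3"],
     "gidNumber": ["203"], "memberUid": []},   # primary group only: no memberUid entries
]


def search(object_class, **attr_equals):
    """Stand-in for an LDAP subtree search with an equality filter such as
    (&(objectClass=posixGroup)(memberUid=<uid>))."""
    results = []
    for entry in DIRECTORY:
        if object_class not in entry.get("objectClass", []):
            continue
        if all(value in entry.get(attr, []) for attr, value in attr_equals.items()):
            results.append(entry)
    return results


def find_user(uid):
    """First search in both procedures: locate the user entry (DN, uid, gidNumber)."""
    for entry in DIRECTORY:
        if uid in entry.get("uid", []):
            return entry
    raise LookupError(f"no entry with uid={uid}")


def groups_via_groupofnames(uid):
    """RFC2256: groups whose 'member' attribute contains the user's DN (Group String = member)."""
    user_dn = find_user(uid)["dn"]
    return sorted(g["cn"][0] for g in search("groupOfNames", member=user_dn))


def groups_via_posixgroup(uid, include_primary=True):
    """RFC2307: secondary groups by memberUid=<uid> (second search), plus the primary
    group by gidNumber=<gid> (third search). include_primary=False shows the result
    without the third search."""
    user = find_user(uid)
    secondary = {g["cn"][0] for g in search("posixGroup", memberUid=uid)}
    primary = set()
    if include_primary:
        gid = user["gidNumber"][0]
        primary = {g["cn"][0] for g in search("posixGroup", gidNumber=gid)}
    return sorted(secondary | primary)   # combine the second and third search


if __name__ == "__main__":
    print("user2 via groupOfNames:", groups_via_groupofnames("user2"))
    print("pos_group1_user1 via posixGroup:", groups_via_posixgroup("pos_group1_user1"))
    print("...without the primary-group search:",
          groups_via_posixgroup("pos_group1_user1", include_primary=False))
```

From an access-control point of view, the practical consequence is that a policy granting pos_group3 would silently exclude this user if the primary-group search were missing, so when troubleshooting group-based policies on a posixGroup directory it is worth checking the user's gidNumber as well as the memberUid lists.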
SSO Authentication Support for Mac OS X
Enhanced SSO Support — Overview
In Fireware XTM v11.8, Single Sign-On (SSO) support has been enhanced:
• SSO now supports Mac OS X (RFE64443)
• SSO now supports iOS and Android
• The SSO Agent can now be used independently with greater accuracy
To provide SSO functionality for these new use cases, the SSO authentication solution includes two new components:
• EM (Exchange Monitor)
• SSO Client for Mac OS X
Enhanced SSO Support — Overview
Single Sign-On options, at a glance:
SSO Component        Windows   Mac OS X   iOS   Android
SSO Agent
SSO Client (both a Windows and a Mac OS X client are available)
Event Log Monitor
Exchange Monitor
Enhanced SSO Support — Exchange Monitor (EM)
EM takes advantage of the close relationship between Microsoft Exchange server and Active Directory server.
• For example: An organization uses Microsoft Exchange Server and an Active Directory domain server. Every day, the first thing each employee does is use their office equipment, including PC, laptop, iPhone, iPad and so on, to deal with email. Afterwards, they access the internet. Users cannot log in to their mailboxes until their domain accounts are authenticated by Exchange Server.
Exchange Monitor (EM)
• Does not remove or replace the functionality of existing SSO components. Instead, it extends SSO support of logon/logoff functionality to Mac OS X, iOS, Android, and Windows OS
• New component in XTM SSO software set
• Must be installed on the same server as Microsoft Exchange
Enhanced SSO Support — Exchange Monitor (EM)
What is EM?
• EM tightly integrates with Microsoft Exchange
• Works only in the environment in which Microsoft Exchange Server is deployed
• EM is similar to ELM, running as a Windows service process
• EM is responsible for: monitoring the logon/logoff action for domain accounts; notifying the SSO Agent in real time; responding to the command request (“get user”) sent by the SSO Agent.
Enhanced SSO Support — SSO Client for Mac OS X
What is the SSO Client for Mac OS X?
• Works in an environment without Microsoft Exchange Server
• Similar to the SSO Client for Windows
• Install the client software on workstations in the domain that run Mac OS X
• Supports Mac OS X 10.6+
Supports the use case in which a user logs on from a MacBook with an Active Directory domain account.
Enhanced SSO Support — Other Changes
Different SSO Contacts in UI
Different way to get groups
New Session check interval
• Applies only to Exchange Monitor and OS X/Android/iOS users
Enhanced SSO Support — Agent Contact Settings
In Fireware XTM v11.8, Agent Contacts include:
• SSO client
• Event Log Monitor
• Exchange Monitor
Enhanced SSO Support — Group Retrieval
Before XTM v11.8, ELM/SSO clients returned group information to the SSO Agent.
With XTM v11.8, ELM/EM/SSO clients return user/domain/IP address information to the SSO Agent. The SSO Agent queries the AD server to get all groups.
Compatibility
• XTM v11.8 SSO Agent works with pre-v11.8 SSO Client/ELM
• XTM v11.8 ELM/SSO Client/EM does NOT work with pre-v11.8 SSO Agent
Enhanced SSO Support — Session Check Interval
The new Session Check Interval is used for non-Windows clients only. For non-Windows clients, logoff events are detected using Microsoft Exchange internal tables.
For any active client, Exchange Monitor saves the time of last activity.
Exchange Monitor sends logoff event information for any active non-Windows client to the SSO Agent if it cannot detect any activity in the time span specified in the Session Check Interval setting.
The default Session Check Interval is 40 minutes.
Enhanced SSO Support — Session Check Interval
Why is the default Session Check Interval set to 40 minutes?
• On Mac OS X mail clients, the default setting for Check for New Messages is 30 minutes.
• Therefore, the Session Check Interval has to be more than 30 minutes.
In general, we recommend: Session Check Interval = Max(Check for Message) + 2
• Where Max(Check for Message) is the maximum value of all non-Windows devices running a mail client. 2 minutes is the amount of time that EM requires to detect changes in the IIS log.
Enhanced SSO Support — Test SSO Port
To verify that the SSO Agent can contact the Event Log Monitor and the Exchange Monitor, you can use the SSO Port Tester tool.
• In the Clientless SSO Settings, select Test SSO Port.
• In the SSO Port Tester, you can test IP addresses and ports for SSO.
IPv6 Support
IPv6 Support
XTM v11.7.4 supported:
• IPv6 addresses in packet filter policies
• MAC access control for both IPv6 and IPv4 traffic
• Inspection of IPv6 traffic received and sent by the same interface
• IPv6 addresses in blocked sites and exceptions
• Blocked ports configuration applies to IPv6 traffic
• TCP SYN checking setting applies to IPv6 traffic
XTM v11.8 adds:
• Authentication on the https://<IPv6 firebox>:4100 page is now possible
• DHCPv6 options available on interfaces that use IPv6
• IPv6 FireCluster Management addresses
• IPS and Application Control now apply to IPv6 networks
• Default Packet Handling options to block IPSec, IKE, ICMP, SYN, and UDP flood attacks now apply to IPv6 networks
IPv6 Support — Authentication
You can now authenticate to an XTM device configured with an IPv6 address (https://<IPv6 firebox>:4100)
• Example: https://[2001::254]:4100
IPv6 Support — Authentication
With Fireware XTM v11.8, users can now connect from an IPv6 address to the IPv6 address of the XTM device. But the XTM device still connects to its configured third-party authentication server by its IPv4 address.
Some authentication functions are NOT supported in this release:
• Single Sign-On
• Terminal Services
• VPN
• FQDN support for RADIUS and SecurID
• Automatic redirect of users to the authentication page
IPv6 Support — DHCPv6
Use DHCPv6 to request an IPv6 address for an external interface.
• Select Enable DHCPv6 Client.
• Enable the Rapid Commit option if you want to use a rapid two-message exchange to get an IPv6 address.
IPv6 Support — DHCPv6
Configure a DHCPv6 Server for a trusted or optional interface.
IPv6 Support — DHCPv6
When you enable IPv6 for a trusted or optional interface, you can enable the DHCPv6 server on the interface, to assign IPv6 addresses to clients that connect.
Limitations for this release:
• DHCPv6 is supported only on physical interfaces.
• DHCPv6 Server is not supported in Drop-in and Bridge mode.
• You cannot configure DHCPv6 for any external interface that uses PPPoE.
IPv6 Support — Flood Attack Prevention
Default Packet Handling flood attack prevention now applies to IPv6 traffic (ICMPv6, UDP, IKE, SYN, IPSec).
IPv6 Support — IPS and Application Control
Intrusion Prevention Service and Application Control now apply to IPv6 traffic.
IPv6 Support — FireCluster
The FireCluster now includes an option to configure an IPv6 management IP address.
• This option is available only when the FireCluster management interface has IPv6 enabled
You can use the IPv6 management address to connect directly to a cluster member for management.
IPv6 Support — FireCluster
Not Supported
• IPv6 cluster interface IP address
• Failover for features that do not support IPv6, including: Branch Office VPN, Proxy, Mobile VPN with IPSec, Mobile VPN with SSL, Mobile VPN with L2TP, Mobile VPN with PPTP, Dynamic Routing, Multi-WAN
Supported
• Active/Active
• Active/Passive
• Cluster management interface IP address
Branch Office VPN Virtual Interface
Branch Office VPN Virtual Interface Support (BOVPN VIF)
To provide more flexibility and capabilities, Fireware XTM now supports the option to configure a Branch Office VPN as a virtual interface.
Fireware XTM uses GRE (Generic Routing Encapsulation) to create the VPN virtual interface.
When you configure a BOVPN virtual interface, the BOVPN virtual interface is included in the routes table.
• You can add static routes for a BOVPN virtual interface
• The BOVPN virtual interface can participate in dynamic routing.
• The XTM device uses the routes table to determine whether to route a packet through the BOVPN virtual interface or through another interface.
Fireware XTM continues to support the existing branch office VPN functionality. You can simultaneously configure both types of branch office VPN.
BOVPN VIF helps customers meet the needs of three particular configuration scenarios, described next.
BOVPN VIF — Metric-based VPN Failover and Failback
Objective:
• For two sites that are connected with an MPLS link, enable traffic to automatically fail over and fail back to a secondary branch office VPN connection over an IP network.
Configuration Summary:
• Configure the external interfaces for the primary connection between the two sites over the MPLS network
• Configure a BOVPN virtual interface for the secondary link between the two sites.
• Add a BOVPN virtual interface static route, and set a high metric (such as 200) for the route.
How it works:
• Because the BOVPN VIF route has a high metric, the XTM device uses the MPLS route when it is available. If the MPLS link is not available, the XTM device uses the BOVPN VIF route. When the MPLS route becomes available again, the XTM device automatically fails back to that route, because it has a lower metric.
BOVPN VIF — Dynamic Routing
Objective:
• Enable two sites to dynamically exchange information about routes to multiple local networks through a VPN tunnel. This avoids the need to manually configure those routes.
Configuration Summary:
• Configure a BOVPN VIF, add local and peer IP addresses.
• In the dynamic routing configuration, use the peer IP address from the BOVPN VIF configuration, with a /32 netmask.
– OSPF example: network <peer_virtual_ip>/32 area 0.0.0.0
– BGP example: neighbor <peer_virtual_ip> remote-as 65535
• Use dynamic routing commands to configure which local networks each device propagates routes for.
How it Works:
• The dynamic routing protocol enables each gateway to automatically learn the routes to local networks propagated by the peer gateway through the BOVPN virtual interface.
BOVPN VIF — Policy-based BOVPN
Objective:
• At a site with two branch office gateways, send latency-sensitive traffic, such as VoIP, through the tunnel over the network with the lowest latency, and send all other traffic, such as FTP, through the other tunnel route.
Configuration Summary:
• Configure two BOVPN virtual interfaces between the sites. Do not add routes.
• In the SIP policy that handles VoIP traffic, enable policy-based routing to the BOVPN VIF with the lowest latency.
• For all other traffic, define routes (static or dynamic) and use the other BOVPN virtual interface.
How it Works:
• The policy determines the source and destination addresses. Although routes are not defined in the BOVPN virtual interface settings, the SIP policy uses policy-based routing to redirect traffic through the lower-latency tunnel.
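The two route-selection behaviours described in the metric-based failover scenario and the policy-based scenario above, as one added example that is not Fireware code. It models a routes table with metrics and per-interface link state, plus a policy-based override keyed on protocol and destination port (an assumption standing in for the SIP policy). Interface names (mpls, bovpn_vif0, bovpn_vif1, bovpn_vif2) and the 10.2.0.0/16 remote network are constructed; the metric of 200 is the value from the slide.

```python
# Added example (not Fireware code): a toy route-selection model for the BOVPN VIF
# failover and policy-based scenarios. Interface names, prefixes, and the
# (protocol, port) policy key are constructed for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    metric: int


class Router:
    def __init__(self):
        self.routes = []
        self.link_up = {}        # interface -> bool (unknown interfaces count as up)
        self.policy_routes = {}  # (protocol, dst_port) -> interface (policy-based routing)

    def add_route(self, prefix, interface, metric=0):
        self.routes.append(Route(ipaddress.ip_network(prefix), interface, metric))

    def set_link(self, interface, up):
        self.link_up[interface] = up

    def add_policy_route(self, protocol, dst_port, interface):
        self.policy_routes[(protocol, dst_port)] = interface

    def select_interface(self, dst_ip, protocol=None, dst_port=None):
        """Return the egress interface for a packet, or None if nothing usable matches."""
        # 1. A matching policy with policy-based routing overrides the routes table.
        pbr = self.policy_routes.get((protocol, dst_port))
        if pbr is not None and self.link_up.get(pbr, True):
            return pbr
        # 2. Otherwise: longest prefix match, then lowest metric, among usable routes.
        dst = ipaddress.ip_address(dst_ip)
        usable = [r for r in self.routes
                  if dst in r.prefix and self.link_up.get(r.interface, True)]
        if not usable:
            return None
        best = min(usable, key=lambda r: (-r.prefix.prefixlen, r.metric))
        return best.interface


def failover_router():
    """Scenario 1: MPLS route (metric 0) plus a BOVPN VIF static route with metric 200."""
    r = Router()
    r.add_route("10.2.0.0/16", "mpls", metric=0)
    r.add_route("10.2.0.0/16", "bovpn_vif0", metric=200)
    return r


def policy_router():
    """Scenario 3: two VIFs; SIP (UDP/5060) is policy-routed to the low-latency tunnel,
    everything else follows the routes table to the other tunnel."""
    r = Router()
    r.add_route("10.2.0.0/16", "bovpn_vif2")        # route for all other traffic
    r.add_policy_route("udp", 5060, "bovpn_vif1")   # SIP policy -> low-latency VIF
    return r


def failover_sequence(dst="10.2.5.7"):
    """Take the MPLS link down and back up; return the interface used at each step."""
    r = failover_router()
    steps = [r.select_interface(dst)]
    r.set_link("mpls", False)
    steps.append(r.select_interface(dst))
    r.set_link("mpls", True)
    steps.append(r.select_interface(dst))
    return steps


if __name__ == "__main__":
    print("failover/failback:", failover_sequence())   # ['mpls', 'bovpn_vif0', 'mpls']
    p = policy_router()
    print("SIP:", p.select_interface("10.2.5.7", "udp", 5060))   # bovpn_vif1
    print("FTP:", p.select_interface("10.2.5.7", "tcp", 21))     # bovpn_vif2
```

The failback in step three happens with no configuration change: the lower-metric MPLS route simply becomes usable again. Two things the model makes visible that are worth checking on a real deployment are that failover depends on the device actually marking the primary route unusable when the MPLS link fails (link-state detection), and that a policy-based route is consulted before the routes table, so a mistaken policy can steer traffic into a tunnel that has no route for the return direction.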
BOVPN VIF — Configuration
New BOVPN Virtual Interfaces option, shown here in Policy Manager:
New UI in VPN Settings:
BOVPN VIF — Add a New BOVPN Virtual Interface
Device Name is assigned by the system.
Select “Start Phase1 tunnel…” when no VPN Routes are defined and the BOVPN virtual interface is used with either Policy-Based Routing or Dynamic Routing.
BOVPN VIF — Add a New BOVPN Virtual Interface
Virtual Interface IP addresses are required when used with Dynamic Routing.
Add a static route in the VPN Routes tab of a BOVPN VIF, or select Network > Routes.
A BOVPN VIF is equivalent to one Security Association (SA).
BOVPN VIF — Add Tunnel Routes
Using VPN Routes:
• IPv4 Host or Network Routes can be added to the BOVPN.
Using Network > Routes:
• Or, you can add the route in Network > Routes.
• Route Type must be BOVPN Virtual Interface Route.
• The correct BOVPN Virtual Interface must be selected for the Route.
• Metric can be configured for multi-path routes.
Management Tunnel over SSL
Management Tunnel over SSL
Challenge
• An administrator at the corporate headquarters of a distributed organization wants to centrally manage multiple XTM devices from the corporate trusted network. They do not necessarily have control of the upstream routers and may or may not have a public IP address.
• While Fireware XTM already supported the creation of a special management tunnel for this situation using IPSec, many third-party devices allow only ports 80, 443, and 53 by default, and IPSec was not an effective solution.
Solution
• Fireware XTM v11.8 adds support for an SSL-based management tunnel so you can use either IPSec or SSL.
Management Tunnel over SSL
If you use an SSL-based management method, consider:
• General limitations of OpenSSL.
• There can be conflicts between the SSL Management Tunnel and the use of Mobile VPN with SSL. You can use both at the same time, but the XTM device must be able to differentiate between the management session and a Mobile VPN with SSL session.
• SSL builds virtual networks between devices, which means routes must be correctly configured.
Management Tunnel over SSL — Configuration
From the Management Server, configure the Management Tunnel gateway Firebox.
• The gateway Firebox must have a static external IP address.
• In the Management Tunnel Settings, set the Tunnel Type to one of:
– SSL or IPSec
– SSL Only
– IPSec Only
• For an SSL tunnel, you must configure the SSL Server IP Address/Name.
Management Tunnel over SSL — Configuration
From the Management Server, configure the remote XTM devices.
• Each remote XTM device must have a dynamic external IP address.
• In the Management Tunnel Settings, set the Tunnel Type to SSL.
• For an SSL tunnel, you must also specify these authentication settings:
– SSL Tunnel ID: the Device Name of the hub device
– SSL Tunnel Password
• The Management Server also updates these authentication settings on the gateway Firebox.
Management Tunnel over SSL
First, the SSL client device contacts the SSL server on port 443. After the tunnel is established, the remote client can successfully contact the Management Server.
• The new interface for this tunnel, now available on the SSL client firewall, is called tun_mgmt_0.
• The Source IP will be the assigned virtual IP address.
Management Tunnel over SSL
Authentication process:
• For SSL server:
1. A new local user group SSLVPN-Mgmt-Clients is created to ensure the remote SSL users using Mobile VPN client software do not overlap with the centralized management session.
2. In the SSL management tunnel, the Tunnel ID is the equivalent of the mobile VPN client username.
3. You cannot have the same username in both the SSLVPN-Mgmt-Clients group and in the SSLVPN-Users group.
• For SSL client: You only need to specify the Tunnel ID, SSL password, and the management encryption and certificate details.
SHA2 Support
SHA2 Support
Fireware XTM v11.8 adds support for SHA2 for branch office VPN, Mobile VPN with IPSec, and Mobile VPN with L2TP.
SHA2 is stronger than either SHA1 or MD5. Fireware XTM supports three variants of SHA2.
• SHA2-256 — produces a 256 bit (32 byte) message digest.
• SHA2-384 — produces a 384 bit (48 byte) message digest.
• SHA2-512 — produces a 512 bit (64 byte) message digest.
SHA2 is supported only on XTM devices with hardware cryptographic acceleration for SHA2.
• SHA2 is not supported on XTM 21, 22, 23, 5 Series, 810, 820, 830, 1050, and 2050 devices.
• SHA2 appears as an option in the configuration only if it is supported on the hardware.
SHA2 Support
SHA2 is supported for:
• Branch Office VPN
• Mobile VPN with IPSec
• Mobile VPN with L2TP
For Mobile VPN with IPSec, SHA2 is supported for VPN connections from:
• Shrew Soft VPN client v2.2.1 or higher
• WatchGuard IPSec Mobile VPN client v11.32 or higher.
• SHA2 is not supported for VPN connections from Android or iOS devices, and is not supported by older versions of the Shrew Soft or WatchGuard IPSec VPN clients.
Mobile VPN with SSL Password Control
Mobile VPN with SSL Password Control
A new check box in the Mobile VPN with SSL configuration controls whether the Mobile VPN with SSL client remembers the password.
The Remember connection details option is removed from the client.
• The client always remembers the Server and Username.
• The client remembers the Password only if you allow it in the Mobile VPN with SSL configuration.
Updated Web UI
Updated Web UI
No longer dependent on Adobe Flash Player. Adobe Flex is replaced by HTML and JavaScript.
Mobile Ready — Responsive web interface is designed to provide an optimal viewing experience for users on all types of devices such as desktop browsers, tablets and smart phones.
Improved Monitoring Capability — Dashboard and System Status sections now offer functionality similar to Firebox System Manager.
Web UI — Responsive Design
The new Web UI is responsive to the size of the viewport it is being displayed in.
The layout of the user interface changes depending on the size of the browser window.
The lowest resolution is 320x768 in either portrait or landscape mode.
When a viewport drops below a width of 768 pixels (the width of a landscape phone or portrait mode on a tablet), the left navigation menu moves to the top to provide space on the screen for the rest of the content.
Web UI — Responsive Design (continued)
The form elements in pages respond to the width of the viewport.
Example page on a desktop viewport; equivalent page on a smaller viewport.
Web UI — Session Expiration
If your login session expires (usually because the session timeout setting is triggered), you are immediately notified by an alert at the top of the screen.
This alert includes a login link to redirect you to the login page. After successful login, the browser displays the page you were on before session expiration.
Web UI — Success Message and Redirection
During configuration changes, a successful save displays a success message at the top of the current parent page.
Web UI — Firewall Policies
Actions
• You can now clone actions directly from a policy.
• You can edit a non-default action or apply existing actions within the policy.
Web UI — Firewall Policies (continued)
Actions can now be created within the policy for:
• Application Control
• Schedule
• Traffic Management
• Proxy
Web UI — System Status
Many System Status features have moved into the Dashboards. The table shows where features from the previous Web UI have moved to in the new Web UI.
Web UI — System Status Copy
Copy buttons have been removed from the UI. You can now select and copy text in the browser just as you would on any other web page.
Web UI — Refresh Buttons and Timers
The Refresh button and timer controls have been removed from the System Status pages.
Pages with information that needs to be actively refreshed are all in the Dashboard section.
The Dashboard pages all refresh every 30 seconds automatically, with the exception of the Traffic Monitor, which refreshes every 5 seconds.
Web UI — Traffic Monitor
Refreshes every 5 seconds
Web UI — FireWatch
FireWatch is a real-time, interactive report tool that groups, aggregates, and filters statistics about the traffic through your XTM device in an easy-to-understand form.
FireWatch includes options to pivot, refine, and filter information about your firewall traffic.
Web UI — FireWatch
Some of the information you can see at a glance includes:
• Top Users
• Top Domains
• Application Usage
• Bandwidth Usage
• Firewall Traffic
• Security Service Activity
• Device State
Secondary PPPoE Interfaces
Secondary PPPoE Interfaces
Secondary PPPoE interfaces enable a single external interface to support multiple simultaneous PPPoE connections.
• Enable PPPoE on an external interface.
• Add up to 25 secondary PPPoE interfaces.
• Associate each secondary with a primary external interface that has PPPoE enabled.
Global Setting to Clear Active Connections
By default, the XTM device does not clear active connections when you modify a static NAT action.
You can change the global SNAT setting so that the XTM device clears active connections that use an SNAT action you modify.
Thank You!