What’s New in Fireware XTM v11.4 - PowerPoint PPT Presentation

What’s New in Fireware XTM v11.4

• New! Application Control
• Intrusion Prevention System enhancements
• Authentication enhancements
• Support for multiple Active Directory domains
• Unique identification of each client session on Terminal Server / Citrix server
• Support for LDAP over SSL (LDAPS)
• Support for IEEE 802.1X (Extensible Authentication Protocol)
• Improved interaction between Manual Authentication and SSO
• Centralized Management enhancements
• New SNAT actions

WatchGuard Training

• Wireless Security enhancements (rogue access point detection)
• Wireless network bridge enhancements
• Logging and Log Server enhancements
• Reporting and Report Server enhancements
• Support for A/P FireCluster in Drop-in mode
• New Global TCP timeout setting
• Diagnostics and Health Monitoring with USB Diagnostics
• Improved Support for proxy configuration in the Web UI
• Enhancements to Quick Setup Wizard

WatchGuard Training

• Fireware XTM v11.4 is compatible with all XTM device models
• XTM 2 Series
• XTM 5 Series
• XTM 8 Series
• XTM 1050
• Fireware XTM v11.4 is not compatible with Firebox X e-Series device models

WatchGuard Training

• Overall Design
• You can now allow or deny access to hundreds of applications
• Social Network Apps, IM/P2P, Games, Streaming Media, Business Apps, etc.
• Application Control is an action applied to firewall policies
• All firewall policy types are supported
• Packet Filters and Proxy policies, Mobile VPN, and Branch Office VPN
• Hierarchical relationship of categories, applications, behaviors
• Category
• Application
• Behavior
• Design Controls
• Application identification takes a maximum of 7 packets
• Policy-based NAT executes on first packet
• Policy-based routing executes on first packet

WatchGuard Training

• Use cases by application/behavior
• By application — Block Skype for all
• By application behavior — Block MSN file transfer for all
• Use cases by IP address/user/group
• User or group — Block P2P for Marketing
• Host or network — Block BitTorrent for 10.0.0.0/24
• Combinations of IP address/user/group and applications/behaviors
• Use policy schedules to allow different applications at different times
• All standard policy features are available: Scheduling, QoS, Traffic Management, NAT, etc.

WatchGuard Training

• Automated updates
• Two signature sets: XTM2 and XTM5/8/10
• More applications are available for XTM 5/8/10 Series than for XTM 2 Series
• One file is downloaded for both Application Control and IPS
• Metadata is extracted from the file when downloaded
• Signatures are abstracted for Application Control
• Applications are mapped to signatures
• Mapping is not 1-1
• Example:Application Skype is mapped to four underlying signatures:
• CHAT Skype login on TCP -1
• CHAT Skype login on TCP -3
• CHAT Skype login on TCP -2
• CHAT Skype login on SSL -1
• Management software shows the abstraction:
• Skype

WatchGuard Training

• Seven possible behaviors:
• Authority — Login
• Access — Known command to access server or peer
• Communicate — Communication with server or peer (chat)
• Connect — Unknown command (P2P connect to peer)
• Game — Games
• Media — Audio and Video
• Transfer — File Transfer
• Not all applications exhibit all behaviors

WatchGuard Training

• You can now block traffic flows based on the application in use
• Signature-based; ability to identify hundreds of applications
• Application Control is a Subscription Service
• Specify Application Control actions per policy

WatchGuard Training

• Use the Subscription Services menu in Policy Manager to add and edit Application Control actions, and configure signature update settings
• Configure the Global Application Control action to use in policies, or create new Application Control actions

Signature update settings

WatchGuard Training

• Add a new action
• Select the applications to control
• Select Allow or Drop for each application you select
• Drop — Blocks applications
• Allow — Allows applications

WatchGuard Training

• Use the Search text box to quickly find an application by name
• Select a Category to see the applications in that category

WatchGuard Training

• The Application Control action specifies what to do when an application does not match the configured applications:
• Use the Global action
• Allow the connection
• Drop the connection

WatchGuard Training

• When a traffic flow does not match another Application Control action, you can use the Global action as a fall-through
• By default the Global action has no applications to identify
• You can edit the Global action to add applications to identify
• Global action has its own fall-through
• Allow the connection
• Drop the connection
• Or, apply the Global action to any of your policies

WatchGuard Training

• New Enable Application Control drop-down list and action selector on the Policy tab
• IPS and Proxy Actions also moved to Policy tab
• Lets you configure Application Control policy-by-policy
• Not necessary to use proxies for this

WatchGuard Training

• Application Control web page:
• http://www.watchguard.com/SecurityPortal/AppDB.aspx
• Read descriptions of all Applications and Behaviors
• Applications
• Behaviors
• Explanation

WatchGuard Training

WatchGuard Training

WatchGuard Training

Start

Traffic goes through a policy that has Application Control enabled

Did the inspection engine identify an application listed in the user-defined action?

Is this a user-defined Application Control action or the Global action?

User-defined action

No: “Application not matched” rule is “Use Global”

Global action

No: “Application not matched” rule is Allow/Drop

Did the inspection engine identify an application listed in the Global action?

Yes

No

Yes

Is the “Application not matched” rule set to Allowor Drop?

Drop connection

Is the rule for this application Allow or Drop?

Drop

Drop

Allow

Allow connection

Allow

WatchGuard Training

• Traffic logs contain application identification information
• Enable logging in the policy to monitor application usage
• The XTM device always identifies and logs denied traffic due to an Application Control action
• Information about applications that are not blocked is sent to the log file only if logging is enabled in the policy that has Application Control enabled
• Only one FWAllow or FWDeny message per connection
• Application and category are added to traffic log

Sample log message:

Application identified app_name="Facebook Web IM" app_cat_name="Web IM" app_id="15" app_cat_id="15" app_beh_id="2" app_beh_name="communicate"

WatchGuard Training

• Application Control
• Application Usage Summary
• Blocked Application Summary
• Client Reports
• Top Clients by Application Usage
• Top Clients by Blocked Applications
• Top Clients by Blocked Categories

WatchGuard Training

• Application Usage

WatchGuard Training

• Blocked Applications

WatchGuard Training

• Top Clients

WatchGuard Training

• Application Blocker, as it is known in Fireware XTM v11.3.x and previous versions, is not available after you upgrade to v11.4
• New Application Control is a Subscription Service
• Comes with UTM Bundle but can be purchased separately
• If a customer does not purchase Application Control, Application Control is not available (and Application Blocker is not available in v11.4)
• Customers must synchronize feature keys
• If the customer has the UTM Bundle, the new feature key includes Application Control

WatchGuard Training

• Intrusion Prevention is now a global setting
• Actions for different threat levels are set globally
• Applies equally to any policy that has IPS enabled
• You can enable IPS per-policy
• No longer configured only in Proxy Actions
• Apply Intrusion Prevention to packet filter or proxy policies
• Simpler configuration
• Only five threat levels instead of 100

WatchGuard Training

• Configure in Policy Manager:Subscription Services > Intrusion Prevention
• Actions to take:
• Allow — Allows the connection
• Drop — Denies the specific request and drops the connection. Does not send a response to the sender. The XTM device sends only a TCP reset packet to the client.
• Block — Denies the request.Drops the connectionAdds the site to the auto-blocked list for the configured duration.

WatchGuard Training

• Intrusion Prevention dialog box Policies tab:
• Lists all firewall policies and whether IPS is disabled for each one
• Lets you enable IPS per policy
• Policy Propertiesdialog box, enable IPS for asingle policy on the Policy tab

WatchGuard Training

• If IPS is not enabled in the pre-v11.4 configuration file, Global IPS is not enabled in the converted v11.4 configuration file
• If IPS is enabled in a policy in the pre-v11.4 configuration file, Global IPS is enabled in the v11.4 configuration file
• If a proxy policy from the pre-v11.4 configuration file has IPS enabled, that policy will have IPS enabled in the converted configuration file
• All other policies have IPS disabled in the v11.4 configuration file
• Threat levels set to default
• Allow for Information (lowest threat) level (do not log)
• Drop for all higher threat levels (and log)
• IPS signature exceptions are removed

WatchGuard Training

• IPS web page: http://www.watchguard.com/SecurityPortal/ThreatDB.aspx
• Read descriptions of all IPS signatures
• Hyperlinks to reference sources (where available)
• mitre.org CVE web page
• NIST web page
• Securityfocus.com (Bugtraq) web page
• Secunia Advisory page
• Snort page

WatchGuard Training

WatchGuard Training

WatchGuard Training

• Fireware XTM Web UI also has information on signatures
• Subscription Services > IPS > Signatures tab:Double-click a signature to get information

WatchGuard Training

WatchGuard Training

• To go to the SecurityPortal web site, right-click an entry in Traffic Monitor that indicates an IPS signature was triggered

WatchGuard Training

• You can now specify multiple Active Directory domains
• Filter your policies by user or group specific to each domain
• Specify the domain to use for Mobile VPN authentication
• Click Add to add an Active Directory domain

WatchGuard Training

• Specify the DNS name or IP address for the authentication server
• Specify the port
• Specify whether to use LDAPS

WatchGuard Training

• Select the authentication server when you add the user or group

WatchGuard Training

• Select the domain to use when you authenticate to the authentication portal over port 4100

WatchGuard Training

• Conversion looks at the Search Base of the existing Active Directory settings
• Converted configuration has an Active Directory object named for the dc= portions of the Search Base
• Example:
• Search Base for Active Directory in pre-v11.4 configuration is:ou=corporate users and groups,dc=toronto,dc=company,dc=net
• Active Directory domain in v11.4 is named toronto.company.net

WatchGuard Training

• Standard LDAPS port is 636
• For Active Directory Global Catalog queries, SSL port is 3269
• Validate the server certificate to prevent man-in-the-middle attacks

WatchGuard Training

• Validate the server certificate to prevent man-in-the-middle attacks
• To validate the server certificate:
• Import the CA certificate from the CA that issued the AD/LDAP server’s SSL certificate
• Use FSM to import the CA certificate
• Use purpose IPSec, Web Server, Other
• When you add the AD or LDAP server to Policy Manager, make sure to indicate the address (IP address or DNS name) correctly to match the server’s certificate
• To validate the certificate, Fireware XTM checks if the configured server address (IP address or DNS name) matches one of these items in the server’s certificate:
• Common Name in Subject field
• DNS Name in Subject Alternative Name field
• IP Address in Subject Alternative Name field
• If no match, then certificate validation fails

WatchGuard Training

• Requires a new SSO Agent install
• After the new SSO Agent is installed, use the new SSO Configuration Tool to add Active Directory servers for the agent to query
• SSO Configuration Tool executable is installed by default in this directory: \Program Files\WatchGuard\WatchGuard Authentication Gateway
• SSO Configuration Tool enables the SSO admin to add users to perform SSO functions
• In a multi-domain SSO environment, you must install the SSO Client software on all client computers that can use SSO
• In single-domain SSO, SSO Client software is still optional
• SSO Client software is highly recommended in single-domain environments for accuracy of SSO information

WatchGuard Training

• Two default accounts:
• admin / readwrite
• status / readonly
• Configuration tools

WatchGuard Training

• Edit > Add Domain
• Instant error-checking
• You cannot add the domain if the information is wrong

WatchGuard Training

• You can add users with read-only or read-write privileges
• There is only one admin user
• Root Admin user can add/edit users and give a user the permission to add or remove domain information

WatchGuard Training

• In versions prior to 11.4, when SSO was enabled, and you went to the authentication portal on port 4100, the message You have been successfully authenticated appeared immediately.
• This happened whether or not you were already authenticated by SSO.
• To manually authenticate, users first had to log off the authentication portal
• These scenarios did not work well with SSO enabled:
• Guest computer that cannot use SSO (for example, a Windows computer that does not belong to the domain)
• Computer is a Mac or runs Linux and cannot use SSO
• SSO authenticated user wants to raise permissions by manually authenticating

WatchGuard Training

• New in v11.4:
• Users no longer see the message You have been successfully authenticated, when they go to the manual authentication portal on port 4100 and SSO is enabled
• Works as users expect in v11.4
• Manual authentication (port 4100) takes precedence over SSO
• If user is already authenticated with SSO, the user can go to the manual authentication portal and authenticate as a different user

WatchGuard Training

• Lets you ensure that users connect to legitimate, authorized wireless networks
• Instead of credential-stealing imposter access points
• The Enterprise part of WPA-Enterprise and WPA2-Enterprise
• Support for XTM 2 Series wireless device as:
• 802.1X Authenticator
• Authentication Server
• Supported on Access Point 1 (AP1), AP2, and Guest Wireless AP

WatchGuard Training

• 802.1X has three main components:
• Supplicant
• The endpoint that wants access to the LAN
• More precisely, the software on the endpoint computer that handles the authentication attempt
• Authenticator
• The gatekeeper that allows or denies layer 2 access to the LAN
• Typically a wireless access point — XTM 2 Series wireless device
• Also can be an Ethernet switch (possible wired support post-v11.4)
• Authentication Server
• The server that validates the endpoint’s credentials
• Typically a RADIUS server
• Alternatively, you can use the XTM 2 Series device as the Authentication Server instead of a RADIUS server

WatchGuard Training

• Authentication Server can be the XTM device or a RADIUS server
• XTM device is always the Authenticator when you enable 802.1X on an access point
• When XTM device is the Authentication Server, these EAP (Extensible Authentication Protocol) methods are supported:
• EAP-TLS
• EAP-PEAP
• EAP-TTLS
• When RADIUS is the Authentication Server, any EAP method is supported
• XTM device is only the Authenticator in this case
• It only passes:
• EAP messages between itself and the end user (EAP Over LAN or EAPOL)
• RADIUS messages between itself and the Authentication Server

WatchGuard Training

• EAP (Extensible Authentication Protocol) is an IETF standard framework for building authentication methods (EAP methods)
• EAP for wireless networks allows secure exchange of unique Pairwise Master Keys for each wireless client
• More secure than static pre-shared keys or passphrases
• There are many different EAP methods: EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-PSK, EAP-IKEv2, EAP-FAST, etc.
• IEEE 802.1X is built on EAP
• It is a standard for passing EAP messages over a LAN
• EAP messages are encapsulated in layer 2 frames
• EAP over LAN (or EAPOL) messages can use 802.11 (wireless) or 802.3 (Ethernet) or FDDI (fiber) frames
• Operates at Layer 2 of OSI model (link layer)
• Port-based network access control lets you require user authentication before wireless client is allowed on the WLAN network
• Port means an abstract connection point between the LAN and a computer

WatchGuard Training

• Four main steps in 802.1X protocol operation:
• Initialization
• Authenticator detects a new Supplicant
• Authenticator enables a port (abstracted connection point)
• Port is set to Unauthorized state
• Only 802.1X traffic is allowed
• Any other traffic (such as DHCP or HTTP) is disallowed
• Initiation
• Authenticator sends EAP-Request Identity frames to Supplicant, to a special layer 2 address that the Supplicant listens on
• Supplicant responds with EAP-Response Identity frame that includes some identifying information (User ID or certificate)
• Authenticator encapsulates Response Identity in a RADIUS Access-Request message
• Authenticator forwards a RADIUS message to Authentication Server

WatchGuard Training

• Negotiation
• Authentication Server sends RADIUS Access-Challenge message to Authenticator
• Access-Challenge message includes EAP Request message, indicating an EAP Method for the Supplicant to use
• Authenticator encapsulates EAP Request message in an EAPOL frame and sends to the Supplicant
• The Supplicant can start the requested EAP Method
• Or, the Supplicant can reply with NAK and respond with EAP Methods it supports
• The Supplicant and the Authentication Server must agree on the EAP Method or EAP fails
• Authentication
• The Authenticator translates the EAP Requests and Responses and relays them between the Supplicant and the Authentication Server
• Successful authentication is indicated by a RADIUS Access-Accept message
• The port is set to Authorized and normal traffic is allowed
• Unsuccessful authentication is indicated by a RADIUS Access-Deny message
• The port remains in the Unauthorized state

WatchGuard Training

• EAP-TLS (Transport Layer Security)
• The original EAP standard, very secure
• Native support on all platforms
• The only method that requires both client certificates and certificate for Authenticator (XTM device)
• Users authenticated to network and network authenticated to users with digital certificates
• Not often deployed because of client certificate requirement
• Must use third-party certificates when an XTM device is the Authentication Server
• Import certificates with FSM:
• CA certificate from CA that issued Authentication Server certificate
• CA certificate from CA that issued client certificates (likely the same CA certificate as above)
• Authentication Server certificate

WatchGuard Training

• EAP-PEAP (Protected EAP)
• Requires certificate only for the Authentication Server (XTM device)
• Can use default certificate signed by the XTM device
• Client certificates optional
• Verification of the Authentication Server’s certificate by the Supplicant is optional but highly recommended
• Without verification, it is easy to introduce a fake access point to capture MS-CHAPv2 handshakes
• EAP-PEAP with MS-CHAPv2 as the inner EAP method is the second most widely supported EAP method (after EAP-TLS)
• Built-in support on Windows XP and later, and most recent Apple and Cisco releases
• A TLS tunnel is set up between Supplicant and Authenticator to securely pass the inner authentication EAP method
• Only MS-CHAPv2 is supported in the v11.4 release, but specification allows other legacy protocols such as MS-CHAPv1, CHAP, and PAP

WatchGuard Training

• EAP-TTLS (Tunneled TLS)
• Requires certificate only for Authentication Server (XTM device)
• Can use default certificate signed by XTM device
• Client certificates optional
• Verification of the Authentication Server’s certificate by the Supplicant is optional but highly recommended
• Without verification, it is easy to introduce a fake access point to capture MS-CHAPv2 handshakes
• EAP-TTLS has wide support across many platforms, but no native support on Windows
• Requires add-on supplicant software, such as Intel ProSet Wireless, SecureW2, etc.
• A TLS tunnel is set up between the Supplicant and the Authenticator to securely pass an inner authentication EAP method
• Only MS-CHAPv2 is supported in v11.4 release, but the specification allows other legacy protocols such as MS-CHAPv1, CHAP, and PAP

WatchGuard Training

• Select WPA Enterprise, WPA2 Enterprise, or WPA/WPA2 Enterprise
• Select Firebox-DB or RADIUS
• If you select RADIUS, all other EAP options are not available – negotiated between Supplicant and RADIUS server
• Select EAP-TLS, EAP-PEAP, or EAP-TTLS
• Only MSCHAP-v2 is supported for inner EAP method with PEAP and TTLS
• Select certificate to use for Authenticator

WatchGuard Training

• Two new certificates are generated on 2 Series Wireless devices:
• One for the Authentication Server function
• One CA — Import the CA certificate to client computers to verify the server certificate

WatchGuard Training

• Terminal Services Agent software installed on your Terminal Server or Citrix server
• Monitors traffic flows from Terminal Server or Citrix server clients
• Agent software consists of:
• TO Agent
• Receives the session ID from the XTM device after a user authenticates to the XTM device
• Reports to the XTM device which client a traffic flow belongs to
• TO Driver
• Connects to Windows Sockets to monitor which Terminal Server /Citrix server client generates each traffic flow
• TO Set Tool
• Gives the TO Agent the IP address of the XTM device
• Specifies for the TO Agent which traffic destinations to not monitor (reduces overhead for traffic you know will not go through an Ethernet interface on the XTM device)
• TO stands for Traffic Owner

WatchGuard Training

• You must install the TO Agent software on your Terminal Server or Citrix server
• TO Agent identifies which traffic flow belongs to each user
• Users must authenticate to the XTM device after they log in to the Terminal Server/Citrix server
• Users authenticate to https://<xtm.device.ip.address>:4100
• Specify the IP addresses of the Terminal Servers/Citrix servers in Policy Manager
• Setup > Authentication > Authentication Settings > Terminal Services tab
• Support for up to 32 Terminal Servers
• TCP ports 8118 and 9898 must be open from the XTM device to the Terminal Server/Citrix server
• Ports 8118, 9898, 8337, and 12345 must be allowed through the Windows Firewall (or other local firewall) on the Terminal Server/Citrix server

WatchGuard Training

• Install WatchGuard software on your Terminal Server or Citrix server
• TO_Agent.exe
• Configure settings on the Terminal Server or Citrix server
• TO Set Tool
• Configure settings on the XTM device
• Specify the IP addresses of Terminal Server/Citrix server computers in Policy Manager
• Maximum 32 Terminal Servers/Citrix servers
• Make sure the correct ports are open between the XTM device and Terminal Server or Citrix server
• Force Terminal Server or Citrix server client users to authenticate to the XTM device
• https://<xtm.device.ip.address>:4100

WatchGuard Training

• Simple installer with no installation options
• Install as a user with admin rights
• Installation requires a reboot of your Terminal Server/Citrix server
• Installs the Set Tool application
• Also installs the TO Driver
• TO Driver uses Windows Sockets (WinSock) to connect to traffic flows generated by clients
• No UI for driver

WatchGuard Training

• Configure the Terminal Server/Citrix server settings with the TO Set Tool
• Specify the IP address of your XTM device
• Specify the destination of traffic that the TO Agent can ignore
• Reduces the workload of the TO Agent for traffic that does not go through the XTM device

WatchGuard Training

• Configure settings on the XTM device
• Specify the IP addresses of Terminal Server/Citrix server computers in Policy Manager
• Maximum of 32Terminal Servers/Citrix servers

WatchGuard Training

• XTM Device connects to the TO Agent over these ports:
• TCP port 8118
• This port is used to transfer NOTIFY and QUERY messages
• Must be open from the XTM device to the Terminal Server/Citrix server
• TCP port 9898
• This port is used to transfer information about manual authentication and authentication logoff events
• Must be open from the XTM device to the Terminal Server/Citrix server
• TCP port 8337
• TO Driver sends traffic owner information to TO Agent over this port
• Does not need to be open between XTM device and Terminal Server/Citrix server, but cannot be blocked by Windows Firewall or another local firewall
• TCP port 12345
• TO Set Tool connects to TO Agent over this port to communicate settings information
• Does not need to be open between XTM device and Terminal Server/Citrix server, but cannot be blocked by Windows Firewall or other local firewall

WatchGuard Training

• Enable auto-redirect to force users to authenticate
• Make sure there is no firewall policy that allows outgoing traffic from the IP address of the Terminal Server/Citrix server
• Any-Trusted and Any-Optional should not be include in the Firewall Policies From list
• No other alias that includes the IP address of the Terminal Server/Citrix server in the From list
• Firewall policy that allows outgoing traffic from Terminal Server/Citrix server client users must include their user or group names in the From list
• Traffic is allowed from the user only after the user authenticates
• Enable the Auto redirect user to authentication page for authentication setting
• Policy Manager > Setup > Authentication > Authentication Settings

WatchGuard Training

• Management Server now supports configuration history/rollback for fully managed devices and templates
• Devices are no longer “subscribed” to templates
• Template “subscription” concept replaced by single template application action
• New 11.4 Template on Management Server
• Administrators can control how template settings are applied to a device configuration file
• Support for SNAT added to template configuration
• Template history displayed similarly to configuration history
• SNAT configuration added to template policies

WatchGuard Training

• Devices managed by a Management Server in Fully Managed Mode can roll back to previous configurations
• Configure the rollback settings on the new Management Server Configuration History tab
• Specify the maximum number of saved revisions or maximum amount of disk space to use

WatchGuard Training

• From the Configuration History tab:
• View — Review the previous configuration in Policy Manager
• Revert — Roll back the device to the selected configuration file and move that configuration file to the top of the Revision History list as the most recent revision

WatchGuard Training

• Managed VPN attributes are stored on the Management Server, not in the individual device configuration files in the Configuration History
• If a device is reverted to a previous configuration, the managed tunnel settings are removed and then updated on the reverted configuration after it is applied to the device

WatchGuard Training

• Templates are updated in v11.4 to support changes to Application Blocking and IPS behavior, and to support new features
• When the Management Server is upgraded to v11.4, devices subscribed to a template have the subscription link removed, because the subscription feature is removed from v11.4
• When a device configuration file is upgraded to v11.4, the v11.4 Policy Manager allows policies in a managed device configuration file for a device subscribed to a v11.3 template to be named locally with the “T_” prefix
• You can now apply templates to devices with manually ordered policies
• You can configure Inheritance Settings, which determine whether or not template properties override local configuration settings
• You can now add a policy to a template that defines an incoming connection
• The new object to allow this is an SNAT action (Static NAT)

WatchGuard Training

• Removing the subscription concept means that more properties can be configured within the template, such as spamBlocker settings
• Instead of subscribing to a template, a one time application of the template to selected devices is used in v11.4
• Templates must be applied to devices with compatible versions of Fireware XTM
• You can apply templates to a single device, or multiple devices in a folder, using drag-and-drop
• The first time you apply a template to multiple devices, you select a check box for each device
• After the first application of the template, the next time you apply it, you can see which devices you applied this template to the last time
• Saves the work of selecting the check boxes again

WatchGuard Training

Inheritance settings

Revision history

List of templates

Most recent application of this template

WatchGuard Training

• You select which properties in the template can be inherited from the template and which cannot be inherited
• In Policy Manager for the Device Configuration Template, select View > Inheritance Settings

Template status bar indicates version

WatchGuard Training

• If you do not select Allow Override for an object in the template, and the device configuration file includes an object with the same name, the template object replaces the object in the device configuration file when the template is applied
• If an object with the same name does not exist in the device configuration file, the object in the template is added to the device configuration file when the template is applied to the device

WatchGuard Training

• You can now add a policy to a template that defines an incoming connection
• SNAT (Static NAT) in v11.4 is configured in a new Policy Manager menu: Setup > Actions > SNAT
• You can use SNAT actions in policies in your template

WatchGuard Training

• External IP Address in the Static NAT must be Any-External
• This applies correctly to all managed devices, regardless of the IP address actually assigned to the device’s external interface
• Internal IP Addressin theStatic NAT should be a place-holder IP address
• No IP address can be correct for all environments
• After you apply the template to a device, edit the device’s configuration and change the Internal IP Address in the SNAT action to be the IP address of that device’s internal host

WatchGuard Training

• See the revision history of each template

WatchGuard Training

• See when a template was applied, and to which devices

WatchGuard Training

• Static NAT is now an action you apply to a policy
• Applies to stand-alone (not managed) devices as well as to templates for managed devices
• Lets you reuse an SNAT object in policies
• Only one SNAT action per policy
• One SNAT action can contain multiple Static NAT mappings

WatchGuard Training

• Multiple Static NAT members in a policy become one SNAT Action with multiple mappings

WatchGuard Training

• All members of the SNAT Action must be of the same type:
• Static NAT
• Server Load Balancing

WatchGuard Training

• Feature specific for Payment Card Industry (PCI) — Branch Office Compliance
• Ability to detect Rogue Access Points within the operational area
• Select the checkbox at the bottom of the Wireless Configuration dialog box in Policy Manager

WatchGuard Training

• Manually add Trusted Access Points to the device.
• Can be configured to send notification when a rogue access point is detected.

WatchGuard Training

• XTM 2 Series device can be configured exclusively for rogue Access Point scanning
• Always scan is usually selected
• Can be configured to complete scheduled scanning when the device is also used either as a Wireless Client on External or as an Access Point

WatchGuard Training

• Impacts network traffic
• Connections still get through but access is slower
• Sends an alarm log message when a rogue access point is discovered

WatchGuard Training

• Device used as an access point cannot run a continuous scan
• Connections to the access point are interrupted when the radio is used for scanning
• Sends an alarm and log message when a rogue access point is discovered

WatchGuard Training

• Use Firebox System Manager (FSM) to run an on-demand scan for rogue access points
• Click Scan Now to start a scan
• Requires the administrator passphrase to run a scan
• Can run an on-demand scan even if the device is not enabled to scan rogue access points

WatchGuard Training

• Option on the Summary Log to choose whether to send a log message and/or an alert message for rogue access point (AP) detection activities, which include:
• Scan initiated
• Scan completed
• Rogue APs found
• No rogue APs found
• Trusted APs found
• No trusted APs found
• Detailed log messages and alerts for each rogue and trusted access point found
• Log messages are available in real-time in FSM

WatchGuard Training

• A new WatchGuard Report includes data about when scans are initiated/completed and shows results of the scans
• This is very important for PCI-DSS compliance.
• Notification sends an email and/or SNMP trap when a scan results in a Rogue AP Found

WatchGuard Training

WatchGuard Training

• In v11.4, you can enable a wireless bridge to a set of bridged physical interfaces

WatchGuard Training

• Increased performance and scalability
• Improved log insertion performance with bulk copy
• Much faster insertion of log messages
• Log messages from devices are inserted in bulk, or several at a time
• Free-string search in LogViewer only searches the message field in a log message
• Eliminates the RAW table, which reduces the size of the Log Server database
• Log messages from devices are inserted one at a time
• Contains the majority of the XML log message as a string in one column
• Traditionally used to provide LogViewer with a combined view of all logs over a given time range
• Consumes the same amount of disk space as the log-type specific tables
• Eliminating the RAW table frees up roughly 50% of the disk space requirements used by the Log Server database

WatchGuard Training

• The ability to purge Diagnostic log messages from devices
• Diagnostic log messages are now stored in a separate table from other log messages
• Diagnostic log messages consume large amounts of disk space
• Can remove Diagnostics log messages that have a level of Debug or higher
• Can be performed with the Log Server API or in the Log Server Server Settings

WatchGuard Training

• The Log Server API purge_diagnostics:
• No input argument
• Result: {status: success, reason: } under the following condition — If there are no Diagnostic log messages in the database, the tables containing Diagnostic log messages are dropped successfully
• Result: {status: fail, reason: reason description} — If there are errors which result in a purging failure, the return status shows fail and the reason describes the failure reason
• Log message in the log file notifies you when the purge is executed and completed:
• Log Level: INFO — BEGIN purge diagnostics
• When starting to call purge_diagnostics
• Log Level: INFO — Purging diagnostics: success
• Log Level: ERROR — Purging diagnostics: fail, reason:…….
• Log Level: DEBUG — Purging diagnostics: SQL statement
• Used for only development and debug purposes
• Log Level: INFO — END purge diagnostics

WatchGuard Training

• Changes in the way the Report Server delivers XML content to the Report Manager improve how rapidly certain reports are generated and displayed to the user
• The following reports are affected by these changes:
• Denied Packets Detail
• URL Detail Reports
• Web Audit Reports
• WebBlocker Reports

WatchGuard Training

• Changes to the Report Server Report Generation tab:
• Groups function is removed — It is not necessary to add a group to define scheduled reports
• New Report Schedules menu lets administrators create and manage more flexible schedules for recurring or one-time generation of reports

WatchGuard Training

• Options in report scheduling are more flexible
• Reports can be configured to be run once or on a recurring schedule

WatchGuard Training

• Scheduled reports can be automatically generated to view without WatchGuard software, such as Report Manager or Reporting Web UI

WatchGuard Training

• Part of a schedule’s configuration can include notification settings for users that a report is now available

WatchGuard Training

• If Archived Reports are enabled in v11.3, a Daily recurring schedule is automatically created by the Report Server for all devices when you upgrade to v11.4
• If weekly report generation is enabled in v11.3, a Weekly recurring schedule is automatically created
• If Archived Reports and Groups are enabled in v11.3, for each of the groups a Daily and/or Weekly schedule is created with the formatted report output option enabled

WatchGuard Training

• After you upgrade to v11.4, Drop-in mode can be configured when FireCluster is enabled
• After you upgrade a Drop-in configuration to v11.4, the FireCluster configuration menu is not disabled.
• Only Active/Passive is supported when the device is in Drop-in mode
• v11.4 does not support FireCluster Active/Active mode in Drop-in
• v11.4 does not support FireCluster in Bridged mode

WatchGuard Training

• You can now select Drop-in Mode in existing Active/Standby clusters

WatchGuard Training

• You can now configure FireCluster while in Drop-in mode

v11.3.x

v11.4

WatchGuard Training

• New global setting in Policy Manager in Setup > Global Settings
• Sets the amount of time a TCP session can remain idle
• Policy-based override available on the Properties tab of a policy
• Select the Specify Custom Idle Timeoutcheck box to override the global timeout setting
• New default setting is 3600 seconds (1 hour)
• Pre-v11.4 global TCP timeout default is 43205 seconds (12 hours 5 seconds)
• Could not be modified globally, except by editing the raw XML file
• Had to use policy-based override
• Shorter timeout frees up resources faster

WatchGuard Training

• Set globally in Policy Manager:Setup > Global Settings

Override global timeout on the Properties tab of a policy

WatchGuard Training

• Allows the device to store a support snapshot file (support.tgz ) to a folder (wgdiag) of an inserted USB drive at a regular interval
• The device automatically saves the snapshot file as soon as the USB drive is inserted
• When a drive is detected, if the wgdiag folder exists, it is deleted together with the contents, and the folder is re-created
• To preserve the folder and its contents, you must rename it before you insert the USB drive to the device
• By default, only one support snapshot is saved on the USB drive
• You can use the Command Line Interface to enable the device to save multiple support snapshots periodically while the device is in operation, if the USB drive is left inserted in the device
• Snapshot file names include a sequence number (support1.tgz, support2.tgz).
• Not available when a device is started in Safe Mode

WatchGuard Training

• Two functions:
• When a USB drive is inserted, a support snapshot file is always created and saved to the \wgdiag directory on the USB drive. This is intended for diagnostic use and cannot be disabled.
• If you use the CLI to enable the device to save multiple support snapshots, you can leave the USB drive in the device to capture data over time. When you enable this feature, the default setting is to save a support snapshot every 30 minutes. A maximum of 48 snapshots can be stored.
• Files that are automatically written to the USB drive are encrypted with the XTM device’s status (read-only) passphrase

WatchGuard Training

• In a FireCluster environment, a USB drive inserted in a cluster member only captures the snapshot of that particular device

WatchGuard Training

• The command to enable is: usb diagnostic enable <interval in seconds>
• The command to disable is: no usb diagnostic enable
• Log in to the CLI with the admin account to get access to these commands

WatchGuard Training

• Fireware XTM Web UI now supports configuration of Proxy Action settings
• Makes the user experience in Policy Manager and Web UI appear similar and compatible

WatchGuard Training

• Select Firewall > Proxy Actions
• Includes a list of predefined proxy actions that you can clone, but cannot edit or remove
• You can select only one proxy action at a time

WatchGuard Training

• To clone a selected proxy action, click Clone.The Proxy Action Configuration page appears.
• The cloned proxy action has a default name, based on the name of the cloned proxy action.
• If you clone FTP-Client, the default name is FTP-Client.1.
• You can change the default name to a new, unique name.

WatchGuard Training

• Edit button for a user-defined proxy action opens the Proxy Action Configuration page
• You can edit all proxy action settings except the proxy action name

WatchGuard Training

• Edit button on a predefined proxy action opens the Proxy Action Configuration page. If you edit the settings, you can save it as a cloned action with a new name.

WatchGuard Training

• Remove button is enabled only if a user-defined proxy action is selected
• User-defined proxy actions can only be removed if not used by a policy

WatchGuard Training

• The content of the page varies depending on the type of proxy action
• Proxy action settings for Subscription Services are not exposed in the Proxy Action Configuration page
• Configure proxy action settings for Subscription Services in the Subscription Services pages of the Web UI

WatchGuard Training

• v11.4 Web UI uses a Detailed View so the rule sets configured in Policy Manager and Web UI are now fully interoperable

WatchGuard Training

• Users can modify the Enabled, Action, Name, Alarm, and Log settings
• All settings can be modified with the Edit button, which opens a new dialog box
• Modify a single entry with the Edit, Delete, Move Up, and Move Down buttons
• Update multiple entries with the Edit button to change the Enabled, Action, Alarm, and Log settings

WatchGuard Training

• Select Subscription Services > Application Control

WatchGuard Training

• Can also be specified on the Firewall > Firewall Policies > Policy Configuration page

WatchGuard Training

• Select a proxy action from the new Proxy Action drop-down. The Change button (v11.3.x and earlier) has been removed.
• Settings, Content, and Application Blocker tabs are removed.
• Configure proxy action settings on the Proxy Action Configuration page.

V11.3.x and Earlier

v11.4

WatchGuard Training

• Alarm can be selected for each Threat Level
• IPS is enabled for every policy, if applicable

WatchGuard Training

• Separate alarm checkboxes on the Virus Outbreak Detection tab for virus detection and scan errors are now configurable

WatchGuard Training

• Registration function is available for devices that are not yet activated
• Register your device from within the Setup Wizard
• Provide LiveSecurity login credentials
• Give the device a friendly name
• Account creation at the WatchGuard web site is also available for those new to WatchGuard
• Create a new LiveSecurity account if you do not yet have one
• Trade-up Program is also available during the activation process for older WatchGuard devices and even for eligible competitor’s products

WatchGuard Training

• Online Activation is now available in the latter steps of the Setup Wizard
• To register and download a feature key, supply your LiveSecurity user name and password, and add a friendly name for your device

WatchGuard Training