What’s New in Fireware XTM v11.4

Presentation Transcript
New Features in Fireware XTM v11.4
  • New! Application Control
  • Intrusion Prevention System enhancements
  • Authentication enhancements
    • Support for multiple Active Directory domains
    • Unique identification of each client session on Terminal Server / Citrix server
    • Support for LDAP over SSL (LDAPS)
    • Support for IEEE 802.1X (Extensible Authentication Protocol)
    • Improved interaction between Manual Authentication and SSO
  • Centralized Management enhancements
  • New SNAT actions

WatchGuard Training

New Features in Fireware XTM v11.4
  • Wireless Security enhancements (rogue access point detection)
  • Wireless network bridge enhancements
  • Logging and Log Server enhancements
  • Reporting and Report Server enhancements
  • Support for A/P FireCluster in Drop-in mode
  • New Global TCP timeout setting
  • Diagnostics and Health Monitoring with USB Diagnostics
  • Improved Support for proxy configuration in the Web UI
  • Enhancements to Quick Setup Wizard

Fireware XTM v11.4 — Device Compatibility
  • Fireware XTM v11.4 is compatible with all XTM device models
    • XTM 2 Series
    • XTM 5 Series
    • XTM 8 Series
    • XTM 1050
  • Fireware XTM v11.4 is not compatible with Firebox X e-Series device models

Application Control — Overview
  • Overall Design
    • You can now allow or deny access to hundreds of applications
      • Social Network Apps, IM/P2P, Games, Streaming Media, Business Apps, etc.
    • Application Control is an action applied to firewall policies
    • All firewall policy types are supported
      • Packet Filters and Proxy policies, Mobile VPN, and Branch Office VPN
  • Hierarchical relationship of categories, applications, behaviors
    • Category
      • Application
        • Behavior
  • Design Controls
    • Application identification takes a maximum of 7 packets
    • Policy-based NAT executes on first packet
    • Policy-based routing executes on first packet

Application Control — Use Cases
  • Use cases by application/behavior
    • By application — Block Skype for all
    • By application behavior — Block MSN file transfer for all
  • Use cases by IP address/user/group
    • User or group — Block P2P for Marketing
    • Host or network — Block BitTorrent for 10.0.0.0/24
  • Combinations of IP address/user/group and applications/behaviors
  • Use policy schedules to allow different applications at different times
  • All standard policy features are available: Scheduling, QoS, Traffic Management, NAT, etc.

Application Control — Signatures
  • Automated updates
  • Two signature sets: XTM2 and XTM5/8/10
    • More applications are available for XTM 5/8/10 Series than for XTM 2 Series
  • One file is downloaded for both Application Control and IPS
  • Metadata is extracted from the file when downloaded
  • Signatures are abstracted for Application Control
    • Applications are mapped to signatures
    • Mapping is not 1-1
    • Example: the application Skype is mapped to four underlying signatures:
      • CHAT Skype login on TCP -1
      • CHAT Skype login on TCP -3
      • CHAT Skype login on TCP -2
      • CHAT Skype login on SSL -1
    • Management software shows the abstraction:
      • Skype

Application Control — Behaviors
  • Seven possible behaviors:
    • Authority — Login
    • Access — Known command to access server or peer
    • Communicate — Communication with server or peer (chat)
    • Connect — Unknown command (P2P connect to peer)
    • Game — Games
    • Media — Audio and Video
    • Transfer — File Transfer
  • Not all applications exhibit all behaviors

Application Control – Configuration Overview
  • You can now block traffic flows based on the application in use
  • Signature-based; ability to identify hundreds of applications
  • Application Control is a Subscription Service
  • Specify Application Control actions per policy

Add an Application Control Action
  • Use the Subscription Services menu in Policy Manager to add and edit Application Control actions, and configure signature update settings
  • Configure the Global Application Control action to use in policies, or create new Application Control actions

Signature update settings

Add an Application Control Action
  • Add a new action
  • Select the applications to control
  • Select Allow or Drop for each application you select
  • Drop — Blocks applications
  • Allow — Allows applications

Find an Application
  • Use the Search text box to quickly find an application by name
  • Select a Category to see the applications in that category

Application Control — Configuration
  • The Application Control action specifies what to do when an application does not match the configured applications:
    • Use the Global action
    • Allow the connection
    • Drop the connection

Application Control — The Global Action
  • When a traffic flow does not match another Application Control action, you can use the Global action as a fall-through
    • By default the Global action has no applications to identify
    • You can edit the Global action to add applications to identify
    • Global action has its own fall-through
      • Allow the connection
      • Drop the connection
  • Or, apply the Global action to any of your policies

Application Control — Policy Configuration
  • New Enable Application Control drop-down list and action selector on the Policy tab
    • IPS and Proxy Actions also moved to Policy tab
  • Lets you configure Application Control policy-by-policy
  • Not necessary to use proxies for this

Application Control — Security Portal Web Page
  • Application Control web page:
    • http://www.watchguard.com/SecurityPortal/AppDB.aspx
  • Read descriptions of all Applications and Behaviors
    • Applications
    • Behaviors
    • Explanation

Application Control — Decision Tree

  • Start: traffic goes through a policy that has Application Control enabled
  • Is this a user-defined Application Control action or the Global action?
    • User-defined action: did the inspection engine identify an application listed in the user-defined action?
      • Yes: is the rule for this application Allow or Drop?
        • Allow: allow connection
        • Drop: drop connection
      • No, and the “Application not matched” rule is “Use Global”: continue with the Global action
      • No, and the “Application not matched” rule is Allow/Drop: allow or drop the connection accordingly
    • Global action: did the inspection engine identify an application listed in the Global action?
      • Yes: is the rule for this application Allow or Drop?
        • Allow: allow connection
        • Drop: drop connection
      • No: is the “Application not matched” rule set to Allow or Drop?
        • Allow: allow connection
        • Drop: drop connection
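The decision tree above, as an added example written for this page (not WatchGuard's code): a small Python model of a policy's Application Control action and the Global action, with a function that walks the tree for one flow and reports which step decided. The action names, application names and rules are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ALLOW, DROP, USE_GLOBAL = "Allow", "Drop", "Use Global"


@dataclass
class AppControlAction:
    """One Application Control action: per-application Allow/Drop rules plus the
    'Application not matched' fall-through (Allow, Drop, or Use Global)."""
    name: str
    app_rules: Dict[str, str] = field(default_factory=dict)
    not_matched: str = USE_GLOBAL


def decide(action: AppControlAction, global_action: AppControlAction,
           identified_app: Optional[str]) -> Tuple[str, str]:
    """Walk the decision tree for one flow through a policy with Application Control.

    identified_app is the application the inspection engine identified, or None when
    nothing was identified within the 7-packet window. Returns (verdict, reason).
    """
    # Step 1: does the action applied to the policy list the identified application?
    if identified_app is not None and identified_app in action.app_rules:
        return action.app_rules[identified_app], f"{action.name}: rule for {identified_app}"
    # Step 2: the action's own 'Application not matched' rule, unless it says Use Global.
    if action.not_matched != USE_GLOBAL:
        return action.not_matched, f"{action.name}: application not matched"
    # Step 3: the Global action is the fall-through; it has its own rules...
    if identified_app is not None and identified_app in global_action.app_rules:
        return global_action.app_rules[identified_app], f"Global: rule for {identified_app}"
    # ...and its own fall-through, which can only be Allow or Drop.
    if global_action.not_matched not in (ALLOW, DROP):
        raise ValueError("the Global action's fall-through must be Allow or Drop")
    return global_action.not_matched, "Global: application not matched"


# Constructed configuration for this example (not from the slides).
GLOBAL = AppControlAction("Global", {"BitTorrent": DROP}, not_matched=ALLOW)
MARKETING = AppControlAction("Marketing", {"Skype": DROP, "Facebook Web IM": ALLOW})
STRICT = AppControlAction("Strict", {"Facebook Web IM": ALLOW}, not_matched=DROP)
```

Note that STRICT never consults the Global action: its own fall-through is Drop, so an identified BitTorrent flow is dropped by STRICT's "application not matched" rule, not by the Global rule.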

Application Control — Logs
  • Traffic logs contain application identification information
  • Enable logging in the policy to monitor application usage
    • The XTM device always identifies and logs denied traffic due to an Application Control action
    • Information about applications that are not blocked is sent to the log file only if logging is enabled in the policy that has Application Control enabled
  • Only one FWAllow or FWDeny message per connection
  • Application and category are added to traffic log

Sample log message:

Application identified app_name="Facebook Web IM" app_cat_name="Web IM" app_id="15" app_cat_id="15" app_beh_id="2" app_beh_name="communicate"

Application Control — Reports
  • Application Control
    • Application Usage Summary
    • Blocked Application Summary
  • Client Reports
    • Top Clients by Application Usage
    • Top Clients by Blocked Applications
    • Top Clients by Blocked Categories
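An added example (not from the slides or from WatchGuard) that turns log lines carrying the application fields shown on the Logs slide into the Application Usage, Blocked Application and Top Clients summaries listed here. The sample log is constructed: the app_* fields follow the slide's format, while the leading FWAllow/FWDeny token, the src_ip field and the id numbers are assumptions of this example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Quoted key="value" fields, as in the sample log message on the Logs slide
FIELD = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample traffic log (not captured from a device). The app_* fields follow
# the slide's format; the FWAllow/FWDeny token and src_ip field are assumed placements
# for this example, and the id numbers are made up.
SAMPLE_LOG = """\
FWAllow src_ip="10.0.0.5" Application identified app_name="Facebook Web IM" app_cat_name="Web IM" app_id="15" app_cat_id="15" app_beh_id="2" app_beh_name="communicate"
FWDeny src_ip="10.0.0.5" Application identified app_name="Skype" app_cat_name="IM/P2P" app_id="7" app_cat_id="3" app_beh_id="1" app_beh_name="authority"
FWAllow src_ip="10.0.0.7" dst_port="443"
FWDeny src_ip="10.0.0.9" Application identified app_name="BitTorrent" app_cat_name="IM/P2P" app_id="21" app_cat_id="3" app_beh_id="4" app_beh_name="connect"
FWDeny src_ip="10.0.0.9" Application identified app_name="Skype" app_cat_name="IM/P2P" app_id="7" app_cat_id="3" app_beh_id="7" app_beh_name="transfer"
FWAllow src_ip="10.0.0.9" Application identified app_name="Facebook Web IM" app_cat_name="Web IM" app_id="15" app_cat_id="15" app_beh_id="2" app_beh_name="communicate"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one FWAllow/FWDeny line that carries application
    identification, or None for lines without app_name (nothing identified, or
    Application Control not enabled on that policy)."""
    parts = line.split(None, 1)
    if len(parts) < 2 or parts[0] not in ("FWAllow", "FWDeny"):
        return None
    fields = dict(FIELD.findall(parts[1]))
    if "app_name" not in fields:
        return None
    fields["disposition"] = parts[0]
    return fields


def parse_log(text: str) -> List[Dict[str, str]]:
    """One record per connection that had an application identified."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r is not None]


def _ranked(counter: Counter) -> List[Tuple]:
    # Highest count first, then key order, so results are deterministic
    return sorted(counter.items(), key=lambda kv: (-kv[1], str(kv[0])))


def application_usage_summary(records) -> List[Tuple[str, int]]:
    """Application Usage Summary: connections per identified application."""
    return _ranked(Counter(r["app_name"] for r in records))


def blocked_application_summary(records) -> List[Tuple[str, int]]:
    """Blocked Application Summary: denied connections per application."""
    return _ranked(Counter(r["app_name"] for r in records if r["disposition"] == "FWDeny"))


def top_clients_by_blocked_category(records) -> List[Tuple[Tuple[str, str], int]]:
    """Top Clients by Blocked Categories: (src_ip, category) pairs with denied connections."""
    return _ranked(Counter((r["src_ip"], r["app_cat_name"]) for r in records
                           if r["disposition"] == "FWDeny"))
```

Because the device always logs denied traffic but logs allowed applications only when policy logging is enabled, the usage summary under-counts allowed traffic on policies without logging; the blocked summaries do not.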

Application Control — Reports
  • Application Usage

Application Control — Reports
  • Blocked Applications

Application Control — Reports
  • Top Clients

Application Control — Upgrade
  • Application Blocker, as it is known in Fireware XTM v11.3.x and previous versions, is not available after you upgrade to v11.4
  • New Application Control is a Subscription Service
    • Comes with UTM Bundle but can be purchased separately
    • If a customer does not purchase Application Control, Application Control is not available (and Application Blocker is not available in v11.4)
  • Customers must synchronize feature keys
    • If the customer has the UTM Bundle, the new feature key includes Application Control

Intrusion Prevention Enhancements — Overview
  • Intrusion Prevention is now a global setting
    • Actions for different threat levels are set globally
    • Applies equally to any policy that has IPS enabled
  • You can enable IPS per-policy
  • No longer configured only in Proxy Actions
    • Apply Intrusion Prevention to packet filter or proxy policies
  • Simpler configuration
    • Only five threat levels instead of 100

Intrusion Prevention Enhancements — Configuration
  • Configure in Policy Manager: Subscription Services > Intrusion Prevention
  • Actions to take:
    • Allow — Allows the connection
    • Drop — Denies the specific request and drops the connection. Does not send a response to the sender. The XTM device sends only a TCP reset packet to the client.
    • Block — Denies the request, drops the connection, and adds the site to the auto-blocked list for the configured duration.

Intrusion Prevention Enhancements — Disable Per Policy
  • Intrusion Prevention dialog box Policies tab:
    • Lists all firewall policies and whether IPS is disabled for each one
    • Lets you enable IPS per policy
  • Policy Properties dialog box: enable IPS for a single policy on the Policy tab

Intrusion Prevention Service — Conversion from v11.3.x
  • If IPS is not enabled in the pre-v11.4 configuration file, Global IPS is not enabled in the converted v11.4 configuration file
  • If IPS is enabled in a policy in the pre-v11.4 configuration file, Global IPS is enabled in the v11.4 configuration file
    • If a proxy policy from the pre-v11.4 configuration file has IPS enabled, that policy will have IPS enabled in the converted configuration file
    • All other policies have IPS disabled in the v11.4 configuration file
  • Threat levels set to default
    • Allow for Information (lowest threat) level (do not log)
    • Drop for all higher threat levels (and log)
  • IPS signature exceptions are removed

IPS — Security Portal Web Page
  • IPS web page: http://www.watchguard.com/SecurityPortal/ThreatDB.aspx
  • Read descriptions of all IPS signatures
  • Hyperlinks to reference sources (where available)
    • mitre.org CVE web page
    • NIST web page
    • Securityfocus.com (Bugtraq) web page
    • Secunia Advisory page
    • Snort page

IPS — More Information in the Web UI
  • Fireware XTM Web UI also has information on signatures
    • Subscription Services > IPS > Signatures tab: double-click a signature to get information

IPS — Look Up Signature Information in FSM
  • To go to the SecurityPortal web site, right-click an entry in Traffic Monitor that indicates an IPS signature was triggered

Multiple Active Directory Domains — Overview
  • You can now specify multiple Active Directory domains
  • Filter your policies by user or group specific to each domain
  • Specify the domain to use for Mobile VPN authentication
  • Click Add to add an Active Directory domain

Add Active Directory Domains
  • Specify the DNS name or IP address for the authentication server
  • Specify the port
  • Specify whether to use LDAPS

Add Users from Active Directory Domains
  • Select the authentication server when you add the user or group

Manual Authentication
  • Select the domain to use when you authenticate to the authentication portal over port 4100

Conversion from pre-v11.4 Configuration
  • Conversion looks at the Search Base of the existing Active Directory settings
  • Converted configuration has an Active Directory object named for the dc= portions of the Search Base
  • Example:
    • Search Base for Active Directory in the pre-v11.4 configuration is: ou=corporate users and groups,dc=toronto,dc=company,dc=net
    • Active Directory domain in v11.4 is named toronto.company.net

LDAP over SSL for Active Directory, LDAP
  • Standard LDAPS port is 636
  • For Active Directory Global Catalog queries, SSL port is 3269
  • Validate the server certificate to prevent man-in-the-middle attacks

LDAP over SSL for Active Directory, LDAP
  • Validate the server certificate to prevent man-in-the-middle attacks
  • To validate the server certificate:
    • Import the CA certificate from the CA that issued the AD/LDAP server’s SSL certificate
      • Use FSM to import the CA certificate
      • Use purpose IPSec, Web Server, Other
    • When you add the AD or LDAP server to Policy Manager, make sure to indicate the address (IP address or DNS name) correctly to match the server’s certificate
    • To validate the certificate, Fireware XTM checks if the configured server address (IP address or DNS name) matches one of these items in the server’s certificate:
      • Common Name in Subject field
      • DNS Name in Subject Alternative Name field
      • IP Address in Subject Alternative Name field
    • If no match, then certificate validation fails
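An added example (not WatchGuard's code) covering the Search Base conversion on the earlier slide and the certificate address check on this one: one function derives the v11.4 domain name from a pre-v11.4 Search Base, the other applies the CN / SAN DNS / SAN IP matching rule to a configured server address. Exact matching with no wildcard handling is an assumption of this example, and the certificate values passed in are constructed.

```python
import ipaddress
from typing import Iterable, Optional


def domain_from_search_base(search_base: str) -> str:
    """Derive the v11.4 Active Directory domain name from a pre-v11.4 Search Base:
    keep the dc= components in order and join them with dots; ou= parts are ignored."""
    labels = []
    for rdn in search_base.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() == "dc" and value.strip():
            labels.append(value.strip())
    if not labels:
        raise ValueError("Search Base has no dc= components")
    return ".".join(labels)


def _norm_name(name: str) -> str:
    # DNS names compare case-insensitively and without a trailing dot
    return name.strip().rstrip(".").lower()


def server_address_matches(configured: str, subject_cn: Optional[str],
                           san_dns: Iterable[str] = (), san_ip: Iterable[str] = ()) -> bool:
    """Apply the rule from the slide: the configured server address (IP address or DNS
    name) must match the Subject Common Name, a SAN DNS name, or a SAN IP address.
    Matching is exact; wildcard names are not handled (an assumption of this example)."""
    try:
        configured_ip = ipaddress.ip_address(configured.strip())
    except ValueError:
        configured_ip = None
    if configured_ip is not None:
        # Compare IP addresses canonically so 2001:db8::1 matches 2001:DB8:0:0:0:0:0:1
        for candidate in san_ip:
            try:
                if ipaddress.ip_address(candidate.strip()) == configured_ip:
                    return True
            except ValueError:
                continue  # a malformed SAN entry never matches
        # An IP literal may also have been placed in the CN of an older certificate
        return subject_cn is not None and subject_cn.strip() == configured.strip()
    wanted = _norm_name(configured)
    if subject_cn is not None and _norm_name(subject_cn) == wanted:
        return True
    return any(_norm_name(d) == wanted for d in san_dns)


def check_ldaps_server(configured: str, subject_cn: Optional[str],
                       san_dns: Iterable[str] = (), san_ip: Iterable[str] = ()) -> str:
    """Return 'validated', or the reason an administrator has to fix the configuration."""
    san_dns, san_ip = list(san_dns), list(san_ip)
    if server_address_matches(configured, subject_cn, san_dns, san_ip):
        return "validated"
    return (f"certificate validation fails: configured address {configured!r} matches "
            f"neither CN {subject_cn!r}, SAN DNS {san_dns} nor SAN IP {san_ip}")
```

The common failure this catches is configuring the server by IP address while its certificate carries only a DNS name: validation fails until the server is entered by that name or the certificate is reissued with the IP address in its SAN.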

Multiple Active Directory Domains for Single Sign-On
  • Requires a new SSO Agent install
  • After the new SSO Agent is installed, use the new SSO Configuration Tool to add Active Directory servers for the agent to query
  • SSO Configuration Tool executable is installed by default in this directory: \Program Files\WatchGuard\WatchGuard Authentication Gateway
  • SSO Configuration Tool enables the SSO admin to add users to perform SSO functions
  • In a multi-domain SSO environment, you must install the SSO Client software on all client computers that can use SSO
    • In single-domain SSO, SSO Client software is still optional
    • SSO Client software is highly recommended in single-domain environments for accuracy of SSO information

SSO Agent User Interface
  • Two default accounts:
    • admin / readwrite
    • status / readonly
  • Configuration tools

SSO Agent User Interface
  • Edit > Add Domain
    • Instant error-checking
    • You cannot add the domain if the information is wrong

SSO Agent User Interface
  • You can add users with read-only or read-write privileges
  • There is only one admin user
    • Root Admin user can add/edit users and give a user the permission to add or remove domain information

SSO and Manual Authentication — Working Together Better
  • In versions prior to 11.4, when SSO was enabled and you went to the authentication portal on port 4100, the message You have been successfully authenticated appeared immediately.
  • This happened whether or not you were already authenticated by SSO.
  • To manually authenticate, users first had to log off the authentication portal
  • These scenarios did not work well with SSO enabled:
    • Guest computer that cannot use SSO (for example, a Windows computer that does not belong to the domain)
    • Computer is a Mac or runs Linux and cannot use SSO
    • SSO authenticated user wants to raise permissions by manually authenticating

SSO and Manual Authentication — Working Together Better
  • New in v11.4:
    • Users no longer see the message You have been successfully authenticated when they go to the manual authentication portal on port 4100 and SSO is enabled
    • Works as users expect in v11.4
    • Manual authentication (port 4100) takes precedence over SSO
      • If user is already authenticated with SSO, the user can go to the manual authentication portal and authenticate as a different user

802.1X Authentication — Overview
  • Lets you ensure that users connect to legitimate, authorized wireless networks
    • Instead of credential-stealing imposter access points
  • The Enterprise part of WPA-Enterprise and WPA2-Enterprise
  • Support for XTM 2 Series wireless device as:
    • 802.1X Authenticator
    • Authentication Server
  • Supported on Access Point 1 (AP1), AP2, and Guest Wireless AP

802.1X Authentication — Technology Overview
  • 802.1X has three main components:
    • Supplicant
      • The endpoint that wants access to the LAN
      • More precisely, the software on the endpoint computer that handles the authentication attempt
    • Authenticator
      • The gatekeeper that allows or denies layer 2 access to the LAN
      • Typically a wireless access point — XTM 2 Series wireless device
      • Also can be an Ethernet switch (possible wired support post-v11.4)
    • Authentication Server
      • The server that validates the endpoint’s credentials
      • Typically a RADIUS server
      • Alternatively, you can use the XTM 2 Series device as the Authentication Server instead of a RADIUS server

802.1X Authentication — Technology Overview
  • Authentication Server can be the XTM device or a RADIUS server
    • XTM device is always the Authenticator when you enable 802.1X on an access point
  • When XTM device is the Authentication Server, these EAP (Extensible Authentication Protocol) methods are supported:
    • EAP-TLS
    • EAP-PEAP
    • EAP-TTLS
  • When RADIUS is the Authentication Server, any EAP method is supported
    • XTM device is only the Authenticator in this case
    • It only passes:
      • EAP messages between itself and the end user (EAP Over LAN or EAPOL)
      • RADIUS messages between itself and the Authentication Server

802.1X Authentication — Technology Overview
  • EAP (Extensible Authentication Protocol) is an IETF standard framework for building authentication methods (EAP methods)
    • EAP for wireless networks allows secure exchange of unique Pairwise Master Keys for each wireless client
    • More secure than static pre-shared keys or passphrases
    • There are many different EAP methods: EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-PSK, EAP-IKEv2, EAP-FAST, etc.
  • IEEE 802.1X is built on EAP
    • It is a standard for passing EAP messages over a LAN
    • EAP messages are encapsulated in layer 2 frames
    • EAP over LAN (or EAPOL) messages can use 802.11 (wireless) or 802.3 (Ethernet) or FDDI (fiber) frames
    • Operates at Layer 2 of OSI model (link layer)
    • Port-based network access control lets you require user authentication before wireless client is allowed on the WLAN network
      • Port means an abstract connection point between the LAN and a computer

802.1X Authentication — Basic Protocol Operation
  • Four main steps in 802.1X protocol operation:
    • Initialization
      • Authenticator detects a new Supplicant
      • Authenticator enables a port (abstracted connection point)
      • Port is set to Unauthorized state
        • Only 802.1X traffic is allowed
        • Any other traffic (such as DHCP or HTTP) is disallowed
    • Initiation
      • Authenticator sends EAP-Request Identity frames to Supplicant, to a special layer 2 address that the Supplicant listens on
      • Supplicant responds with EAP-Response Identity frame that includes some identifying information (User ID or certificate)
      • Authenticator encapsulates Response Identity in a RADIUS Access-Request message
      • Authenticator forwards a RADIUS message to Authentication Server

802.1X Authentication — Basic Protocol Operation
  • Negotiation
    • Authentication Server sends RADIUS Access-Challenge message to Authenticator
      • Access-Challenge message includes EAP Request message, indicating an EAP Method for the Supplicant to use
    • Authenticator encapsulates EAP Request message in an EAPOL frame and sends to the Supplicant
      • The Supplicant can start the requested EAP Method
      • Or, the Supplicant can reply with NAK and respond with EAP Methods it supports
      • The Supplicant and the Authentication Server must agree on the EAP Method or EAP fails
  • Authentication
    • The Authenticator translates the EAP Requests and Responses and relays them between the Supplicant and the Authentication Server
    • Successful authentication is indicated by a RADIUS Access-Accept message
      • The port is set to Authorized and normal traffic is allowed
    • Unsuccessful authentication is indicated by a RADIUS Access-Deny message
      • The port remains in the Unauthorized state
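The four steps described on these two slides, as an added Python simulation that is not WatchGuard's code: a Supplicant, an Authenticator (the access point) and an Authentication Server exchange EAP over EAPOL on one side and over RADIUS on the other, including a NAK when the proposed EAP method is not supported. The inner method exchange is collapsed into a single response, the accounts and method lists are constructed, and the message the slide calls Access-Deny is named Access-Reject as in RFC 2865.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

UNAUTHORIZED, AUTHORIZED = "Unauthorized", "Authorized"


@dataclass
class Supplicant:
    """The endpoint software. Credentials and method list are constructed for this example."""
    identity: str
    secret: str
    methods: Tuple[str, ...]  # EAP methods supported, in preference order

    def respond(self, request: Dict) -> Dict:
        if request["eap"] == "Request/Identity":
            return {"eap": "Response/Identity", "identity": self.identity}
        if request["method"] not in self.methods:
            # NAK the proposed method and list the methods we do support
            return {"eap": "Response/Nak", "methods": list(self.methods)}
        # The method's inner exchange is collapsed into one response carrying the credential
        return {"eap": "Response", "method": request["method"], "secret": self.secret}


@dataclass
class AuthenticationServer:
    """RADIUS-style server (or the XTM device in that role) that validates credentials."""
    users: Dict[str, str]       # identity -> secret (constructed)
    methods: Tuple[str, ...]    # EAP methods this server will run

    def handle(self, access_request: Dict) -> Dict:
        eap = access_request["eap"]
        if eap["eap"] == "Response/Identity":
            # Challenge with our preferred method
            return {"radius": "Access-Challenge",
                    "eap": {"eap": "Request", "method": self.methods[0]}}
        if eap["eap"] == "Response/Nak":
            common = [m for m in eap["methods"] if m in self.methods]
            if not common:  # no agreement on an EAP method: EAP fails
                return {"radius": "Access-Reject"}
            return {"radius": "Access-Challenge",
                    "eap": {"eap": "Request", "method": common[0]}}
        if self.users.get(access_request["identity"]) == eap.get("secret"):
            return {"radius": "Access-Accept"}
        return {"radius": "Access-Reject"}


@dataclass
class Authenticator:
    """The access point: opens a port per supplicant and relays EAP between EAPOL and RADIUS."""
    server: AuthenticationServer
    port_state: str = UNAUTHORIZED
    trace: List[str] = field(default_factory=list)

    def port_allows(self, ethertype: str) -> bool:
        """Port-based access control: only EAPOL passes while the port is Unauthorized."""
        return self.port_state == AUTHORIZED or ethertype == "EAPOL"

    def run(self, supplicant: Supplicant, max_rounds: int = 8) -> str:
        # Initialization: a new supplicant is detected and its port starts Unauthorized
        self.port_state = UNAUTHORIZED
        # Initiation: EAP-Request/Identity over EAPOL, Response/Identity comes back
        self.trace.append("EAPOL Request/Identity")
        response = supplicant.respond({"eap": "Request/Identity"})
        identity = response["identity"]
        for _ in range(max_rounds):
            # The EAP response is encapsulated in a RADIUS Access-Request and forwarded
            reply = self.server.handle(
                {"radius": "Access-Request", "identity": identity, "eap": response})
            self.trace.append("RADIUS " + reply["radius"])
            if reply["radius"] == "Access-Accept":
                self.port_state = AUTHORIZED     # normal traffic is now allowed
                return self.port_state
            if reply["radius"] == "Access-Reject":
                return self.port_state           # stays Unauthorized
            # Negotiation/Authentication: relay the EAP Request to the supplicant in EAPOL
            method = reply["eap"]["method"]
            self.trace.append(f"EAPOL Request {method}")
            response = supplicant.respond(reply["eap"])
            if response["eap"] == "Response/Nak":
                self.trace.append("EAPOL Response/Nak " + ",".join(response["methods"]))
        return self.port_state


def authenticate(supplicant: Supplicant, server: AuthenticationServer) -> Tuple[str, List[str]]:
    """Run one 802.1X exchange and return the final port state with the message trace."""
    ap = Authenticator(server)
    state = ap.run(supplicant)
    return state, ap.trace


# Constructed accounts: the Authentication Server runs EAP-PEAP first, then EAP-TLS
SERVER = AuthenticationServer({"alice": "s3cret"}, ("EAP-PEAP", "EAP-TLS"))
```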

802.1X Authentication — EAP-TLS — XTM Device as the Authentication Server
  • EAP-TLS (Transport Layer Security)
    • The original EAP standard, very secure
    • Native support on all platforms
    • The only method that requires both client certificates and certificate for Authenticator (XTM device)
    • Users authenticated to network and network authenticated to users with digital certificates
    • Not often deployed because of client certificate requirement
    • Must use third-party certificates when an XTM device is the Authentication Server
    • Import certificates with FSM:
      • CA certificate from CA that issued Authentication Server certificate
      • CA certificate from CA that issued client certificates (likely the same CA certificate as above)
      • Authentication Server certificate

802.1X Authentication — EAP-PEAP — XTM Device as the Authentication Server
  • EAP-PEAP (Protected EAP)
    • Requires certificate only for the Authentication Server (XTM device)
      • Can use default certificate signed by the XTM device
      • Client certificates optional
    • Verification of the Authentication Server’s certificate by the Supplicant is optional but highly recommended
      • Without verification, it is easy to introduce a fake access point to capture MS-CHAPv2 handshakes
    • EAP-PEAP with MS-CHAPv2 as the inner EAP method is the second most widely supported EAP method (after EAP-TLS)
      • Built-in support on Windows XP and later, and most recent Apple and Cisco releases
    • A TLS tunnel is set up between Supplicant and Authenticator to securely pass the inner authentication EAP method
      • Only MS-CHAPv2 is supported in the v11.4 release, but specification allows other legacy protocols such as MS-CHAPv1, CHAP, and PAP

802.1X Authentication — EAP-TTLS — XTM Device as Authentication Server
  • EAP-TTLS (Tunneled TLS)
    • Requires certificate only for Authentication Server (XTM device)
      • Can use default certificate signed by XTM device
      • Client certificates optional
    • Verification of the Authentication Server’s certificate by the Supplicant is optional but highly recommended
      • Without verification, it is easy to introduce a fake access point to capture MS-CHAPv2 handshakes
    • EAP-TTLS has wide support across many platforms, but no native support on Windows
      • Requires add-on supplicant software, such as Intel ProSet Wireless, SecureW2, etc.
    • A TLS tunnel is set up between the Supplicant and the Authenticator to securely pass an inner authentication EAP method
      • Only MS-CHAPv2 is supported in v11.4 release, but the specification allows other legacy protocols such as MS-CHAPv1, CHAP, and PAP

802.1X Authentication — Policy Manager
  • Select WPA Enterprise, WPA2 Enterprise, or WPA/WPA2 Enterprise
  • Select Firebox-DB or RADIUS
    • If you select RADIUS, the other EAP options are not available; the EAP method is negotiated between the Supplicant and the RADIUS server
  • Select EAP-TLS, EAP-PEAP, or EAP-TTLS
  • Only MS-CHAPv2 is supported as the inner EAP method with PEAP and TTLS
  • Select certificate to use for Authenticator

802.1X Authentication — XTM Device Certificates
  • Two new certificates are generated on 2 Series Wireless devices:
    • One for the Authentication Server function
    • One CA — Import the CA certificate to client computers to verify the server certificate

Terminal Server/Citrix Server — Overview
  • Terminal Services Agent software installed on your Terminal Server or Citrix server
  • Monitors traffic flows from Terminal Server or Citrix server clients
  • Agent software consists of:
    • TO Agent
      • Receives the session ID from the XTM device after a user authenticates to the XTM device
      • Reports to the XTM device which client a traffic flow belongs to
    • TO Driver
      • Connects to Windows Sockets to monitor which Terminal Server/Citrix server client generates each traffic flow
    • TO Set Tool
      • Gives the TO Agent the IP address of the XTM device
      • Specifies for the TO Agent which traffic destinations to not monitor (reduces overhead for traffic you know will not go through an Ethernet interface on the XTM device)
  • TO stands for Traffic Owner

Terminal Server/Citrix Server — Requirements
  • You must install the TO Agent software on your Terminal Server or Citrix server
    • TO Agent identifies which traffic flow belongs to each user
  • Users must authenticate to the XTM device after they log in to the Terminal Server/Citrix server
    • Users authenticate to https://<xtm.device.ip.address>:4100
  • Specify the IP addresses of the Terminal Servers/Citrix servers in Policy Manager
    • Setup > Authentication > Authentication Settings > Terminal Services tab
    • Support for up to 32 Terminal Servers
  • TCP ports 8118 and 9898 must be open from the XTM device to the Terminal Server/Citrix server
  • Ports 8118, 9898, 8337, and 12345 must be allowed through the Windows Firewall (or other local firewall) on the Terminal Server/Citrix server

Terminal Server/Citrix Server — Configuration Tasks
  • Install WatchGuard software on your Terminal Server or Citrix server
    • TO_Agent.exe
  • Configure settings on the Terminal Server or Citrix server
    • TO Set Tool
  • Configure settings on the XTM device
    • Specify the IP addresses of Terminal Server/Citrix server computers in Policy Manager
    • Maximum 32 Terminal Servers/Citrix servers
  • Make sure the correct ports are open between the XTM device and Terminal Server or Citrix server
  • Force Terminal Server or Citrix server client users to authenticate to the XTM device
    • https://<xtm.device.ip.address>:4100

Terminal Server/Citrix Server — Install TO Agent
  • Simple installer with no installation options
    • Install as a user with admin rights
  • Installation requires a reboot of your Terminal Server/Citrix server
  • Installs the Set Tool application
  • Also installs the TO Driver
    • TO Driver uses Windows Sockets (WinSock) to connect to traffic flows generated by clients
    • No UI for driver

Terminal Server/Citrix Server — Configure Server
  • Configure the Terminal Server/Citrix server settings with the TO Set Tool
    • Specify the IP address of your XTM device
    • Specify the destination of traffic that the TO Agent can ignore
      • Reduces the workload of the TO Agent for traffic that does not go through the XTM device

Terminal Server/Citrix Server — Configure the XTM Device
  • Configure settings on the XTM device
    • Specify the IP addresses of Terminal Server/Citrix server computers in Policy Manager
    • Maximum of 32 Terminal Servers/Citrix servers

Terminal Server/Citrix Server — Open Ports
  • XTM Device connects to the TO Agent over these ports:
    • TCP port 8118
      • This port is used to transfer NOTIFY and QUERY messages
      • Must be open from the XTM device to the Terminal Server/Citrix server
    • TCP port 9898
      • This port is used to transfer information about manual authentication and authentication logoff events
      • Must be open from the XTM device to the Terminal Server/Citrix server
    • TCP port 8337
      • TO Driver sends traffic owner information to TO Agent over this port
      • Does not need to be open between XTM device and Terminal Server/Citrix server, but cannot be blocked by Windows Firewall or another local firewall
    • TCP port 12345
      • TO Set Tool connects to TO Agent over this port to communicate settings information
      • Does not need to be open between XTM device and Terminal Server/Citrix server, but cannot be blocked by Windows Firewall or other local firewall

Terminal Server/Citrix Server — Client Authentication
  • Enable auto-redirect to force users to authenticate
  • Make sure there is no firewall policy that allows outgoing traffic from the IP address of the Terminal Server/Citrix server
    • Any-Trusted and Any-Optional should not be included in the Firewall Policies From list
    • No other alias that includes the IP address of the Terminal Server/Citrix server in the From list
  • Firewall policy that allows outgoing traffic from Terminal Server/Citrix server client users must include their user or group names in the From list
    • Traffic is allowed from the user only after the user authenticates
  • Enable the Auto redirect user to authentication page for authentication setting
    • Policy Manager > Setup > Authentication > Authentication Settings
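A configuration audit for the points above, added here as an example and not part of the WatchGuard training material. It works on a simplified model of the Firewall Policies list and the aliases they reference: the alias names Any-Trusted and Any-Optional come from the slide, while the networks behind them, the policy names and the user:/group: prefix convention are constructed for the example. It reports every policy whose From list would let the Terminal Server/Citrix server IP send traffic before a user authenticates, which is exactly the set of policies that defeat auto-redirect.

```python
"""Audit firewall policies for the Terminal Server / Citrix client setup.

Added example (not WatchGuard code). Aliases and policies below are a
constructed, simplified model of what Policy Manager shows; the real
configuration file format is not reproduced.
"""
import ipaddress

# Constructed alias table: alias name -> networks/hosts it covers.
# Any-Trusted and Any-Optional are assumed to map to the trusted and
# optional networks of this sample deployment.
ALIASES = {
    "Any-Trusted": ["10.0.1.0/24"],
    "Any-Optional": ["10.0.2.0/24"],
    "Servers": ["10.0.1.50/32", "10.0.1.51/32"],
}

# Constructed policy list: (policy name, From list entries). Entries are
# alias names, literal IPs/networks, or authenticated users/groups written
# with a "user:" / "group:" prefix (the prefix is this example's convention).
POLICIES = [
    ("Outgoing", ["Any-Trusted", "Any-Optional"]),
    ("Servers-Out", ["Servers"]),
    ("TS-Users", ["group:TS-Users", "user:alice"]),
    ("Mgmt", ["10.0.3.5"]),
]


def entry_covers(entry, aliases, host):
    """True if a From-list entry (alias, IP or network) includes `host`.

    User and group entries never cover an address: traffic matches them only
    after the user authenticates, which is the behaviour we want to keep.
    """
    if entry.startswith(("user:", "group:")):
        return False
    for net in aliases.get(entry, [entry]):
        try:
            if host in ipaddress.ip_network(net, strict=False):
                return True
        except ValueError:
            continue  # unknown alias name or malformed entry: cannot cover host
    return False


def audit_terminal_server(ts_ip, policies=POLICIES, aliases=ALIASES):
    """Return the names of policies whose From list lets traffic from the
    Terminal Server / Citrix server IP out without user authentication.

    Any policy listed here defeats auto-redirect: unauthenticated client
    sessions on the server would match it instead of being redirected.
    """
    host = ipaddress.ip_address(ts_ip)
    return [name for name, from_list in policies
            if any(entry_covers(e, aliases, host) for e in from_list)]


if __name__ == "__main__":
    for offending in audit_terminal_server("10.0.1.50"):
        print(f"policy {offending!r} allows unauthenticated traffic from the Terminal Server")
```

Run it with the address of each Terminal Server/Citrix server; an empty result means every policy that could carry the server's traffic is keyed on user or group names, as the slide requires.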

Changes to Centralized Management
  • Management Server now supports configuration history/rollback for fully managed devices and templates
  • Devices are no longer “subscribed” to templates
    • Template “subscription” concept replaced by single template application action
  • New 11.4 Template on Management Server
    • Administrators can control how template settings are applied to a device configuration file
    • Support for SNAT added to template configuration
    • Template history displayed similarly to configuration history
  • SNAT configuration added to template policies

Configuration History and Rollback
  • Devices managed by a Management Server in Fully Managed Mode can roll back to previous configurations
  • Configure the rollback settings on the new Management Server Configuration History tab
  • Specify the maximum number of saved revisions or maximum amount of disk space to use

Configuration History and Rollback
  • From the Configuration History tab:
    • View — Review the previous configuration in Policy Manager
    • Revert — Roll back the device to the selected configuration file and move that configuration file to the top of the Revision History list as the most recent revision

Effect of Rollback on Managed VPNs
  • Managed VPN attributes are stored on the Management Server, not in the individual device configuration files in the Configuration History
  • If a device is reverted to a previous configuration, the managed tunnel settings are removed and then updated on the reverted configuration after it is applied to the device

Managed Templates — Template Behavior in v11.4
  • Templates are updated in v11.4 to support changes to Application Blocking and IPS behavior, and to support new features
  • When the Management Server is upgraded to v11.4, devices subscribed to a template have the subscription link removed, because the subscription feature is removed from v11.4
  • When a device configuration file is upgraded to v11.4, the v11.4 Policy Manager allows policies in a managed device configuration file for a device subscribed to a v11.3 template to be named locally with the “T_” prefix
  • You can now apply templates to devices with manually ordered policies
  • You can configure Inheritance Settings, which determine whether or not template properties override local configuration settings
  • You can now add a policy to a template that defines an incoming connection
    • The new object to allow this is an SNAT action (Static NAT)

Managed Templates — Subscriptions Removed
  • Removing the subscription concept means that more properties can be configured within the template, such as spamBlocker settings
  • Instead of subscribing to a template, a one time application of the template to selected devices is used in v11.4
  • Templates must be applied to devices with compatible versions of Fireware XTM
  • You can apply templates to a single device, or multiple devices in a folder, using drag-and-drop
  • The first time you apply a template to multiple devices, you select a check box for each device
  • After the first application of the template, the next time you apply it, you can see which devices you applied this template to the last time
    • Saves the work of selecting the check boxes again

Managed Templates — Overview
  • Screenshot callouts: Inheritance settings, Revision history, List of templates, Most recent application of this template

Managed Templates — Inheritance Settings
  • You select which properties in the template can be inherited from the template and which cannot be inherited
  • In Policy Manager for the Device Configuration Template, select View > Inheritance Settings
  • Screenshot callout: the template status bar indicates the template version

Managed Templates — Inheritance Settings
  • If you do not select Allow Override for an object in the template, and the device configuration file includes an object with the same name, the template object replaces the object in the device configuration file when the template is applied
    • If an object with the same name does not exist in the device configuration file, the object in the template is added to the device configuration file when the template is applied to the device
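The replace-or-add rule above, written out as a template application step. This is an added example and not Management Server code: configuration objects are modelled as name-keyed dicts, the device and template contents are constructed, and the behaviour for objects that do have Allow Override (the device's own object is kept, a missing one is still added) is an assumption, since the slide only states the case without Allow Override.

```python
"""Apply a device configuration template honouring Inheritance Settings.

Added example, not Management Server code. Configuration objects are modelled
as {name: settings} dicts. The slide states the rules for objects that do NOT
have Allow Override; the rule used here for objects that do (an existing
device object is kept, a missing one is added) is an assumption.
"""
from copy import deepcopy

# Constructed device configuration: objects keyed by name.
DEVICE = {
    "HTTP-proxy": {"log": False},
    "DNS": {"servers": ["10.0.0.53"]},
    "Local-Only": {"enabled": True},
}

# Constructed template. "DNS" is the only object marked Allow Override.
TEMPLATE = {
    "HTTP-proxy": {"log": True},
    "DNS": {"servers": ["192.0.2.53"]},
    "SNAT-Web": {"external": "Any-External", "internal": "10.0.0.1"},  # placeholder internal IP
}
ALLOW_OVERRIDE = {"DNS"}


def apply_template(device, template, allow_override):
    """Return a new device object set after a one-time template application.

    Rules from the slide (object NOT marked Allow Override):
      - same-name object exists on the device -> the template object replaces it
      - no same-name object on the device    -> the template object is added
    Assumed rule (object marked Allow Override): a same-name device object is
    kept as-is; a missing one is still added from the template.
    """
    result = deepcopy(device)
    for name, obj in template.items():
        if name in result and name in allow_override:
            continue                  # local setting wins (assumption)
        result[name] = deepcopy(obj)  # replace or add
    return result


def application_report(before, after):
    """Summarise what the template application changed, by object name."""
    replaced = sorted(n for n in before if n in after and after[n] != before[n])
    added = sorted(n for n in after if n not in before)
    kept = sorted(n for n in before if n in after and after[n] == before[n])
    return {"replaced": replaced, "added": added, "kept": kept}


if __name__ == "__main__":
    merged = apply_template(DEVICE, TEMPLATE, ALLOW_OVERRIDE)
    print(application_report(DEVICE, merged))
```

The report is the piece worth keeping in a change record: the "replaced" list is every local setting the template silently overwrote, which is the review point before applying a template that was not built with Allow Override in mind.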

Managed Templates — New SNAT Action
  • You can now add a policy to a template that defines an incoming connection
  • SNAT (Static NAT) in v11.4 is configured in a new Policy Manager menu: Setup > Actions > SNAT
  • You can use SNAT actions in policies in your template

Managed Templates — Define a New SNAT Action
  • External IP Address in the Static NAT must be Any-External
    • This applies correctly to all managed devices, regardless of the IP address actually assigned to the device’s external interface
  • Internal IP Address in the Static NAT should be a place-holder IP address
    • No IP address can be correct for all environments
  • After you apply the template to a device, edit the device’s configuration and change the Internal IP Address in the SNAT action to be the IP address of that device’s internal host

Managed Templates — Configuration History
  • See the revision history of each template

Managed Templates — Application History
  • See when a template was applied, and to which devices

SNAT Actions
  • Static NAT is now an action you apply to a policy
  • Applies to stand-alone (not managed) devices as well as to templates for managed devices
  • Lets you reuse an SNAT object in policies
  • Only one SNAT action per policy
  • One SNAT action can contain multiple Static NAT mappings

SNAT Actions
  • Multiple Static NAT members in a policy become one SNAT Action with multiple mappings

SNAT Actions
  • All members of the SNAT Action must be of the same type:
    • Static NAT
    • Server Load Balancing

Rogue Access Point Detection
  • Feature specific for Payment Card Industry (PCI) — Branch Office Compliance
  • Ability to detect Rogue Access Points within the operational area
  • Select the checkbox at the bottom of the Wireless Configuration dialog box in Policy Manager

Trusted Access Points
  • Manually add Trusted Access Points to the device.
  • Can be configured to send notification when a rogue access point is detected.

Schedule a Rogue Access Point Detection Scan
  • XTM 2 Series device can be configured exclusively for rogue Access Point scanning
    • Always scan is usually selected
  • Can be configured to complete scheduled scanning when the device is also used either as a Wireless Client on External or as an Access Point

Rogue Access Point Detection — Used with a Wireless Client as External Interface
  • Impacts network traffic
  • Connections still get through but access is slower
  • Sends an alarm log message when a rogue access point is discovered

Rogue Access Point Detection — Used with Wireless as an Access Point
  • Device used as an access point cannot run a continuous scan
  • Connections to the access point are interrupted when the radio is used for scanning
  • Sends an alarm and log message when a rogue access point is discovered

Rogue Access Point Detection — Scan On-Demand
  • Use Firebox System Manager (FSM) to run an on-demand scan for rogue access points
  • Click Scan Now to start a scan
  • Requires the administrator passphrase to run a scan
  • Can run an on-demand scan even if the device is not enabled to scan rogue access points

Logging, Reporting, and Notification
  • Option on the Summary Log to choose whether to send a log message and/or an alert message for rogue access point (AP) detection activities, which include:
    • Scan initiated
    • Scan completed
    • Rogue APs found
    • No rogue APs found
    • Trusted APs found
    • No trusted APs found
  • Detailed log messages and alerts for each rogue and trusted access point found
  • Log messages are available in real-time in FSM

Logging, Reporting, and Notification
  • A new WatchGuard Report includes data about when scans are initiated/completed and shows results of the scans
    • This is very important for PCI-DSS compliance.
  • Notification sends an email and/or SNMP trap when a scan results in a Rogue AP Found
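The Trusted Access Points list and the Summary Log events described on the preceding slides, combined into one piece of detection logic. This is an added example and not Fireware code: the trusted list and the scan rows are constructed, and keying the trusted list on BSSID (the radio's MAC address) rather than SSID is an assumption about how the device matches trusted APs. The classifier, the event list and the notify flag are the three outputs the slides describe.

```python
"""Classify a wireless scan against the Trusted Access Points list and build
the log / alert events the rogue AP detection feature reports.

Added example, not Fireware code. The trusted list and scan rows are
constructed; keying the trusted list on BSSID (the radio's MAC address) is
an assumption about how the device matches trusted APs.
"""

# Constructed trusted AP list: BSSID -> SSID it is expected to broadcast.
TRUSTED_APS = {
    "00:11:22:33:44:01": "CorpWiFi",
    "00:11:22:33:44:02": "CorpWiFi",
}

# Constructed scan results: (BSSID, SSID, channel, signal dBm).
SCAN_RESULTS = [
    ("00:11:22:33:44:01", "CorpWiFi", 6, -45),
    ("00:11:22:33:44:02", "CorpWiFi", 11, -60),
    ("DE:AD:BE:EF:00:01", "CorpWiFi", 6, -50),   # same SSID, unknown radio
    ("AA:BB:CC:DD:EE:FF", "FreeWiFi", 1, -70),
]


def classify_scan(scan, trusted):
    """Split scan rows into (rogue, trusted_found).

    A row is trusted only when its BSSID is on the trusted list; matching on
    SSID alone would let an unknown radio that carries the corporate SSID pass.
    """
    trusted_norm = {b.lower(): s for b, s in trusted.items()}
    rogue, found = [], []
    for bssid, ssid, chan, sig in scan:
        row = {"bssid": bssid.lower(), "ssid": ssid, "channel": chan, "signal": sig}
        (found if row["bssid"] in trusted_norm else rogue).append(row)
    return rogue, found


def scan_events(scan, trusted):
    """Return (events, notify) for one scan.

    events mirrors the Summary Log categories on the slide plus one detail
    line per AP; notify is True only when the result is "Rogue APs found",
    which is the condition that triggers email / SNMP notification.
    """
    rogue, found = classify_scan(scan, trusted)
    events = ["Scan initiated"]
    events.append("Rogue APs found" if rogue else "No rogue APs found")
    events.append("Trusted APs found" if found else "No trusted APs found")
    for r in rogue:
        events.append(f"Rogue AP: bssid={r['bssid']} ssid={r['ssid']} "
                      f"channel={r['channel']} signal={r['signal']}dBm")
    for t in found:
        events.append(f"Trusted AP: bssid={t['bssid']} ssid={t['ssid']} channel={t['channel']}")
    events.append("Scan completed")
    return events, bool(rogue)


if __name__ == "__main__":
    evs, notify = scan_events(SCAN_RESULTS, TRUSTED_APS)
    print("\n".join(evs))
    print("notify:", notify)
```

The third scan row is the case a trusted list keyed on SSID would miss: an unknown radio announcing the corporate network name. Keying on BSSID keeps it in the rogue list and so in the PCI report.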

Wireless Bridge Enhancements
  • In v11.4, you can enable a wireless bridge to a set of bridged physical interfaces

Log Server Enhancements
  • Increased performance and scalability
    • Improved log insertion performance with bulk copy
      • Much faster insertion of log messages
      • Log messages from devices are inserted in bulk, or several at a time
      • Free-string search in LogViewer only searches the message field in a log message
    • Eliminates the RAW table, which reduces the size of the Log Server database
      • Log messages from devices are inserted one at a time
      • Contains the majority of the XML log message as a string in one column
      • Traditionally used to provide LogViewer with a combined view of all logs over a given time range
      • Consumes the same amount of disk space as the log-type specific tables
      • Eliminating the RAW table frees up roughly 50% of the disk space requirements used by the Log Server database

Log Server Enhancements
  • The ability to purge Diagnostic log messages from devices
    • Diagnostic log messages are now stored in a separate table from other log messages
    • Diagnostic log messages consume large amounts of disk space
    • Can remove Diagnostics log messages that have a level of Debug or higher
    • Can be performed with the Log Server API or in the Log Server Server Settings

Log Server Enhancements — WSDL
  • The Log Server API purge_diagnostics:
    • No input argument
    • Result: {status: success, reason: } — Returned under this condition: if there are no Diagnostic log messages in the database, the tables that contain Diagnostic log messages are dropped successfully
    • Result: {status: fail, reason: reason description} — If there are errors which result in a purging failure, the return status shows fail and the reason describes the failure reason
  • Log message in the log file notifies you when the purge is executed and completed:
    • Log Level: INFO — BEGIN purge diagnostics
      • When starting to call purge_diagnostics
    • Log Level: INFO — Purging diagnostics: success
    • Log Level: ERROR — Purging diagnostics: fail, reason:…….
    • Log Level: DEBUG — Purging diagnostics: SQL statement
      • Used for only development and debug purposes
    • Log Level: INFO — END purge diagnostics
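A small monitor for the log messages listed above, added here as an example and not part of the Log Server. It turns the BEGIN/success/fail/END lines into one record per purge run and flags runs that failed or never reached END. The sample lines are constructed to match the message texts on the slide; the "date time LEVEL message" layout is an assumption about the real log file format.

```python
"""Track purge_diagnostics runs in the Log Server log file.

Added example, not Log Server code. The sample lines are constructed to match
the message texts on the slide; the "date time LEVEL message" line layout is
an assumption about the real log file format.
"""
import re

SAMPLE_LOG = """\
2011-05-02 01:00:00 INFO BEGIN purge diagnostics
2011-05-02 01:00:00 DEBUG Purging diagnostics: <SQL statement>
2011-05-02 01:00:03 INFO Purging diagnostics: success
2011-05-02 01:00:03 INFO END purge diagnostics
2011-05-03 01:00:00 INFO BEGIN purge diagnostics
2011-05-03 01:00:01 ERROR Purging diagnostics: fail, reason: database is locked
2011-05-03 01:00:01 INFO END purge diagnostics
2011-05-04 01:00:00 INFO BEGIN purge diagnostics
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (INFO|ERROR|DEBUG) (.*)$")


def purge_runs(log_text):
    """Parse the log into one record per purge run.

    Each record: {"started", "ended", "status", "reason"}; status is
    "success", "fail" or "incomplete" (BEGIN seen with no END yet, for
    example because the server stopped mid-purge).
    """
    runs, current = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, level, msg = m.groups()
        if msg == "BEGIN purge diagnostics":
            if current is not None:        # previous run never reached END
                runs.append(current)
            current = {"started": ts, "ended": None, "status": "incomplete", "reason": ""}
        elif current is None:
            continue                       # purge messages outside a run: ignore
        elif msg == "Purging diagnostics: success":
            current["status"] = "success"
        elif msg.startswith("Purging diagnostics: fail"):
            current["status"] = "fail"
            current["reason"] = msg.split("reason:", 1)[1].strip() if "reason:" in msg else ""
        elif msg == "END purge diagnostics":
            current["ended"] = ts
            runs.append(current)
            current = None
    if current is not None:
        runs.append(current)
    return runs


def runs_needing_attention(runs):
    """Runs an operator should look at: failed or never completed."""
    return [r for r in runs if r["status"] != "success"]


if __name__ == "__main__":
    for r in runs_needing_attention(purge_runs(SAMPLE_LOG)):
        print(f"{r['started']}: {r['status']} {r['reason']}".rstrip())
```

The DEBUG line is deliberately ignored: it carries the SQL statement and, as the slide says, is for development and debug purposes only, so it should not change a run's outcome.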

Improved Performance for Report Generation
  • Changes in the way the Report Server delivers XML content to the Report Manager improve how rapidly certain reports are generated and displayed to the user
  • The following reports are affected by these changes:
    • Denied Packets Detail
    • URL Detail Reports
    • Web Audit Reports
    • WebBlocker Reports

New Report Generation Options
  • Changes to the Report Server Report Generation tab:
    • Groups function is removed — it is no longer necessary to add a group to define scheduled reports
    • New Report Schedules menu lets administrators create and manage more flexible schedules for recurring or one-time generation of reports

New Report Generation Options
  • Options in report scheduling are more flexible
  • Reports can be configured to be run once or on a recurring schedule

Generate Reports for External Use
  • Scheduled reports can be automatically generated to view without WatchGuard software, such as Report Manager or Reporting Web UI

Notify Users that Reports Have Been Generated
  • Part of a schedule’s configuration can include notification settings for users that a report is now available

Conversion Issues for Existing Scheduled Reports
  • If Archived Reports are enabled in v11.3, a Daily recurring schedule is automatically created by the Report Server for all devices when you upgrade to v11.4
  • If weekly report generation is enabled in v11.3, a Weekly recurring schedule is automatically created
  • If Archived Reports and Groups are enabled in v11.3, for each of the groups a Daily and/or Weekly schedule is created with the formatted report output option enabled

Drop-in Mode Support for FireCluster
  • After you upgrade to v11.4, Drop-in mode can be configured when FireCluster is enabled
  • After you upgrade a Drop-in configuration to v11.4, the FireCluster configuration menu is not disabled.
  • Only Active/Passive is supported when the device is in Drop-in mode
    • v11.4 does not support FireCluster Active/Active mode in Drop-in
    • v11.4 does not support FireCluster in Bridged mode

Drop-in Mode Support with FireCluster
  • You can now select Drop-in Mode in existing Active/Standby clusters

Drop-in Mode Support with FireCluster
  • You can now configure FireCluster while in Drop-in mode
  • Screenshots: v11.3.x vs. v11.4

Global TCP Timeout
  • New global setting in Policy Manager in Setup > Global Settings
  • Sets the amount of time a TCP session can remain idle
  • Policy-based override available on the Properties tab of a policy
    • Select the Specify Custom Idle Timeout check box to override the global timeout setting
  • New default setting is 3600 seconds (1 hour)
    • Pre-v11.4 global TCP timeout default is 43205 seconds (12 hours 5 seconds)
    • Could not be modified globally, except by editing the raw XML file
    • Had to use policy-based override
  • Shorter timeout frees up resources faster
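The timeout precedence above (policy override first, global setting otherwise) applied to a session table, added here as an example and not Fireware code. The session rows, the reference clock and the one policy with a custom idle timeout are constructed; the two global values are the defaults the slide gives. Running it with both defaults shows how many more idle sessions the v11.4 value releases.

```python
"""Apply the global TCP idle timeout with per-policy overrides to a session
table and report which idle sessions would be released.

Added example, not Fireware code. Session rows and the override table are
constructed; the two global timeout values are the defaults on the slide.
"""

GLOBAL_TCP_TIMEOUT_V114 = 3600       # v11.4 default: 1 hour
GLOBAL_TCP_TIMEOUT_PRE_V114 = 43205  # pre-v11.4 default: 12 hours 5 seconds

# Constructed: policies with "Specify Custom Idle Timeout" set, in seconds.
POLICY_OVERRIDES = {"SSH-Admin": 600}

NOW = 100_000  # constructed reference clock (seconds)

# Constructed session table: (session id, policy name, last activity time).
SESSIONS = [
    ("s1", "HTTP", NOW - 5000),
    ("s2", "SSH-Admin", NOW - 900),
    ("s3", "HTTP", NOW - 1000),
    ("s4", "SMTP", NOW - 50_000),
]


def effective_timeout(policy, global_timeout, overrides=POLICY_OVERRIDES):
    """Policy override wins when present; otherwise the global setting applies."""
    return overrides.get(policy, global_timeout)


def expired_sessions(sessions, now, global_timeout, overrides=POLICY_OVERRIDES):
    """Return ids of sessions idle longer than their effective timeout."""
    return [sid for sid, policy, last_seen in sessions
            if now - last_seen > effective_timeout(policy, global_timeout, overrides)]


if __name__ == "__main__":
    print("v11.4 default releases:", expired_sessions(SESSIONS, NOW, GLOBAL_TCP_TIMEOUT_V114))
    print("pre-v11.4 default releases:", expired_sessions(SESSIONS, NOW, GLOBAL_TCP_TIMEOUT_PRE_V114))
```

Session s1 is the interesting row: idle for 5000 seconds, it stays in the table under the old 12-hour default and is released under the new 1-hour default, which is the resource saving the slide refers to.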

Global TCP Timeout
  • Set globally in Policy Manager: Setup > Global Settings
  • Screenshot callout: override the global timeout on the Properties tab of a policy

Automatic Retrieval of Support Diagnostic File
  • Allows the device to store a support snapshot file (support.tgz) to a folder (wgdiag) of an inserted USB drive at a regular interval
  • The device automatically saves the snapshot file as soon as the USB drive is inserted
  • When a drive is detected, if the wgdiag folder exists, it is deleted together with the contents, and the folder is re-created
  • To preserve the folder and its contents, you must rename it before you insert the USB drive to the device
  • By default, only one support snapshot is saved on the USB drive
  • You can use the Command Line Interface to enable the device to save multiple support snapshots periodically while the device is in operation, if the USB drive is left inserted in the device
    • Snapshot file names include a sequence number (support1.tgz, support2.tgz).
  • Not available when a device is started in Safe Mode

USB Drive Functions
  • Two functions:
    • When a USB drive is inserted, a support snapshot file is always created and saved to the \wgdiag directory on the USB drive. This is intended for diagnostic use and cannot be disabled.
    • If you use the CLI to enable the device to save multiple support snapshots, you can leave the USB drive in the device to capture data over time. When you enable this feature, the default setting is to save a support snapshot every 30 minutes. A maximum of 48 snapshots can be stored.
  • Files that are automatically written to the USB drive are encrypted with the XTM device’s status (read-only) passphrase

USB Diagnostics in a FireCluster Environment
  • In a FireCluster environment, a USB drive inserted in a cluster member only captures the snapshot of that particular device

CLI Command for USB Diagnostics
  • The command to enable is: usb diagnostic enable <interval in seconds>
  • The command to disable is: no usb diagnostic enable
  • Log in to the CLI with the admin account to get access to these commands

Proxy Actions in the Web UI
  • Fireware XTM Web UI now supports configuration of Proxy Action settings
  • Makes the user experience in Policy Manager and Web UI appear similar and compatible

Proxy Actions
  • Select Firewall > Proxy Actions
  • Includes a list of predefined proxy actions that you can clone, but cannot edit or remove
  • You can select only one proxy action at a time

Proxy Actions
  • To clone a selected proxy action, click Clone. The Proxy Action Configuration page appears.
  • The cloned proxy action has a default name, based on the name of the cloned proxy action.
    • If you clone FTP-Client, the default name is FTP-Client.1.
    • You can change the default name to a new, unique name.

Proxy Actions
  • Edit button for a user-defined proxy action opens the Proxy Action Configuration page
  • You can edit all proxy action settings except the proxy action name

Proxy Actions
  • Edit button on a predefined proxy action opens the Proxy Action Configuration page. If you edit the settings, you can save it as a cloned action with a new name.

Proxy Actions
  • Remove button is enabled only if a user-defined proxy action is selected
  • User-defined proxy actions can only be removed if not used by a policy

Proxy Action Configuration Page
  • The content of the page varies depending on the type of proxy action
  • Proxy action settings for Subscription Services are not exposed in the Proxy Action Configuration page
    • Configure proxy action settings for Subscription Services in the Subscription Services pages of the Web UI

Proxy Action Rule Set UI
  • v11.4 Web UI uses a Detailed View so the rule sets configured in Policy Manager and Web UI are now fully interoperable

Proxy Action Rule Set UI
  • Users can modify the Enabled, Action, Name, Alarm, and Log settings
  • All settings can be modified with the Edit button, which opens a new dialog box
  • Modify a single entry with the Edit, Delete, Move Up, and Move Down buttons
  • Update multiple entries with the Edit button to change the Enabled, Action, Alarm, and Log settings

Application Control Actions
  • Select Subscription Services > Application Control

Application Control Actions
  • Can also be specified on the Firewall > Firewall Policies > Policy Configuration page

Mobile VPN with IPSec Policy Configuration Page
  • Select a proxy action from the new Proxy Action drop-down. The Change button (v11.3.x and earlier) has been removed.
  • Settings, Content, and Application Blocker tabs are removed.
  • Configure proxy action settings on the Proxy Action Configuration page.
  • Screenshots: v11.3.x and earlier vs. v11.4

IPS Configuration
  • Alarm can be selected for each Threat Level
  • IPS is enabled for every policy, if applicable

spamBlocker
  • Separate alarm checkboxes on the Virus Outbreak Detection tab for virus detection and scan errors are now configurable

Integrated Activation Procedure
  • Registration function is available for devices that are not yet activated
    • Register your device from within the Setup Wizard
    • Provide LiveSecurity login credentials
    • Give the device a friendly name
  • Account creation at the WatchGuard web site is also available for those new to WatchGuard
    • Create a new LiveSecurity account if you do not yet have one
  • Trade-up Program is also available during the activation process for older WatchGuard devices and even for eligible competitor’s products

Web Setup Wizard — Online Activation
  • Online Activation is now available in the latter steps of the Setup Wizard
  • To register and download a feature key, supply your LiveSecurity user name and password, and add a friendly name for your device
