What’s New in Fireware XTM v11.4

  1. What’s New in Fireware XTM v11.4

  2. New Features in Fireware XTM v11.4
  • New! Application Control
  • Intrusion Prevention System enhancements
  • Authentication enhancements
    • Support for multiple Active Directory domains
    • Unique identification of each client session on Terminal Server / Citrix server
    • Support for LDAP over SSL (LDAPS)
    • Support for IEEE 802.1X (Extensible Authentication Protocol)
    • Improved interaction between Manual Authentication and SSO
  • Centralized Management enhancements
  • New SNAT actions
  WatchGuard Training

  3. New Features in Fireware XTM v11.4
  • Wireless Security enhancements (rogue access point detection)
  • Wireless network bridge enhancements
  • Logging and Log Server enhancements
  • Reporting and Report Server enhancements
  • Support for A/P FireCluster in Drop-in mode
  • New Global TCP timeout setting
  • Diagnostics and Health Monitoring with USB Diagnostics
  • Improved support for proxy configuration in the Web UI
  • Enhancements to Quick Setup Wizard

  4. Fireware XTM v11.4 — Device Compatibility
  • Fireware XTM v11.4 is compatible with all XTM device models
    • XTM 2 Series
    • XTM 5 Series
    • XTM 8 Series
    • XTM 1050
  • Fireware XTM v11.4 is not compatible with Firebox X e-Series device models

  5. New! Application Control

  6. Application Control — Overview
  • Overall Design
    • You can now allow or deny access to hundreds of applications
      • Social Network Apps, IM/P2P, Games, Streaming Media, Business Apps, etc.
    • Application Control is an action applied to firewall policies
    • All firewall policy types are supported
      • Packet Filters and Proxy policies, Mobile VPN, and Branch Office VPN
    • Hierarchical relationship of categories, applications, behaviors
      • Category
      • Application
      • Behavior
  • Design Controls
    • Application identification takes a maximum of 7 packets
    • Policy-based NAT executes on the first packet
    • Policy-based routing executes on the first packet

  7. Application Control — Use Cases
  • Use cases by application/behavior
    • By application — Block Skype for all
    • By application behavior — Block MSN file transfer for all
  • Use cases by IP address/user/group
    • User or group — Block P2P for Marketing
    • Host or network — Block BitTorrent for 10.0.0.0/24
  • Combinations of IP address/user/group and applications/behaviors
  • Use policy schedules to allow different applications at different times
  • All standard policy features are available: Scheduling, QoS, Traffic Management, NAT, etc.

  8. Application Control — Signatures
  • Automated updates
    • Two signature sets: XTM2 and XTM5/8/10
    • More applications are available for XTM 5/8/10 Series than for XTM 2 Series
    • One file is downloaded for both Application Control and IPS
    • Metadata is extracted from the file when downloaded
  • Signatures are abstracted for Application Control
    • Applications are mapped to signatures
    • Mapping is not 1-1
    • Example: Application Skype is mapped to four underlying signatures:
      • CHAT Skype login on TCP -1
      • CHAT Skype login on TCP -3
      • CHAT Skype login on TCP -2
      • CHAT Skype login on SSL -1
    • Management software shows the abstraction:
      • Skype

  9. Application Control — Behaviors
  • Seven possible behaviors:
    • Authority — Login
    • Access — Known command to access server or peer
    • Communicate — Communication with server or peer (chat)
    • Connect — Unknown command (P2P connect to peer)
    • Game — Games
    • Media — Audio and Video
    • Transfer — File Transfer
  • Not all applications exhibit all behaviors

  10. Application Control – Configuration Overview
  • You can now block traffic flows based on the application in use
  • Signature-based; ability to identify hundreds of applications
  • Application Control is a Subscription Service
  • Specify Application Control actions per policy

  11. Add an Application Control Action
  • Use the Subscription Services menu in Policy Manager to add and edit Application Control actions, and configure signature update settings
  • Configure the Global Application Control action to use in policies, or create new Application Control actions
  • Signature update settings

  12. Add an Application Control Action
  • Add a new action
  • Select the applications to control
  • Select Allow or Drop for each application you select
    • Drop — Blocks applications
    • Allow — Allows applications

  13. Find an Application
  • Use the Search text box to quickly find an application by name
  • Select a Category to see the applications in that category

  14. Application Control — Configuration
  • The Application Control action specifies what to do when an application does not match the configured applications:
    • Use the Global action
    • Allow the connection
    • Drop the connection

  15. Application Control — The Global Action
  • When a traffic flow does not match another Application Control action, you can use the Global action as a fall-through
  • By default the Global action has no applications to identify
  • You can edit the Global action to add applications to identify
  • The Global action has its own fall-through
    • Allow the connection
    • Drop the connection
  • Or, apply the Global action to any of your policies

  16. Application Control — Policy Configuration
  • New Enable Application Control drop-down list and action selector on the Policy tab
  • IPS and Proxy Actions also moved to the Policy tab
  • Lets you configure Application Control policy-by-policy
  • Not necessary to use proxies for this

  17. Application Control — Security Portal Web Page
  • Application Control web page:
    • http://www.watchguard.com/SecurityPortal/AppDB.aspx
  • Read descriptions of all Applications and Behaviors
    • Applications
    • Behaviors
    • Explanation

  18. Application Control Web Page — Search for an Application

  19. Application Control Web Page — Search for an Application

  20. Application Control — Decision Tree
  • Start: traffic goes through a policy that has Application Control enabled
  • Did the inspection engine identify an application listed in the user-defined action?
    • Yes: is the rule for this application Allow or Drop?
      • Allow: allow the connection
      • Drop: drop the connection
    • No: is this a user-defined Application Control action or the Global action?
      • User-defined action whose “Application not matched” rule is “Use Global”: did the inspection engine identify an application listed in the Global action?
        • Yes: is the rule for this application Allow or Drop? Allow or drop the connection accordingly
        • No: is the “Application not matched” rule set to Allow or Drop? Allow or drop the connection accordingly
      • Global action: the “Application not matched” rule is Allow or Drop; allow or drop the connection accordingly
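The decision tree above, written out as an added Python example (not WatchGuard code): a user-defined action is checked first, a "Use Global" fall-through hands the connection to the Global action's own list and then its Allow/Drop rule, and the Global action applied directly to a policy has only Allow or Drop as its fall-through. The action names and application lists below are constructed sample configuration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

ALLOW, DROP, USE_GLOBAL = "Allow", "Drop", "Use Global"


@dataclass
class AppControlAction:
    """One Application Control action: per-application rules plus the
    "Application not matched" fall-through (Allow, Drop, or Use Global)."""
    name: str
    rules: Dict[str, str] = field(default_factory=dict)   # app name -> Allow/Drop
    not_matched: str = USE_GLOBAL


def apply_app_control(identified_app: Optional[str], action: AppControlAction,
                      global_action: AppControlAction) -> str:
    """Walk the decision tree for one connection. identified_app is None when the
    inspection engine identified no application within its packet budget."""
    if global_action.not_matched == USE_GLOBAL:
        raise ValueError("the Global action's own fall-through must be Allow or Drop")
    # 1. Is the identified application listed in the action applied to this policy?
    if identified_app in action.rules:
        return action.rules[identified_app]
    # 2. Not listed: a user-defined action set to "Use Global" falls through to the
    #    Global action, which first checks its own application list ...
    if action is not global_action and action.not_matched == USE_GLOBAL:
        if identified_app in global_action.rules:
            return global_action.rules[identified_app]
        # ... and then applies its own "Application not matched" rule (Allow/Drop only)
        return global_action.not_matched
    # 3. A user-defined action with an explicit Allow/Drop fall-through, or the Global
    #    action applied directly to the policy: its "not matched" rule decides
    return action.not_matched


# Constructed sample configuration, not taken from a real device
GLOBAL = AppControlAction("Global", {"BitTorrent": DROP}, not_matched=ALLOW)
MARKETING = AppControlAction("Marketing", {"Skype": DROP, "Facebook Web IM": ALLOW})
STRICT = AppControlAction("Strict", {"Skype": ALLOW}, not_matched=DROP)

if __name__ == "__main__":
    for app, act in [("Skype", MARKETING), ("BitTorrent", MARKETING), ("MSN", MARKETING),
                     ("MSN", STRICT), (None, GLOBAL)]:
        print(f"{act.name:10} {app!s:16} -> {apply_app_control(app, act, GLOBAL)}")
```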

  21. Application Control — Logs
  • Traffic logs contain application identification information
  • Enable logging in the policy to monitor application usage
  • The XTM device always identifies and logs traffic denied due to an Application Control action
  • Information about applications that are not blocked is sent to the log file only if logging is enabled in the policy that has Application Control enabled
  • Only one FWAllow or FWDeny message per connection
  • Application and category are added to the traffic log
  • Sample log message:
    Application identified app_name="Facebook Web IM" app_cat_name="Web IM" app_id="15" app_cat_id="15" app_beh_id="2" app_beh_name="communicate"

  22. Application Control — Reports
  • Application Control
    • Application Usage Summary
    • Blocked Application Summary
  • Client Reports
    • Top Clients by Application Usage
    • Top Clients by Blocked Applications
    • Top Clients by Blocked Categories
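An added Python example (not WatchGuard code) that ties slides 21 and 22 together: it parses the key="value" Application Control fields from traffic log lines and builds the usage, blocked-application and top-client tallies the reports are based on. The log lines are constructed for the example; the FWAllow/FWDeny token and the `src_ip`/`dst_ip` fields are assumed positions, and only the `app_*` fields follow the format the slide shows.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample traffic log lines (not captured from a device). Each line carries the
# disposition (FWAllow/FWDeny), a src_ip field, and the Application Control fields from slide 21.
SAMPLE_LOG = """\
FWAllow src_ip="10.0.0.12" dst_ip="203.0.113.5" Application identified app_name="Facebook Web IM" app_cat_name="Web IM" app_id="15" app_cat_id="15" app_beh_id="2" app_beh_name="communicate"
FWDeny src_ip="10.0.0.12" dst_ip="198.51.100.7" Application identified app_name="Skype" app_cat_name="IM/P2P" app_id="9001" app_cat_id="90" app_beh_id="1" app_beh_name="authority"
FWDeny src_ip="10.0.0.40" dst_ip="198.51.100.9" Application identified app_name="BitTorrent" app_cat_name="IM/P2P" app_id="9002" app_cat_id="90" app_beh_id="4" app_beh_name="connect"
FWAllow src_ip="10.0.0.40" dst_ip="203.0.113.5" Application identified app_name="Facebook Web IM" app_cat_name="Web IM" app_id="15" app_cat_id="15" app_beh_id="2" app_beh_name="communicate"
FWDeny src_ip="10.0.0.40" dst_ip="198.51.100.7" Application identified app_name="Skype" app_cat_name="IM/P2P" app_id="9001" app_cat_id="90" app_beh_id="1" app_beh_name="authority"
FWAllow src_ip="10.0.0.77" dst_ip="203.0.113.20" Allowed by policy HTTP-proxy
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')   # key="value" pairs as in the sample message


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one Application Control log message, or None for other traffic logs."""
    if "Application identified" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    fields["disposition"] = line.split(None, 1)[0]   # FWAllow or FWDeny, one per connection
    return fields


def summarize(log_text: str) -> Dict[str, Counter]:
    """Build the report tallies from slide 22: application usage, blocked applications,
    top clients by usage, and (client, category) pairs behind blocked connections."""
    usage, blocked, clients, blocked_cats = Counter(), Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        usage[f["app_name"]] += 1
        clients[f["src_ip"]] += 1
        if f["disposition"] == "FWDeny":
            blocked[f["app_name"]] += 1
            blocked_cats[(f["src_ip"], f["app_cat_name"])] += 1
    return {"usage": usage, "blocked": blocked, "clients": clients, "blocked_categories": blocked_cats}


if __name__ == "__main__":
    for name, counter in summarize(SAMPLE_LOG).items():
        print(name, counter.most_common(3))
```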

  23. Application Control — Reports
  • Application Usage

  24. Application Control — Reports
  • Blocked Applications

  25. Application Control — Reports
  • Top Clients

  26. Application Control — Upgrade
  • Application Blocker, as it is known in Fireware XTM v11.3.x and previous versions, is not available after you upgrade to v11.4
  • The new Application Control is a Subscription Service
    • Comes with the UTM Bundle but can be purchased separately
    • If a customer does not purchase Application Control, Application Control is not available (and Application Blocker is not available in v11.4)
  • Customers must synchronize feature keys
    • If the customer has the UTM Bundle, the new feature key includes Application Control

  27. Intrusion Prevention System Enhancements

  28. Intrusion Prevention Enhancements — Overview
  • Intrusion Prevention is now a global setting
    • Actions for different threat levels are set globally
    • Applies equally to any policy that has IPS enabled
  • You can enable IPS per policy
    • No longer configured only in Proxy Actions
    • Apply Intrusion Prevention to packet filter or proxy policies
  • Simpler configuration
    • Only five threat levels instead of 100

  29. Intrusion Prevention Enhancements — Configuration
  • Configure in Policy Manager: Subscription Services > Intrusion Prevention
  • Actions to take:
    • Allow — Allows the connection
    • Drop — Denies the specific request and drops the connection. Does not send a response to the sender. The XTM device sends only a TCP reset packet to the client.
    • Block — Denies the request, drops the connection, and adds the site to the auto-blocked list for the configured duration.

  30. Intrusion Prevention Enhancements — Disable Per Policy
  • Intrusion Prevention dialog box, Policies tab:
    • Lists all firewall policies and whether IPS is disabled for each one
    • Lets you enable IPS per policy
  • Policy Properties dialog box: enable IPS for a single policy on the Policy tab

  31. Intrusion Prevention Service — Conversion from v11.3.x
  • If IPS is not enabled in the pre-v11.4 configuration file, Global IPS is not enabled in the converted v11.4 configuration file
  • If IPS is enabled in a policy in the pre-v11.4 configuration file, Global IPS is enabled in the v11.4 configuration file
    • If a proxy policy from the pre-v11.4 configuration file has IPS enabled, that policy will have IPS enabled in the converted configuration file
    • All other policies have IPS disabled in the v11.4 configuration file
  • Threat levels set to default
    • Allow for the Information (lowest threat) level (do not log)
    • Drop for all higher threat levels (and log)
  • IPS signature exceptions are removed

  32. IPS — Security Portal Web Page
  • IPS web page: http://www.watchguard.com/SecurityPortal/ThreatDB.aspx
  • Read descriptions of all IPS signatures
  • Hyperlinks to reference sources (where available)
    • mitre.org CVE web page
    • NIST web page
    • Securityfocus.com (Bugtraq) web page
    • Secunia Advisory page
    • Snort page

  33. IPS Web Page — Search by Rule ID or Name

  34. IPS Web Page — CVE, Secunia, Bugtraq, Snort, and Other References

  35. IPS — More Information in the Web UI
  • Fireware XTM Web UI also has information on signatures
  • Subscription Services > IPS > Signatures tab: double-click a signature to get information

  36. IPS — More Information in the Web UI

  37. IPS — Look Up Signature Information in FSM
  • To go to the SecurityPortal web site, right-click an entry in Traffic Monitor that indicates an IPS signature was triggered

  38. Authentication Enhancements

  39. Authentication Enhancements: Multiple Active Directory Domains

  40. Multiple Active Directory Domains — Overview
  • You can now specify multiple Active Directory domains
  • Filter your policies by user or group specific to each domain
  • Specify the domain to use for Mobile VPN authentication
  • Click Add to add an Active Directory domain

  41. Add Active Directory Domains
  • Specify the DNS name or IP address for the authentication server
  • Specify the port
  • Specify whether to use LDAPS

  42. Add Users from Active Directory Domains
  • Select the authentication server when you add the user or group

  43. Manual Authentication
  • Select the domain to use when you authenticate to the authentication portal over port 4100

  44. Conversion from pre-v11.4 Configuration
  • Conversion looks at the Search Base of the existing Active Directory settings
  • The converted configuration has an Active Directory object named for the dc= portions of the Search Base
  • Example:
    • Search Base for Active Directory in the pre-v11.4 configuration is: ou=corporate users and groups,dc=toronto,dc=company,dc=net
    • Active Directory domain in v11.4 is named toronto.company.net

  45. Authentication Enhancements: LDAP over SSL

  46. LDAP over SSL for Active Directory, LDAP
  • Standard LDAPS port is 636
  • For Active Directory Global Catalog queries, the SSL port is 3269
  • Validate the server certificate to prevent man-in-the-middle attacks

  47. LDAP over SSL for Active Directory, LDAP
  • Validate the server certificate to prevent man-in-the-middle attacks
  • To validate the server certificate:
    • Import the CA certificate from the CA that issued the AD/LDAP server’s SSL certificate
      • Use FSM to import the CA certificate
      • Use purpose IPSec, Web Server, Other
    • When you add the AD or LDAP server to Policy Manager, make sure to enter the address (IP address or DNS name) correctly so that it matches the server’s certificate
  • To validate the certificate, Fireware XTM checks whether the configured server address (IP address or DNS name) matches one of these items in the server’s certificate:
    • Common Name in the Subject field
    • DNS Name in the Subject Alternative Name field
    • IP Address in the Subject Alternative Name field
  • If there is no match, certificate validation fails
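The three name checks from the slide, as an added Python example (not Fireware code): the configured server address is compared against the Subject Common Name, the SAN DNS names and the SAN IP addresses, and anything else fails. The certificate is a constructed dict in the shape Python's `ssl.getpeercert()` returns; `dc01` and the 10.1.2.3 address are made up, and exact matching (no wildcards) is assumed because that is all the slide describes.

```python
import ipaddress
from typing import Any, Dict, List, Optional, Tuple

# Constructed LDAPS server certificate in the nested-tuple form that ssl.getpeercert()
# produces; only the fields the validation step looks at are filled in.
LDAPS_SERVER_CERT: Dict[str, Any] = {
    "subject": ((("countryName", "CA"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "dc01.toronto.company.net"),)),
    "subjectAltName": (("DNS", "dc01.toronto.company.net"),
                       ("DNS", "ldap.toronto.company.net"),
                       ("IP Address", "10.1.2.3")),
}


def _subject_common_names(cert: Dict[str, Any]) -> List[str]:
    """Collect every commonName attribute from the Subject field."""
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def _as_ip(text: str) -> Optional[ipaddress._BaseAddress]:
    """Parse an IPv4/IPv6 literal (IPv6 may be bracketed); None if it is a host name."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def configured_address_matches(cert: Dict[str, Any], configured_address: str) -> Tuple[bool, str]:
    """Return (matched, reason) for the address entered in Policy Manager."""
    ip = _as_ip(configured_address)
    name = configured_address.lower().rstrip(".")   # DNS names compare case-insensitively
    # Check 1: Common Name in the Subject field (a CN may hold a host name or an IP literal)
    for cn in _subject_common_names(cert):
        if cn.lower().rstrip(".") == name or (ip is not None and _as_ip(cn) == ip):
            return True, "matched Common Name in Subject"
    # Checks 2 and 3: DNS Name and IP Address entries in Subject Alternative Name
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and value.lower().rstrip(".") == name:
            return True, "matched DNS Name in Subject Alternative Name"
        if kind == "IP Address" and ip is not None and _as_ip(value) == ip:
            return True, "matched IP Address in Subject Alternative Name"
    return False, "no match: certificate validation fails"


if __name__ == "__main__":
    for addr in ("ldap.toronto.company.net", "10.1.2.3", "10.1.2.4", "toronto.company.net"):
        print(addr, "->", configured_address_matches(LDAPS_SERVER_CERT, addr))
```

Entering the domain name toronto.company.net as the server address fails even though the certificate belongs to a controller in that domain, which is the misconfiguration the slide's "make sure to indicate the address correctly" bullet warns about.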

  48. Authentication Enhancements: Multiple Active Directory Domains for Single Sign-On

  49. Multiple Active Directory Domains for Single Sign-On
  • Requires a new SSO Agent install
  • After the new SSO Agent is installed, use the new SSO Configuration Tool to add Active Directory servers for the agent to query
    • The SSO Configuration Tool executable is installed by default in this directory: \Program Files\WatchGuard\WatchGuard Authentication Gateway
    • The SSO Configuration Tool enables the SSO admin to add users to perform SSO functions
  • In a multi-domain SSO environment, you must install the SSO Client software on all client computers that can use SSO
    • In single-domain SSO, SSO Client software is still optional
    • SSO Client software is highly recommended in single-domain environments for accuracy of SSO information

  50. SSO Agent User Interface
  • Two default accounts:
    • admin / readwrite
    • status / readonly
  • Configuration tools
