What’s New in Fireware XTM v11.4.1


PowerPoint Slideshow about 'What’s New in Fireware XTM v11.4.1' - katy


New Features in Fireware XTM v11.4.1
  • Configuration Files
    • Automatically save a time-stamped backup copy of the configuration file each time you save to a file.
  • Policies
    • Edit SNAT objects from the Policy Manager Policy Properties dialog box.
    • Safe Search enforcement added to the HTTP-Client proxy action.
  • SNMP
    • Additional enterprise MIB support for SNMP.
  • Authentication
    • Prompt to select the default LDAPS port when LDAPS is enabled.
    • Specify which authentication server appears first in the Authentication Portal.
    • Select the users that can connect to the SSO Agent with Telnet.
    • Enable port 4116 on Windows firewall when the SSO Client is installed.

WatchGuard Training

New Features in Fireware XTM v11.4.1
  • Branch Office VPN
    • New gateway endpoint setting to specify whether the device attempts to resolve the domain name in the remote gateway ID.
  • Mobile VPN
    • Mobile VPN with IPSec — support for the Shrew Soft VPN client
    • Mobile VPN with SSL — support for multiple authentication users and groups
  • Application Control
    • Clone an Application Control action in the Web UI.
    • Configure an action for an application category.
    • Apply an Application Control action to several policies at one time.
  • Intrusion Prevention Service (IPS)
    • Enable or disable IPS for several policies at one time

New Features in Fireware XTM v11.4.1
  • Logging and Reporting
    • New policy to open the ports for LogViewer & Report Manager when they are behind a firewall external to your Log Server and Report Server.
  • Firebox System Manager
    • Hide warnings for expired trial periods when a valid license for the feature exists.
    • New Summary section on the FSM Authentication List tab.
  • Centralized Management
    • New Management Groups streamline template management for devices.
  • Fireware XTM Web UI
    • Release or renew a DHCP lease for an external VLAN in the Web UI.

Automatically Create a Configuration File Backup
  • You can configure Policy Manager to automatically save a backup copy of the configuration file each time you save to a file.
    • To enable this option, select File > Save > Always create a backup.
    • The check mark indicates the automatic backup copy feature is enabled.
    • Each time you save the configuration to a file, Policy Manager saves a second copy of the configuration in the same location, with the date and timestamp added to the file name.
    • For example, if you save a configuration file named HQ-XTM1050 on March 30, 2011 at 11:30 AM, Policy Manager saves two files:

HQ-XTM1050.xml

HQ-XTM1050_2011-3-15_11-30-00.xml
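Because every save leaves another dated copy of the firewall configuration on disk, the folder needs an inventory and retention step. The sketch below is an added example, not WatchGuard code: it parses the file-name pattern shown above and orders backups chronologically, since the month and day are unpadded and a plain alphabetical sort puts October before March. The hour width, the sample listing and the function names are assumptions.

```python
import re
from datetime import datetime

# Pattern taken from the slide's example name: <config>_<Y>-<M>-<D>_<HH>-<MM>-<SS>.xml
# Assumption: month, day and hour may be written without a leading zero.
BACKUP_RE = re.compile(
    r"^(?P<base>.+)_(?P<y>\d{4})-(?P<mo>\d{1,2})-(?P<d>\d{1,2})"
    r"_(?P<h>\d{1,2})-(?P<mi>\d{2})-(?P<s>\d{2})\.xml$"
)

def parse_backup(name):
    """Return (base_name, datetime) for a backup file name, or None."""
    m = BACKUP_RE.match(name)
    if not m:
        return None  # the live configuration file, or an unrelated file
    try:
        ts = datetime(*(int(m[k]) for k in ("y", "mo", "d", "h", "mi", "s")))
    except ValueError:  # e.g. month 13: looks like a backup name but is not one
        return None
    return m["base"], ts

def backups_by_config(names):
    """Group backup names per configuration, oldest first."""
    groups = {}
    for name in names:
        parsed = parse_backup(name)
        if parsed:
            base, ts = parsed
            groups.setdefault(base, []).append((ts, name))
    return {base: [n for _, n in sorted(items)] for base, items in groups.items()}

def prune_candidates(names, keep=2):
    """Backups older than the newest `keep` copies of each configuration."""
    out = []
    for ordered in backups_by_config(names).values():
        out.extend(ordered[:-keep] if keep else ordered)
    return sorted(out)

# Constructed directory listing; only the first two names come from the slide.
SAMPLE = [
    "HQ-XTM1050.xml",
    "HQ-XTM1050_2011-3-15_11-30-00.xml",
    "HQ-XTM1050_2011-10-2_09-05-10.xml",
    "HQ-XTM1050_2011-4-1_16-45-00.xml",
    "Branch_Office_2011-4-1_08-00-00.xml",
]

if __name__ == "__main__":
    print(backups_by_config(SAMPLE))
    print("prune:", prune_candidates(SAMPLE, keep=2))
```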

Edit SNAT Action from Policy Properties Dialog Box
  • You can now edit an SNAT action from the Policy Properties dialog box in Policy Manager.
  • Any changes to the SNAT action apply to all policies that use this action.

Enforce Safe Search
  • Safe Search enforcement has been added to the HTTP-Client proxy action for v11.4.1.
  • In web browser search engines, Safe Search enables users to specify what level of potentially inappropriate content can be returned in search results.
  • Safe Search levels vary between search engines. Typical settings are Off, Moderate, and Strict.
  • When you enable Safe Search in the HTTP-Client proxy action, the strictest level of Safe Search rules are enforced regardless of the settings configured in the client search engine settings.

Enforce Safe Search
  • In Policy Manager, in the HTTP-Client Proxy Action Configuration dialog box, select HTTP Request > General Settings and select the Enforce Safe Search check box.
  • In Fireware XTM Web UI, select Firewall > Proxy Actions and select the HTTP-Client proxy action. On the HTTP Request > General Settings page, select the Enforce safe search for major search engines such as Google, Bing, Yahoo and YouTube check box.

Additional MIB Support for SNMP
  • Additional enterprise MIBs are now supported for SNMP.
  • The complete list of enterprise MIBs includes:
    • UCD-SNMP-MIB
    • WATCHGUARD-CLIENT-MIB
    • WATCHGUARD-INFO-SYSTEM-MIB
    • WATCHGUARD-IPSEC-ENDPOINT-PAIR-MIB
    • WATCHGUARD-IPSEC-SA-MON-MIB-EXT
    • WATCHGUARD-IPSEC-TUNNEL-MIB
    • WATCHGUARD-POLICY-MIB
    • WATCHGUARD-PRODUCTS-MIB
    • WATCHGUARD-SMI
    • WATCHGUARD-SYSTEM-CONFIG-MIB
    • WATCHGUARD-SYSTEM-STATISTICS-MIB

Default Port for LDAPS
  • When you enable LDAPS for your Active Directory or LDAP server, if you do not select the default port for LDAPS, you are prompted to change the port to the default port for LDAPS.

Change the Default Authentication Server
  • Specify which of your configured authentication servers appears first in the Authentication Portal authentication server Domain list.

SSO Agent & SSO Client Enhancements
  • SSO Agent Telnet Security
    • Telnet connections to the SSO Agent are now limited to those users who are specified in the SSO Agent Configuration Tool users list.
    • Users must have read/write access to make configuration changes over a telnet connection.
  • SSO Client Port 4116 Open on Windows Firewall
    • To allow traffic to the SSO Client, when the SSO Client is installed, port 4116 is automatically enabled on the Windows firewall of the computer where you install the SSO Client.

Branch Office VPN Enhancements
  • New gateway endpoint setting specifies whether the device attempts to resolve the domain name in the Remote Gateway ID.
  • Select this if the remote gateway uses dynamic DNS to maintain a mapping between a dynamic IP address and a domain name.

Changes to Mobile VPN with IPSec
  • As of April 20th, WatchGuard will no longer distribute the WatchGuard Mobile VPN with IPSec client on the Software Downloads Center.
  • Technical Support will continue to support the existing client
  • With Fireware XTM v11.4.1, we have added support for the Shrew Soft VPN Client
    • Supported on Windows only
    • Download the Shrew Soft VPN Client from the Shrew Soft web site
    • See the product documentation for a list of differences between the WatchGuard IPSec client and the Shrew Soft VPN client

Mobile VPN with IPSec — Shrew Soft VPN Client
  • WatchGuard supports the use of the Shrew Soft VPN client for Windows as a Mobile VPN with IPSec client.
    • Profile for the Shrew Soft VPN client has a .vpn extension.
      • .vpn file is not encrypted and cannot be set to read-only
    • Policy Manager generates the .vpn file when it generates the .wgx and .ini files
    • In the Web UI you can choose to generate a Shrew Soft VPN (.vpn) or WatchGuard Mobile VPN (.ini) configuration file.
    • In the CLI, use the new export muvpn client-type option to export a .vpn file.

Mobile VPN with IPSec — Shrew Soft VPN Client
  • Download and install the Shrew Soft VPN client from http://www.shrew.net/download
    • Use Shrew Soft VPN Access Manager to configure and connect.
      • Select File > Import to import the generated .vpn profile.
      • Select the imported profile, and click Connect.
    • Use Shrew Soft VPN Trace to troubleshoot your connection.

Shrew Soft VPN Client Limitations
  • The Shrew Soft VPN client does not support some Mobile VPN with IPSec configuration settings and features:
    • IKE keep-alive is not supported.
    • Configuration of multiple VPN gateways for multi-WAN failover is not supported.
    • Line management configuration settings Connection mode and Inactivity timeout are not supported.
    • The Dead Peer Detection (DPD) Traffic idle timeout and Max retries configuration settings do not apply to the Shrew Soft VPN client. If DPD is enabled, Shrew Soft VPN supports DPD with a traffic idle timeout value of 15 seconds.
    • RADIUS 2-factor authentication is not supported.
    • The Shrew Soft VPN client does not support a read-only profile.
    • The Shrew Soft VPN client does not store the user name and password. Users must type the user name and password each time they connect.

Mobile VPN with SSL — Add Users and Groups
  • Mobile VPN with SSL now supports multiple users and groups.
    • The default SSLVPN-Users group is required only when you select Firebox-DB.
    • When you add users and groups, the Allow-SSLVPN-Users policy shows the group SSLVPN-Users, with the authentication type in parentheses. This refers to all users and groups in the Mobile VPN with SSL configuration.

Application Control
  • You can clone an Application Control action in the Web UI.
  • You can apply an Application Control action to several policies at one time.
    • Select one or more policies.
    • Select the action to apply.

Application Control
  • You can configure an action (Drop or Allow) for an application category.
    • If new application signatures are added to the category, the configured category action automatically applies to the new applications.
    • Application-specific actions take precedence over category actions.

Intrusion Prevention Service
  • You can enable or disable IPS for several policies at one time.
    • Select one or more policies.
    • Select the action to apply.

Open LogViewer & Report Manager Ports
  • The new WG-LogViewer-ReportMgr packet filter policy opens the ports that enable you to use LogViewer and Report Manager through an XTM device.
  • Opens TCP ports 4121 (LogViewer) and 4122 (Report Manager).
  • Enables remote access from your LogViewer or Report Manager to your Log Server or Report Server.

Hide Expired Service Warnings In FSM
  • Firebox System Manager has a new option to hide warnings for expired Subscription Services.
  • Select View > Hide Expired Service Warnings. Or, right-click anywhere on the Front Panel tab and select Hide Expired Service Warnings.
  • To show the expired service warnings again, select View > Hide Expired Service Warnings.

Management Groups for Template Management
  • WSM Management Groups streamline template management for devices.
  • When you upgrade your Management Server to v11.4.1, a Management Group is automatically created for each of your v11.0–v11.3.x and v11.4 templates.*

* Management Groups are not automatically created for Firebox X Edge v10.x devices that were subscribed to a template.

Management Groups for Template Management
  • Devices that were subscribed to a template in v11.0–v11.3.x, and v11.4 devices that had a template applied to them, are automatically added to the Management Group folder with the same name as the template they were associated with.

Management Groups for Template Management
  • When you create a new template, you can create a corresponding Management Group and add devices that will use that template. This makes it easy to apply updated templates to the devices that use each template.
  • You can add one or more devices to a Management Group and add each device to one or more Management Groups.
  • Each Management Group page shows all the devices included in the group.

Management Groups for Template Management
  • The Device page includes a Management Groups section, which shows the groups the device is a member of.
  • When you make changes to a template, you can apply the template to one or more of the devices in the Management Group for that template.
  • To apply a template to a Management Group, drag the template to the Management Group folder. The Apply Template wizard launches. You can select to apply the template to one or more devices in the folder.

Renew or Release a DHCP Lease
  • Fireware XTM Web UI includes a new option to release or renew a DHCP lease for an external VLAN.
    • Select System Status > Interfaces.
    • Select an external interface with DHCP enabled and click DHCP Release or DHCP Renew.
