What’s New in Fireware XTM 11.7 - PowerPoint PPT Presentation

what s new in fireware xtm 11 7 n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
What’s New in Fireware XTM 11.7 PowerPoint Presentation
Download Presentation
What’s New in Fireware XTM 11.7

play fullscreen
1 / 105
What’s New in Fireware XTM 11.7
250 Views
Download Presentation
yovela
Download Presentation

What’s New in Fireware XTM 11.7

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. What’s New inFireware XTM 11.7

  2. New Features in Fireware XTM v11.7 • Networking • IPv6 • Additional external interfaces • DHCP options • Dynamic NAT — Configurable source IP address • Serial modem failover on XTM 5 Series and XTM 330 • Branch office VPN modem failover • Wireless hotspot external guest authentication • Link aggregation • Mobile VPN • Mobile VPN with L2TP • Mobile VPN apps for Android and iOS • Mobile VPN with SSL client changes WatchGuard Training

  3. New Features in Fireware XTM v11.7 • System • FireCluster • Wireless XTM devices • Hardware health monitoring for failover • Save TCP dump data to a PCAP file — FSM & Web UI • Automatic feature key synchronization • Authentication • Configure authentication login limits per user or group • Policies • Policy tags and filters • Sort policies by column in manual order mode WatchGuard Training

  4. New Features in Fireware XTM v11.7 • Management • Report Server enforces the Maximum database size setting • CA Manager in WatchGuard WebCenter • Updated UI for management of quarantined messages by recipients • 1-to-1 NAT for managed VPN tunnels • Centralized Management for XTM devices behind NAT gateways • Windows 8 and Server 2012 support • Services • Intrusion Prevention Service (IPS) scan modes • IPS and Application Control for HTTPS • WebBlocker with Websense Cloud WatchGuard Training

  5. Networking

  6. IPv6 Functionality • Fireware XTM v11.6.x supported: • IPv6 interface addresses in mixed routing mode • IPv6 management connections to the Web UI or CLI • IPv6 DNS servers • IPv6 static routes • IPv6 diagnostic logging • Fireware XTM v11.7 adds support for: • IPv6 addresses in packet filter policies • MAC access control for both IPv6 and IPv4 traffic • Inspection of IPv6 traffic received and sent by the same interface • IPv6 addresses in blocked sites and exceptions • Blocked ports configuration applies to IPv6 traffic • TCP SYN checking setting applies to IPv6 traffic • All other networking and security features do not yet support IPv6 traffic • WatchGuard IPv6 roadmap: http://www.watchguard.com/ipv6/index.asp WatchGuard Training

  7. IPv6 Refresher • WatchGuard IPv6 — http://www.watchguard.com/ipv6/index.asp • Hype or Reality — Video and PPT • Security Implications — Video and PPT • What to Expect — Video and PPT • IPv6 is manageable • Subnetting IPv4 /8 ~ IPv6 /48 (If you impose a false minimum of a /24 on IPv4) Network Prefix Interface ID 2561:1900:4545:0003:0200:F8FF:FE21:67CF 16-bits 16-bits 10.0.0.254 WatchGuard Training

  8. IPv6 in 11.5.x and 11.6.x • Static configuration of IPv6 addresses and DNS • Router Advertisement for stateless address auto-configuration on Trusted or Optional interfaces • Address auto-configuration on External interfaces • Static routes WatchGuard Training

  9. IPv6 Functionality — Blocked Sites • Blocked Sites list and Blocked Sites Exceptions now support IPv6 addresses • Blocked site and blocked site exception types are: • Host IPv4 • Network IPv4 • Host Range IPv4 • Host IPv6 • Network IPv6 • Host Range IPv6 • Host Name (DNS lookup) • Auto-blocked sites can also include IPv6 addresses WatchGuard Training

  10. IPv6 Functionality — Packet Filter Policies • Packet filter policies now support IPv6 traffic WatchGuard Training

  11. Additional External Interfaces • You can now configure more than four interfaces as external interfaces • Previously, the maximum number of external interfaces was four WatchGuard Training

  12. DHCP Options for VoIP • There are two new settings for DHCP options. Many VoIP phones use these DHCP options to download the boot configuration. • The new settings are: • TFTP Server IP — The IP address of the TFTP server where the DHCP client can download the boot configuration. This corresponds to these DHCP options: • Option 66 (TFTP server name) • Option 150 (TFTP server IP address) • TFTP Boot Filename — The name of the boot file. This corresponds to this DHCP option: • Option 67 (boot file name) • Option 66 and 67 are described in RFC 2132. • Option 150 is used by Cisco IP phones. WatchGuard Training

  13. DHCP Options for VoIP • To configure the DHCP options: • Edit a trusted or optional interface • Select Use DHCP Server • Click DHCP Options • Type the TFTP Server IP andTFTP Boot Filename required by your VoIP phones WatchGuard Training

  14. Network Dynamic NAT — Set Source IP Address • When you configure a new dynamic NAT rule, you can specify the source IP addressto use for traffic that matches that rule. • The XTM device changes the source IP address for packets that match this rule to the source IP address you specify. • The source IP address must be on the same subnet as the primary or secondary IP address of the interface specified as the To location. WatchGuard Training

  15. Network Dynamic NAT — Set Source IP Address • Previously, you could set the source IP address only in the dynamic NAT settings in a policy. • If you do not set the source IP address, or if the source IP address is not on the same subnet as the outgoing interface, dynamic NAT changes the source IP address to the IP address of the interface from which the packet is sent. WatchGuard Training

  16. Serial Modem Failover on XTM 330 and XTM 5 Series • Serial modem failover is supported for XTM 2, 3, and 5 Series devices. • Previously, modem failover was supported for XTM 2 Series and XTM 33 only. • This release adds modem support for XTM 330 and all 5 Series devices. • The Network > Modem option is now available for XTM 2, 3, and 5 Series devices. WatchGuard Training

  17. Branch Office VPN Modem Failover • Branch Office VPN can use a modem for failover if modem failover is enabled for the device. • To configure a VPN gateway for modem failover: • Enable modem failover in Network > Modem. • Configure the local gatewayendpoint to use a domain name ID for tunnel authentication. • Select the Use modem for failover check box. • If the device has multipleexternal interfaces: • You must add a gateway endpoint for each physical external interface. • The local gateway ID for each external interface must be unique. WatchGuard Training

  18. Branch Office VPN Modem Failover • When failover occurs: • If all external interfaces are down, the XTM device starts a serial modem connection between the two sites. • The XTM device initiates a VPN connection over the modem connection. • The XTM device uses the first local gateway ID configured for the external interface as the local gateway ID for the modem connection. • Because the device with modem failover enabled uses an ID for tunnel authentication, the device with the modem must initiate the VPN connection. • This means that you cannot enable modem failover for both gateway endpoints for the same branch office VPN tunnel. WatchGuard Training

  19. Hotspot External Guest Authentication • When you enable a hotspot on the Wireless Guest network, you can now select the Hotspot Type: • Custom Page — This is the hotspot splash screen on the XTM device. It presents the hotspot user with terms and conditions they must agree to before they can use the hotspot. • External Guest Authentication — This new option allows you to redirect new hotspot users to an external web server for user authentication. • The Authentication URL andAuthentication Failure URLvalues are pages on an external web server. • The Shared Secret is usedto validate responses from the web server. WatchGuard Training

  20. Hotspot External Guest Authentication • When you set the hotspot type to External Guest Authentication, you must provide this information : • The Authentication URL on your external web server of a page that does hotspot user authentication or collects other information. • The Authentication Failure URL on your external web server of a page to redirect users to if external guest authentication fails. • A Shared secret that is used to validate the access response from the external web server. • You must configure the external web server to: • Accept an access request from the XTM device. • Authenticate the user (or perform any other function that you want to use as a criteria for hotspot access.) • Provide an access decision to the XTM device. • All communication between the XTM device and the external web server occurs in the form of URL query strings sent through the hotspot client browser. WatchGuard Training

  21. Hotspot External Guest Authentication Interaction workflow: • A wireless hotspot user tries to browse to a web page. • If this is a new hotspot user, the XTM device sends the browser a redirect to the Authentication URL on the external web server.This URL includes a query string that contains the access request. • The browser sends the access request to the external web server. • The external web server sends the Authentication page to the browser • The hotspot user types the requested information and submits the form to the external web server. • The external web server processes the authentication information and sends an HTML page to the browser. • The browser sends the access decision to the XTM device.This URL contains a query string that contains the access decision, a checksum, and a redirect URL. • The XTM device reads the access decision, verifies the checksum, and sends a redirect URL to the hotspot user's browser.Based on the outcome of the external authentication process, the redirect URL can be: • The original URL the user browsed to • A different redirect URL, if specified by the external web server • The authentication failure URL, if authentication failed or access was denied. WatchGuard Training

  22. Link Aggregation • New Network Configuration tab WatchGuard Training

  23. Link Aggregation — Configure Virtual Interface • Select the Link Aggregation (LA) Mode: • Static • The same physical interface is always used for traffic between a given source and destination based on source/destination MAC address and source/destination IP address • Dynamic (802.3ad) • The physical interface used for traffic between any source and destination is selected based on Link Aggregation Control Protocol  • Active-backup • One member interface in the link aggregation group is active at a time, other member interfaces in the link aggregation group become active only if the active interface fails WatchGuard Training

  24. Link Aggregation — Configure Virtual Interface • Select LA interface Type: • Trusted • Optional • External • Bridge • VLAN WatchGuard Training

  25. Link Aggregation — Configure Virtual Interface • Select the Link Speed and Maximum Transmission Unit (MTU) on the Advanced tab • The member physical interfaces of an LA group support the same link speed WatchGuard Training

  26. Link Aggregation — Assign Physical Interfaces WatchGuard Training

  27. Link Aggregation — FSM WatchGuard Training

  28. Link Aggregation — FireCluster • Only Active/Passive is supported WatchGuard Training

  29. Link Aggregation — FireCluster • You can select a LA interface as the FireCluster Management Interface WatchGuard Training

  30. Link Aggregation — FireCluster • Monitored link includes only virtual interface and not member interfaces WatchGuard Training

  31. Link Aggregation — FireCluster • FSM Cluster View WatchGuard Training

  32. Link Aggregation — FireCluster • When you configure Link Aggregation for an existing FireCluster, only Active/Passive mode is supported. • Break the FireCluster. • Configure the Link Aggregation settings — This is important because of the changes in the MAC Address on the LA Virtual Interface. • Rebuild the Active/Passive FireCluster. WatchGuard Training

  33. Mobile VPN

  34. Mobile VPN with L2TP • Supports L2TP connections from VPN clients native to many operating systems such as Windows, Mac OS, Linux, Android, and iOS. • L2TP is a more secure alternative to PPTP. • More robust than PPTP because the data is encapsulated in IPSec • Uses Aggressive Mode to connect remote clients to the firewall (like Mobile VPN with IPSec) • Supported authentication methods: • Firebox-DB local authentication • RADIUS • Mobile VPN with L2TP supports multiple authentication methods (like Mobile VPN with SSL) • Can enable more than one authentication method • If the primary method fails, you can connect with another authentication method (such as Firebox-DB) WatchGuard Training

  35. Mobile VPN with L2TP • Mobile VPN with L2TP appears with the other Mobile VPN options. • Select VPN > Mobile VPN > L2TP. • Select Activate to start the L2TP Setup Wizard. • Select Configure to edit the configuration. WatchGuard Training

  36. Mobile VPN with L2TP • Run the WatchGuard L2TP Setup Wizard to simplify L2TP configuration. • Select the authentication server. WatchGuard Training

  37. Mobile VPN with L2TP • As with Mobile VPN with SSL, you can define your own group in your server, locally, or use the default group, L2TP-Users. • You can specify the allowed resources. • Allow access to all resources • Restrict access to specific IP addresses or subnets WatchGuard Training

  38. Mobile VPN with L2TP • Specify the virtual IP address pool range for the clients. • If you use a subnet within your Trusted or Optional networks, make sure this range is not used in an existing DHCP pool. • Select the pre-shared key or certificate to use for IPSec negotiation. WatchGuard Training

  39. Mobile VPN with L2TP • When you enable Mobile VPN with L2TP, two new policies are created automatically: • WatchGuard L2TP — Enables port UDP1701 for L2TP • Allow L2TP-Users — Enables L2TP group members to connect to firewall resources WatchGuard Training

  40. Mobile VPN with L2TP • To edit the configuration, select VPN > Mobile VPN > L2TP > Configure. WatchGuard Training

  41. Mobile VPN Apps for Android and iOS • WatchGuard Mobile VPN App for Android • Free app available from the Google Play app store • Supported on mobile devices that use Android 4.0.x and 4.1.x • Uses a .wgm Mobile VPN with IPSec configuration profile to configure an IPSec VPN connection in the WatchGuard Mobile VPN app • An IPSec VPN client you can use instead of the native VPN client • Does not support L2TP • WatchGuard Mobile VPN App for iOS • Free app available from the Apple app store • Supported on mobile devices that use iOS 5.x and 6.x • Uses a .wgm configuration profile to configure an IPSec or L2TP VPN connection in the native iOS VPN client • Not a VPN client — Creates an L2TP or IPSec VPN connection in the native iOS VPN client, with the correct settings to connect to the XTM device WatchGuard Training

  42. Generate a .wgm File — Mobile VPN with IPSec • For Mobile VPN with IPSec, the .wgm file is generated (with the .ini, .wgx, and .vpn files) when you select a profile and click Generate. • The file name is <groupname>.wgm • The.wgm file for IPSec can be used withthe WatchGuard Mobile VPN apps for Android and iOS WatchGuard Training

  43. Generate a .wgm File — Mobile VPN with L2TP • Generate an L2TP configuration file to send to mobile users of an iOS device. • Select VPN > Mobile VPN > L2TP > Mobile clients • Type a Profile Name (default is L2TP) • Type the IP address of the external interface to connect to • Type and confirm an encryption password for the .wgm file • The file name is <profile name>.wgm • The .wgm file for L2TP can be usedonly with the Mobile VPN app for iOS. WatchGuard Training

  44. Use a .wgm File to Configure an iOS Device • Send the .wgm file to the iOS users as an email attachment. • Use a secure method to give the encryption password to the users. • For Mobile VPN with IPSec, the encryption password is the tunnel passphrase. • For Mobile VPN with L2TP, the encryption password is the password you set when you generated the configuration profile. • On the iOS device, users must: • Install the free WatchGuard Mobile VPN app from the Apple app store. • Open the email that contains the .wgm file attachment. • Open the .wgm file attachment.The WatchGuard Mobile VPN app launches. • Type the passphrase from the administrator to decrypt the file.The WatchGuard Mobile VPN app imports the configuration and creates an IPSec or L2TP VPN configuration profile in the iOS VPN client. • To start the VPN connection, click the VPN switch in the iOS Settings list. When the connection is established, the VPN icon appears in the status bar. WatchGuard Training

  45. Use a .wgm File to Configure an Android Device • Send the .wgm file to the Android users as an email attachment. • Use a secure method to give the tunnel passphrase to the users. • For Mobile VPN with IPSec, the encryption password is the tunnel passphrase. • On the Android device, users must: • Install the free WatchGuard Mobile VPN app from the Google Play app store. • Open the email that contains the .wgm file attachment. • Open the .wgm file attachment.The WatchGuard Mobile VPN app launches. • Type the passphrase from the administrator to decrypt the file.The WatchGuard Mobile VPN app imports the configuration and creates an IPSec VPN configuration profile in the WatchGuard VPN app. • Click the VPN connection profile in the WatchGuard Mobile VPN app to start the VPN connection. WatchGuard Training

  46. Mobile VPN with SSL Client • The Remember connection details check box in the Mobile VPN with SSL clients for both Mac and Windows, enables the client to remember the Server, Username, and Password settings. SSL VPN client for Windows SSL VPN client for Mac WatchGuard Training

  47. System

  48. FireCluster on Wireless Devices • FireCluster is now supported on XTM 25-W, 26-W, and 33-W devices. • When wireless is enabled, you can configure FireCluster only in active/passive mode. • When you enable FireCluster for wireless XTM devices, the configuration must meet these requirements: • The XTM device must be configured as a wireless access point. FireCluster is not supported when wireless is enabled as an external interface. • The FireCluster Interface for management IP address cannot be an interface that is bridged to a wireless network. • The FireCluster primary cluster interface and backup cluster interface cannot be interfaces that are bridged to a wireless network. • All other FireCluster requirements and restrictions also apply to wireless devices. WatchGuard Training

  49. FireCluster Failover Based on Health Indexes • Each cluster member has a Weighted Average Index (WAI) that indicates the health of the device. • The Cluster Health section of the Firebox System Manager Status Report shows these health index values for each cluster member: • System Health Index (SHI) — Health of monitored processes. • Hardware Health Index (HHI) — Health status of hardware. • Monitored Ports Health Index (MPHI) — Status of monitored ports. • Weighted Average Index (WAI) — This index is used to compare the overall health of two cluster members. • By default, the WAI for a cluster member is a weighted average of the SHI and MPHI for that device. HHI is not use in the calculation of WAI unless you enable it. • WAI can be a range from 0–100. A WAI of 100 indicates no issues. • The cluster master fails over if the WAI of the cluster master is lower than the WAI of the backup master. WatchGuard Training

  50. Hardware Health Index (HHI) • The Hardware Health Index (HHI) indicates the status of critical hardware components. • If no hardware failures are detected, the HHI value is 100. • If a critical monitored hardware component fails, the HHI value is zero. • The HHI is based on the status of: • CPU and system fan speeds • CPU and system temperatures • System voltages • Cryptographic chip • Power supply (XTM 1050 and XTM 2050) • Hard disk (XTM 2050) WatchGuard Training