What’s New in Fireware XTM v11.8
WatchGuard Training
What’s New in XTM 11.8
• Proxies and Services
  – DLP (Data Loss Prevention)
  – YouTube for Schools
• WatchGuard AP Enhancements
• Authentication
  – Indirect LDAP Query Support
  – SSO with the new Exchange Monitor
  – SSO Port Tester
• Enhanced Support for IPv6
• Updated Web UI
  – FireWatch
  – Front Panel
• VPN
  – Branch Office VPN Virtual Interface
  – Management Tunnel over SSL
  – SHA2 Support
  – Mobile VPN with SSL: VPN client password control
• Other
  – Multiple PPPoE sessions per interface
  – Global setting to clear connections that use an SNAT action you modify
XTM Data Loss Prevention
What is DLP?
• A service that prevents costly data breaches by scanning for, and detecting, the transfer of sensitive information over email, web, and FTP.
• DLP detects information in categories such as:
  – Financial Data (bank routing numbers)
  – HIPAA (PHI, patient forms)
  – PII (Personally Identifiable Information)
• Examples of the patterns detected include:
  – Drivers’ licenses
  – Ethnicity terms
  – National ID/insurance
  – Email addresses
  – Postal addresses
DLP — How it Works
• DLP scans proxied SMTP, FTP, and HTTP connections.
  – HTTPS can be scanned only if deep inspection is enabled in the HTTPS proxy action; without it the proxy sees only the encrypted stream and DLP has nothing to inspect.
• DLP uses Sophos libraries for two purposes:
  – Text Extraction: extracts plain text from over 30 file formats, including PDF, HTML, Microsoft Word, Excel, Visio, and Project.
  – Content Analysis: detects over 200 different patterns, known as content control rules.
DLP — How it Works
• The same scan process handles both AV scanning and DLP scanning.
  – When a proxy sends a scan request, the request can be for AV, DLP, or both.
  – Each scan request includes the list of content control rules to apply.
  – When both scans produce a result, the AV scan result action takes precedence over the DLP action.
DLP — Content Control Rules
• A content control rule must match its pattern multiple times before it reports a violation; the required number of (weighted) matches is the rule’s quantity.

| Rule Name                                                   | Quantity |
|-------------------------------------------------------------|----------|
| Postal addresses [Global]                                   | 100      |
| Postal addresses [USA]                                      | 100      |
| Email addresses [Global]                                    | 100      |
| Ethnicity terms [UK]                                        | 10       |
| Ethnicity terms [USA]                                       | 10       |
| Ethnicity terms [Canada]                                    | 10       |
| Social security numbers [USA]                               | 10       |
| Passport details [Global]                                   | 5        |
| Telephone numbers [USA]                                     | 100      |
| Credit or debit card numbers with qualifying terms [Global] | 10       |
| Credit or debit card numbers [Global]                       | 10       |
| Personal health card number, Ontario [Canada]               | 1        |

• The quantity for each rule is the weighted number of matches the rule must find before it identifies the content as a DLP violation.
  – Because a DLP rule uses multiple expressions to find matching text, and applies weights to adjust the rule’s sensitivity, the quantity shown does not always correspond exactly to the number of text matches required to trigger the rule.
  – To see the DLP rules and their quantities, go to http://www.watchguard.com/SecurityPortal.
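The weighted-quantity behaviour and the AV/DLP precedence rule described above, as an added example written for this page (it is not Sophos or WatchGuard code). The rule names and quantities come from the table; the expressions, weights, Luhn check, AV verdict handling and sample messages are constructed assumptions:

```python
"""Weighted content-control rule matching and the AV/DLP precedence rule.

Illustration written for this page: the expressions, weights, sample
messages and the AV verdict handling are constructed assumptions; only
the rule names and quantities come from the rule table above.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

Expression = Tuple[Callable[[str], int], int]   # (match counter, weight)


def luhn_ok(digits: str) -> bool:
    """Luhn check so that arbitrary 16-digit strings do not count as cards."""
    total, double = 0, False
    for ch in reversed(digits):
        n = int(ch)
        if double:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
        double = not double
    return total % 10 == 0


def count_card_numbers(text: str) -> int:
    """13 to 16 digits, optionally separated by spaces or hyphens, that pass Luhn."""
    hits = 0
    for m in re.finditer(r'(?<![\d-])(?:\d[ -]?){13,16}(?![\d-])', text):
        digits = re.sub(r'\D', '', m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits += 1
    return hits


QUALIFYING_TERMS = re.compile(
    r'\b(?:visa|mastercard|amex|card number|cvv|expir(?:y|ation|es))\b', re.I)
EMAIL = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')


def count_qualifying_terms(text: str) -> int:
    return len(QUALIFYING_TERMS.findall(text))


def count_emails(text: str) -> int:
    return len(EMAIL.findall(text))


@dataclass
class ContentControlRule:
    name: str
    quantity: int                 # weighted score needed for a violation
    expressions: List[Expression]

    def score(self, text: str) -> int:
        return sum(counter(text) * weight for counter, weight in self.expressions)

    def violated(self, text: str) -> bool:
        return self.score(text) >= self.quantity


RULES = [
    # Plain card numbers: each Luhn-valid number is worth 5, so two numbers
    # reach the quantity of 10.
    ContentControlRule("Credit or debit card numbers [Global]", 10,
                       [(count_card_numbers, 5)]),
    # With qualifying terms: a card number is worth 4 and each term 2, so
    # one number next to three terms (four text matches) also reaches 10.
    ContentControlRule("Credit or debit card numbers with qualifying terms [Global]", 10,
                       [(count_card_numbers, 4), (count_qualifying_terms, 2)]),
    # Email addresses: weight 1, so quantity 100 really means 100 addresses.
    ContentControlRule("Email addresses [Global]", 100, [(count_emails, 1)]),
]


def violated_rules(text: str, rules=RULES) -> List[str]:
    return [r.name for r in rules if r.violated(text)]


def scan_request(text: str, av_verdict: str = "clean", rules=RULES) -> dict:
    """One scan request for AV and DLP.  The AV verdict is an input here
    (no scanner is implemented); when it is not 'clean' its action wins."""
    violations = violated_rules(text, rules)
    if av_verdict != "clean":
        action = "av:" + av_verdict
    elif violations:
        action = "dlp:block"
    else:
        action = "allow"
    return {"action": action, "dlp_violations": violations}


# Constructed sample messages.
MSG_TERMS = "Please charge card number 4111 1111 1111 1111, expiry 12/25, Visa."
MSG_TWO_CARDS = "Cards on file: 4111-1111-1111-1111 and 5500 0000 0000 0004."
MSG_BENIGN = "Invoice 1234 5678 9012 3456 is due at noon; mail bob@example.com."
```

Two text matches trigger the plain card-number rule (each Luhn-valid number is worth 5), while one card number next to three qualifying terms (four text matches) triggers the qualifying-terms rule, which is why the quantity column is not a count of hits. The Luhn check keeps the invoice number in the benign message from counting as a card.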
DLP — Support by Model
• This table shows the signature set and text extraction available for each model.

| Model                                                      | Rule Set               | Text Extraction |
|------------------------------------------------------------|------------------------|-----------------|
| XTM 25/26, XTM 3 Series                                    | Standard (140 rules)   | No              |
| XTM 5 Series                                               | Standard (140 rules)   | 30 file types   |
| XTM 8 Series, XTM 1520/1525, XTM 1050/2050, XTM 2520, XTMv | Enterprise (210 rules) | 30 file types   |
DLP — Scanning and Performance
• Available DLP rule sets vary by device:
  – XTM 2, XTM 3, and XTM 5 Series: Standard
  – XTMv, XTM 8 Series and higher: Enterprise
• Just as with AV, DLP scanning consumes resources.
• The performance impact varies by configuration:
  – Performance varies with the number and type of selected rules.
  – Avoid selecting unnecessary rules.
DLP — Configuration Workflow
• Update the feature key.
• Enable Data Loss Prevention.
• Add a DLP Sensor with the wizard:
  – Apply the sensor to proxy policies.
  – Select content control rules.
  – Select the actions to take when content is detected in email and non-email traffic.
DLP — Configuration Workflow
• Edit Sensors:
  – Enable or disable rules.
  – Configure sensor actions by source and destination.
  – Configure sensor settings:
    – Set the actions for items that cannot be scanned because the size exceeds the scan limit, a scan error occurred, or the file is password protected. Choose these deliberately: such a file is never inspected, so an Allow action here lets it through unscanned.
    – Set the file scan limit.
DLP — Built-In Sensors
• DLP includes two built-in sensors:
  – HIPAA Audit Sensor: detects content related to compliance with HIPAA security standards.
  – PCI Audit Sensor: detects content related to compliance with PCI security standards.
YouTube for Schools
YouTube for Schools — Overview
• YouTube Education Filter
  – Schools need YouTube, but want to control access to specific content.
  – YouTube created YouTube for Schools to support EDU-only content, so that schools can allow educational videos instead of denying YouTube altogether.
• How it works
  – The school administrator obtains a School ID from YouTube.
    – They must log in with their school’s Google account at https://www.youtube.com/schools.
  – The XTM device adds the X-YouTube-Edu-Filter header, carrying the School ID, to HTTP requests sent to YouTube.
  – For HTTPS, the header can be added only when the HTTPS proxy performs deep packet inspection (DPI); otherwise the request is encrypted and cannot be modified.
YouTube for Schools — Configuration
• Enable YouTube for Schools in the HTTP Proxy Action.
• Type the School ID.
YouTube for Schools — Example
• HTTP request
  – Original request headers:
      GET /feed/dK0sTdv5FonSsAOcx83YBw12947736341343 HTTP/1.1
      Host: www.youtube.com
  – New request headers:
      GET /feed/dK0sTdv5FonSsAOcx83YBw12947736341343 HTTP/1.1
      X-YouTube-Edu-Filter: P4SHoKOOZOJDQU8PRSCXtA
      Host: www.youtube.com
• Because the XTM device handles this, the school does not need to configure individual machines, including BYOD devices.
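The header rewrite shown above, as an added example written for this page (not Fireware proxy code). The School ID is the value from the slide; the request bytes and the helper names are constructed. The function matches only youtube.com hosts, replaces any X-YouTube-Edu-Filter header the client supplied, and works only on a plaintext request head, which is why HTTPS needs deep packet inspection first:

```python
"""Add the X-YouTube-Edu-Filter header to outbound HTTP requests.

Added illustration of the header rewrite shown above; it is not
Fireware proxy code.  The School ID below is the one from the slide; the
sample requests are constructed.
"""

SCHOOL_ID = "P4SHoKOOZOJDQU8PRSCXtA"
EDU_HEADER = "x-youtube-edu-filter"


def _is_youtube_host(host: str) -> bool:
    """Match youtube.com and its subdomains only, not
    youtube.com.evil.example or a host that merely contains 'youtube'."""
    host = host.split(":")[0].strip().lower()    # drop any :port
    return host == "youtube.com" or host.endswith(".youtube.com")


def add_edu_filter(raw_request: bytes, school_id: str = SCHOOL_ID) -> bytes:
    """Rewrite one plaintext HTTP/1.x request head.

    Any X-YouTube-Edu-Filter header supplied by the client is dropped
    first, so a client cannot substitute a different school's ID; the
    proxy's own value is then inserted right after the request line,
    as on the slide.
    """
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]
    host = None
    kept = []
    for line in headers:
        name, _, value = line.partition(b":")
        lname = name.strip().lower()
        if lname == b"host":
            host = value.decode("latin-1")
        if lname == EDU_HEADER.encode():
            continue                     # strip client-supplied copies
        kept.append(line)
    if host is None or not _is_youtube_host(host):
        return raw_request               # leave non-YouTube traffic untouched
    new_head = b"\r\n".join(
        [request_line, b"X-YouTube-Edu-Filter: " + school_id.encode("ascii")] + kept)
    return new_head + sep + body


def header_value(raw_request: bytes, name: str):
    """Return the value of a header (case-insensitive) or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        hname, _, value = line.partition(b":")
        if hname.strip().lower() == name.lower().encode():
            return value.strip().decode("latin-1")
    return None


# Constructed sample requests.
YOUTUBE_REQ = (b"GET /feed/dK0sTdv5FonSsAOcx83YBw12947736341343 HTTP/1.1\r\n"
               b"Host: www.youtube.com\r\n\r\n")
SPOOFED_REQ = (b"GET /watch?v=abc HTTP/1.1\r\n"
               b"X-YouTube-Edu-Filter: someoneelsesid\r\n"
               b"Host: m.youtube.com\r\n\r\n")
OTHER_REQ = b"GET / HTTP/1.1\r\nHost: www.youtube.com.evil.example\r\n\r\n"
```

The spoofed request shows the point of overwriting rather than appending: a client that sets its own filter ID would otherwise receive another school's allow-list, so the proxy must own that header.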
AP Enhancements
AP Enhancements — Overview
• Select radio channel (72135)
• Set maximum data rate
• Management VLAN tagging (71403)
• “Updating” status (72628)
• New firmware
AP Enhancements — Radio Settings
• Preferred Channel
  – Update the list of available AP channels.
  – Select the preferred channel.
• Rate
  – Set the maximum speed at which wireless clients can send data.
AP Enhancements — Management VLAN Tagging
• Enable management VLAN tagging, and select a management VLAN ID.
  – After the AP device is paired, management connections use the selected VLAN.
  – An unpaired AP device cannot accept management connections on the VLAN.
“Updating” Status
• A new AP status appears in the Firebox System Manager Gateway Wireless Controller tab.
  – When you save an access point configuration to the XTM device, the XTM device immediately sends the update to the affected AP devices.
  – While the update is in progress, the AP device status changes to Updating.
  – The update process can take up to a minute to complete. During this time, wireless services might be interrupted on the AP device.
AP Firmware Update
• The XTM OS update includes updated firmware for WatchGuard AP devices, to enable the new AP features.
• Make sure that automatic updates are enabled in the Gateway Wireless Controller settings so that the XTM device updates all paired AP devices.
• If you do not want to enable automatic updates, you can manually upgrade each AP device:
  – Download the AP device firmware from the Software Downloads site.
  – Connect to the web UI on the AP device to upgrade the firmware.
LDAP Authentication Using Indirect Queries
LDAP — Background
• LDAP authentication that uses the “memberOf” group string, or another attribute of the user object, queries the directory service for the user object and reads group membership from that attribute of the user. This is a direct query.
• Some LDAP services, such as Novell, use other attributes of the user object to identify group membership. Others, such as OpenLDAP, do not have such an attribute at all unless you enable the “memberOf overlay”. Either case requires detailed knowledge of the LDAP service in use, or a schema extension.
• The alternative is an indirect query: the user is identified first, and the directory is then searched for group objects whose membership attribute lists that user.
LDAP — How it Works
• Fireware XTM v11.8 adds support for indirect queries that use the object classes defined in these two RFCs:
  – RFC 2256, A Summary of the X.500(96) User Schema for use with LDAPv3, defines the object class “groupOfNames”. Users are identified in the “member” attribute of each group object.
  – RFC 2307, An Approach for Using LDAP as a Network Information Service, defines the object classes “posixGroup” and “posixAccount”. The “gidNumber” attribute identifies each group object, and the “memberUid” attribute of each group identifies the users that are members of the group.
• There are no visible UI changes to support indirect queries in Fireware XTM v11.8.
  – Indirect queries are triggered by the value entered in the “Group String” attribute.
LDAP — Using RFC2256 “groupOfNames”
• The object class “groupOfNames” is used to manage groups. Users are identified by the “member” attribute of each group object, which holds user DNs.
• Configure “member” as the Group String for LDAP.
• XTM performs two search queries to identify groups:
  – First search: identify the DN of the user.
  – Second search: identify all groupOfNames entries whose “member” attribute contains the user DN.
• Extract the name (“cn” attribute) of each group returned by the server.
LDAP — RFC2256 “groupOfNames” Example
• Example: user “user2” belongs to a group called “market”.
• The “member” attribute of the groupOfNames object “market” includes the DN of user2.
LDAP — Using RFC2307 “posixGroup”
• The object classes posixAccount and posixGroup are used to manage groups. Groups are identified by gidNumber and users by memberUid.
• Configure “memberUid” or “gidNumber” as the Group String for LDAP.
LDAP — Using RFC2307 “posixGroup”
• Fireware XTM uses three search queries to retrieve group information:
  – First search: identify the DN, “uid”, and “gidNumber” of the user.
  – Second search: get all posixGroup entries from the server with the filter “memberUid=<uid>”.
    – Extract the name (“cn” attribute) of each group returned by the server.
  – Third search: get one posixGroup entry from the server with the filter “gidNumber=<gid_number>”.
    – Extract the name (“cn” attribute) of the POSIX primary group.
    – This third search is required because the server does not return the POSIX primary group (the group whose gidNumber matches the user’s gidNumber) in the second search: a user’s primary group does not normally list the user in memberUid.
• Combine the groups from the second and third searches.
LDAP — RFC2307 “posixGroup” Example
• Example: user “pos_group1_user1” belongs to groups “pos_group1” and “pos_group3”; its uid is “pos_group1_user1” and its gidNumber is 203.
• The memberUid attribute of posixGroup “pos_group1” includes user “pos_group1_user1” (found by the second search).
• The “gidNumber” of “pos_group3” is 203, so it is the user’s primary group (found by the third search).
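The two-search (groupOfNames) and three-search (posixGroup) procedures above, run against the two example users, as an added example written for this page (not Fireware code). A constructed in-memory directory and a minimal filter evaluator stand in for the LDAP server; the filter strings are the ones the slides describe. The RFC 4515 escaping of values placed into filters is not mentioned by the deck but is something any implementation needs, since a crafted username such as `x)(uid=*` would otherwise rewrite the filter:

```python
"""Indirect LDAP group lookup, RFC 2256 groupOfNames and RFC 2307 posixGroup.

Added illustration for this page, not Fireware code.  A constructed
in-memory directory and a minimal filter evaluator (equality and AND
only) stand in for a real LDAP server, so the two-search and
three-search procedures described above can be run offline.  Values
substituted into filters are escaped per RFC 4515 to prevent LDAP
filter injection through a crafted username.
"""
import re
from typing import List

# Constructed sample directory.  Multi-valued attributes are lists, as in LDAP.
DIRECTORY = [
    {"dn": "uid=user2,ou=people,dc=example,dc=com",
     "objectClass": ["inetOrgPerson"], "uid": ["user2"]},
    {"dn": "cn=market,ou=groups,dc=example,dc=com",
     "objectClass": ["groupOfNames"], "cn": ["market"],
     "member": ["uid=user2,ou=people,dc=example,dc=com",
                "uid=user9,ou=people,dc=example,dc=com"]},
    {"dn": "cn=sales,ou=groups,dc=example,dc=com",
     "objectClass": ["groupOfNames"], "cn": ["sales"],
     "member": ["uid=user9,ou=people,dc=example,dc=com"]},
    {"dn": "uid=pos_group1_user1,ou=people,dc=example,dc=com",
     "objectClass": ["posixAccount"], "uid": ["pos_group1_user1"],
     "gidNumber": ["203"]},
    {"dn": "cn=pos_group1,ou=groups,dc=example,dc=com",
     "objectClass": ["posixGroup"], "cn": ["pos_group1"],
     "gidNumber": ["201"], "memberUid": ["pos_group1_user1"]},
    {"dn": "cn=pos_group2,ou=groups,dc=example,dc=com",
     "objectClass": ["posixGroup"], "cn": ["pos_group2"],
     "gidNumber": ["202"], "memberUid": ["someone_else"]},
    # Primary group of pos_group1_user1: gidNumber 203, but no memberUid entry.
    {"dn": "cn=pos_group3,ou=groups,dc=example,dc=com",
     "objectClass": ["posixGroup"], "cn": ["pos_group3"],
     "gidNumber": ["203"], "memberUid": []},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of a value placed inside a filter assertion."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")


def _unescape(value: str) -> str:
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def _matches(entry: dict, flt: str) -> bool:
    """Evaluate '(attr=value)' or '(&(attr=value)(attr=value)...)'."""
    if flt.startswith("(&"):
        return all(_matches(entry, part) for part in re.findall(r"\([^()]*\)", flt[2:-1]))
    attr, _, value = flt[1:-1].partition("=")
    return _unescape(value) in entry.get(attr, [])


def search(flt: str) -> List[dict]:
    """Stand-in for an LDAP subtree search returning the matching entries."""
    return [e for e in DIRECTORY if _matches(e, flt)]


def groups_via_group_of_names(uid: str) -> List[str]:
    """Group String 'member': two searches."""
    users = search("(uid=%s)" % escape_filter_value(uid))           # 1: user DN
    if not users:
        return []
    groups = search("(&(objectClass=groupOfNames)(member=%s))"        # 2: groups listing it
                    % escape_filter_value(users[0]["dn"]))
    return sorted(g["cn"][0] for g in groups)


def groups_via_posix_group(uid: str) -> List[str]:
    """Group String 'memberUid' or 'gidNumber': three searches."""
    users = search("(&(objectClass=posixAccount)(uid=%s))" % escape_filter_value(uid))  # 1
    if not users:
        return []
    user = users[0]
    names = {g["cn"][0] for g in                                       # 2: memberUid groups
             search("(&(objectClass=posixGroup)(memberUid=%s))"
                    % escape_filter_value(user["uid"][0]))}
    for gid in user.get("gidNumber", []):                              # 3: primary group
        for g in search("(&(objectClass=posixGroup)(gidNumber=%s))" % escape_filter_value(gid)):
            names.add(g["cn"][0])
    return sorted(names)
```

Without the third search, pos_group1_user1 would be reported only in pos_group1; the primary group pos_group3 is found solely through gidNumber.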
SSO Authentication Support for Mac OS X
Enhanced SSO Support — Overview
• In Fireware XTM v11.8, Single Sign-On (SSO) support has been enhanced:
  – SSO now supports Mac OS X (RFE64443)
  – SSO now supports iOS and Android
  – The SSO Agent can now be used independently, with greater accuracy
• To provide SSO functionality for these new use cases, the SSO authentication solution includes two new components:
  – EM (Exchange Monitor)
  – SSO Client for Mac OS X
Enhanced SSO Support — Overview
• Single Sign-On options, at a glance:

| SSO Component                                                    | Windows | Mac OS X | iOS | Android |
|------------------------------------------------------------------|---------|----------|-----|---------|
| SSO Agent                                                        | Yes     |          |     |         |
| SSO Client (both a Windows and a Mac OS X client are available)  | Yes     | Yes      |     |         |
| Event Log Monitor                                                | Yes     |          |     |         |
| Exchange Monitor                                                 | Yes     | Yes      | Yes | Yes     |
Enhanced SSO Support — Exchange Monitor (EM)
• EM takes advantage of the close relationship between Microsoft Exchange Server and Active Directory.
  – For example: an organization uses Microsoft Exchange Server and an Active Directory domain. Every day, the first thing each employee does is to use their office equipment (PC, laptop, iPhone, iPad, and so on) to read email; afterwards, they access the internet. Users cannot log in to their mailboxes until their domain accounts have been authenticated by the Exchange Server, so a mailbox logon is evidence of which domain user is behind a device.
• Exchange Monitor (EM):
  – Does not remove or replace the functionality of existing SSO components. Instead, it extends SSO logon/logoff support to Mac OS X, iOS, Android, and Windows.
  – Is a new component in the XTM SSO software set.
  – Must be installed on the same server as Microsoft Exchange.
Enhanced SSO Support — Exchange Monitor (EM)
• What is EM?
  – EM tightly integrates with Microsoft Exchange.
  – It works only in an environment in which Microsoft Exchange Server is deployed.
  – EM is similar to ELM (Event Log Monitor) and runs as a Windows service process.
  – EM is responsible for:
    – Monitoring the logon/logoff actions of domain accounts
    – Notifying the SSO Agent in real time
    – Responding to the command request (“get user”) sent by the SSO Agent
Enhanced SSO Support — SSO Client for Mac OS X
• What is the SSO Client for Mac OS X?
  – Works in an environment without Microsoft Exchange Server.
  – Similar to the SSO Client for Windows.
  – Install the client software on workstations in the domain that run Mac OS X.
  – Supports Mac OS X 10.6 and later.
• Supports the use case in which a user logs on from a MacBook with an Active Directory domain account.
Enhanced SSO Support — Other Changes
• Different SSO contacts in the UI
• Different way to get groups
• New Session Check Interval
  – Applies only to Exchange Monitor and OS X/Android/iOS users
Enhanced SSO Support — Agent Contact Settings
• In Fireware XTM v11.8, Agent Contacts include:
  – SSO Client
  – Event Log Monitor
  – Exchange Monitor
Enhanced SSO Support — Group Retrieval
• Before XTM v11.8, the ELM and SSO clients returned group information to the SSO Agent.
• With XTM v11.8, the ELM, EM, and SSO clients return only user, domain, and IP address information to the SSO Agent. The SSO Agent then queries the AD server to get all of the user’s groups.
• Compatibility
  – The XTM v11.8 SSO Agent works with pre-v11.8 SSO Clients and ELM.
  – The XTM v11.8 ELM, SSO Client, and EM do NOT work with a pre-v11.8 SSO Agent, so upgrade the SSO Agent before the other components.
Enhanced SSO Support — Session Check Interval
• The new Session Check Interval is used for non-Windows clients only. For non-Windows clients, logoff events are detected from Microsoft Exchange internal tables rather than from an explicit client logoff.
• For each active client, Exchange Monitor saves the time of its last activity.
• Exchange Monitor sends a logoff event for an active non-Windows client to the SSO Agent if it cannot detect any activity from that client within the time span specified by the Session Check Interval setting.
• The default Session Check Interval is 40 minutes.
Enhanced SSO Support — Session Check Interval
• Why is the default Session Check Interval set to 40 minutes?
  – On Mac OS X mail clients, the default Check for New Messages setting is 30 minutes.
  – Therefore, the Session Check Interval has to be more than 30 minutes; if it were shorter, an idle but still logged-on client would be reported as logged off between two mail checks.
• In general, we recommend:
  – Session Check Interval = Max(Check for Message) + 2
  – Where Max(Check for Message) is the longest mail-check interval configured on any of the non-Windows devices that run a mail client, and 2 minutes is the time EM requires to detect changes in the IIS log.
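The idle-logoff logic that the interval governs, as an added example written for this page (not Exchange Monitor code; the client activity table and timestamps are constructed). It shows the failure mode the slide warns about: with a 30-minute interval a Mac client that polls every 30 minutes is reported as logged off while still in use, whereas the recommended value only logs off the device that really stopped syncing:

```python
"""Idle-session logoff detection of the kind Exchange Monitor performs.

Added illustration for this page, not WatchGuard code.  The client
records and timestamps are constructed.  It shows why the Session Check
Interval must exceed the longest mail-check interval: a client that
only polls every 30 minutes shows no Exchange activity between polls.
"""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

EM_IIS_LOG_LAG_MINUTES = 2   # deck: time EM needs to see changes in the IIS log


def recommended_session_check_interval(mail_check_minutes: Iterable[int]) -> int:
    """Session Check Interval = Max(Check for Message) + 2, per the deck."""
    return max(mail_check_minutes) + EM_IIS_LOG_LAG_MINUTES


def idle_logoffs(last_activity: Dict[str, datetime], now: datetime,
                 session_check_minutes: int) -> List[str]:
    """Clients whose last Exchange activity is older than the interval.

    EM would send a logoff event for each of these to the SSO Agent, which
    then drops the user's firewall session; a false positive here means a
    working user suddenly loses access until the next mail poll logs them in.
    """
    limit = timedelta(minutes=session_check_minutes)
    return sorted(user for user, seen in last_activity.items() if now - seen > limit)


# Constructed activity table: the Mac user's mail client polls every
# 30 minutes and last touched Exchange 31 minutes ago (its next poll is
# about due), while the iPhone user stopped syncing 55 minutes ago.
NOW = datetime(2013, 11, 1, 9, 0)
LAST_ACTIVITY = {
    "mac-user": NOW - timedelta(minutes=31),
    "iphone-user": NOW - timedelta(minutes=55),
}
```

With the recommended interval for a fleet whose longest mail-check setting is 30 minutes (32 minutes here, or the 40-minute default), only the iPhone that stopped syncing is logged off; a 30-minute interval also logs off the Mac that is still in use.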
Enhanced SSO Support — Test SSO Port
• To verify that the SSO Agent can contact the Event Log Monitor and the Exchange Monitor, use the SSO Port Tester tool.
  – In the Clientless SSO Settings, select Test SSO Port.
  – In the SSO Port Tester, you can test IP addresses and ports for SSO.
IPv6 Support
IPv6 Support
• XTM v11.7.4 supported:
  – IPv6 addresses in packet filter policies
  – MAC access control for both IPv6 and IPv4 traffic
  – Inspection of IPv6 traffic received and sent by the same interface
  – IPv6 addresses in blocked sites and exceptions
  – Blocked ports configuration applies to IPv6 traffic
  – TCP SYN checking setting applies to IPv6 traffic
• XTM v11.8 adds:
  – Authentication on the https://<IPv6 firebox>:4100 page
  – DHCPv6 options on interfaces that use IPv6
  – IPv6 FireCluster management addresses
  – IPS and Application Control now apply to IPv6 networks
  – Default Packet Handling options to block IPSec, IKE, ICMP, SYN, and UDP flood attacks now apply to IPv6 networks
IPv6 Support — Authentication
• You can now authenticate to an XTM device configured with an IPv6 address (https://<IPv6 firebox>:4100). The IPv6 literal must be enclosed in square brackets so that the port is not read as part of the address.
  – Example: https://[2001::254]:4100
IPv6 Support — Authentication
• With Fireware XTM v11.8, users can connect from an IPv6 address to the IPv6 address of the XTM device. However, the XTM device still connects to its configured third-party authentication server by its IPv4 address.
• Some authentication functions are NOT supported over IPv6 in this release:
  – Single Sign-On
  – Terminal Services
  – VPN
  – FQDN support for RADIUS and SecurID servers
  – Automatic redirect of users to the authentication page
IPv6 Support — DHCPv6
• Use DHCPv6 to request an IPv6 address for an external interface.
  – Select Enable DHCPv6 Client.
  – Enable the Rapid Commit option if you want to use the rapid two-message (Solicit/Reply) exchange to get an IPv6 address.
IPv6 Support — DHCPv6
• Configure a DHCPv6 Server for a trusted or optional interface.
• When you enable IPv6 for a trusted or optional interface, you can enable the DHCPv6 server on the interface to assign IPv6 addresses to clients that connect.
• Limitations for this release:
  – DHCPv6 is supported only on physical interfaces.
  – The DHCPv6 Server is not supported in Drop-in and Bridge mode.
  – You cannot configure DHCPv6 for an external interface that uses PPPoE.
IPv6 Support — Flood Attack Prevention
• Default Packet Handling flood attack prevention now applies to IPv6 traffic (ICMPv6, UDP, IKE, SYN, IPSec).
IPv6 Support — IPS and Application Control
• Intrusion Prevention Service and Application Control now apply to IPv6 traffic.
IPv6 Support — FireCluster
• FireCluster now includes an option to configure an IPv6 management IP address.
  – This option is available only when the FireCluster management interface has IPv6 enabled.
• You can use the IPv6 management address to connect directly to a cluster member for management.
IPv6 Support — FireCluster
• Supported
  – Active/Active
  – Active/Passive
  – Cluster management interface IP address
• Not Supported
  – IPv6 cluster interface IP address
  – Failover for features that do not support IPv6, including:
    – Branch Office VPN
    – Proxy
    – Mobile VPN with IPSec
    – Mobile VPN with SSL
    – Mobile VPN with L2TP
    – Mobile VPN with PPTP
    – Dynamic Routing
    – Multi-WAN
Branch Office VPN Virtual Interface
Branch Office VPN Virtual Interface Support (BOVPN VIF)
• To provide more flexibility and capability, Fireware XTM now supports the option to configure a Branch Office VPN as a virtual interface.
• Fireware XTM uses GRE (Generic Routing Encapsulation), carried over the IPSec tunnel, to create the VPN virtual interface.
• When you configure a BOVPN virtual interface, it is included in the routes table:
  – You can add static routes for a BOVPN virtual interface.
  – The BOVPN virtual interface can participate in dynamic routing.
  – The XTM device uses the routes table to decide whether to route a packet through the BOVPN virtual interface or through another interface.
• Fireware XTM continues to support the existing branch office VPN functionality. You can configure both types of branch office VPN at the same time.
• BOVPN VIF helps customers meet the needs of three particular configuration scenarios, described next.
BOVPN VIF — Metric-based VPN Failover and Failback
• Objective:
  – For two sites connected by an MPLS link, enable traffic to fail over automatically to a secondary branch office VPN connection over an IP network, and to fail back when the MPLS link returns.
• Configuration Summary:
  – Configure the external interfaces for the primary connection between the two sites over the MPLS network.
  – Configure a BOVPN virtual interface for the secondary link between the two sites.
  – Add a BOVPN virtual interface static route, and set a high metric (such as 200) for the route.
• How it works:
  – Because the BOVPN VIF route has the higher metric, the XTM device uses the MPLS route whenever it is available. If the MPLS link is not available, the XTM device uses the BOVPN VIF route. When the MPLS route becomes available again, the XTM device automatically fails back to it, because it has the lower metric.
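The failover and failback behaviour above, as an added example written for this page (not Fireware routing code). Interface names, prefixes and the metric of 1 for the MPLS route are constructed; 200 is the metric the slide suggests for the BOVPN VIF route:

```python
"""Metric-based route selection with failover and failback.

Added illustration of the behaviour described above, not Fireware code.
Interface names, prefixes and metrics are constructed; the metric of 200
is the value the slide suggests for the BOVPN VIF route.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str, int]           # (destination prefix, interface, metric)

# Constructed routes table: the same remote network is reachable over the
# MPLS interface (metric 1) and over the BOVPN virtual interface (metric 200).
ROUTES: List[Route] = [
    ("10.20.0.0/16", "eth1_mpls", 1),
    ("10.20.0.0/16", "bovpn_vif0", 200),
    ("0.0.0.0/0", "eth0_external", 1),
]


def select_interface(dst_ip: str, routes: List[Route],
                     link_up: Dict[str, bool]) -> Optional[str]:
    """Pick the egress interface for dst_ip.

    Longest matching prefix wins; among routes with the same prefix length
    the lowest metric wins; routes whose interface is down are ignored.
    Because the decision is recomputed from link state on every lookup,
    both failover and failback happen without any configuration change.
    """
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if not link_up.get(iface, False) or dst not in net:
            continue
        key = (-net.prefixlen, metric)
        if best is None or key < best[0]:
            best = (key, iface)
    return best[1] if best else None


def path_over_time(dst_ip: str, link_states: List[Dict[str, bool]],
                   routes: List[Route] = ROUTES) -> List[Optional[str]]:
    """Replay a sequence of link-state snapshots and record the chosen
    interface at each step (MPLS up, MPLS down, MPLS back up ...)."""
    return [select_interface(dst_ip, routes, state) for state in link_states]


ALL_UP = {"eth1_mpls": True, "bovpn_vif0": True, "eth0_external": True}
MPLS_DOWN = dict(ALL_UP, eth1_mpls=False)
```

Traffic for 10.20.0.0/16 follows the MPLS route while it is up, moves to the BOVPN VIF when the MPLS interface goes down, and returns to MPLS as soon as it is back, purely because of the metric ordering.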
BOVPN VIF — Dynamic Routing
• Objective:
  – Enable two sites to dynamically exchange information about routes to multiple local networks through a VPN tunnel. This avoids the need to configure those routes manually.
• Configuration Summary:
  – Configure a BOVPN VIF and add the local and peer virtual interface IP addresses.
  – In the dynamic routing configuration, use the peer IP address from the BOVPN VIF configuration with a /32 netmask:
    – OSPF example: network <peer_virtual_ip>/32 area 0.0.0.0
    – BGP example: neighbor <peer_virtual_ip> remote-as 65535
  – Use dynamic routing commands to configure which local networks each device propagates routes for.
• How it Works:
  – The dynamic routing protocol enables each gateway to automatically learn the routes to the local networks propagated by the peer gateway through the BOVPN virtual interface.
BOVPN VIF — Policy-based BOVPN
• Objective:
  – At a site with two branch office gateways, send latency-sensitive traffic, such as VoIP, through the tunnel over the network with the lowest latency, and send all other traffic, such as FTP, through the other tunnel route.
• Configuration Summary:
  – Configure two BOVPN virtual interfaces between the sites.
  – Do not add routes for the low-latency BOVPN VIF.
  – In the SIP policy that handles VoIP traffic, enable policy-based routing to the BOVPN VIF with the lowest latency.
  – For all other traffic, define routes (static or dynamic) that use the other BOVPN virtual interface.
• How it Works:
  – The policy determines the source and destination addresses. Although no routes are defined in the BOVPN virtual interface settings, the SIP policy uses policy-based routing to send its traffic through the lower-latency tunnel.
BOVPN VIF — Configuration
• A new BOVPN Virtual Interfaces option appears in Policy Manager.
• New UI in VPN Settings.
BOVPN VIF — Add a New BOVPN Virtual Interface
• The Device Name is assigned by the system.
• Select “Start Phase1 tunnel…” when no VPN Routes are defined and the BOVPN virtual interface is used with either Policy-Based Routing or Dynamic Routing.
BOVPN VIF — Add a New BOVPN Virtual Interface
• Virtual Interface IP addresses are required when the VIF is used with Dynamic Routing.
• Add a static route in the VPN Routes tab of a BOVPN VIF, or select Network > Routes.
• A BOVPN VIF is equivalent to one Security Association (SA).
BOVPN VIF — Add Tunnel Routes
• Using VPN Routes:
  – IPv4 Host or Network Routes can be added to the BOVPN.
• Using Network > Routes:
  – Alternatively, you can add the route in Network > Routes.
  – The Route Type must be BOVPN Virtual Interface Route.
  – The correct BOVPN Virtual Interface must be selected for the Route.
  – A Metric can be configured for multipath routes.
Management Tunnel over SSL
Management Tunnel over SSL
• Challenge
  – An administrator at the corporate headquarters of a distributed organization wants to centrally manage multiple XTM devices from the corporate trusted network. They do not necessarily control the upstream routers, and the remote devices may or may not have a public IP address.
  – Fireware XTM already supported a special management tunnel for this situation over IPSec, but many third-party devices allow only ports 80, 443, and 53 by default, so IPSec was not always an effective solution.
• Solution
  – Fireware XTM v11.8 adds support for an SSL-based management tunnel, so you can use either IPSec or SSL.
Management Tunnel over SSL
• If you use an SSL-based management tunnel, consider:
  – The general limitations of OpenSSL.
  – Possible conflicts between the SSL Management Tunnel and Mobile VPN with SSL. You can use both at the same time, but the XTM device must be able to differentiate between a management session and a Mobile VPN with SSL session.
  – SSL builds virtual networks between devices, which means routes must be configured correctly.
Management Tunnel over SSL — Configuration
• From the Management Server, configure the Management Tunnel gateway Firebox:
  – The gateway Firebox must have a static external IP address.
  – In the Management Tunnel Settings, set the Tunnel Type to one of:
    – SSL or IPSec
    – SSL Only
    – IPSec Only
  – For an SSL tunnel, you must configure the SSL Server IP Address/Name.
Management Tunnel over SSL — Configuration
• From the Management Server, configure the remote XTM devices:
  – Each remote XTM device must have a dynamic external IP address.
  – In the Management Tunnel Settings, set the Tunnel Type to SSL.
  – For an SSL tunnel, you must also specify these authentication settings:
    – SSL Tunnel ID: the Device Name of the hub device
    – SSL Tunnel Password
  – The Management Server also updates these authentication settings on the gateway Firebox.
Management Tunnel over SSL
• First, the SSL client device contacts the SSL server on port 443.
• After the tunnel is established, the remote client can contact the Management Server.
  – The new interface for this tunnel on the SSL client firewall is called tun_mgmt_0.
  – The source IP of the management traffic is the assigned virtual IP address.
Management Tunnel over SSL
• Authentication process:
  – For the SSL server:
    1. A new local user group, SSLVPN-Mgmt-Clients, is created to ensure that remote SSL users who use the Mobile VPN client software do not overlap with the centralized management session.
    2. In the SSL management tunnel, the Tunnel ID is the equivalent of the Mobile VPN client username.
    3. You cannot have the same username in both the SSLVPN-Mgmt-Clients group and the SSLVPN-Users group.
  – For the SSL client:
    – You only need to specify the Tunnel ID, SSL password, and the management encryption and certificate details.
SHA2 Support
SHA2 Support
• Fireware XTM v11.8 adds support for SHA2 for Branch Office VPN, Mobile VPN with IPSec, and Mobile VPN with L2TP.
• SHA2 is stronger than either SHA1 or MD5.
• Fireware XTM supports three variants of SHA2:
  – SHA2-256: produces a 256-bit (32-byte) message digest.
  – SHA2-384: produces a 384-bit (48-byte) message digest.
  – SHA2-512: produces a 512-bit (64-byte) message digest.
• SHA2 is supported only on XTM devices with hardware cryptographic acceleration for SHA2.
  – SHA2 is not supported on XTM 21, 22, 23, 5 Series, 810, 820, 830, 1050, and 2050 devices.
  – SHA2 appears as an option in the configuration only if it is supported by the hardware.
SHA2 Support
• SHA2 is supported for:
  – Branch Office VPN
  – Mobile VPN with IPSec
  – Mobile VPN with L2TP
• For Mobile VPN with IPSec, SHA2 is supported for VPN connections from:
  – Shrew Soft VPN client v2.2.1 or higher
  – WatchGuard IPSec Mobile VPN client v11.32 or higher
  – SHA2 is not supported for VPN connections from Android or iOS devices, and is not supported by older versions of the Shrew Soft or WatchGuard IPSec VPN clients.
Mobile VPN with SSL Password Control
Mobile VPN with SSL Password Control
• A new check box in the Mobile VPN with SSL configuration controls whether the Mobile VPN with SSL client is allowed to remember the password.
• The Remember connection details option is removed from the client:
  – The client always remembers the Server and Username.
  – The client remembers the Password only if you allow it in the Mobile VPN with SSL configuration, so the decision is made centrally by the administrator rather than by each user.
Updated Web UI
Updated Web UI
• No longer dependent on Adobe Flash Player: Adobe Flex is replaced by HTML and JavaScript.
• Mobile Ready: the responsive web interface is designed to provide an optimal viewing experience on all types of devices, such as desktop browsers, tablets, and smart phones.
• Improved Monitoring Capability: the Dashboard and System Status sections now offer functionality similar to Firebox System Manager.
Web UI — Responsive Design
• The new Web UI responds to the size of the viewport in which it is displayed.
• The layout of the user interface changes depending on the size of the browser window.
• The lowest supported resolution is 320x768, in either portrait or landscape mode.
• When a viewport drops below a width of 768 pixels (the width of a phone in landscape or a tablet in portrait mode), the left navigation menu moves to the top, to provide space on the screen for the rest of the content.
Web UI — Responsive Design (continued)
• The form elements in pages respond to the width of the viewport: the same page rearranges its fields when shown in a desktop viewport and in a smaller viewport.
Web UI — Session Expiration
• If your login session expires (usually because the session timeout was reached), you are immediately notified by an alert at the top of the screen.
• This alert includes a login link that redirects you to the login page.
• After a successful login, the browser returns to the page you were on before the session expired.
Web UI — Success Message and Redirection
• During configuration changes, a successful save displays a success message at the top of the current parent page.
Web UI — Firewall Policies
• Actions
  – You can now clone actions directly from a policy.
  – You can edit a non-default action, or apply existing actions, from within the policy.
Web UI — Firewall Policies (continued)
• Actions can now be created from within the policy for:
  – Application Control
  – Schedule
  – Traffic Management
  – Proxy
Web UI — System Status
• Many System Status features have moved into the Dashboards.
• The table shows where features from the previous Web UI have moved to in the new Web UI.
Web UI — System Status Copy
• Copy buttons have been removed from the UI.
• You can now select and copy text in the browser just as you would on any other web page.
Web UI — Refresh Buttons and Timers
• The Refresh button and timer controls have been removed from the System Status pages.
• Pages with information that needs to be refreshed actively are all in the Dashboard section.
• The Dashboard pages all refresh automatically every 30 seconds, with the exception of the Traffic Monitor, which refreshes every 5 seconds.
Web UI — Traffic Monitor
• Refreshes every 5 seconds.
Web UI — FireWatch
• FireWatch is a real-time, interactive report tool that groups, aggregates, and filters statistics about the traffic through your XTM device in an easy-to-understand form.
• FireWatch includes options to pivot, refine, and filter information about your firewall traffic.
Web UI — FireWatch
• Some of the information you can see at a glance includes:
  – Top Users
  – Top Domains
  – Application Usage
  – Bandwidth Usage
  – Firewall Traffic
  – Security Service Activity
  – Device State
Secondary PPPoE Interfaces
Secondary PPPoE Interfaces
• Secondary PPPoE interfaces enable a single external interface to support multiple simultaneous PPPoE connections:
  – Enable PPPoE on an external interface.
  – Add up to 25 secondary PPPoE interfaces.
  – Associate each secondary interface with a primary external interface that has PPPoE enabled.
Global Setting to Clear Active Connections
• By default, the XTM device does not clear active connections when you modify a static NAT (SNAT) action, so connections established under the old SNAT action continue until they end on their own.
• You can change the global SNAT setting so that the XTM device clears active connections that use an SNAT action you modify.
Thank You!