What’s New in
WatchGuard XCS v9.2
WatchGuard XCS v9.2
 New Feature Introduction

Ease of use enhancements









Frequent Tasks page
DLP and QMS Wizards
Improved Attachment Control pages
Improved Message Details page
Spam Rules
Content Rules enhancements (Boolean operators, nested conditions)
Multiple software updates management
Internationalization of attachment names in message
New Web Proxy engine

Web configuration added to Install Wizard
 FTP over HTTP scanning
 URL Categorization HTTPS & “Uncategorized” category
 Bypass URL Categorization
 Flush URL from web cache
 Web bandwidth usage on Dashboard and Reports
 Traffic Accelerator improvements
 WatchGuard XCS v9.2 Installation
WatchGuard Training
2
Ease of Use
Enhancements
Frequent Tasks
 Appears as the default page when you log in to the WatchGuard XCS.
 Provides direct links to the most frequent tasks you can perform to configure and
manage the WatchGuard XCS.
 Some tasks are important to run after installation, such as importing LDAP users,
updating your software, or adding additional email routing domains.
 If you want to display the Dashboard monitoring page after you log in, instead of
the Frequent Tasks page, clear the Display at Login check box.
WatchGuard Training
4
Frequent Tasks

Accept email for additional domains – Configure additional email domains for which you
accept mail.
Note: Make sure you also add a specific access pattern to trust the internal mail server you specify for the
mail route.

Import users/groups from directory services – Configure a directory server to import
user/group information for use with LDAP features.
Note: Make sure you import Directory Users after you configure a directory server.

QMS Integration Wizard – This wizard guides you through the required configuration to
integrate the WatchGuard XCS with the WatchGuard QMS (Quarantine Management Server).
Note: Make sure your WatchGuard QMS is configured and running before starting the wizard.



Block or allow email using pattern filters – Pattern filters allow you to block or allow email
messages based on message characteristics including the message header, sender,
recipient, subject, attachment content, and message body text.
Block or allow attachment types – Attachment controls allow you to block, allow, or strip
email attachments based on their file extension, MIME type, or attachment content.
Enable email encryption – SecureMail email encryption allows you to protect the
confidentiality of messages by encrypting the message before it is delivered to the recipient.
WatchGuard Training
5
Frequent Tasks

Data Loss Prevention Wizard – Guides you through the configuration of DLP rules for
inbound and outbound email and web traffic. You can block credit cards, SSN/SIN numbers,
or use a compliance dictionary to scan for specific words.
Note: If you want to use a custom compliance dictionary with the DLP wizard, you must upload the dictionary
using Dictionaries and Lists before you start the wizard.






Create and schedule backup – Use the local disk, or FTP/SCP to schedule a backup a
remote server.
Update your software – Keep your system software up-to-date by installing any software
updates available for your WatchGuard device.
Add an administrator account – Add additional administrator accounts for managing your
WatchGuard device.
Create and schedule a report – The WatchGuard XCS reports provide a comprehensive
range of detailed information about your system. You can create a report on demand or
schedule a recurring report.
View a report – See your generated reports in HTML, PDF, or CSV format.
Search message history – Search the message history database to see how specific
messages were processed and the final action performed on a message.
WatchGuard Training
6
Data Loss Prevention Wizard
 The Data Loss Prevention (DLP) wizard guides you through the configuration of
DLP content controls and rules for inbound and outbound email and web traffic.
 Available tasks:

Block credit card numbers
 Creates Content Rules in the Default Policy to block the selected types of credit
card patterns in email messages.
 Block national identification numbers
 Creates Content Rules in the Default Policy to block national identification numbers
such as a Social Security Number (USA) or Social Insurance Number (Canada) in
email messages.
 Block based on compliance terms
 Email: Creates Content Rules in the Default Policy to content scan email messages
based on the selected dictionary, such as Medical, Financial, or a custom
dictionary.
 Web: Configures Content Scanning in the Default Policy to content scan web
content based on the selected dictionary, such as Medical, Financial, or a custom
dictionary.
Note: If you want to use a custom compliance dictionary with the DLP wizard, you must
upload the dictionary using Dictionaries and Lists before you start the wizard.
WatchGuard Training
7
Data Loss Prevention Wizard
WatchGuard Training
8
Data Loss Prevention Wizard
WatchGuard Training
9
Data Loss Prevention Wizard
 DLP Wizard creates new Content Rules in the Default Policy based on your
selections.
 When you use the DLP wizard, any previous settings (configured through a
previous wizard session or configured manually) are displayed and maintained
unless you modify the configuration.
 Notifications are not configured using the wizard. After you complete the wizard,
you can manually examine any content rules created by the wizard and modify the
notification settings in the Default Policy.
WatchGuard Training
10
QMS Wizard
 The QMS Wizard guides you through the required configuration to integrate the
WatchGuard XCS with the WatchGuard QMS (Quarantine Management Server).
 This allows you to redirect spam messages from the WatchGuard XCS to the
quarantine area on the WatchGuard QMS, where users can manage their
quarantined spam.
WatchGuard Training
11
QMS Wizard – QMS Configuration

You must configure your WatchGuard QMS before starting the QMS Wizard on the XCS:




Select Configuration > Quarantine > User Spam Quarantine to enable and configure spam quarantine
services on the WatchGuard QMS.
Select Configuration > Mail > Delivery and set the Relay To field to the IP address of the WatchGuard XCS
device. This makes sure that any notifications and released spam messages will be sent to the WatchGuard XCS
for delivery.
Create local quarantine user accounts, or import user accounts from an LDAP directory. By default the
WatchGuard QMS automatically creates new user accounts when new spam messages are received for a user.
Select Configuration > Quarantine > Trusted/Blocked Senders, enable Permit Downloads, and set the
Allowed IPs text box to the IP address of the WatchGuard XCS.
WatchGuard Training
12
QMS Wizard – Configuration Settings
 When you have completed the wizard, the following configuration settings are
applied on the WatchGuard XCS:





Mail Route – A mail route is created for the specific QMS address called
".quarantine_reroute". This special reroute option is used as the Intercept Anti-Spam
action to redirect spam messages to the QMS.
Specific Access Pattern – A Specific Access Pattern is created to trust the address of
the QMS to make sure that any mail from the QMS, such as spam digest notifications
and released quarantine messages, are not scanned by the Intercept Anti-Spam or
Content Control features.
Intercept Anti-Spam – Intercept is configured to redirect spam messages for the
specified spam classifications to the QMS.
Pattern Filter – A Pattern Filter is created to prevent training on messages containing
the subject 'Quarantined Email Summary". This prevents spam digest notifications
messages from the QMS from being trained by Intercept Anti-Spam.
Trusted/Blocked Senders List – If enabled, the Trusted/Blocked Senders List is
imported from the QMS using the specified source URL of the QMS.
WatchGuard Training
13
Attachment Control
Enhancements
Attachment Control Enhancements

Redesigned Attachment Control page:
 Simplified main configuration page
 Separate file type pages for Email File Extensions, Email Content Types, and Web
Content types
 Inbound/Outbound settings and actions
 Collapsed notification settings
WatchGuard Training
15
Attachment Control – Edit File Types

Edit File Types
 Multi-page view or view all entries
 Upload and download of file types
 Inbound and outbound actions
 Filter by action and search text
 Ability to delete multiple items
WatchGuard Training
16
Attachment Control – Add and Edit File Types page
 Set inbound and outbound actions
 Former “Scan” option renamed to “Check Inbound Archive” or “Check Outbound
Archive”
WatchGuard Training
17
Attachment Control – Attachment Size Limits
 Attachment size limits now located on their own page:
Security > Content Control > (More ) > Attachment Size Limits
 You can configure separate actions for inbound and outbound mail.
WatchGuard Training
18
Message Details
Enhancements
Message Details Enhancements
 The message details have been
improved to provide these
enhancements:






Results of processing are clear
with less repetitive information
Only the most important message
details displayed
Ability to add global pattern filters
to accept or block messages based
on the sender or domain
Scan result icons for quick analysis
Final action and reason clearly
indicated
Any content rules and pattern filters
that triggered for a message
contain the rule name and number
WatchGuard Training
20
Message Details Enhancements

You can add global pattern filters to accept or block messages based on the sender or domain of
the message.





Allow Sender – Creates a pattern filter set to "Accept" for the sender Envelope From address.
Block Sender – Creates a pattern filter set to "Reject" for the sender Envelope From address.
Allow Domain – Creates a pattern filter to "Accept" the domain part of the sender Envelope From.
Block Domain – Creates a pattern filter to "Reject" any messages from the domain part of the
sender Envelope From.
The system automatically checks for duplicate or conflicting pattern filters that already exist
WatchGuard Training
21
Spam Rules
Spam Rules
 Spam Rules are a list of content rules generated by WatchGuard .
 Helps detect new types of spam messages that are not easily detected by other
Intercept Anti-Spam features.
 Spam Rules are regularly updated by WatchGuard (through Security Connection)
to make sure you are always protected from the latest variants of spam
messages.
 We recommend you enable this feature.
 Select Security > Anti-Spam > Spam Rules.
WatchGuard Training
23
Content Rules
Enhancements
Content Rules





Greater condition flexibility with powerful boolean operators (AND, OR, NOT)
Conditions can be nested using the +() button
No limit to the number of conditions in a rule
Per rule notifications
“In dictionary” search expanded to include Content Scanning
WatchGuard Training
25
Multiple Software Updates
Management
WatchGuard Training
26
Multiple Software Updates Management
 You can now install or remove multiple software updates at the same
time.
 Only need to reboot once to install multiple software updates.
 The WatchGuard XCS determines any software dependency issues and
installs/removes the updates in the correct order.

You get a warning if you are missing a software dependency.
WatchGuard Training
27
Internationalization of Attachment
Names in Message Database
WatchGuard Training
28
Internationalization of Attachment Names
 The WatchGuard XCS now supports internationalization of attachment names
in message database views.



Message history
Message details
Logs and reports
 The XCS also already supports internationalized subject headers .
WatchGuard Training
29
Web Proxy Enhancements
WatchGuard Training
30
Installation Wizard and Web Configuration
 If you have enabled Web scanning with your feature key, the installation wizard
displays a new page for Web configuration options.


HTTP/HTTPS – Enable or disable HTTP/HTTPS scanning.
Internal Mail Server – Type the address of your internal mail server that will receive
notification messages.
Note: The Internal Mail Server field only appears if you did not configure a mail server in the previous
step in the Email configuration.

In the Security Settings section of the Web Configuration page, you can enable or disable
URL Categorization, Reputation Enabled Defense, and the Anti-Virus features.
Note: If you enable URL Categorization, the feature will not be enabled until the initial control list is downloaded.
WatchGuard Training
31
FTP over HTTP Scanning



You can now scan FTP traffic that is passed over HTTP. For example, visiting an FTP site
through an ftp:// URL such as ftp://ftp.example.com/
All scanners that currently scan HTTP traffic can scan FTP traffic over HTTP.
Select Configuration > Web > HTTP/S Proxy.
(HTTP/HTTPS scanning must be enabled)

Select the Enable FTP Proxy check box.
FTP over HTTP Scanning Limitations
 Only supports FTP over HTTP in a web browser. FTP clients or web browser extensions that use the
“CONNECT” method are not supported.
 FTP over HTTP scanning is not supported in Transparent mode.
WatchGuard Training
32
URL Categorization: HTTPS and Uncategorized URLs
 HTTPS URLs


The URL Categorization feature can now categorize and take action on HTTPS URLs
For example, https://secure.example.com/
No additional configuration required. Enable URL Categorization to scan both HTTP and
HTTPS URLs.
 Uncategorized URLs



New category in the URL Categorization control list called Uncategorized.
Select the Uncategorized category to block web sites that cannot be classified in any
specific category.
Available for selection from the category list on the Configuration > Web > URL
Categorization page. (Not enabled by default)
Note: Be careful when you enable this category as you could block legitimate sites or specific pages of those sites
even if the primary page is part of a known category.
WatchGuard Training
33
Bypass URL Categorization Scanning
 Bypass URL Categorization (formerly Uncategorized Sites) allows specified
domain to bypass URL Categorization scanning.
 You can create a list of web sites to make sure they are not blocked by URL
Categorization.
 Upload a web domain list in a policy (each specified domain includes subdomains)
For example:
example.com
example2.com
example3.com
WatchGuard Training
34
Web Proxy Traffic Accelerator
 Additional Traffic Accelerator features help improve scanning
efficiency
 Preview Scanning


Preview scanning allows the web proxy to take action based on your configured
policies by scanning only the initial header of the response. If an action is taken
based on the header information, the rest of the content does not have to be
scanned.
Only certain types of responses can be handled with a header preview scan, such
as detection of MIME types for content control and streaming media bypass, or
checks on maximum files sizes reported in the header.
 Early Response


Early response scanning allows the web proxy to take action based on scanning
only part of the downloaded content.
This early response is useful for detecting issues such as files beyond the maximum
file size where the file should not be scanned.
WatchGuard Training
35
Web Proxy Traffic Accelerator (continued)
 Client Request


Many HTTP security features, such as URL Categorization, URL Block Lists, and
Trusted/Blocked Lists can perform actions without scanning the actual downloaded
content.
These Web scanning decisions are performed very quickly based on your configured
policies.
 Policy Caching



For greater efficiency, some common policy results are cached, such as those
where continuous amounts of web traffic with the same content triggers the same
policy.
In general, access of cached data is still sent to the Web Proxy content scanners
because different users can have different HTTP content policies applied to them.
Efficiency can be improved by using fewer policies that are wider in scope.
The more policies you have results in a higher probability that cached policy results
are replaced by the scanning result of a different policy.
 Web Site Content Caching

Web site content is cached if the web server does not send a non-caching directive
in the response and the response data passes the requirements of the scanning
policy.
WatchGuard Training
36
Flush URL from Web Cache
 Flush URL from Web Cache replaces the previous Flush Web Cache Domain
feature.
 Remove problematic URLs from the cache if they do not load or refresh correctly.
 The URL must be specified exactly the way it is typed, including the protocol.
For example: http://www.example.com/index.html or ftp://ftp.example.com
 Select Activity > Status > Utilities.
 Type the URL, then click Flush.
WatchGuard Training
37
Web Bandwidth Usage on Dashboard
 Appears on the Web Summary Dashboard page
 Indicates the amount of bandwidth used (in megabytes) for non-cached inbound
and outbound web traffic
WatchGuard Training
38
Web Analysis Report – Bandwidth
 New sections in the Web Analysis report indicate the amount of traffic (in
megabytes) for web client and web server inbound and outbound traffic.
WatchGuard Training
39
Install XCS v9.2
Upgrade to XCS v9.2
 Because Security Connection does not automatically download full
releases, you must download the software from the LiveSecurity site

From the Software Downloads page, download the [xcs92.zip] file and extract
the files
WatchGuard Training
41
Upgrade to XCS v9.2
 After you extract the files, run btiweb.exe
 BTIweb is a small web server on your computer that hosts the

xcs-92.img file during the XCS upgrade process
Run btiweb.exe, then click Start to start the web server
Notice
the icon
changes
after you
install
btiweb
WatchGuard Training
42
Upgrade to XCS v9.2
 Before you start the upgrade process, back up your existing
configuration so that it can be restored after the upgrade
 To upgrade the XCS device to a major release requires that you reboot the
appliance and press F1 – Install at startup to install a new software image on
the device
 Choose one of three backup options



FTP
SCP
Local Disk

Use FTP or SCP backup when you back up a large reporting database
WatchGuard Training
43
Upgrade to XCS v9.2
 Choose the items you want to back up

In most cases, we recommend that you select all backup options
WatchGuard Training
44
Upgrade to XCS v9.2
 Save the backup to your computer’s local disk.

The MG-BCKUP file is given a time stamp for easy identification
Year[11], month[04], day[30], and time[1437]
WatchGuard Training
45
Upgrade to XCS v9.2
 After you complete the backup process, open a console
connection to the XCS device. You need these items:


A monitor to connect to the VGA port on the back of the XCS
A PS2 or USB keyboard
VGA port
 With the monitor and keyboard connected, press the reset button
located on the front of the appliance to reboot the XCS
•
Press the F1 key on the keyboard
WatchGuard Training
46
Upgrade to XCS v9.2
 The WatchGuard Installation Program welcome page appears.
 Press Enter to continue.
 Choose your type of keyboard in the next page and press Enter.
WatchGuard Training
47
Upgrade to XCS v9.2
 In the Installation Type window, select Auto and then press
Enter.
 On the next page, click OK to confirm the installation.
WatchGuard Training
48
Upgrade to XCS v9.2
 On the Installation page, select Network to upgrade using the
v9.2 .img file:


Type the appropriate network information for the XCS device.
In the Install Path field, type the IP address of the computer where you
installed the btiweb.exe file. Press OK.
This is the IP address of the
computer where you installed
btiweb. Remember the trailing “/”
character.
Press Enter to
confirm
WatchGuard Training
49
Upgrade to XCS v9.2
 On the Create Restore Image page, select Save Image to Hard
Disk and press Enter.

Do not choose this option if you do not want to overwrite the previous XCS
software image stored on the XCS device’s hard disk.
WatchGuard Training
50
Upgrade to XCS v9.2
 After the disk partitioning is complete, the main console window
appears.

At this point, you can configure the device with the new installation wizard.
 After you install the system with the v9.2 wizard ,you can build a new
configuration, or restore your previous XCS configuration .
WatchGuard Training
51
Thank You!