whats_new_in_XTM_11_7

What’s New in Fireware XTM 11.7
New Features in Fireware XTM v11.7
 Networking
• IPv6
• Additional external interfaces
• DHCP options
• Dynamic NAT — Configurable source IP address
• Serial modem failover on XTM 5 Series and XTM 330
• Branch office VPN modem failover
• Wireless hotspot external guest authentication
• Link aggregation
 Mobile VPN
• Mobile VPN with L2TP
• Mobile VPN apps for Android and iOS
• Mobile VPN with SSL client changes
WatchGuard Training
New Features in Fireware XTM v11.7
 System
• FireCluster
  • Wireless XTM devices
  • Hardware health monitoring for failover
• Save TCP dump data to a PCAP file — FSM & Web UI
• Automatic feature key synchronization
 Authentication
• Configure authentication login limits per user or group
 Policies
• Policy tags and filters
• Sort policies by column in manual order mode
New Features in Fireware XTM v11.7
 Management
• Report Server enforces the Maximum database size setting
• CA Manager in WatchGuard WebCenter
• Updated UI for management of quarantined messages by recipients
• 1-to-1 NAT for managed VPN tunnels
• Centralized Management for XTM devices behind NAT gateways
• Windows 8 and Server 2012 support
 Services
• Intrusion Prevention Service (IPS) scan modes
• IPS and Application Control for HTTPS
• WebBlocker with Websense Cloud
Networking
IPv6 Functionality
 Fireware XTM v11.6.x supported:
• IPv6 interface addresses in mixed routing mode
• IPv6 management connections to the Web UI or CLI
• IPv6 DNS servers
• IPv6 static routes
• IPv6 diagnostic logging
 Fireware XTM v11.7 adds support for:
• IPv6 addresses in packet filter policies
• MAC access control for both IPv6 and IPv4 traffic
• Inspection of IPv6 traffic received and sent by the same interface
• IPv6 addresses in blocked sites and exceptions
• Blocked ports configuration applies to IPv6 traffic
• TCP SYN checking setting applies to IPv6 traffic
 All other networking and security features do not yet support IPv6 traffic
• WatchGuard IPv6 roadmap: http://www.watchguard.com/ipv6/index.asp
IPv6 Refresher
 WatchGuard IPv6 — http://www.watchguard.com/ipv6/index.asp
• Hype or Reality — Video and PPT
• Security Implications — Video and PPT
• What to Expect — Video and PPT
 Address format (figure): Network Prefix | Interface ID
  Example: 2561:1900:4545:0003:0200:F8FF:FE21:67CF — each colon-separated group is 16 bits
  (IPv4 address shown for comparison: 10.0.0.254)
 IPv6 is manageable
• Subnetting IPv4 /8 ~ IPv6 /48 (if you impose a false minimum of a /24 on IPv4)
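The address structure and the "/8 ~ /48" comparison above, worked through in code. This is an added example, not material from the WatchGuard deck: it splits the slide's sample address at the standard 64-bit boundary, recovers the MAC address embedded in an EUI-64 interface ID (the "FF:FE" marker in the sample address shows it was built that way, which is why auto-configured addresses can reveal hardware identity), and counts how many /24 networks fit in an IPv4 /8 versus how many /64 networks fit in an IPv6 /48.

```python
import ipaddress


def split_ipv6(addr):
    """Return (network prefix, interface ID) as the slide's diagram draws them:
    the first four 16-bit groups and the last four (the standard /64 split)."""
    groups = ipaddress.IPv6Address(addr).exploded.split(":")
    return ":".join(groups[:4]), ":".join(groups[4:])


def eui64_to_mac(interface_id):
    """If the interface ID is in modified EUI-64 form (ff:fe inserted in the
    middle of a 48-bit MAC), recover that MAC address; otherwise return None.
    Stateless auto-configuration produces such IDs, so the address itself
    identifies the hardware to anyone who sees it."""
    raw = bytes.fromhex(interface_id.replace(":", ""))
    if len(raw) != 8 or raw[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(raw[:3] + raw[5:])
    mac[0] ^= 0x02  # undo the universal/local bit flip applied by EUI-64
    return ":".join(f"{b:02x}" for b in mac)


def subnet_count(network, subnet_prefixlen):
    """Number of subnets of the given prefix length inside `network`."""
    net = ipaddress.ip_network(network, strict=False)
    if subnet_prefixlen < net.prefixlen:
        raise ValueError("subnet prefix must not be shorter than the network prefix")
    return 2 ** (subnet_prefixlen - net.prefixlen)


if __name__ == "__main__":
    prefix, iid = split_ipv6("2561:1900:4545:0003:0200:F8FF:FE21:67CF")
    print(prefix, iid, eui64_to_mac(iid))
    # The slide's comparison: a /8 holds as many /24s as a /48 holds /64s.
    print(subnet_count("10.0.0.0/8", 24), subnet_count("2561:1900:4545::/48", 64))
```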
IPv6 in 11.5.x and 11.6.x
 Static configuration of IPv6 addresses and DNS
 Router Advertisement for stateless address auto-configuration on Trusted or Optional interfaces
 Address auto-configuration on External interfaces
 Static routes
IPv6 Functionality — Blocked Sites
 Blocked Sites list and Blocked Sites Exceptions now support IPv6 addresses
 Blocked site and blocked site exception types are:
• Host IPv4
• Network IPv4
• Host Range IPv4
• Host IPv6
• Network IPv6
• Host Range IPv6
• Host Name (DNS lookup)
 Auto-blocked sites can also include IPv6 addresses
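An added example of how a blocked-sites list with the seven entry types listed above can be matched against both IPv4 and IPv6 addresses. This is not WatchGuard's implementation; exceptions are checked before the block list (so an excepted host is never reported as blocked), host-name entries are resolved through a caller-supplied lookup so the code runs offline, and all addresses are constructed documentation values.

```python
import ipaddress


class BlockedSites:
    """Blocked Sites list plus Blocked Sites Exceptions, each holding entries
    of type host, network, range (lo-hi) or hostname, for IPv4 or IPv6."""

    def __init__(self, resolver=None):
        self.blocked, self.exceptions = [], []
        # resolver(name) -> list of address strings; default resolves nothing
        self.resolver = resolver or (lambda name: [])

    @staticmethod
    def _entry(kind, value):
        if kind in ("host", "network"):
            return ipaddress.ip_network(value, strict=False)   # host -> /32 or /128
        if kind == "range":
            lo, hi = (ipaddress.ip_address(v.strip()) for v in value.split("-"))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad range {value!r}")
            return (lo, hi)
        if kind == "hostname":
            return value
        raise ValueError(f"unknown entry type {kind!r}")

    def add(self, kind, value, exception=False):
        target = self.exceptions if exception else self.blocked
        target.append((kind, self._entry(kind, value)))

    def _matches(self, entries, ip):
        for kind, entry in entries:
            if kind in ("host", "network"):
                if ip.version == entry.version and ip in entry:
                    return True
            elif kind == "range":
                lo, hi = entry
                if ip.version == lo.version and lo <= ip <= hi:
                    return True
            elif kind == "hostname":
                resolved = {ipaddress.ip_address(a) for a in self.resolver(entry)}
                if ip in resolved:
                    return True
        return False

    def is_blocked(self, addr):
        ip = ipaddress.ip_address(addr)
        if self._matches(self.exceptions, ip):
            return False
        return self._matches(self.blocked, ip)


def build_sample_list():
    """Constructed sample configuration used by the usage below."""
    fake_dns = {"bad.example.test": ["198.51.100.7", "2001:db8:bad::7"]}
    bs = BlockedSites(resolver=lambda name: fake_dns.get(name, []))
    bs.add("network", "203.0.113.0/24")                 # Network IPv4
    bs.add("host", "203.0.113.10", exception=True)      # Host IPv4 exception
    bs.add("range", "2001:db8::10-2001:db8::20")        # Host Range IPv6
    bs.add("host", "2001:db8::ffff")                    # Host IPv6
    bs.add("hostname", "bad.example.test")              # Host Name (DNS lookup)
    return bs


if __name__ == "__main__":
    bs = build_sample_list()
    for a in ("203.0.113.5", "203.0.113.10", "2001:db8::15", "2001:db8::21",
              "198.51.100.7", "2001:db8:bad::7", "192.0.2.1"):
        print(a, "blocked" if bs.is_blocked(a) else "allowed")
```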
IPv6 Functionality — Packet Filter Policies
 Packet filter policies now support IPv6 traffic
Additional External Interfaces
 You can now configure more than four interfaces as external interfaces
 Previously, the maximum number of external interfaces was four
DHCP Options for VoIP
 There are two new settings for DHCP options. Many VoIP phones use these DHCP options to download the boot configuration.
 The new settings are:
• TFTP Server IP — The IP address of the TFTP server where the DHCP client can download the boot configuration. This corresponds to these DHCP options:
  • Option 66 (TFTP server name)
  • Option 150 (TFTP server IP address)
• TFTP Boot Filename — The name of the boot file. This corresponds to this DHCP option:
  • Option 67 (boot file name)
 Option 66 and 67 are described in RFC 2132.
 Option 150 is used by Cisco IP phones.
DHCP Options for VoIP
 To configure the DHCP options:
• Edit a trusted or optional interface
• Select Use DHCP Server
• Click DHCP Options
• Type the TFTP Server IP and TFTP Boot Filename required by your VoIP phones
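To show what the two settings above actually put on the wire, here is an added example (not WatchGuard code) that encodes options 66, 67 and 150 in the type-length-value layout of RFC 2132 and parses them back, rejecting truncated option fields. Option 150 carries packed IPv4 addresses, while 66 and 67 are plain strings; the server address and file name are constructed sample values.

```python
import ipaddress

OPT_PAD = 0
OPT_TFTP_SERVER_NAME = 66   # RFC 2132: string
OPT_BOOTFILE_NAME = 67      # RFC 2132: string
OPT_TFTP_SERVER_IP = 150    # Cisco IP phones: one or more packed IPv4 addresses
OPT_END = 255


def _tlv(code, value):
    if len(value) > 255:
        raise ValueError(f"option {code} value too long ({len(value)} bytes)")
    return bytes([code, len(value)]) + value


def encode_voip_options(tftp_server_ip, boot_filename, include_name=True):
    """Build the option bytes a DHCP server appends for VoIP phones: option 150
    with the TFTP server address, optionally option 66 with the same address as
    a string, and option 67 with the boot file name, ended by option 255."""
    out = bytearray()
    out += _tlv(OPT_TFTP_SERVER_IP, ipaddress.IPv4Address(tftp_server_ip).packed)
    if include_name:
        out += _tlv(OPT_TFTP_SERVER_NAME, tftp_server_ip.encode("ascii"))
    out += _tlv(OPT_BOOTFILE_NAME, boot_filename.encode("ascii"))
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob):
    """Parse a DHCP option field into {code: value}. The three VoIP options are
    decoded to str / list-of-str; other options stay as raw bytes. Parsing
    stops at option 255 and raises on a truncated header or value."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated value for option {code}")
        if code in (OPT_TFTP_SERVER_NAME, OPT_BOOTFILE_NAME):
            opts[code] = value.decode("ascii", "replace")
        elif code == OPT_TFTP_SERVER_IP:
            if length == 0 or length % 4:
                raise ValueError("option 150 length must be a non-zero multiple of 4")
            opts[code] = [str(ipaddress.IPv4Address(value[j:j + 4]))
                          for j in range(0, length, 4)]
        else:
            opts[code] = bytes(value)
        i += 2 + length
    return opts


if __name__ == "__main__":
    blob = encode_voip_options("10.0.0.20", "phone.cfg")   # constructed values
    print(blob.hex())
    print(decode_options(blob))
```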
Network Dynamic NAT — Set Source IP Address
 When you configure a new dynamic NAT rule, you can specify the source IP address to use for traffic that matches that rule.
• The XTM device changes the source IP address for packets that match this rule to the source IP address you specify.
• The source IP address must be on the same subnet as the primary or secondary IP address of the interface specified as the To location.
Network Dynamic NAT — Set Source IP Address
 Previously, you could set the source IP address only in the dynamic NAT settings in a policy.
 If you do not set the source IP address, or if the source IP address is not on the same subnet as the outgoing interface, dynamic NAT changes the source IP address to the IP address of the interface from which the packet is sent.
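The selection rule stated on the two slides above, as an added example (not the device's code): a configured source IP is honoured only if it lies on the subnet of the outgoing interface's primary or a secondary address; otherwise the interface's own IP is used. The interface description is a constructed dictionary, and the "reason" return value is there only so the caller can log which branch applied.

```python
import ipaddress


def dynamic_nat_source(outgoing_iface, rule_source_ip=None):
    """Return (source IP to write into the packet, reason).

    outgoing_iface: {"primary": "a.b.c.d/len", "secondary": ["..."]} (constructed
    shape for this example). rule_source_ip: the optional source IP from the
    dynamic NAT rule."""
    candidates = [ipaddress.ip_interface(outgoing_iface["primary"])]
    candidates += [ipaddress.ip_interface(s) for s in outgoing_iface.get("secondary", [])]
    if rule_source_ip is not None:
        wanted = ipaddress.ip_address(rule_source_ip)
        for iface in candidates:
            if wanted.version == iface.version and wanted in iface.network:
                return str(wanted), "rule"
        reason = "interface (rule source not on an interface subnet)"
    else:
        reason = "interface (no rule source set)"
    # Fall back to the address of the interface the packet leaves from.
    return str(candidates[0].ip), reason


if __name__ == "__main__":
    external = {"primary": "203.0.113.2/24", "secondary": ["198.51.100.1/29"]}
    for src in (None, "203.0.113.50", "198.51.100.3", "192.0.2.9"):
        print(src, "->", dynamic_nat_source(external, src))
```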
Serial Modem Failover on XTM 330 and XTM 5 Series
 Serial modem failover is supported for XTM 2, 3, and 5 Series devices.
• Previously, modem failover was supported for XTM 2 Series and XTM 33 only.
• This release adds modem support for XTM 330 and all 5 Series devices.
 The Network > Modem option is now available for XTM 2, 3, and 5 Series devices.
Branch Office VPN Modem Failover
 Branch Office VPN can use a modem for failover if modem failover is enabled for the device.
 To configure a VPN gateway for modem failover:
• Enable modem failover in Network > Modem.
• Configure the local gateway endpoint to use a domain name ID for tunnel authentication.
• Select the Use modem for failover check box.
 If the device has multiple external interfaces:
• You must add a gateway endpoint for each physical external interface.
• The local gateway ID for each external interface must be unique.
Branch Office VPN Modem Failover
 When failover occurs:
• If all external interfaces are down, the XTM device starts a serial modem connection between the two sites.
• The XTM device initiates a VPN connection over the modem connection.
• The XTM device uses the first local gateway ID configured for the external interface as the local gateway ID for the modem connection.
 Because the device with modem failover enabled uses an ID for tunnel authentication, the device with the modem must initiate the VPN connection.
• This means that you cannot enable modem failover for both gateway endpoints for the same branch office VPN tunnel.
Hotspot External Guest Authentication
 When you enable a hotspot on the Wireless Guest network, you can now select the Hotspot Type:
• Custom Page — This is the hotspot splash screen on the XTM device. It presents the hotspot user with terms and conditions they must agree to before they can use the hotspot.
• External Guest Authentication — This new option allows you to redirect new hotspot users to an external web server for user authentication.
 The Authentication URL and Authentication Failure URL values are pages on an external web server.
 The Shared Secret is used to validate responses from the web server.
Hotspot External Guest Authentication
 When you set the hotspot type to External Guest Authentication, you must provide this information:
• The Authentication URL on your external web server of a page that does hotspot user authentication or collects other information.
• The Authentication Failure URL on your external web server of a page to redirect users to if external guest authentication fails.
• A Shared secret that is used to validate the access response from the external web server.
 You must configure the external web server to:
• Accept an access request from the XTM device.
• Authenticate the user (or perform any other function that you want to use as a criterion for hotspot access).
• Provide an access decision to the XTM device.
 All communication between the XTM device and the external web server occurs in the form of URL query strings sent through the hotspot client browser.
Hotspot External Guest Authentication
Interaction workflow:
1. A wireless hotspot user tries to browse to a web page.
2. If this is a new hotspot user, the XTM device sends the browser a redirect to the Authentication URL on the external web server. This URL includes a query string that contains the access request.
3. The browser sends the access request to the external web server.
4. The external web server sends the Authentication page to the browser.
5. The hotspot user types the requested information and submits the form to the external web server.
6. The external web server processes the authentication information and sends an HTML page to the browser.
7. The browser sends the access decision to the XTM device. This URL contains a query string that contains the access decision, a checksum, and a redirect URL.
8. The XTM device reads the access decision, verifies the checksum, and sends a redirect URL to the hotspot user's browser.
Based on the outcome of the external authentication process, the redirect URL can be:
• The original URL the user browsed to
• A different redirect URL, if specified by the external web server
• The authentication failure URL, if authentication failed or access was denied.
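The workflow above relayed through the client browser means the XTM device cannot trust the decision URL on its own; the Shared Secret and checksum are what bind the decision to the server. The following added example (not WatchGuard's protocol or code) plays both sides of the exchange in one process. It assumes an HMAC-SHA256 checksum over the sorted query parameters keyed with the shared secret, and a per-session transaction id ("tid") echoed back so a captured decision cannot be reused for another client; the deck does not document the real checksum algorithm or field names, and the URLs, MAC address and secret are constructed values.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

SHARED_SECRET = b"constructed-shared-secret"                 # constructed
AUTH_URL = "https://auth.example.test/hotspot"               # hypothetical
FAILURE_URL = "https://auth.example.test/denied"             # hypothetical
XTM_DECISION_URL = "http://xtm-hotspot.example.test/decision"  # hypothetical


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def checksum(params, secret):
    """Assumed scheme: HMAC-SHA256 over 'k=v' pairs joined in sorted key order."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_access_request(client_mac, original_url):
    """Step 2 (XTM side): redirect target carrying the access request.
    Returns (tid the XTM remembers for this client, redirect URL)."""
    tid = secrets.token_hex(8)
    query = urlencode({"mac": client_mac, "url": original_url, "tid": tid})
    return tid, f"{AUTH_URL}?{query}"


def build_access_decision(request_url, decision, secret, redirect=None):
    """Steps 6-7 (external server side): URL the browser is sent back with,
    carrying the decision, a checksum and the redirect URL."""
    req = _query(request_url)
    params = {"tid": req["tid"], "mac": req["mac"], "decision": decision,
              "redirect": redirect or req["url"]}
    params["checksum"] = checksum(params, secret)
    return f"{XTM_DECISION_URL}?{urlencode(params)}"


def handle_access_decision(decision_url, expected_tid, secret):
    """Step 8 (XTM side): verify the checksum and the transaction id, then pick
    the final redirect. Returns (outcome, redirect URL)."""
    p = _query(decision_url)
    supplied = p.pop("checksum", "")
    if not hmac.compare_digest(supplied, checksum(p, secret)):
        return "reject", FAILURE_URL          # tampered or wrong secret
    if p.get("tid") != expected_tid:
        return "reject", FAILURE_URL          # replayed for another session
    if p.get("decision") != "allow":
        return "deny", FAILURE_URL            # server denied access
    return "allow", p.get("redirect") or FAILURE_URL


if __name__ == "__main__":
    tid, req = build_access_request("00:11:22:33:44:55", "http://www.example.com/")
    ok = build_access_decision(req, "allow", SHARED_SECRET)
    print(handle_access_decision(ok, tid, SHARED_SECRET))
    forged = build_access_decision(req, "deny", SHARED_SECRET).replace("decision=deny", "decision=allow")
    print(handle_access_decision(forged, tid, SHARED_SECRET))
```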
Link Aggregation
 New Network Configuration tab
Link Aggregation — Configure Virtual Interface
 Select the Link Aggregation (LA) Mode:
• Static — The same physical interface is always used for traffic between a given source and destination, based on source/destination MAC address and source/destination IP address
• Dynamic (802.3ad) — The physical interface used for traffic between any source and destination is selected based on Link Aggregation Control Protocol
• Active-backup — One member interface in the link aggregation group is active at a time; other member interfaces in the link aggregation group become active only if the active interface fails
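An added example (not the XTM implementation) of the member selection described for the Static and Active-backup modes above: in Static mode a deterministic hash of the source/destination MAC and IP addresses picks the member link, so one conversation always uses the same physical interface until that interface fails; in Active-backup mode the first healthy member in configured order carries all traffic. The hash function is an assumption for illustration; the device's actual hashing is not documented on the slide, and the interface names and addresses are constructed.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class LagGroup:
    members: list                      # physical interfaces in configured order
    down: set = field(default_factory=set)   # members that have lost link

    def healthy(self):
        return [m for m in self.members if m not in self.down]

    def select_static(self, src_mac, dst_mac, src_ip, dst_ip):
        """Static mode: hash the L2/L3 address tuple (case-insensitive) and
        pick a healthy member by the hash modulo the healthy member count."""
        live = self.healthy()
        if not live:
            raise RuntimeError("no healthy member interface in the LA group")
        key = f"{src_mac}|{dst_mac}|{src_ip}|{dst_ip}".lower().encode()
        digest = hashlib.sha256(key).digest()          # assumed hash; stable across runs
        return live[int.from_bytes(digest[:4], "big") % len(live)]

    def select_active_backup(self):
        """Active-backup mode: only the first healthy member is active; the
        next one takes over only when it fails. Returns None if all are down."""
        live = self.healthy()
        return live[0] if live else None


if __name__ == "__main__":
    lag = LagGroup(["eth0", "eth1", "eth2"])
    flow = ("00:11:22:33:44:55", "66:77:88:99:aa:bb", "10.0.0.5", "10.0.0.9")
    chosen = lag.select_static(*flow)
    print("static:", chosen)
    lag.down.add(chosen)
    print("static after", chosen, "fails:", lag.select_static(*flow))
    print("active-backup:", lag.select_active_backup())
```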
Link Aggregation — Configure Virtual Interface
 Select LA interface Type:
• Trusted
• Optional
• External
• Bridge
• VLAN
Link Aggregation — Configure Virtual Interface
 Select the Link Speed and Maximum Transmission Unit (MTU) on the Advanced tab
 The member physical interfaces of an LA group support the same link speed
Link Aggregation — Assign Physical Interfaces
Link Aggregation — FSM
Link Aggregation — FireCluster
 Only Active/Passive is supported
 You can select a LA interface as the FireCluster Management Interface
 Monitored link includes only the virtual interface and not the member interfaces
 FSM Cluster View
Link Aggregation — FireCluster
 When you configure Link Aggregation for an existing FireCluster, only Active/Passive mode is supported.
1. Break the FireCluster.
2. Configure the Link Aggregation settings — This is important because of the changes in the MAC Address on the LA Virtual Interface.
3. Rebuild the Active/Passive FireCluster.
Mobile VPN
Mobile VPN with L2TP
 Supports L2TP connections from VPN clients native to many operating systems such as Windows, Mac OS, Linux, Android, and iOS.
 L2TP is a more secure alternative to PPTP.
• More robust than PPTP because the data is encapsulated in IPSec
• Uses Aggressive Mode to connect remote clients to the firewall (like Mobile VPN with IPSec)
 Supported authentication methods:
• Firebox-DB local authentication
• RADIUS
 Mobile VPN with L2TP supports multiple authentication methods (like Mobile VPN with SSL)
• Can enable more than one authentication method
• If the primary method fails, you can connect with another authentication method (such as Firebox-DB)
Mobile VPN with L2TP
 Mobile VPN with L2TP appears with the other Mobile VPN options.
 Select VPN > Mobile VPN > L2TP.
• Select Activate to start the L2TP Setup Wizard.
• Select Configure to edit the configuration.
Mobile VPN with L2TP
 Run the WatchGuard L2TP Setup Wizard to simplify L2TP configuration.
 Select the authentication server.
Mobile VPN with L2TP
 As with Mobile VPN with SSL, you can define your own group in your server, locally, or use the default group, L2TP-Users.
 You can specify the allowed resources.
• Allow access to all resources
• Restrict access to specific IP addresses or subnets
Mobile VPN with L2TP
 Specify the virtual IP address pool range for the clients.
• If you use a subnet within your Trusted or Optional networks, make sure this range is not used in an existing DHCP pool.
 Select the pre-shared key or certificate to use for IPSec negotiation.
Mobile VPN with L2TP
 When you enable Mobile VPN with L2TP, two new policies are created automatically:
• WatchGuard L2TP — Enables port UDP 1701 for L2TP
• Allow L2TP-Users — Enables L2TP group members to connect to firewall resources
Mobile VPN with L2TP
 To edit the configuration, select VPN > Mobile VPN > L2TP > Configure.
Mobile VPN Apps for Android and iOS
 WatchGuard Mobile VPN App for Android
• Free app available from the Google Play app store
• Supported on mobile devices that use Android 4.0.x and 4.1.x
• Uses a .wgm Mobile VPN with IPSec configuration profile to configure an IPSec VPN connection in the WatchGuard Mobile VPN app
• An IPSec VPN client you can use instead of the native VPN client
• Does not support L2TP
 WatchGuard Mobile VPN App for iOS
• Free app available from the Apple app store
• Supported on mobile devices that use iOS 5.x and 6.x
• Uses a .wgm configuration profile to configure an IPSec or L2TP VPN connection in the native iOS VPN client
• Not a VPN client — Creates an L2TP or IPSec VPN connection in the native iOS VPN client, with the correct settings to connect to the XTM device
Generate a .wgm File — Mobile VPN with IPSec
 For Mobile VPN with IPSec, the .wgm file is generated (with the .ini, .wgx, and .vpn files) when you select a profile and click Generate.
 The file name is <groupname>.wgm
 The .wgm file for IPSec can be used with the WatchGuard Mobile VPN apps for Android and iOS
Generate a .wgm File — Mobile VPN with L2TP
 Generate an L2TP configuration file to send to mobile users of an iOS device.
 Select VPN > Mobile VPN > L2TP > Mobile clients
• Type a Profile Name (default is L2TP)
• Type the IP address of the external interface to connect to
• Type and confirm an encryption password for the .wgm file
 The file name is <profile name>.wgm
 The .wgm file for L2TP can be used only with the Mobile VPN app for iOS.
Use a .wgm File to Configure an iOS Device
 Send the .wgm file to the iOS users as an email attachment.
 Use a secure method to give the encryption password to the users.
• For Mobile VPN with IPSec, the encryption password is the tunnel passphrase.
• For Mobile VPN with L2TP, the encryption password is the password you set when you generated the configuration profile.
 On the iOS device, users must:
1. Install the free WatchGuard Mobile VPN app from the Apple app store.
2. Open the email that contains the .wgm file attachment.
3. Open the .wgm file attachment. The WatchGuard Mobile VPN app launches.
4. Type the passphrase from the administrator to decrypt the file. The WatchGuard Mobile VPN app imports the configuration and creates an IPSec or L2TP VPN configuration profile in the iOS VPN client.
5. To start the VPN connection, click the VPN switch in the iOS Settings list. When the connection is established, the VPN icon appears in the status bar.
Use a .wgm File to Configure an Android Device
 Send the .wgm file to the Android users as an email attachment.
 Use a secure method to give the tunnel passphrase to the users.
• For Mobile VPN with IPSec, the encryption password is the tunnel passphrase.
 On the Android device, users must:
1. Install the free WatchGuard Mobile VPN app from the Google Play app store.
2. Open the email that contains the .wgm file attachment.
3. Open the .wgm file attachment. The WatchGuard Mobile VPN app launches.
4. Type the passphrase from the administrator to decrypt the file. The WatchGuard Mobile VPN app imports the configuration and creates an IPSec VPN configuration profile in the WatchGuard VPN app.
5. Click the VPN connection profile in the WatchGuard Mobile VPN app to start the VPN connection.
Mobile VPN with SSL Client
 The Remember connection details check box in the Mobile VPN with SSL clients for both Mac and Windows enables the client to remember the Server, Username, and Password settings.
(Screenshots: SSL VPN client for Mac; SSL VPN client for Windows)
System
FireCluster on Wireless Devices
 FireCluster is now supported on XTM 25-W, 26-W, and 33-W devices.
 When wireless is enabled, you can configure FireCluster only in active/passive mode.
 When you enable FireCluster for wireless XTM devices, the configuration must meet these requirements:
• The XTM device must be configured as a wireless access point. FireCluster is not supported when wireless is enabled as an external interface.
• The FireCluster Interface for management IP address cannot be an interface that is bridged to a wireless network.
• The FireCluster primary cluster interface and backup cluster interface cannot be interfaces that are bridged to a wireless network.
 All other FireCluster requirements and restrictions also apply to wireless devices.
FireCluster Failover Based on Health Indexes
 Each cluster member has a Weighted Average Index (WAI) that indicates the health of the device.
 The Cluster Health section of the Firebox System Manager Status Report shows these health index values for each cluster member:
• System Health Index (SHI) — Health of monitored processes.
• Hardware Health Index (HHI) — Health status of hardware.
• Monitored Ports Health Index (MPHI) — Status of monitored ports.
• Weighted Average Index (WAI) — This index is used to compare the overall health of two cluster members.
  • By default, the WAI for a cluster member is a weighted average of the SHI and MPHI for that device. HHI is not used in the calculation of WAI unless you enable it.
  • WAI can range from 0–100. A WAI of 100 indicates no issues.
 The cluster master fails over if the WAI of the cluster master is lower than the WAI of the backup master.
Hardware Health Index (HHI)
 The Hardware Health Index (HHI) indicates the status of critical hardware components.
• If no hardware failures are detected, the HHI value is 100.
• If a critical monitored hardware component fails, the HHI value is zero.
 The HHI is based on the status of:
• CPU and system fan speeds
• CPU and system temperatures
• System voltages
• Cryptographic chip
• Power supply (XTM 1050 and XTM 2050)
• Hard disk (XTM 2050)
Hardware Health Index (HHI)
 By default, hardware health status is not used in the calculation of the weighted average index (WAI) for the cluster members.
 You can enable this option in the FireCluster Advanced settings.
• When this option is enabled, the WAI calculation is a weighted average of the SHI, HHI, and MPHI.
• Exception — if the HHI of a cluster member is zero, the WAI is zero.
Configurable FireCluster Lost Heartbeat Threshold
 The cluster master sends a VRRP heartbeat packet that contains the WAI health index of the cluster master through the primary and backup cluster interfaces once per second.
 The Lost Heartbeat Threshold determines the number of consecutive heartbeats not received by the backup master to trigger a failover.
 Configure this threshold in the FireCluster Advanced settings.
• The default value is 3.
• The maximum value is 10.
 If a FireCluster experiences unexplained failovers, with no known cause, increasing the Lost Heartbeat Threshold might increase cluster stability.
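The four FireCluster slides above (WAI from SHI/MPHI with optional HHI, the HHI-zero exception, the "master WAI lower than backup WAI" failover rule, and the once-per-second heartbeat with a Lost Heartbeat Threshold) fit together in the following added example. It is not WatchGuard's code: the deck does not publish the weights the device uses, so equal weights are assumed by default and can be overridden; the lower bound of 1 on the threshold is also an assumption (the deck states only the default of 3 and the maximum of 10).

```python
from dataclasses import dataclass


@dataclass
class MemberHealth:
    shi: int          # System Health Index, 0-100
    mphi: int         # Monitored Ports Health Index, 0-100
    hhi: int = 100    # Hardware Health Index: 100 healthy, 0 on a critical failure


def weighted_average_index(h, use_hhi=False, weights=None):
    """WAI for one member. By default a weighted average of SHI and MPHI; HHI
    joins the average only when enabled, and an enabled HHI of zero forces the
    WAI to zero. `weights` maps index name -> weight (assumed equal if omitted)."""
    if use_hhi and h.hhi == 0:
        return 0
    indexes = {"shi": h.shi, "mphi": h.mphi}
    if use_hhi:
        indexes["hhi"] = h.hhi
    for v in indexes.values():
        if not 0 <= v <= 100:
            raise ValueError("health indexes are 0-100")
    weights = weights or {k: 1 for k in indexes}
    total = sum(weights[k] for k in indexes)
    return round(sum(indexes[k] * weights[k] for k in indexes) / total)


def should_fail_over(master_wai, backup_wai):
    """The master fails over only when its WAI is strictly lower than the backup's."""
    return master_wai < backup_wai


class HeartbeatMonitor:
    """Backup master's view of the once-per-second VRRP heartbeat. A failover
    triggers after `threshold` consecutive heartbeats are missed."""

    def __init__(self, threshold=3):
        if not 1 <= threshold <= 10:          # 1 is assumed; 3 default, 10 maximum per deck
            raise ValueError("Lost Heartbeat Threshold must be between 1 and 10")
        self.threshold = threshold
        self.missed = 0
        self.master_wai = None

    def tick(self, heartbeat_wai=None):
        """Call once per second with the WAI carried in the received heartbeat,
        or None if nothing arrived. Returns True when the backup should take over."""
        if heartbeat_wai is None:
            self.missed += 1
            return self.missed >= self.threshold
        self.missed = 0
        self.master_wai = heartbeat_wai
        return False


if __name__ == "__main__":
    master = MemberHealth(shi=100, mphi=50)          # constructed: a monitored port is down
    backup = MemberHealth(shi=100, mphi=100)
    m, b = weighted_average_index(master), weighted_average_index(backup)
    print("master WAI", m, "backup WAI", b, "fail over:", should_fail_over(m, b))
    mon = HeartbeatMonitor(threshold=3)
    print([mon.tick(None) for _ in range(3)])        # third missed heartbeat triggers
```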
Save TCP Dump Data to a PCAP File — FSM & Web UI
 In many situations technical support needs to be able to obtain a packet capture from the XTM device.
 With Fireware XTM v11.6.1, the method of capturing data was limited by:
• The size of the temporary storage
• The visualization of data
 The v11.6.1 implementation:
• Required the data to be temporarily stored on the device and then downloaded as the capture became available.
• Allowed the raw PCAP data from the session to be downloaded only if the capture was made from Firebox System Manager.
Save TCP Dump Data to a PCAP File — FSM & Web UI
 For v11.7, from FSM and Fireware XTM Web UI, you can stream the TCP dump data directly to a PCAP file on your computer. From FSM, you can also save the data on the XTM device to later save in a PCAP file.
 Both options are only available when the Advanced Options check box and TCP Dump task are selected.
 When PCAP data is sent directly to a file, no data appears in the Results list.
 The amount of TCP dump data included in the PCAP file that is saved directly to your computer is limited by the amount of free space on your computer, or the file size restriction enforced by your computer’s operating system.
 If you use FSM and save the TCP dump data to your XTM device and later save the PCAP file, the amount of data captured can be several megabytes.
Save TCP Dump Data to a PCAP File — FSM
 To save the TCP dump data directly in a PCAP file, from FSM, select Tools > Diagnostic Tasks, and select the Advanced Options check box.
 You must select the Stream data to file check box and click Browse to specify the location and file name for the PCAP file.
Save TCP Dump Data to a PCAP File — FSM
 To save the TCP dump data on the XTM device and later save a PCAP file to your computer, select the Buffer data to save later check box.
 When the task runs, the data appears in the Results list.
 After the task runs, click the Save Pcap file button and specify a file name and location to save the file.
Save TCP Dump Data to a PCAP File — Web UI
 To save the data directly in a PCAP file, in the Web UI, select System Status > Diagnostics.
 When you select the TCP Dump task and the Advanced Options check box, you can select the new Stream data to file check box.
 When you run the task, the Select file button appears. You must click this button to specify a file name and location to save the PCAP file.
Save TCP Dump Data to a PCAP File — Web UI
 Once the task starts, the Run Task button changes to Stop Task. The number of bytes downloaded appears above the Results list, but details of the TCP dump task do not appear in the Results list.
 Click Stop Task to stop collecting task results.
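Because the streamed capture shows nothing in the Results list, the only way to know what was saved is to inspect the PCAP file itself. The following added example (not WatchGuard code) writes and reads the classic pcap container: a 24-byte global header (magic, version, snaplen, link type) followed by a 16-byte record header per packet. It handles both byte orders on read and reports truncation, which is what you hit when a stream is cut off by a full disk or an OS file-size limit, as the slides warn. The Ethernet frame used as input is constructed.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def write_pcap(packets, snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """Serialize (timestamp_seconds, frame_bytes) pairs to little-endian pcap."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for ts, data in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        captured = data[:snaplen]                      # snaplen truncates, orig_len keeps the truth
        out += struct.pack("<IIII", sec, usec, len(captured), len(data)) + captured
    return out


def read_pcap(blob):
    """Parse pcap bytes. Returns (linktype, [(timestamp, captured_bytes, original_len)]).
    Raises ValueError on a bad magic number or a truncated header/record."""
    if len(blob) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:                          # same magic written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file (bad magic number)")
    _, _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack(end + "IHHiIII", blob[:24])
    records, i = [], 24
    while i < len(blob):
        if i + 16 > len(blob):
            raise ValueError(f"truncated record header at offset {i}")
        sec, usec, incl, orig = struct.unpack(end + "IIII", blob[i:i + 16])
        data = blob[i + 16:i + 16 + incl]
        if len(data) != incl:
            raise ValueError(f"truncated packet data at offset {i + 16}: "
                             f"expected {incl} bytes, got {len(data)}")
        records.append((sec + usec / 1_000_000, data, orig))
        i += 16 + incl
    return linktype, records


def sample_frame():
    """Constructed Ethernet frame: broadcast dst, made-up src, IPv4 ethertype, zero payload."""
    return bytes.fromhex("ffffffffffff001122334455") + b"\x08\x00" + b"\x00" * 20


if __name__ == "__main__":
    blob = write_pcap([(1.5, sample_frame()), (2.25, sample_frame() * 2)])
    print(len(blob), "bytes;", read_pcap(blob)[1][1][2], "original bytes in record 2")
```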
Automatic Feature Key Synchronization
 Automatic feature key synchronization allows the XTM device to automatically download the latest feature key from the WatchGuard web site when any feature in the feature key is expired or about to expire. It is not enabled by default.
 To enable automatic feature key synchronization:
• In Policy Manager, select Setup > Feature Keys.
• Select the Enable automatic feature key synchronization check box.
Automatic Feature Key Synchronization
 When you enable automatic feature key synchronization:
• The XTM device immediately checks the expiration dates in the feature key, and continues to check once each day.
• If any feature is expired, or will expire within three days, the XTM device automatically downloads the latest feature key from WatchGuard once each day, until it successfully downloads a feature key that does not have expired features.
 In a FireCluster, the cluster master synchronizes the feature keys for both cluster members.
Authentication
Authentication Login Limits Per User or Group
 You can specify how many times each user or group member can use
the same credentials to log in from more than one location at the same
time.
Authentication Login Limits Per User or Group
 The settings you specify in the user or group configuration override the
global authentication settings you configure on the Firewall
Authentication tab for an XTM device.
 In Policy Manager, select Setup > Authentication > Authorized
Users/Groups and add or edit a user or group.
Authentication Login Limits Per User or Group
 Select the Enable login limits for each user or group check box.
 To enable users or group members to log in with the same account
credentials as many times as they choose, select the Allow unlimited
concurrent firewall authentication logins from the same account
option.
Authentication Login Limits Per User or Group
 To restrict the number of times a user or group member can log in, select the Limit concurrent user sessions to option, and specify the number of times each user or group member can log in.
 Select the action the XTM device takes when the user reaches the specified login limit:
• Reject subsequent login attempts
• Allow subsequent attempts and log off the first session
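The login-limit behaviour described across the four slides above, as an added example (not the XTM implementation): a per-user limit overrides the global default, an unlimited setting is represented by None, and at the limit the configured action either rejects the new login or admits it and logs off the oldest session. Account names, session ids and locations are constructed.

```python
from collections import OrderedDict

ACTIONS = ("reject", "logoff_first")


class LoginLimiter:
    """Concurrent firewall-authentication sessions per account.

    default_limit: global limit (None = unlimited). Per-account overrides set
    with set_limit() take precedence, as the user/group settings do on the XTM."""

    def __init__(self, default_limit=None, default_action="reject"):
        if default_action not in ACTIONS:
            raise ValueError(f"action must be one of {ACTIONS}")
        self.default = (default_limit, default_action)
        self.overrides = {}      # account -> (limit, action)
        self.sessions = {}       # account -> OrderedDict[session_id -> location]

    def set_limit(self, account, limit, action="reject"):
        if action not in ACTIONS:
            raise ValueError(f"action must be one of {ACTIONS}")
        if limit is not None and limit < 1:
            raise ValueError("limit must be at least 1, or None for unlimited")
        self.overrides[account] = (limit, action)

    def login(self, account, session_id, location):
        """Returns (accepted, logged_off_session_id_or_None)."""
        limit, action = self.overrides.get(account, self.default)
        active = self.sessions.setdefault(account, OrderedDict())
        if limit is not None and len(active) >= limit:
            if action == "reject":
                return False, None
            oldest, _ = active.popitem(last=False)    # log off the first (oldest) session
            active[session_id] = location
            return True, oldest
        active[session_id] = location
        return True, None

    def logout(self, account, session_id):
        self.sessions.get(account, OrderedDict()).pop(session_id, None)

    def active_sessions(self, account):
        return list(self.sessions.get(account, OrderedDict()))


if __name__ == "__main__":
    lim = LoginLimiter(default_limit=None)             # global: unlimited
    lim.set_limit("alice", 1, "reject")
    lim.set_limit("bob", 2, "logoff_first")
    print(lim.login("alice", "a1", "10.0.1.5"), lim.login("alice", "a2", "10.0.2.7"))
    for s in ("b1", "b2", "b3"):
        print("bob", s, lim.login("bob", s, "10.0.3.1"))
    print("bob active:", lim.active_sessions("bob"))
```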
Policies
Policy Tags & Filters
 To improve visibility and troubleshooting, you can now create groups of
policies.
 To create groups, apply policy tags to your policies and create filters that
use the policy tags to specify which policies are visible in the policy list.
You can also sort the policy list by the Tags column.
 You can save filters so you can apply them again. Remove a filter to see
the full list of policies again.
 Policy tags and filters can be managed in Policy Manager and Fireware
XTM Web UI.
Policy Tags & Filters
 First, define policy tags and add them to policies.
Hold down Ctrl to apply a tag to multiple policies at the same time.
 Right-click a policy and select Policy Tags > Add to policy > New.
Or, select View > Policy Tags > Manage.
Policy Tags & Filters
 Name the policy tag and select a color for the name of the policy tag.
The color only applies to the name of the policy tag, and appears in the
Tags column.
Policy Tags & Filters
 When you have applied policy tags to all the policies you want to group, click the Tag Filter icon on the Tags column to select the policy tags you want to see in the policy list.
Policy Tags & Filters
 Filtered view for only policies with the specified tag. For example, the Web tag.
 The red filter icon indicates that a filter is applied to the policy list, and the filter has not been saved.
Policy Tags & Filters
 To save a filter, click the save icon.
 Specify a name for the filter.
Policy Tags & Filters
 From the Filter drop-down list, you can easily select another filter, create
a new custom filter, or remove all filters.
Policy Tags & Filters
 To remove a tag from a policy in Policy Manager, choose a method:
• Select a policy in the policy list and select View > Policy Tags > Remove from policy > <policy tag>.
• Right-click the policy and select Policy Tags > Remove from policy > <policy tag>.
Policy Tags & Filters
 To remove a tag from a policy in Fireware XTM Web UI, select a policy in
the policy list and select Tags > Remove from policy > <policy tag>.
Policy Tags & Filters
 If you save the configuration file to your XTM device with a filter applied,
the next time you connect to the device with Fireware XTM Web UI, or
open Policy Manager, the configuration file opens with the last filter
applied, not with the default policy list view.
 Make sure the Tags column is completely visible so the Tag Filter icon is
not hidden. You cannot apply a new filter if you cannot select the Tag
Filter icon.
 Tags and filters are only available for XTM devices with Fireware XTM
OS v11.7 and later.
Manually Change the Policy Order
 With a policy filter applied, you can switch to Manual Order Mode and
change the policy order.
 The correct policy order number appears in the Order column.
Management
Limit the Size of the Report Server Database
 In WSM v11.7, there are now two methods you can choose from to limit the size of your Report Server database:
• Delete reports after a specified number of days
• Delete reports at a maximum database size
Limit the Size of the Report Server Database
 The Report Server automatically deletes reports after the specified number of days elapse.
• The default setting is every 14 days at 12:00 AM.
• You can change this setting to meet the needs of your organization.
 You can also now set a Maximum database size for your Report Server.
• When the size you specify is reached, the Report Server deletes reports until the database is within the size you specify.
• This option might delete reports before the specified number of days elapse.
 If you do not specify a Maximum database size, you can enable the Report Server to send you a notification message when the database reaches the preferred size warning threshold that you specify.
 If you do specify a Maximum database size, you can enable the Report Server to send you a notification message when reports are deleted.
CA Manager in WatchGuard WebCenter
 CA Manager is now available in the new WatchGuard WebCenter web
UI, with Log Manager and Report Manager.
 WebCenter and CA Manager are automatically installed when you install
a WatchGuard Management Server.
 The configuration options for CA Manager are unchanged and all
available in the CA Manager pages of WatchGuard WebCenter.
CA Manager in WatchGuard WebCenter
 To connect to WebCenter for CA Manager, open WatchGuard System Manager and click the CA Manager toolbar icon. Or, select Tools > CA Manager. Or, open a web browser and go to https://<IP address of the Management Server>:4130.
CA Manager in WatchGuard WebCenter
(Screenshots: v11.6.1 and earlier CA Manager; v11.7 CA Manager)
Quarantined Email Web UI
 When you enable notification on the Quarantine Server, the intended recipients of quarantined mail receive a notification message.
 The notification message includes:
• A link to a web page on the Quarantine Server where users can manage their quarantined messages. This web page has been redesigned in v11.7.
• A report of the last 50 quarantined messages.
• The total number of quarantined messages.
Quarantined Email Web UI
 When you click the link in the notification email, the Quarantine Email web page launches with quarantined messages on two tabs:
• Spam — Messages quarantined by spamBlocker
• Virus — Messages quarantined by Gateway AntiVirus
 From this page, you can:
• Click any message subject to see the message body.
• Delete messages from the Virus or Spam tab.
• Mark messages on the Spam tab as Not Spam, which releases them from quarantine.
Quarantined Email Web UI
 Users can also select whether to receive future notifications about
quarantined email messages.
1-to-1 NAT for Managed VPN Tunnels
 Administrators can now configure 1-to-1 NAT in managed VPN tunnels.
• The setting is available in the VPN Resource configuration.
Centralized Management for XTM Devices Behind
NAT Gateways
 Our customers might not control a third-party firewall or router, but they
want to use Centralized Management for their XTM devices behind the
third-party firewall or router.
(Diagram) Remote sites (Airport, Parking Garage) connect over the Internet through a 3rd Party Firewall (NAT) Gateway to the XTM Gateway; behind it is the Private Network / Management Network with the Management Server, Log and Report Servers, and WSM Client.
Centralized Management for XTM Devices Behind
NAT Gateways
 Requirements:
• An XTM device (gateway Firebox) is required in front of the Management Server.
• Management Tunnels are only supported for XTM devices in Routed Mode.
• An XTM OS update may be required on remote devices due to BUG65928.
• Remote devices must be configured as dynamic devices in WSM.
• External interface(s) cannot be disabled or removed while a Management Tunnel is established.
• Each remote device in a Management Tunnel uses one tunnel route.
• The gateway Firebox uses one tunnel route for each remote device in a Management Tunnel.
Centralized Management for XTM Devices Behind
NAT Gateways
 Management Tunnels enable you to make a management connection to
your remote XTM devices that are behind a third-party NAT gateway
device, so you can centrally manage your remote XTM devices.
 Each Management Tunnel has the Management Server gateway Firebox
at one end of the tunnel, and one or more remote XTM devices at the
other end of the tunnel.
 The configuration options are simplified based on which end of the tunnel
each device is located.
Centralized Management for XTM Devices Behind
NAT Gateways
 The Management Network in the previous diagram should be defined by a VPN resource for the gateway Firebox.
• For example, if the Management Server is on the Optional-1 network behind the gateway Firebox, select Optional-1 Network as the VPN resource. For other scenarios, you can use a custom VPN resource.
 A remote XTM device’s management IP address is a virtual IP address
that is used to establish the Management Tunnel and to connect to the
remote XTM device. The IP address is used as the outward facing 1-to-1
NAT address for the Management Tunnel.
Windows 8 and Server 2012 Support
• Windows 8
• Windows Server 2012 (requires GUI)
Services
Intrusion Prevention Service (IPS) Scan Modes
 IPS now includes two scan modes:
• Full Scan — Scans all packets for policies that have IPS enabled. This is the default setting.
• Fast Scan — Scans fewer packets to increase performance. This mode greatly improves the throughput for scanned traffic, but does not provide the comprehensive coverage of Full Scan mode.
IPS and Application Control for HTTPS
 The HTTPS-proxy now performs Application Control and Intrusion
Prevention Service (IPS) scanning for decrypted HTTPS content when
deep inspection of HTTPS content is enabled.
 There are no changes to the configuration settings for the HTTPS-proxy, Application Control, or IPS.
 Deep inspection of HTTPS content must be enabled:
• For IPS to scan HTTPS content
• For Application Control to identify applications that use HTTPS
WebBlocker with Websense Cloud
 WebBlocker now supports two server options.
 Websense cloud (new)
• Uses a cloud-based URL categorization database with 125 content categories, provided by Websense
• Websense cloud does not use a locally installed WebBlocker Server
• URL categorization queries are sent over HTTP
 WebBlocker Server
• Uses a WatchGuard WebBlocker Server with 54 categories, provided by SurfControl
• Requires a locally installed WebBlocker Server
 XTM 2 Series and XTM 33 can use a WebBlocker Server hosted by WatchGuard
• The WebBlocker Server supports the same SurfControl content categories as in prior releases
• URL categorization queries are sent over UDP 5003
WebBlocker with Websense Cloud
 You identify the WebBlocker server type you want to use when you
activate WebBlocker.
 Websense cloud is selected by default.
WebBlocker with Websense Cloud
 The available categories depend on which type of server you choose.
• Websense cloud — 125 categories
• WebBlocker Server — 54 categories
WebBlocker with Websense Cloud
 You can control how the XTM device handles traffic that does not match a content category.
• From the When a URL is uncategorized drop-down list, select Allow or Deny.
• The default setting is Allow.
 This setting appears in the Category tab when you edit a WebBlocker configuration.
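The decision the slide describes (deny a URL whose category is on the blocked list, otherwise fall through to the When a URL is uncategorized setting) can be modelled in a few lines. This is an added illustration, not Fireware or WatchGuard code; the category table is constructed for the example, and no real Websense cloud or WebBlocker Server lookup is performed. The `audit` helper goes slightly beyond the slide: it measures how much of a sample of traffic would land on the uncategorized branch, which is the number an administrator needs before deciding whether to keep the default Allow or switch to Deny.

```python
"""Model of the WebBlocker category / uncategorized-URL decision (added example)."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample of a categorization database. A real deployment queries
# Websense cloud (over HTTP) or a WebBlocker Server (UDP 5003); this example
# does neither and answers only from this table.
SAMPLE_CATEGORIES = {
    "news.example": "News and Media",
    "mail.example": "Web-based Email",
    "casino.example": "Gambling",
}


@dataclass
class WebBlockerPolicy:
    """Hypothetical stand-in for the Category tab of a WebBlocker configuration."""
    denied_categories: set = field(default_factory=set)
    # Mirrors the "When a URL is uncategorized" drop-down. "Allow" is the
    # default the slide states; "Deny" is the fail-closed alternative.
    uncategorized_action: str = "Allow"


def lookup_category(url, categories=SAMPLE_CATEGORIES):
    """Return the category for the URL's host, or None when uncategorized."""
    if "://" not in url:
        url = "http://" + url  # let urlparse see a bare host as a host, not a path
    host = urlparse(url).hostname
    return categories.get(host)


def decide(url, policy, categories=SAMPLE_CATEGORIES):
    """Return (action, category) for one URL under the given policy."""
    category = lookup_category(url, categories)
    if category is None:
        # No category matched: the uncategorized setting decides.
        return policy.uncategorized_action, None
    if category in policy.denied_categories:
        return "Deny", category
    return "Allow", category


def audit(urls, policy, categories=SAMPLE_CATEGORIES):
    """Summarize a sample of URLs: how many are denied, allowed, and how many
    were decided only by the uncategorized setting."""
    summary = {"Allow": 0, "Deny": 0, "uncategorized": 0}
    for url in urls:
        action, category = decide(url, policy, categories)
        summary[action] += 1
        if category is None:
            summary["uncategorized"] += 1
    return summary


if __name__ == "__main__":
    policy = WebBlockerPolicy(denied_categories={"Gambling"})
    # Constructed sample of proxied requests.
    sample = [
        "http://news.example/today",
        "https://casino.example/play",
        "http://unknown-host.example/",
    ]
    for url in sample:
        print(url, "->", decide(url, policy))
    print(audit(sample, policy))
```

With the default policy the third request is allowed purely because it has no category; the same sample with `uncategorized_action="Deny"` turns it into a denial, and `audit` shows how large that uncategorized share is for a given traffic sample.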
WebBlocker with Websense Cloud
 When you upgrade to v11.7, the existing WebBlocker configuration is not changed automatically.
 To use Websense cloud, edit the WebBlocker configuration and select the Websense cloud option.
 You can choose whether to automatically convert your existing category selections.
WebBlocker with Websense Cloud — Site Lookup
 To see how Websense categorizes a site, go to www.aceinsight.com.
 In the Site Analysis section, type the URL or IP address to look up.
 Click Analyze.
WebBlocker with Websense Cloud — Site Lookup
 On the Search Results page, the security risk for the site appears.
 Click the URL Website Categorization icon at the bottom of the page.
WebBlocker with Websense Cloud — Site Lookup
 The static category is the category WebBlocker uses for this site.
WebBlocker with Websense Cloud — Send Feedback
 If you think a site is categorized incorrectly, you can send feedback to
Websense to request a change in the categorization of a site.
 You can email feedback to suggest@websense.com.
 In the email, include:
• The URL of the site
• From which categories you think the site should be removed
• To which categories you think the site should be added
THANK YOU!