What's New in Fireware XTM v11.5.1


Jan 31, 2013 (4 years and 7 months ago)



New Features in Fireware XTM v11.5.1

Major Changes

- IPv6
- Network Configuration and Routing
- FIPS 140-2
- Dynamic Routing Enhancements
- Clientless SSO
- Log and Report Manager
- Log Server UTC Timestamp Conversion
- ConnectWise Integration
- SMTP-Proxy TLS Encryption

WatchGuard Training

Minor Changes

- Debug Logging Per Proxy Action (60099)
- WSM Management Server Search (62143)
- iOS Mobile VPN with IPSec (41602)
- Export Auto-Blocked Sites (62511)
- Negotiate PPPoE Client IP Address (61930)

New Platforms

- XTM 330
- XTM 2050

IPv6

IPv6 Refresher

WatchGuard IPv6 resources, each available as a video and a PPT:
http://www.watchguard.com/ipv6/index.asp

- Hype or Reality
- Security Implications
- What to Expect

IPv6 is manageable

- If you impose a false minimum of a /24 on IPv4, the subnetting arithmetic is the same as in IPv6: an IPv4 /8 holds 65,536 /24s and an IPv6 /48 holds 65,536 /64s, so carving up an IPv4 /8 is the same exercise as carving up an IPv6 /48.

Address structure, from the slide's diagram: IPv4 example 10.0.0.254; IPv6 example 2561:1900:4545:0003:0200:F8FF:FE21:67CF, written as eight 16-bit groups, with the first half labelled Network Prefix and the second half Interface ID. The FF:FE in the middle of this interface ID marks a modified EUI-64 identifier built from the host's MAC address, which is how stateless autoconfiguration can expose a host's hardware identity to every peer it talks to.
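As an added example that is not part of the training deck and not WatchGuard code, the following Python splits the slide's address into its 16-bit groups, network prefix and interface ID, recovers the MAC address behind an EUI-64 interface ID, and checks the /8-versus-/48 comparison above. The /64 boundary is an assumption of the example (it is the standard SLAAC split; the slide labels the halves but gives no prefix length).

```python
import ipaddress

# Address taken from the slide's diagram; everything else here is constructed
# for this example and is not WatchGuard code.
SLIDE_ADDR = "2561:1900:4545:0003:0200:F8FF:FE21:67CF"


def split_address(addr: str, prefix_len: int = 64):
    """Return (network prefix, interface ID) as colon-separated 16-bit groups.
    The /64 boundary is an assumption of the example (the standard SLAAC
    split; the slide labels the halves but gives no prefix length)."""
    packed = ipaddress.IPv6Address(addr).packed          # 16 bytes, 8 groups
    groups = [packed[i:i + 2].hex() for i in range(0, 16, 2)]
    cut = prefix_len // 16
    return ":".join(groups[:cut]), ":".join(groups[cut:])


def eui64_to_mac(addr: str):
    """If the low 64 bits are a modified EUI-64 interface ID (0xFFFE inserted
    in the middle of a 48-bit MAC, universal/local bit flipped), recover the
    MAC address; return None for any other kind of interface ID."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                                # undo the U/L bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def subnet_count(network: str, new_prefix: int) -> int:
    """How many subnets of length new_prefix fit in `network` (IPv4 or IPv6)."""
    net = ipaddress.ip_network(network, strict=False)
    if new_prefix < net.prefixlen:
        raise ValueError("new prefix must be longer than the network prefix")
    return 2 ** (new_prefix - net.prefixlen)


if __name__ == "__main__":
    prefix, iid = split_address(SLIDE_ADDR)
    print("prefix:", prefix, "interface ID:", iid)
    print("MAC behind the interface ID:", eui64_to_mac(SLIDE_ADDR))
    # The slide's point: an IPv4 /8 cut into /24s and an IPv6 /48 cut into /64s
    # both yield 65,536 networks.
    print(subnet_count("10.0.0.0/8", 24), subnet_count("2561:1900:4545::/48", 64))
```

Run it and the interface ID decodes to 00:00:f8:21:67:cf; a host using RFC 4941 privacy addresses would instead return None from eui64_to_mac, which is the check to run when auditing whether clients are leaking MAC addresses through SLAAC.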

IPv6 in 11.5.1

- If it routes, the traffic will pass: no security policies, features, or configurations are applied to IPv6 traffic in this release. For IPv6 the device is a router, not a firewall, so do not enable IPv6 on an interface where unfiltered forwarding is unacceptable.
- Static configuration of IPv6 addresses and DNS
- Router Advertisement for stateless address auto-configuration
- Static routes

IPv6 Certifications

IPv6 Ready

- Phase 1, Silver Logo, was achieved in v11.4.2
- Phase 2, Gold Logo, Core is in this release
- The Phase 2 Logo is a prerequisite for the extended test categories, including: IPSec, IKEv2, MIPv6, NEMO, DHCPv6, SIP, SNMP-MIBs, MLDv2

IPv6 Roadmap

The roadmap runs in three stages (IPv6 Stage 1, Stage 2, Stage 3). Stage 1 is v11.5.1 and covers the static addressing, Router Advertisement and static routing listed under "IPv6 in 11.5.1".

IPv6 Planned Features

- Static configuration of IPv6 addresses
- Router Advertisement for stateless address auto-configuration
- Static routes and DNS servers
- DHCPv6 client for external interface
- V6 policies
- Blocked sites/ports, and auto-block
- Default threat protection
- BOVPN 6-in-6, 6-in-4, 4-in-6
- 6-to-4 transition tunnel

Future Features

- Authentication, SSO, Terminal Service
- DHCP Server/Relay for trusted/optional interface
- Transparent bridge and drop-in mode
- Traffic management and QoS
- 4-to-6 transition tunnel
- Proxy and security services (WebBlocker, GAV, ...)
- Application Control and IPS
- Mobile User VPN
- Cluster

FIPS 140-2

FIPS Support in Fireware XTM

FIPS 140-2

- Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules
- Describes the NIST requirements and standards for cryptographic modules for use by federal government departments and agencies
- Defines four security levels

WatchGuard XTM

- XTM devices and Fireware XTM are designed to meet the overall requirements for FIPS 140-2 Level 2 security, when configured in a FIPS-compliant manner

FIPS Support in Fireware XTM

FIPS Mode

- You must use the CLI to enable FIPS mode on an XTM device
- When the XTM device operates in FIPS mode, each time the device is powered on it runs the set of self-tests required by the FIPS 140-2 specification
- If any of the tests fail, the XTM device writes a message to the log file and shuts down
- If you start the device in safe mode or recovery mode, the device is not in FIPS mode
- Use the CLI command fips enable to enable FIPS mode operation
- Use the CLI command show fips to determine whether the XTM device is configured in FIPS mode

FIPS Mode Constraints

FIPS mode does not enforce a FIPS-compliant configuration: the power-on self-tests cover the cryptographic module, not your policy choices, so each of the following has to be checked by the administrator.

- Configure the Admin and Status administrative accounts to use passwords with a minimum of 8 characters
- When you configure VPN tunnels, you must choose only FIPS-approved authentication and encryption algorithms: SHA-1, SHA-256, SHA-512, 3DES, AES-128, AES-192, and AES-256
- When you configure VPN tunnels, you must choose Diffie-Hellman Group 2 or Group 5 for IKE Phase 1 negotiation
- Use a minimum of 1024 bits for all RSA keys
- Do not configure FireCluster for high availability
- Do not use Mobile VPN with PPTP
- Do not use PPPoE
- Do not use WatchGuard System Manager to manage the device
- For access to the Fireware XTM Web UI, the web browser must be configured to use only TLS 1.0 and FIPS-approved cipher suites
- For network access to the CLI, clients must use the SSH v2.0 protocol

These minimums reflect the guidance in force when v11.5.1 shipped. NIST SP 800-131A later disallowed 1024-bit RSA and the 1024-bit MODP group that DH Group 2 uses, and TLS 1.0 has since been deprecated, so treat the list as the floor this release was validated against rather than a current recommendation.
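Because FIPS mode checks the module and not the configuration, the practical control is an audit of the configuration against the list above. The following Python is an added example, not Fireware code: it encodes the slide's constraints and runs them over a constructed configuration. The dict layout and field names are assumptions for the example; the device does not export its settings in this shape. The second sample tunnel deliberately uses the weakest choices this deck lists later for the iOS Mobile VPN with IPSec profile (MD5, DES).

```python
# Added example, not Fireware code: an offline audit of an XTM configuration
# against the FIPS-mode constraints on the slide.  The configuration dicts and
# their field names are constructed for illustration.

MIN_PASSWORD_LEN = 8
MIN_RSA_BITS = 1024
FIPS_AUTH = {"SHA-1", "SHA-256", "SHA-512"}
FIPS_ENC = {"3DES", "AES-128", "AES-192", "AES-256"}
FIPS_DH_GROUPS = {2, 5}
FORBIDDEN_FEATURES = ("firecluster", "mobile_vpn_pptp", "pppoe")


def audit_tunnel(tunnel: dict) -> list:
    """Return the FIPS constraint violations for one IPSec tunnel (empty = passes)."""
    problems = []
    for phase in ("phase1", "phase2"):
        settings = tunnel[phase]
        if settings["auth"] not in FIPS_AUTH:
            problems.append(f"{phase}: authentication {settings['auth']} is not FIPS-approved")
        if settings["enc"] not in FIPS_ENC:
            problems.append(f"{phase}: encryption {settings['enc']} is not FIPS-approved")
    if tunnel["phase1"]["dh_group"] not in FIPS_DH_GROUPS:
        problems.append(f"phase1: DH group {tunnel['phase1']['dh_group']} is not Group 2 or 5")
    rsa_bits = tunnel.get("rsa_bits")          # absent for shared-key tunnels
    if rsa_bits is not None and rsa_bits < MIN_RSA_BITS:
        problems.append(f"RSA key of {rsa_bits} bits is below {MIN_RSA_BITS}")
    return problems


def audit_device(cfg: dict) -> dict:
    """Audit device-wide settings and every tunnel; keys say where each finding is."""
    findings = {}
    device = []
    for account in ("admin", "status"):
        if len(cfg["passwords"][account]) < MIN_PASSWORD_LEN:
            device.append(f"{account} password shorter than {MIN_PASSWORD_LEN} characters")
    for feature in FORBIDDEN_FEATURES:
        if cfg["features"].get(feature):
            device.append(f"{feature} must not be enabled in FIPS mode")
    if device:
        findings["device"] = device
    for name, tunnel in cfg["tunnels"].items():
        problems = audit_tunnel(tunnel)
        if problems:
            findings[name] = problems
    return findings


# Constructed sample: one compliant BOVPN and one tunnel using the weakest
# choices the deck lists for the iOS Mobile VPN with IPSec profile (MD5, DES).
SAMPLE_CONFIG = {
    "passwords": {"admin": "longenough1", "status": "short"},
    "features": {"firecluster": False, "mobile_vpn_pptp": True, "pppoe": False},
    "tunnels": {
        "bovpn-hq": {
            "phase1": {"auth": "SHA-256", "enc": "AES-256", "dh_group": 5},
            "phase2": {"auth": "SHA-1", "enc": "AES-128"},
            "rsa_bits": 2048,
        },
        "ios-mvpn": {
            "phase1": {"auth": "MD5", "enc": "DES", "dh_group": 2},
            "phase2": {"auth": "SHA-1", "enc": "3DES"},
        },
    },
}

if __name__ == "__main__":
    for where, problems in audit_device(SAMPLE_CONFIG).items():
        for problem in problems:
            print(f"{where}: {problem}")
```

On the sample, the audit flags the short Status password, the enabled PPTP Mobile VPN, and MD5/DES in the iOS tunnel's Phase 1, while the BOVPN passes; the same sets are the place to tighten (for example, dropping Group 2 and raising MIN_RSA_BITS) if the device has to meet later guidance.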

Dynamic Routing Enhancements

- FireCluster is now supported
- Configuration validation ensures a working configuration
- Enhanced troubleshooting capabilities:
  - Enable debugging at runtime
  - Obtain more logs from Quagga
  - Enhanced output in the Firebox System Manager Status Report

Dynamic Routing Diagnostic Logging

Change the Diagnostic Log Level setting for Dynamic Routing to the Debug level to see detailed log messages from all log levels.

Clientless Single Sign-On (SSO)

Clientless SSO

- Use the SSO Agent and Event Log Monitor for SSO, without the SSO Client
- Support for both single domain and multiple domains
- Provides the same accuracy as the SSO Client solution

Group membership lookup, as laid out on the slide:

- Token Groups: SSO Client, SSO ELM, and manual authentication with samAccountName
- Group Attribute: manual authentication other than with samAccountName, and non-Active Directory servers; this method does not return nested groups

Clientless SSO Process

1. Install the SSO Agent on your network.
2. Install the Event Log Monitor on each domain controller in your network.
3. The Event Log Monitor collects user credentials when users log on to the domain.
4. The SSO Agent queries the Event Log Monitor for user credentials.
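The process above stands or falls on step 3, turning domain-controller logon events into a source-address-to-user map. The following Python is an added example, not WatchGuard's Event Log Monitor, that approximates that job on constructed records and handles the two cases that break such a map: computer and pseudo accounts that are not people, and shared hosts (terminal servers) where one address carries several users. The record fields mirror a Windows 4624 successful-logon event, which is an assumption about the data the real monitor reads.

```python
from datetime import datetime, timedelta

# Added example, not WatchGuard's Event Log Monitor.  The records below are
# constructed, not real logs; the fields mirror what a Windows 4624 (successful
# logon) record carries, an assumption about the data the real monitor reads.
SAMPLE_EVENTS = [
    {"time": "2013-01-31T08:00:05", "event_id": 4624, "user": "CORP\\alice", "src_ip": "10.0.1.20"},
    {"time": "2013-01-31T08:00:06", "event_id": 4624, "user": "CORP\\WS-ALICE$", "src_ip": "10.0.1.20"},
    {"time": "2013-01-31T08:02:00", "event_id": 4624, "user": "CORP\\bob", "src_ip": "10.0.1.21"},
    {"time": "2013-01-31T08:03:00", "event_id": 4624, "user": "NT AUTHORITY\\ANONYMOUS LOGON", "src_ip": "10.0.1.21"},
    {"time": "2013-01-31T08:05:00", "event_id": 4624, "user": "CORP\\carol", "src_ip": "10.0.1.50"},
    {"time": "2013-01-31T08:05:30", "event_id": 4624, "user": "CORP\\dave", "src_ip": "10.0.1.50"},
    {"time": "2013-01-31T08:06:00", "event_id": 4625, "user": "CORP\\mallory", "src_ip": "10.0.1.22"},
]

IGNORED_ACCOUNTS = {"NT AUTHORITY\\ANONYMOUS LOGON", "NT AUTHORITY\\SYSTEM"}


def is_user_account(name: str) -> bool:
    """Computer accounts end in '$' and the well-known pseudo-accounts are not
    people; mapping them to an address would hide the real user behind it."""
    return name not in IGNORED_ACCOUNTS and not name.endswith("$")


def build_ip_user_map(events, window=timedelta(minutes=10)):
    """Return ({src_ip: (user, logon time)}, {ambiguous src_ips}).

    The map keeps the most recent successful user logon per address.  An
    address that sees two different users within `window` (a terminal server
    or any shared host) is reported as ambiguous instead of being mapped to
    whichever user happened to log on last."""
    latest, ambiguous = {}, set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 4624 or not is_user_account(ev["user"]):
            continue
        when = datetime.fromisoformat(ev["time"])
        prev = latest.get(ev["src_ip"])
        if prev and prev[0] != ev["user"] and when - prev[1] <= window:
            ambiguous.add(ev["src_ip"])
        latest[ev["src_ip"]] = (ev["user"], when)
    return latest, ambiguous


def lookup_user(ip, mapping, ambiguous, now, ttl=timedelta(hours=8)):
    """What the firewall's query would get back: a user name, or None when the
    address is unknown, shared, or its last logon is older than `ttl`.
    `now` may be a datetime or an ISO-8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if ip in ambiguous or ip not in mapping:
        return None
    user, when = mapping[ip]
    return None if now - when > ttl else user


if __name__ == "__main__":
    mapping, ambiguous = build_ip_user_map(SAMPLE_EVENTS)
    for ip in sorted(set(mapping) | ambiguous):
        print(ip, "->", lookup_user(ip, mapping, ambiguous, "2013-01-31T09:00:00"))
```

Returning None for the shared host is the safe failure: the firewall then falls back to manual authentication rather than granting dave's session carol's policy. The SSO Client, by contrast, reports from inside the workstation, which is why a shared host is the case where the two approaches differ most.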

Clientless SSO Work Flow

(Slide diagram only; no text was extracted.)

Clientless SSO Contact Priority

- Select whether the SSO Agent first contacts the Event Log Monitor or the SSO Client for user credentials.

Clientless SSO Supported OS

Use clientless SSO with these operating systems. The slide shows a table with one column per operating system and one row each for the SSO Agent and the Event Log Monitor; the per-cell support marks did not survive extraction, so only the operating systems listed are recoverable:

- Windows XP SP2/SP3 (32-bit)
- Windows Vista (32-bit)
- Windows 7 (32-bit)
- Windows Server 2003 (32-bit)
- Windows Server 2003 (64-bit)
- Windows Server 2008 (32-bit)
- Windows Server 2008 & 2008 R2 (64-bit)

Log and Report Manager

- Log Viewer and Report Manager are replaced in v11.5.1 with the new Log and Report Manager web UI.
- Select either the Log Viewer or Report Manager icon in WatchGuard System Manager to launch the default web browser. The user is prompted to connect to the WatchGuard Log Server or Report Server with administrative credentials.

View Logs

- Select the Actions drop-down list at the right to choose a time filter for the log display, or select a Timeslice Analysis to show a summary of log types recorded over time.

View Reports

- Select REPORTS > Devices to see a list of devices with reports on the Report Server.
- Select a device to see the report options.
- View available reports: select Daily or Weekly time filters, and specify a date range.
- Select the tab for a report type: Dashboard, Traffic, Web, Mail, Services, Device, and Detail.
- To generate Per Client and On-Demand Reports for devices, click a link at the right side of the page.

On-Demand Reports

- Select the Start and End date and time, the type of report to generate, and click Run Report to generate an On-Demand report.
- Reports include graphical and textual summary information.

Log Server and Report Server UTC Time Conversion

Log and Report Server Upgrade

- When the Log Server or Report Server is upgraded to v11.5.1, the server database is upgraded to PostgreSQL 8.2.21.
- If an external Log Server or Report Server database is used instead of the built-in database, the user must manually upgrade the server to PostgreSQL 8.2.21 before the Log Server or Report Server is upgraded.

Log and Report Server UTC Conversion

- Previously, the Log and Report Server database stored log messages with the local timestamp of the host server. In v11.5.1, log messages are stored with UTC timestamps.
- When an existing server is upgraded to v11.5.1, the log message timestamps are converted from the old format to UTC. This can take some time, depending on the size of the log database.
- An audit log entry is written when the conversion process starts and when it finishes.
- If email notification is enabled, notifications are sent when conversion starts and when conversion is complete.
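The following Python is an added example, not the WatchGuard upgrade code, of the kind of one-shot conversion the upgrade performs, on constructed rows. It shows the two things the bullets above imply but do not spell out: a timestamp near midnight changes date when it moves to UTC, and the start/finish audit entries are what stops a second run from shifting already-converted rows by the host offset a second time. The host zone (UTC-8) and row layout are assumptions of the example.

```python
from datetime import datetime, timedelta, timezone

# Added example, not the WatchGuard upgrade code.  The host zone (UTC-8) is an
# assumption; the real server uses whatever zone its host was set to.  Rows
# and messages are constructed.
HOST_TZ = timezone(timedelta(hours=-8))
OLD_ROWS = [
    {"id": 1, "ts": "2013-01-30T23:59:30", "msg": "Allow 10.0.1.20 -> 203.0.113.5 tcp/443"},
    {"id": 2, "ts": "2013-01-31T00:00:10", "msg": "Deny 198.51.100.9 -> 10.0.1.20 tcp/22"},
]
AUDIT_LOG = []


def convert_to_utc(rows, host_tz, audit_log):
    """Rewrite naive host-local timestamps as UTC with an explicit offset.

    The audit entries double as a guard: if a finished-conversion entry is
    already present the function does nothing, because shifting rows that are
    already UTC would move every log message by the host offset again."""
    if any(entry["event"] == "utc_conversion_finished" for entry in audit_log):
        return 0
    audit_log.append({"event": "utc_conversion_started", "rows": len(rows)})
    converted = 0
    for row in rows:
        if "+" in row["ts"] or row["ts"].endswith("Z"):
            continue                       # already carries an offset
        local = datetime.fromisoformat(row["ts"]).replace(tzinfo=host_tz)
        row["ts"] = local.astimezone(timezone.utc).isoformat()
        converted += 1
    audit_log.append({"event": "utc_conversion_finished", "rows": converted})
    return converted


if __name__ == "__main__":
    print(convert_to_utc(OLD_ROWS, HOST_TZ, AUDIT_LOG), "rows converted")
    for row in OLD_ROWS:
        print(row["ts"], row["msg"])
    print(convert_to_utc(OLD_ROWS, HOST_TZ, AUDIT_LOG), "rows converted on the second run")
```

Row 1 moves from 2013-01-30 23:59:30 local to 2013-01-31 07:59:30 UTC, so any report or incident timeline keyed on the local date changes after the upgrade; that is the thing to reconcile when comparing pre- and post-upgrade reports.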

ConnectWise Integration

- Your v11.5.1 Report Server can send specific reports it generates to the third-party ConnectWise service, to be included in the reports ConnectWise produces.
- The Report Server must be configured with the information for a ConnectWise server and ConnectWise account.
- In the Report Server Server Settings, enable ConnectWise integration and add the information for the ConnectWise server and ConnectWise account.
- Make sure to import the CA certificate for your ConnectWise server to your Report Server, so that the Report Server can validate the ConnectWise server's certificate before it sends reports.
- Create a Report Schedule and specify the reports to generate and send to ConnectWise.
- Reports available for ConnectWise integration include: Firebox Statistics, Intrusion Prevention Service Summary, WebBlocker Summary, Most Popular Domains.
- To send reports to ConnectWise, you must select at least one of these reports.
- Reports must be scheduled to run daily.

SMTP-Proxy TLS Encryption

SMTP-Proxy TLS Encryption Settings

- v11.5.1 includes new options for TLS encryption settings in the ESMTP category of the SMTP proxy action.
- If an SMTP-proxy is used for mail traffic sent through an XTM device, TLS encryption can be applied to the traffic.
- Certificates used by the HTTPS-proxy are also used by the SMTP-proxy for TLS encryption. The FSM certificate import feature is also used to import TLS encryption certificates to the XTM device.

Configure rules to determine which recipient domains receive TLS-encrypted email:

- If Recipient Encryption is Required, the XTM device does not send the email if TLS negotiation fails.
- If Recipient Encryption is Preferred, the XTM device tries to negotiate a TLS connection, but if negotiation fails the email is sent unencrypted. This is opportunistic TLS: a failed or stripped STARTTLS silently downgrades the message to cleartext, so use Required for domains whose mail must not cross the network in the clear.
- If Recipient Encryption is Allowed, the email client can select to encrypt or not encrypt email, and the XTM device sends the email whether it is encrypted or unencrypted.

- If Sender Encryption is Required, an option can be enabled to encrypt not only the email data but also the sender, recipient, and body information in the message.

- The Authentication category of the ESMTP settings includes an option to require encryption of plain-text ESMTP authentication information, so that AUTH PLAIN and AUTH LOGIN credentials are only accepted once the session is protected by TLS.
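To make the three Recipient Encryption rules and the plain-text AUTH option concrete, the following Python is an added example, not Fireware code, that models the decisions described above. The domain table, the simulated STARTTLS outcomes per next hop, and every name in it are constructed for the example.

```python
# Added example, not Fireware code: a model of the Recipient Encryption rules
# and the plain-text AUTH option described on the slides.  The domain table,
# the simulated STARTTLS outcomes and all names are constructed.
REQUIRED, PREFERRED, ALLOWED = "Required", "Preferred", "Allowed"

RECIPIENT_RULES = {
    "partner.example": REQUIRED,   # mail must never leave in the clear
    "example.org": PREFERRED,      # opportunistic: TLS if the next hop can
    "*": ALLOWED,                  # default: whatever the client asked for
}

# Simulated next-hop behaviour: which domains complete STARTTLS.
STARTTLS_OUTCOME = {"partner.example": False, "example.org": False, "mail.example": True}


def simulated_starttls(domain: str) -> bool:
    return STARTTLS_OUTCOME.get(domain, True)


def rule_for(domain: str) -> str:
    return RECIPIENT_RULES.get(domain.lower(), RECIPIENT_RULES["*"])


def deliver(recipient: str, client_wants_tls: bool, starttls=simulated_starttls):
    """Return (action, encrypted), where action is 'send' or 'refuse'.

    starttls(domain) -> bool stands in for the negotiation with the next hop
    and is only attempted when the rule, or under Allowed the client, asks."""
    domain = recipient.rsplit("@", 1)[1].lower()
    rule = rule_for(domain)
    if rule == ALLOWED and not client_wants_tls:
        return "send", False
    if starttls(domain):
        return "send", True
    if rule == REQUIRED:
        return "refuse", False            # never fall back to cleartext
    return "send", False                  # Preferred/Allowed: silent downgrade


def accept_auth(mechanism: str, tls_active: bool, require_encrypted_plain_auth: bool = True) -> bool:
    """AUTH PLAIN and AUTH LOGIN carry the password in the clear (base64 only),
    so with the option on they are refused until STARTTLS has completed."""
    if mechanism.upper() in {"PLAIN", "LOGIN"} and require_encrypted_plain_auth:
        return tls_active
    return True


if __name__ == "__main__":
    for rcpt, wants in (("a@partner.example", False), ("a@example.org", False),
                        ("a@mail.example", False), ("a@mail.example", True)):
        print(rcpt, "client wants TLS:", wants, "->", deliver(rcpt, wants))
    print("AUTH PLAIN before STARTTLS accepted:", accept_auth("PLAIN", False))
```

The instructive row is example.org: with the next hop failing STARTTLS, Preferred delivers in cleartext and only the proxy log would show it, whereas partner.example under Required is refused and the sender finds out. Pass a different starttls callable to model a next hop that an attacker has downgraded.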

Minor Changes

Diagnostic Log Level For Proxy Actions

- Set the Diagnostic Log Level for each proxy action in the General Settings category.
- Diagnostic Log Levels: Error, Warning, Information, Debug
- Reduce log messages from high-traffic proxy actions.
- To disable logging for a single proxy action, you must disable logging for that proxy type globally, then enable logging for all other proxy actions.

WSM Management Server Search

- New Search folder for the Management Server on the Device Management tab.
- Search supports: device display name, device IP addresses, device host names, polled device name, polled IP address, polled serial number, polled software version.
- Search does not support: serial number for the backup master, secondary addresses, polled multi-WAN IP addresses.

iOS Mobile VPN with IPSec

- There is no configuration profile to install; the VPN is set up on the device with these specific settings only.
- Refer to the "iOS: Setting up VPN" article for the device side.
- Configure Fireware XTM to match:
  - Shared Key only (no certificates)
  - Force all traffic through the tunnel
  - Phase 1: authentication MD5 or SHA-1; encryption DES, 3DES, AES-128, or AES-256 (no AES-192); SA life 1 hour; key group DH Group 2
  - Phase 2: authentication MD5 or SHA-1; encryption 3DES, AES-128, or AES-256; key expiration 1 hour and 0 Kb; PFS disabled
- MD5 and DES are not on the FIPS-approved list given under FIPS Mode Constraints, so a device that must stay FIPS-compliant cannot accept an iOS profile built with them; choose SHA-1 and AES-128 or AES-256 from the options above.

Export Auto-Blocked Sites

- To export the list of blocked sites, right-click the Blocked Sites list in Firebox System Manager.
- Save the list as the blocked_sites.txt file.

Negotiate PPPoE Client IP Address and DNS

- Configure an external interface, select the IPv4 tab, select Use PPPoE, select Use IP address, and click Advanced Properties.
- Send the PPPoE client static IP address during PPPoE negotiation:
  - When selected, the configured address is requested, but other addresses will also be accepted during negotiation.
  - When not selected, the IP address is not negotiated in PPPoE.
- Negotiate DNS with PPPoE Server

New Platforms

                     XTM 330                     XTM 2050
Form Factor:         Rackmount (1U)              Rackmount (2U)
Network Interfaces:  7x GbE (RJ45)               16x GbE (RJ45), 2x 10G SFP+ Fiber
Other Interfaces:    2x USB, 1x RJ45 serial      1x GbE RJ45 management, 2x USB, 1x RJ45 serial
Weight:              7.55 lbs                    48.5 lbs
Power Supply:        100-240 VAC Autosensing     Dual 100-240 VAC Autosensing

THANK YOU!