What’s New in Fireware XTM v11.4 - PowerPoint PPT Presentation

About This Presentation
Title:

What’s New in Fireware XTM v11.4

Description:

What's New in Fireware XTM v11.4, WatchGuard Training (PowerPoint PPT presentation)

Slides: 150
Provided by: watchguar
Tags: xtm | fireware | new | v11


Transcript and Presenter's Notes



1
What's New in Fireware XTM v11.4
2
New Features in Fireware XTM v11.4
  • New! Application Control
  • Intrusion Prevention System enhancements
  • Authentication enhancements
  • Support for multiple Active Directory domains
  • Unique identification of each client session on
    Terminal Server / Citrix server
  • Support for LDAP over SSL (LDAPS)
  • Support for IEEE 802.1X (Extensible
    Authentication Protocol)
  • Improved interaction between Manual
    Authentication and SSO
  • Centralized Management enhancements
  • New SNAT actions

3
New Features in Fireware XTM v11.4
  • Wireless Security enhancements (rogue access
    point detection)
  • Wireless network bridge enhancements
  • Logging and Log Server enhancements
  • Reporting and Report Server enhancements
  • Support for A/P FireCluster in Drop-in mode
  • New Global TCP timeout setting
  • Diagnostics and Health Monitoring with USB
    Diagnostics
  • Improved Support for proxy configuration in the
    Web UI
  • Enhancements to Quick Setup Wizard

4
Fireware XTM v11.4 Device Compatibility
  • Fireware XTM v11.4 is compatible with all XTM
    device models
  • XTM 2 Series
  • XTM 5 Series
  • XTM 8 Series
  • XTM 1050
  • Fireware XTM v11.4 is not compatible with Firebox
    X e-Series device models

5
New! Application Control
6
Application Control Overview
  • Overall Design
  • You can now allow or deny access to hundreds of
    applications
  • Social Network Apps, IM/P2P, Games, Streaming
    Media, Business Apps, etc.
  • Application Control is an action applied to
    firewall policies
  • All firewall policy types are supported
  • Packet Filters and Proxy policies, Mobile VPN,
    and Branch Office VPN
  • Hierarchical relationship of categories,
    applications, behaviors
  • Category
  • Application
  • Behavior
  • Design Controls
  • Application identification takes a maximum of 7
    packets
  • Policy-based NAT executes on first packet
  • Policy-based routing executes on first packet

7
Application Control Use Cases
  • Use cases by application/behavior
  • By application: Block Skype for all
  • By application behavior: Block MSN file transfer
    for all
  • Use cases by IP address/user/group
  • User or group: Block P2P for Marketing
  • Host or network: Block BitTorrent for
    10.0.0.0/24
  • Combinations of IP address/user/group and
    applications/behaviors
  • Use policy schedules to allow different
    applications at different times
  • All standard policy features are available:
    Scheduling, QoS, Traffic Management, NAT, etc.

8
Application Control Signatures
  • Automated updates
  • Two signature sets: XTM2 and XTM5/8/10
  • More applications are available for XTM 5/8/10
    Series than for XTM 2 Series
  • One file is downloaded for both Application
    Control and IPS
  • Metadata is extracted from the file when
    downloaded
  • Signatures are abstracted for Application Control
  • Applications are mapped to signatures
  • Mapping is not 1-1
  • Example: Application Skype is mapped to four
    underlying signatures
  • CHAT Skype login on TCP -1
  • CHAT Skype login on TCP -3
  • CHAT Skype login on TCP -2
  • CHAT Skype login on SSL -1
  • Management software shows the abstraction
  • Skype

9
Application Control Behaviors
  • Seven possible behaviors
  • Authority: Login
  • Access: Known command to access server or peer
  • Communicate: Communication with server or peer
    (chat)
  • Connect: Unknown command (P2P connect to peer)
  • Game: Games
  • Media: Audio and Video
  • Transfer: File Transfer
  • Not all applications exhibit all behaviors

10
Application Control Configuration Overview
  • You can now block traffic flows based on the
    application in use
  • Signature-based ability to identify hundreds of
    applications
  • Application Control is a Subscription Service
  • Specify Application Control actions per policy

11
Add an Application Control Action
  • Use the Subscription Services menu in Policy
    Manager to add and edit Application Control
    actions, and configure signature update settings
  • Configure the Global Application Control action
    to use in policies, or create new Application
    Control actions

Signature update settings
12
Add an Application Control Action
  • Add a new action
  • Select the applications to control
  • Select Allow or Drop for each application you
    select
  • Drop: Blocks applications
  • Allow: Allows applications

13
Find an Application
  • Use the Search text box to quickly find an
    application by name
  • Select a Category to see the applications in that
    category

14
Application Control Configuration
  • The Application Control action specifies what to
    do when an application does not match the
    configured applications
  • Use the Global action
  • Allow the connection
  • Drop the connection

15
Application Control The Global Action
  • When a traffic flow does not match another
    Application Control action, you can use the
    Global action as a fall-through
  • By default the Global action has no applications
    to identify
  • You can edit the Global action to add
    applications to identify
  • Global action has its own fall-through
  • Allow the connection
  • Drop the connection
  • Or, apply the Global action to any of your
    policies

16
Application Control Policy Configuration
  • New Enable Application Control drop-down list
    and action selector on the Policy tab
  • IPS and Proxy Actions also moved to Policy tab
  • Lets you configure Application Control
    policy-by-policy
  • Not necessary to use proxies for this

17
Application Control Security Portal Web Page
  • Application Control web page
  • http://www.watchguard.com/SecurityPortal/AppDB.aspx
  • Read descriptions of all Applications and
    Behaviors
  • Applications
  • Behaviors
  • Explanation

18
Application Control Web Page Search for an
Application
19
Application Control Web Page Search for an
Application
20
Application Control Decision Tree
Start: Traffic goes through a policy that has
Application Control enabled.
Is this a user-defined Application Control action
or the Global action?
  • User-defined action: Did the inspection engine
    identify an application listed in the
    user-defined action?
  • Yes: Is the rule for this application Allow or
    Drop? Allow: Allow connection. Drop: Drop
    connection.
  • No: If the Application not matched rule is Use
    Global, continue with the Global action. If the
    Application not matched rule is Allow/Drop: Is the
    Application not matched rule set to Allow or Drop?
    Allow: Allow connection. Drop: Drop connection.
  • Global action: Did the inspection engine identify
    an application listed in the Global action?
  • Yes: Is the rule for this application Allow or
    Drop? Allow: Allow connection. Drop: Drop
    connection.
  • No: The Application not matched rule is
    Allow/Drop. Is the Application not matched rule
    set to Allow or Drop? Allow: Allow connection.
    Drop: Drop connection.
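The decision tree above, worked as an added Python model (example code, not WatchGuard's): a user-defined action with its own rules and an "Application not matched" fall-through, which can hand off to the Global action, which in turn falls through to its own Allow or Drop. The action names and application names are constructed.

```python
from dataclasses import dataclass, field

# Verdicts for an identified application, and the "Application not matched"
# fall-through choices. USE_GLOBAL is valid only for a user-defined action.
ALLOW, DROP, USE_GLOBAL = "Allow", "Drop", "Use Global"


@dataclass
class AppControlAction:
    """Constructed model of one Application Control action (user-defined or Global)."""
    name: str
    rules: dict = field(default_factory=dict)  # application name -> ALLOW or DROP
    not_matched: str = ALLOW                   # ALLOW, DROP, or USE_GLOBAL


def decide(action, global_action, identified_app):
    """Walk the decision tree for one traffic flow.

    identified_app is the application the inspection engine identified, or None
    when nothing was identified within the inspected packets. Returns
    (verdict, reason) where verdict is ALLOW or DROP.
    """
    # Yes branch: the engine identified an application listed in this action.
    if identified_app in action.rules:
        return action.rules[identified_app], f"{action.name}: rule for {identified_app}"

    # No branch: apply this action's "Application not matched" rule.
    if action.not_matched == USE_GLOBAL:
        if action is global_action:
            # The Global action's own fall-through can only be Allow or Drop.
            raise ValueError("Global action cannot fall through to itself")
        return decide(global_action, global_action, identified_app)
    return action.not_matched, f"{action.name}: application not matched"


# Constructed sample configuration. "Block Skype" is a user-defined action that
# falls through to the Global action; the Global action drops BitTorrent and
# allows anything it cannot identify. "Strict" drops everything it does not list.
GLOBAL = AppControlAction("Global", {"BitTorrent": DROP}, not_matched=ALLOW)
BLOCK_SKYPE = AppControlAction("Block Skype", {"Skype": DROP}, not_matched=USE_GLOBAL)
STRICT = AppControlAction("Strict", {"Facebook Web IM": ALLOW}, not_matched=DROP)

if __name__ == "__main__":
    for app in ("Skype", "BitTorrent", "Facebook Web IM", None):
        print(app, "->", decide(BLOCK_SKYPE, GLOBAL, app))
```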
21
Application Control Logs
  • Traffic logs contain application identification
    information
  • Enable logging in the policy to monitor
    application usage
  • The XTM device always identifies and logs denied
    traffic due to an Application Control action
  • Information about applications that are not
    blocked is sent to the log file only if logging
    is enabled in the policy that has Application
    Control enabled
  • Only one FWAllow or FWDeny message per connection
  • Application and category are added to traffic log
  • Sample log message
  • Application identified app_name="Facebook Web IM"
    app_cat_name="Web IM" app_id="15" app_cat_id="15"
    app_beh_id="2" app_beh_name="communicate"
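An added Python example (not WatchGuard code) that parses the app_* fields in the format of the sample log message and rolls them up the way the Application Usage and Blocked Application reports do. The sample lines are constructed: the app_* fields follow the slide, but the leading FWAllow/FWDeny tag, client address and the Skype/BitTorrent ids are assumed for the example.

```python
import re
from collections import Counter

# Matches the key="value" application fields shown in the sample log message.
APP_FIELD = re.compile(r'(app_\w+)="([^"]*)"')

# Constructed sample log lines, one per connection. The leading verdict tag and
# client address are assumed and are not the device's exact log layout.
SAMPLE_LOG = """\
FWAllow 10.0.0.5 Application identified app_name="Facebook Web IM" app_cat_name="Web IM" app_id="15" app_cat_id="15" app_beh_id="2" app_beh_name="communicate"
FWDeny 10.0.0.7 Application identified app_name="Skype" app_cat_name="Instant Messaging" app_id="1" app_cat_id="1" app_beh_id="1" app_beh_name="authority"
FWAllow 10.0.0.5 Application identified app_name="Facebook Web IM" app_cat_name="Web IM" app_id="15" app_cat_id="15" app_beh_id="2" app_beh_name="communicate"
FWDeny 10.0.0.9 Application identified app_name="BitTorrent" app_cat_name="P2P" app_id="3" app_cat_id="3" app_beh_id="4" app_beh_name="connect"
FWAllow 10.0.0.7 HTTP request to example.com (no application fields on this line)
"""


def parse_app_fields(line):
    """Return the app_* fields of one traffic log line as a dict, or None if absent."""
    fields = dict(APP_FIELD.findall(line))
    return fields or None


def summarize(log_text):
    """Aggregate per-connection log lines into report-style counters.

    Returns application usage (every identified connection), blocked applications
    (FWDeny lines only), and blocked categories per client.
    """
    usage, blocked, clients_blocked = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        fields = parse_app_fields(line)
        if fields is None:
            continue  # allowed traffic without policy logging carries no app fields
        verdict, client = line.split()[:2]
        usage[fields["app_name"]] += 1
        if verdict == "FWDeny":
            blocked[fields["app_name"]] += 1
            clients_blocked[(client, fields["app_cat_name"])] += 1
    return {"usage": usage, "blocked": blocked, "clients_blocked": clients_blocked}


if __name__ == "__main__":
    for name, counter in summarize(SAMPLE_LOG).items():
        print(name, dict(counter))
```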

22
Application Control Reports
  • Application Control
  • Application Usage Summary
  • Blocked Application Summary
  • Client Reports
  • Top Clients by Application Usage
  • Top Clients by Blocked Applications
  • Top Clients by Blocked Categories

23
Application Control Reports
  • Application Usage

24
Application Control Reports
  • Blocked Applications

25
Application Control Reports
  • Top Clients

26
Application Control Upgrade
  • Application Blocker, as it is known in Fireware
    XTM v11.3.x and previous versions, is not
    available after you upgrade to v11.4
  • New Application Control is a Subscription Service
  • Comes with UTM Bundle but can be purchased
    separately
  • If a customer does not purchase Application
    Control, Application Control is not available
    (and Application Blocker is not available in
    v11.4)
  • Customers must synchronize feature keys
  • If the customer has the UTM Bundle, the new
    feature key includes Application Control

27
Intrusion Prevention System Enhancements
28
Intrusion Prevention Enhancements Overview
  • Intrusion Prevention is now a global setting
  • Actions for different threat levels are set
    globally
  • Applies equally to any policy that has IPS
    enabled
  • You can enable IPS per-policy
  • No longer configured only in Proxy Actions
  • Apply Intrusion Prevention to packet filter or
    proxy policies
  • Simpler configuration
  • Only five threat levels instead of 100

29
Intrusion Prevention Enhancements Configuration
  • Configure in Policy Manager: Subscription
    Services > Intrusion Prevention
  • Actions to take
  • Allow: Allows the connection
  • Drop: Denies the specific request and drops the
    connection. Does not send a response to the
    sender. The XTM device sends only a TCP reset
    packet to the client.
  • Block: Denies the request, drops the connection,
    and adds the site to the auto-blocked list for
    the configured duration.

30
Intrusion Prevention Enhancements Disable Per
Policy
  • Intrusion Prevention dialog box, Policies tab
  • Lists all firewall policies and whether IPS is
    disabled for each one
  • Lets you enable IPS per policy
  • Policy Properties dialog box: enable IPS for a
    single policy on the Policy tab

31
Intrusion Prevention Service Conversion from
v11.3.x
  • If IPS is not enabled in the pre-v11.4
    configuration file, Global IPS is not enabled in
    the converted v11.4 configuration file
  • If IPS is enabled in a policy in the pre-v11.4
    configuration file, Global IPS is enabled in the
    v11.4 configuration file
  • If a proxy policy from the pre-v11.4
    configuration file has IPS enabled, that policy
    will have IPS enabled in the converted
    configuration file
  • All other policies have IPS disabled in the
    v11.4 configuration file
  • Threat levels set to default
  • Allow for Information (lowest threat) level (do
    not log)
  • Drop for all higher threat levels (and log)
  • IPS signature exceptions are removed

32
IPS Security Portal Web Page
  • IPS web page:
    http://www.watchguard.com/SecurityPortal/ThreatDB.aspx
  • Read descriptions of all IPS signatures
  • Hyperlinks to reference sources (where available)
  • mitre.org CVE web page
  • NIST web page
  • Securityfocus.com (Bugtraq) web page
  • Secunia Advisory page
  • Snort page

33
IPS Web Page Search by Rule ID or Name
34
IPS Web Page CVE, Secunia, Bugtraq, Snort, and
Other References
35
IPS More Information in the Web UI
  • Fireware XTM Web UI also has information on
    signatures
  • Subscription Services > IPS > Signatures tab:
    Double-click a signature to get information

36
IPS More Information in the Web UI
37
IPS Look Up Signature Information in FSM
  • To go to the SecurityPortal web site, right-click
    an entry in Traffic Monitor that indicates an IPS
    signature was triggered

38
Authentication Enhancements
39
Authentication Enhancements: Multiple Active
Directory Domains
40
Multiple Active Directory Domains Overview
  • You can now specify multiple Active Directory
    domains
  • Filter your policies by user or group specific to
    each domain
  • Specify the domain to use for Mobile VPN
    authentication
  • Click Add to add an Active Directory domain

41
Add Active Directory Domains
  • Specify the DNS name or IP address for the
    authentication server
  • Specify the port
  • Specify whether to use LDAPS

42
Add Users from Active Directory Domains
  • Select the authentication server when you add the
    user or group

43
Manual Authentication
  • Select the domain to use when you authenticate to
    the authentication portal over port 4100

44
Conversion from pre-v11.4 Configuration
  • Conversion looks at the Search Base of the
    existing Active Directory settings
  • Converted configuration has an Active Directory
    object named for the dc portions of the Search
    Base
  • Example
  • Search Base for Active Directory in pre-v11.4
    configuration is ou=corporate users and
    groups,dc=toronto,dc=company,dc=net
  • Active Directory domain in v11.4 is named
    toronto.company.net

45
Authentication Enhancements: LDAP over SSL
46
LDAP over SSL for Active Directory, LDAP
  • Standard LDAPS port is 636
  • For Active Directory Global Catalog queries, SSL
    port is 3269
  • Validate the server certificate to prevent
    man-in-the-middle attacks

47
LDAP over SSL for Active Directory, LDAP
  • Validate the server certificate to prevent
    man-in-the-middle attacks
  • To validate the server certificate
  • Import the CA certificate from the CA that issued
    the AD/LDAP server's SSL certificate
  • Use FSM to import the CA certificate
  • Use purpose: IPSec, Web Server, Other
  • When you add the AD or LDAP server to Policy
    Manager, make sure to indicate the address (IP
    address or DNS name) correctly to match the
    server's certificate
  • To validate the certificate, Fireware XTM checks
    if the configured server address (IP address or
    DNS name) matches one of these items in the
    server's certificate
  • Common Name in Subject field
  • DNS Name in Subject Alternative Name field
  • IP Address in Subject Alternative Name field
  • If no match, then certificate validation fails
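The matching rule on this slide, as an added Python example (not Fireware code): the configured server address is compared against the certificate's Common Name, SAN DNS names and SAN IP addresses, and anything else fails. The certificate contents are constructed; the only relaxations beyond the slide are case-insensitive DNS comparison and ignoring a trailing dot.

```python
import ipaddress


def _as_ip(text):
    """Return an ip_address object when text is an IP literal, else None."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _norm_dns(name):
    """Case-fold a DNS name and drop any trailing dot; matching stays exact otherwise."""
    return name.strip().lower().rstrip(".")


def server_address_matches(configured_address, common_name, san_dns_names=(), san_ip_addresses=()):
    """Apply the slide's rule: the configured AD/LDAP server address must equal the
    certificate's Common Name, a Subject Alternative Name DNS entry, or a SAN IP
    entry. Returns (matched, field). No wildcard handling: the slide describes
    exact matching only."""
    ip = _as_ip(configured_address)
    if ip is not None:
        # An IP literal matches only an IP in the certificate. It does not match a
        # SAN DNS name that happens to resolve to it: validation compares the
        # configured string, which is why the address must be entered to match.
        if _as_ip(common_name) == ip:
            return True, "Common Name"
        if any(_as_ip(s) == ip for s in san_ip_addresses):
            return True, "SAN IP Address"
        return False, None
    name = _norm_dns(configured_address)
    if _norm_dns(common_name) == name:
        return True, "Common Name"
    if any(_norm_dns(d) == name for d in san_dns_names):
        return True, "SAN DNS Name"
    return False, None


# Constructed certificate contents for a domain controller (not a real certificate).
DC_CERT = {
    "common_name": "dc1.toronto.company.net",
    "san_dns_names": ["dc1.toronto.company.net", "toronto.company.net"],
    "san_ip_addresses": ["10.0.0.10"],
}


def check(configured_address, cert=DC_CERT):
    """Validate one configured server address against the constructed certificate."""
    return server_address_matches(configured_address, cert["common_name"],
                                  cert["san_dns_names"], cert["san_ip_addresses"])


if __name__ == "__main__":
    for addr in ("dc1.toronto.company.net", "10.0.0.10", "10.0.0.11", "dc1"):
        print(addr, "->", check(addr))
```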

48
Authentication Enhancements: Multiple Active
Directory Domains For Single Sign-On
49
Multiple Active Directory Domains for Single
Sign-On
  • Requires a new SSO Agent install
  • After the new SSO Agent is installed, use the new
    SSO Configuration Tool to add Active Directory
    servers for the agent to query
  • SSO Configuration Tool executable is installed by
    default in this directory: \Program
    Files\WatchGuard\WatchGuard Authentication
    Gateway
  • SSO Configuration Tool enables the SSO admin to
    add users to perform SSO functions
  • In a multi-domain SSO environment, you must
    install the SSO Client software on all client
    computers that can use SSO
  • In single-domain SSO, SSO Client software is
    still optional
  • SSO Client software is highly recommended in
    single-domain environments for accuracy of SSO
    information

50
SSO Agent User Interface
  • Two default accounts
  • admin / readwrite
  • status / readonly
  • Configuration tools

51
SSO Agent User Interface
  • Edit > Add Domain
  • Instant error-checking
  • You cannot add the domain if the information is
    wrong

52
SSO Agent User Interface
  • You can add users with read-only or read-write
    privileges
  • There is only one admin user
  • Root Admin user can add/edit users and give a
    user the permission to add or remove domain
    information

53
Authentication Enhancements: Manual
Authentication and Single Sign-On Seamless
Coexistence
54
SSO and Manual Authentication Working Together
Better
  • In versions prior to 11.4, when SSO was enabled,
    and you went to the authentication portal on port
    4100, the message "You have been successfully
    authenticated" appeared immediately.
  • This happened whether or not you were already
    authenticated by SSO.
  • To manually authenticate, users first had to log
    off the authentication portal
  • These scenarios did not work well with SSO
    enabled
  • Guest computer that cannot use SSO (for example,
    a Windows computer that does not belong to the
    domain)
  • Computer is a Mac or runs Linux and cannot use
    SSO
  • SSO authenticated user wants to raise permissions
    by manually authenticating

55
SSO and Manual Authentication Working Together
Better
  • New in v11.4
  • Users no longer see the message "You have been
    successfully authenticated" when they go to the
    manual authentication portal on port 4100 and SSO
    is enabled
  • Works as users expect in v11.4
  • Manual authentication (port 4100) takes
    precedence over SSO
  • If user is already authenticated with SSO, the
    user can go to the manual authentication portal
    and authenticate as a different user

56
Authentication Enhancements: IEEE 802.1X for XTM
2 Series Wireless
57
802.1X Authentication Overview
  • Lets you ensure that users connect to legitimate,
    authorized wireless networks
  • Instead of credential-stealing imposter access
    points
  • The Enterprise part of WPA-Enterprise and
    WPA2-Enterprise
  • Support for XTM 2 Series wireless device as
  • 802.1X Authenticator
  • Authentication Server
  • Supported on Access Point 1 (AP1), AP2, and Guest
    Wireless AP

58
802.1X Authentication Technology Overview
  • 802.1X has three main components
  • Supplicant
  • The endpoint that wants access to the LAN
  • More precisely, the software on the endpoint
    computer that handles the authentication attempt
  • Authenticator
  • The gatekeeper that allows or denies layer 2
    access to the LAN
  • Typically a wireless access point (XTM 2 Series
    wireless device)
  • Also can be an Ethernet switch (possible wired
    support post-v11.4)
  • Authentication Server
  • The server that validates the endpoint's
    credentials
  • Typically a RADIUS server
  • Alternatively, you can use the XTM 2 Series
    device as the Authentication Server instead of a
    RADIUS server

59
802.1X Authentication Technology Overview
  • Authentication Server can be the XTM device or a
    RADIUS server
  • XTM device is always the Authenticator when you
    enable 802.1X on an access point
  • When XTM device is the Authentication Server,
    these EAP (Extensible Authentication Protocol)
    methods are supported
  • EAP-TLS
  • EAP-PEAP
  • EAP-TTLS
  • When RADIUS is the Authentication Server, any
    EAP method is supported
  • XTM device is only the Authenticator in this case
  • It only passes
  • EAP messages between itself and the end user (EAP
    Over LAN or EAPOL)
  • RADIUS messages between itself and the
    Authentication Server

60
802.1X Authentication Technology Overview
  • EAP (Extensible Authentication Protocol) is an
    IETF standard framework for building
    authentication methods (EAP methods)
  • EAP for wireless networks allows secure exchange
    of unique Pairwise Master Keys for each wireless
    client
  • More secure than static pre-shared keys or
    passphrases
  • There are many different EAP methods: EAP-TLS,
    EAP-PEAP, EAP-TTLS, EAP-PSK, EAP-IKEv2, EAP-FAST,
    etc.
  • IEEE 802.1X is built on EAP
  • It is a standard for passing EAP messages over a
    LAN
  • EAP messages are encapsulated in layer 2 frames
  • EAP over LAN (or EAPOL) messages can use 802.11
    (wireless) or 802.3 (Ethernet) or FDDI (fiber)
    frames
  • Operates at Layer 2 of OSI model (link layer)
  • Port-based network access control lets you
    require user authentication before wireless
    client is allowed on the WLAN network
  • Port means an abstract connection point between
    the LAN and a computer

61
802.1X Authentication Basic Protocol Operation
  • Four main steps in 802.1X protocol operation
  • Initialization
  • Authenticator detects a new Supplicant
  • Authenticator enables a port (abstracted
    connection point)
  • Port is set to Unauthorized state
  • Only 802.1X traffic is allowed
  • Any other traffic (such as DHCP or HTTP) is
    disallowed
  • Initiation
  • Authenticator sends EAP-Request Identity frames
    to Supplicant, to a special layer 2 address that
    the Supplicant listens on
  • Supplicant responds with EAP-Response Identity
    frame that includes some identifying information
    (User ID or certificate)
  • Authenticator encapsulates Response Identity in a
    RADIUS Access-Request message
  • Authenticator forwards a RADIUS message to
    Authentication Server

62
802.1X Authentication Basic Protocol Operation
  • Negotiation
  • Authentication Server sends RADIUS
    Access-Challenge message to Authenticator
  • Access-Challenge message includes EAP Request
    message, indicating an EAP Method for the
    Supplicant to use
  • Authenticator encapsulates EAP Request message in
    an EAPOL frame and sends to the Supplicant
  • The Supplicant can start the requested EAP Method
  • Or, the Supplicant can reply with NAK and respond
    with EAP Methods it supports
  • The Supplicant and the Authentication Server must
    agree on the EAP Method or EAP fails
  • Authentication
  • The Authenticator translates the EAP Requests and
    Responses and relays them between the Supplicant
    and the Authentication Server
  • Successful authentication is indicated by a
    RADIUS Access-Accept message
  • The port is set to Authorized and normal traffic
    is allowed
  • Unsuccessful authentication is indicated by a
    RADIUS Access-Deny message
  • The port remains in the Unauthorized state

63
802.1X Authentication EAP-TLS XTM Device as
the Authentication Server
  • EAP-TLS (Transport Layer Security)
  • The original EAP standard, very secure
  • Native support on all platforms
  • The only method that requires both client
    certificates and certificate for Authenticator
    (XTM device)
  • Users authenticated to network and network
    authenticated to users with digital certificates
  • Not often deployed because of client certificate
    requirement
  • Must use third-party certificates when an XTM
    device is the Authentication Server
  • Import certificates with FSM
  • CA certificate from CA that issued Authentication
    Server certificate
  • CA certificate from CA that issued client
    certificates (likely the same CA certificate as
    above)
  • Authentication Server certificate

64
802.1X Authentication EAP-PEAP XTM Device as
the Authentication Server
  • EAP-PEAP (Protected EAP)
  • Requires certificate only for the Authentication
    Server (XTM device)
  • Can use default certificate signed by the XTM
    device
  • Client certificates optional
  • Verification of the Authentication Server's
    certificate by the Supplicant is optional but
    highly recommended
  • Without verification, it is easy to introduce a
    fake access point to capture MS-CHAPv2 handshakes
  • EAP-PEAP with MS-CHAPv2 as the inner EAP method
    is the second most widely supported EAP method
    (after EAP-TLS)
  • Built-in support on Windows XP and later, and
    most recent Apple and Cisco releases
  • A TLS tunnel is set up between Supplicant and
    Authenticator to securely pass the inner
    authentication EAP method
  • Only MS-CHAPv2 is supported in the v11.4 release,
    but specification allows other legacy protocols
    such as MS-CHAPv1, CHAP, and PAP

65
802.1X Authentication EAP-TTLS XTM Device as
Authentication Server
  • EAP-TTLS (Tunneled TLS)
  • Requires certificate only for Authentication
    Server (XTM device)
  • Can use default certificate signed by XTM device
  • Client certificates optional
  • Verification of the Authentication Server's
    certificate by the Supplicant is optional but
    highly recommended
  • Without verification, it is easy to introduce a
    fake access point to capture MS-CHAPv2 handshakes
  • EAP-TTLS has wide support across many platforms,
    but no native support on Windows
  • Requires add-on supplicant software, such as
    Intel ProSet Wireless, SecureW2, etc.
  • A TLS tunnel is set up between the Supplicant and
    the Authenticator to securely pass an inner
    authentication EAP method
  • Only MS-CHAPv2 is supported in v11.4 release, but
    the specification allows other legacy protocols
    such as MS-CHAPv1, CHAP, and PAP

66
802.1X Authentication Policy Manager
  • Select WPA Enterprise, WPA2 Enterprise, or
    WPA/WPA2 Enterprise
  • Select Firebox-DB or RADIUS
  • If you select RADIUS, all other EAP options are
    not available (negotiated between Supplicant and
    RADIUS server)
  • Select EAP-TLS, EAP-PEAP, or EAP-TTLS
  • Only MSCHAP-v2 is supported for inner EAP method
    with PEAP and TTLS
  • Select certificate to use for Authenticator

67
802.1X Authentication XTM Device Certificates
  • Two new certificates are generated on 2 Series
    Wireless devices
  • One for the Authentication Server function
  • One CA: Import the CA certificate to client
    computers to verify the server certificate

68
Authentication Enhancements: Identifying
Individuals on a Terminal Server or Citrix Server
69
Terminal Server/Citrix Server Overview
  • Terminal Services Agent software installed on
    your Terminal Server or Citrix server
  • Monitors traffic flows from Terminal Server or
    Citrix server clients
  • Agent software consists of
  • TO Agent
  • Receives the session ID from the XTM device after
    a user authenticates to the XTM device
  • Reports to the XTM device which client a traffic
    flow belongs to
  • TO Driver
  • Connects to Windows Sockets to monitor which
    Terminal Server /Citrix server client generates
    each traffic flow
  • TO Set Tool
  • Gives the TO Agent the IP address of the XTM
    device
  • Specifies for the TO Agent which traffic
    destinations to not monitor (reduces overhead for
    traffic you know will not go through an Ethernet
    interface on the XTM device)
  • TO stands for Traffic Owner

70
Terminal Server/Citrix Server Requirements
  • You must install the TO Agent software on your
    Terminal Server or Citrix server
  • TO Agent identifies which traffic flow belongs to
    each user
  • Users must authenticate to the XTM device after
    they log in to the Terminal Server/Citrix server
  • Users authenticate to
    https://<xtm.device.ip.address>:4100
  • Specify the IP addresses of the Terminal
    Servers/Citrix servers in Policy Manager
  • Setup > Authentication > Authentication Settings
    > Terminal Services tab
  • Support for up to 32 Terminal Servers
  • TCP ports 8118 and 9898 must be open from the XTM
    device to the Terminal Server/Citrix server
  • Ports 8118, 9898, 8337, and 12345 must be allowed
    through the Windows Firewall (or other local
    firewall) on the Terminal Server/Citrix server

71
Terminal Server/Citrix Server Configuration
Tasks
  • Install WatchGuard software on your Terminal
    Server or Citrix server
  • TO_Agent.exe
  • Configure settings on the Terminal Server or
    Citrix server
  • TO Set Tool
  • Configure settings on the XTM device
  • Specify the IP addresses of Terminal
    Server/Citrix server computers in Policy Manager
  • Maximum 32 Terminal Servers/Citrix servers
  • Make sure the correct ports are open between the
    XTM device and Terminal Server or Citrix server
  • Force Terminal Server or Citrix server client
    users to authenticate to the XTM device
  • https://<xtm.device.ip.address>:4100

72
Terminal Server/Citrix Server Install TO Agent
  • Simple installer with no installation options
  • Install as a user with admin rights
  • Installation requires a reboot of your Terminal
    Server/Citrix server
  • Installs the Set Tool application
  • Also installs the TO Driver
  • TO Driver uses Windows Sockets (WinSock) to
    connect to traffic flows generated by clients
  • No UI for driver

73
Terminal Server/Citrix Server Configure Server
  • Configure the Terminal Server/Citrix server
    settings with the TO Set Tool
  • Specify the IP address of your XTM device
  • Specify the destination of traffic that the TO
    Agent can ignore
  • Reduces the workload of the TO Agent for traffic
    that does not go through the XTM device

74
Terminal Server/Citrix Server Configure the
XTM Device
  • Configure settings on the XTM device
  • Specify the IP addresses of Terminal
    Server/Citrix server computers in Policy Manager
  • Maximum of 32 Terminal Servers/Citrix servers

75
Terminal Server/Citrix Server Open Ports
  • XTM Device connects to the TO Agent over these
    ports
  • TCP port 8118
  • This port is used to transfer NOTIFY and QUERY
    messages
  • Must be open from the XTM device to the Terminal
    Server/Citrix server
  • TCP port 9898
  • This port is used to transfer information about
    manual authentication and authentication logoff
    events
  • Must be open from the XTM device to the Terminal
    Server/Citrix server
  • TCP port 8337
  • TO Driver sends traffic owner information to TO
    Agent over this port
  • Does not need to be open between XTM device and
    Terminal Server/Citrix server, but cannot be
    blocked by Windows Firewall or another local
    firewall
  • TCP port 12345
  • TO Set Tool connects to TO Agent over this port
    to communicate settings information
  • Does not need to be open between XTM device and
    Terminal Server/Citrix server, but cannot be
    blocked by Windows Firewall or other local
    firewall

76
Terminal Server/Citrix Server Client
Authentication
  • Enable auto-redirect to force users to
    authenticate
  • Make sure there is no firewall policy that allows
    outgoing traffic from the IP address of the
    Terminal Server/Citrix server
  • Any-Trusted and Any-Optional should not be
    included in the Firewall Policies From list
  • No other alias that includes the IP address of
    the Terminal Server/Citrix server in the From
    list
  • Firewall policy that allows outgoing traffic from
    Terminal Server/Citrix server client users must
    include their user or group names in the From
    list
  • Traffic is allowed from the user only after the
    user authenticates
  • Enable the Auto redirect user to authentication
    page for authentication setting
  • Policy Manager > Setup > Authentication >
    Authentication Settings
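The From-list check described on this slide, as an added Python audit (example code, not a WatchGuard tool): it flags any policy whose From list contains Any-Trusted, Any-Optional, or an alias, address or network that covers the Terminal Server/Citrix server IP, since such a policy would pass client traffic without authentication. The alias table and policy list are constructed; real aliases come from the device configuration.

```python
import ipaddress

# Constructed alias table: alias name -> networks it covers (assumed values).
ALIASES = {
    "Any-Trusted": ["10.0.0.0/8"],
    "Any-Optional": ["192.168.0.0/16"],
    "Server-Subnet": ["10.0.1.0/24"],
}
# The slide says these must not appear in the From list at all.
BROAD_ALIASES = {"Any-Trusted", "Any-Optional"}


def entry_covers(entry, ts_ip):
    """True if a From-list entry (alias, address, or network) includes the
    Terminal Server IP. User and group names are not addresses and return
    False; naming users or groups is the intended way to build the From list."""
    if entry in BROAD_ALIASES:
        return True
    if entry in ALIASES:
        return any(ts_ip in ipaddress.ip_network(net) for net in ALIASES[entry])
    try:
        return ts_ip in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False  # a user or group name


def audit_from_lists(policies, ts_address):
    """Return (policy name, From entry) pairs that would let Terminal Server
    traffic out before the user authenticates."""
    ts_ip = ipaddress.ip_address(ts_address)
    return [(p["name"], e) for p in policies for e in p["from"] if entry_covers(e, ts_ip)]


# Constructed policy list (not a real configuration). TS-Users-Web is the
# recommended shape: user and group names only.
POLICIES = [
    {"name": "Outgoing", "from": ["Any-Trusted", "Any-Optional"]},
    {"name": "TS-Users-Web", "from": ["TS-Users", "Marketing"]},
    {"name": "Server-Backup", "from": ["Server-Subnet"]},
    {"name": "Admin-Host", "from": ["10.0.1.20"]},
    {"name": "Other-Net", "from": ["10.0.2.0/24"]},
]

if __name__ == "__main__":
    for policy, entry in audit_from_lists(POLICIES, "10.0.1.20"):
        print(f"policy {policy!r}: From entry {entry!r} covers the Terminal Server")
```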

77
Centralized Management Enhancements
78
Changes to Centralized Management
  • Management Server now supports configuration
    history/rollback for fully managed devices and
    templates
  • Devices are no longer subscribed to templates
  • Template subscription concept replaced by
    single template application action
  • New 11.4 Template on Management Server
  • Administrators can control how template settings
    are applied to a device configuration file
  • Support for SNAT added to template configuration
  • Template history displayed similarly to
    configuration history
  • SNAT configuration added to template policies

79
Configuration History and Rollback
  • Devices managed by a Management Server in Fully
    Managed Mode can roll back to previous
    configurations
  • Configure the rollback settings on the new
    Management Server Configuration History tab
  • Specify the maximum number of saved revisions or
    maximum amount of disk space to use

80
Configuration History and Rollback
  • From the Configuration History tab
  • View: Review the previous configuration in
    Policy Manager
  • Revert: Roll back the device to the selected
    configuration file and move that configuration
    file to the top of the Revision History list as
    the most recent revision

81
Effect of Rollback on Managed VPNs
  • Managed VPN attributes are stored on the
    Management Server, not in the individual device
    configuration files in the Configuration History
  • If a device is reverted to a previous
    configuration, the managed tunnel settings are
    removed and then updated on the reverted
    configuration after it is applied to the device

82
Templates in v11.4 Management Server
83
Managed Templates: Template Behavior in v11.4
  • Templates are updated in v11.4 to support changes
    to Application Blocking and IPS behavior, and to
    support new features
  • When the Management Server is upgraded to v11.4,
    devices subscribed to a template have the
    subscription link removed, because the
    subscription feature is removed from v11.4
  • When a device configuration file is upgraded to
    v11.4, the v11.4 Policy Manager allows the
    policies in a managed device configuration file,
    for a device that was subscribed to a v11.3
    template, to be named locally with the T_ prefix
  • You can now apply templates to devices with
    manually ordered policies
  • You can configure Inheritance Settings, which
    determine whether or not template properties
    override local configuration settings
  • You can now add a policy to a template that
    defines an incoming connection
    • The new object that allows this is an SNAT
      action (Static NAT)

84
Managed Templates: Subscriptions Removed
  • Removing the subscription concept means that more
    properties can be configured within the template,
    such as spamBlocker settings
  • Instead of subscribing to a template, a one-time
    application of the template to selected devices
    is used in v11.4
  • Templates must be applied to devices with
    compatible versions of Fireware XTM
  • You can apply templates to a single device, or
    multiple devices in a folder, using drag-and-drop
  • The first time you apply a template to multiple
    devices, you select a check box for each device
  • After the first application of the template, the
    next time you apply it, you can see which devices
    you applied this template to the last time
    • Saves the work of selecting the check boxes again

85
Managed Templates: Overview
(Screenshot callouts: Inheritance settings; Revision
history; List of templates; Most recent application of
this template)
86
Managed Templates: Inheritance Settings
  • You select which properties in the template can
    be inherited from the template and which cannot
    be inherited
  • In Policy Manager for the Device Configuration
    Template, select View > Inheritance Settings

(Screenshot callout: Template status bar indicates
version)
87
Managed Templates: Inheritance Settings
  • If you do not select Allow Override for an object
    in the template, and the device configuration
    file includes an object with the same name, the
    template object replaces the object in the device
    configuration file when the template is applied
  • If an object with the same name does not exist in
    the device configuration file, the object in the
    template is added to the device configuration
    file when the template is applied to the device

88
Managed Templates: New SNAT Action
  • You can now add a policy to a template that
    defines an incoming connection
  • SNAT (Static NAT) in v11.4 is configured in a new
    Policy Manager menu: Setup > Actions > SNAT
  • You can use SNAT actions in policies in your
    template

89
Managed Templates: Define a New SNAT Action
  • External IP Address in the Static NAT must be
    Any-External
    • This applies correctly to all managed devices,
      regardless of the IP address actually assigned to
      the device's external interface
  • Internal IP Address in the Static NAT should be a
    placeholder IP address
    • No IP address can be correct for all
      environments
    • After you apply the template to a device, edit
      the device's configuration and change the
      Internal IP Address in the SNAT action to be
      the IP address of that device's internal host
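The merge rules from the Inheritance Settings slide (an object is added if the device lacks it, replaced unless Allow Override is selected) and the SNAT placeholder rule from the slide above can be modelled as a small program. The following is an added Python example, not WatchGuard's Management Server code; the dictionary layout, the `allow_override` map, the policy and action names and the `0.0.0.0` placeholder for the Internal IP Address are all assumptions made for the illustration. It also includes the check a practitioner wants after applying a template: which SNAT actions still carry the placeholder and have not yet been pointed at that device's real internal host.

```python
from copy import deepcopy

# Assumed placeholder for the template's SNAT Internal IP Address (not a WatchGuard value).
PLACEHOLDER_INTERNAL_IP = "0.0.0.0"


def apply_template(template, device_config):
    """Merge template objects into a copy of the device configuration.

    Rules from the slides: an object that does not exist on the device is
    added; a same-named object is replaced by the template's copy unless the
    template's Inheritance Settings mark it Allow Override, in which case the
    device's local copy is kept. Returns (merged_config, decisions).
    """
    merged = deepcopy(device_config)
    decisions = []
    for kind, objects in template["objects"].items():
        local = merged.setdefault(kind, {})
        for name, obj in objects.items():
            allow_override = template["allow_override"].get((kind, name), False)
            if name not in local:
                local[name] = deepcopy(obj)
                decisions.append(f"added {kind}/{name}")
            elif allow_override:
                decisions.append(f"kept local {kind}/{name} (Allow Override)")
            else:
                local[name] = deepcopy(obj)
                decisions.append(f"replaced {kind}/{name}")
    return merged, decisions


def validate_snat_action(action):
    """Return constraint violations for one SNAT action (empty list if valid).

    Constraints from the slides: every mapping must be of the same type
    (Static NAT or Server Load Balancing), and in a template the external
    address must be Any-External so the action is correct on every device.
    """
    problems = []
    types = {m["type"] for m in action["mappings"]}
    if len(types) > 1:
        problems.append("mixed mapping types: " + ", ".join(sorted(types)))
    for m in action["mappings"]:
        if m["external"] != "Any-External":
            problems.append(f"external address {m['external']} is not Any-External")
    return problems


def pending_snat_placeholders(config):
    """Names of SNAT actions whose Internal IP Address is still the placeholder."""
    return sorted(
        name
        for name, action in config.get("snat_actions", {}).items()
        if any(m["internal"] == PLACEHOLDER_INTERNAL_IP for m in action["mappings"])
    )


def set_snat_internal_host(config, action_name, internal_ip):
    """Replace the placeholder in one SNAT action with the device's real host."""
    for m in config["snat_actions"][action_name]["mappings"]:
        if m["internal"] == PLACEHOLDER_INTERNAL_IP:
            m["internal"] = internal_ip


# Constructed template and device configuration (illustrative data only).
TEMPLATE = {
    "objects": {
        "policies": {
            "T_HTTPS-In": {"from": ["Any-External"], "to": ["SNAT:T_Web-SNAT"]},
            "T_Outgoing": {"from": ["Any-Trusted"], "to": ["Any-External"]},
        },
        "snat_actions": {
            "T_Web-SNAT": {
                "mappings": [
                    {"type": "Static NAT", "external": "Any-External",
                     "internal": PLACEHOLDER_INTERNAL_IP, "port": 443},
                ]
            },
        },
    },
    # Inheritance Settings: only this object may be overridden locally.
    "allow_override": {("policies", "T_Outgoing"): True},
}

DEVICE = {
    "policies": {
        "T_Outgoing": {"from": ["Any-Trusted", "Any-Optional"], "to": ["Any-External"]},
        "T_HTTPS-In": {"from": ["Any"], "to": ["Any"]},
    },
}

if __name__ == "__main__":
    merged, decisions = apply_template(TEMPLATE, DEVICE)
    print("\n".join(decisions))
    print("still placeholder:", pending_snat_placeholders(merged))
    set_snat_internal_host(merged, "T_Web-SNAT", "10.0.1.20")  # constructed address
    print("still placeholder:", pending_snat_placeholders(merged))
```

Running it shows `T_HTTPS-In` replaced by the template copy, `T_Outgoing` kept because it was marked Allow Override, and `T_Web-SNAT` added with the placeholder until `set_snat_internal_host` is called for that device.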

90
Managed Templates: Configuration History
  • See the revision history of each template

91
Managed Templates: Application History
  • See when a template was applied, and to which
    devices

92
SNAT Actions (Static NAT for Incoming Connections)
93
SNAT Actions
  • Static NAT is now an action you apply to a policy
  • Applies to stand-alone (not managed) devices as
    well as to templates for managed devices
  • Lets you reuse an SNAT object in policies
  • Only one SNAT action per policy
  • One SNAT action can contain multiple Static NAT
    mappings

94
SNAT Actions
  • Multiple Static NAT members in a policy become
    one SNAT Action with multiple mappings

95
SNAT Actions
  • All members of the SNAT Action must be of the
    same type:
    • Static NAT
    • Server Load Balancing

96
Wireless Security Enhancements
97
Rogue Access Point Detection
  • Feature specific to Payment Card Industry (PCI)
    Branch Office Compliance
  • Ability to detect rogue access points within the
    operational area
  • Select the check box at the bottom of the Wireless
    Configuration dialog box in Policy Manager

98
Trusted Access Points
  • Manually add Trusted Access Points to the device
  • Can be configured to send a notification when a
    rogue access point is detected

99
Schedule a Rogue Access Point Detection Scan
  • XTM 2 Series device can be configured exclusively
    for rogue access point scanning
  • "Always scan" is usually selected
  • Can be configured to complete scheduled scanning
    when the device is also used either as a Wireless
    Client on External or as an Access Point

100
Rogue Access Point Detection: Used with a
Wireless Client as External Interface
  • Impacts network traffic
  • Connections still get through but access is
    slower
  • Sends an alarm log message when a rogue access
    point is discovered

101
Rogue Access Point Detection: Used with Wireless
as an Access Point
  • Device used as an access point cannot run a
    continuous scan
  • Connections to the access point are interrupted
    when the radio is used for scanning
  • Sends an alarm and log message when a rogue
    access point is discovered

102
Rogue Access Point Detection Scan On-Demand
  • Use Firebox System Manager (FSM) to run an
    on-demand scan for rogue access points
  • Click Scan Now to start a scan
  • Requires the administrator passphrase to run a
    scan
  • Can run an on-demand scan even if the device is
    not enabled to scan rogue access points

103
Logging, Reporting, and Notification
  • Option on the Summary Log to choose whether to
    send a log message and/or an alert message for
    rogue access point (AP) detection activities,
    which include:
    • Scan initiated
    • Scan completed
    • Rogue APs found
    • No rogue APs found
    • Trusted APs found
    • No trusted APs found
  • Detailed log messages and alerts for each rogue
    and trusted access point found
  • Log messages are available in real-time in FSM

104
Logging, Reporting, and Notification
  • A new WatchGuard Report includes data about when
    scans are initiated/completed and shows results
    of the scans
    • This is very important for PCI-DSS compliance
  • Notification sends an email and/or SNMP trap when
    a scan results in "Rogue AP Found"
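The two slides above describe the outputs of one scan: the summary events, the detailed message per access point found, and a notification only when the result is "Rogue AP Found". The following added Python example models that pipeline over a constructed trusted-AP list and constructed scan results; it is not WatchGuard code, and the field names, message wording and the "email"/"snmp_trap" channel names are assumptions. One design point it makes explicit: the trusted list is keyed by BSSID (the radio's MAC address), not by SSID, so an unknown radio that broadcasts the corporate SSID is still classified as rogue and flagged in its detailed message.

```python
# Constructed trusted-AP list, keyed by BSSID rather than SSID: an SSID can be
# configured on any radio, while the BSSID identifies the radio itself.
TRUSTED_APS = {
    "00:11:22:33:44:01": "CorpWiFi",
    "00:11:22:33:44:02": "CorpWiFi",
}

# Constructed scan results; the field names are assumptions, not the device's format.
SCAN_RESULTS = [
    {"bssid": "00:11:22:33:44:01", "ssid": "CorpWiFi", "channel": 6},
    {"bssid": "aa:bb:cc:dd:ee:ff", "ssid": "CorpWiFi", "channel": 11},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "GuestNet", "channel": 1},
]


def classify_scan(results, trusted):
    """Split scan results into (trusted, rogue) lists by BSSID membership."""
    trusted_found = [ap for ap in results if ap["bssid"] in trusted]
    rogue_found = [ap for ap in results if ap["bssid"] not in trusted]
    return trusted_found, rogue_found


def summary_events(trusted_found, rogue_found):
    """The summary-log events named on the slide, in order, for one scan."""
    return [
        "Scan initiated",
        "Scan completed",
        "Rogue APs found" if rogue_found else "No rogue APs found",
        "Trusted APs found" if trusted_found else "No trusted APs found",
    ]


def detailed_messages(trusted_found, rogue_found, trusted):
    """One detailed line per access point found (constructed wording)."""
    lines = []
    for ap in trusted_found:
        lines.append(f"trusted AP found bssid={ap['bssid']} "
                     f"ssid={ap['ssid']} channel={ap['channel']}")
    for ap in rogue_found:
        # A rogue radio advertising a trusted SSID deserves a louder message.
        note = " (uses a trusted SSID)" if ap["ssid"] in trusted.values() else ""
        lines.append(f"rogue AP found bssid={ap['bssid']} "
                     f"ssid={ap['ssid']} channel={ap['channel']}{note}")
    return lines


def notification_targets(rogue_found, email=True, snmp_trap=True):
    """Channels to notify: email and/or SNMP trap, only on Rogue AP Found."""
    if not rogue_found:
        return []
    return [name for name, enabled in (("email", email), ("snmp_trap", snmp_trap)) if enabled]


def run_scan(results, trusted, email=True, snmp_trap=True):
    """Produce the summary events, detailed messages and notifications for one scan."""
    trusted_found, rogue_found = classify_scan(results, trusted)
    return {
        "summary": summary_events(trusted_found, rogue_found),
        "detailed": detailed_messages(trusted_found, rogue_found, trusted),
        "notify": notification_targets(rogue_found, email, snmp_trap),
    }


if __name__ == "__main__":
    report = run_scan(SCAN_RESULTS, TRUSTED_APS)
    for section in ("summary", "detailed", "notify"):
        print(section, report[section])
```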

105
FSM Traffic Monitor Scan Log Messages
106
Wireless Bridge Enhancements
107
Wireless Bridge Enhancements
  • In v11.4, you can enable a wireless bridge to a
    set of bridged physical interfaces

108
Logging and Log Server Enhancements
109
Log Server Enhancements
  • Increased performance and scalability
    • Improved log insertion performance with bulk copy
      • Much faster insertion of log messages
      • Log messages from devices are inserted in bulk,
        or several at a time
    • Free-string search in LogViewer only searches the
      message field in a log message
  • Eliminates the RAW table, which reduces the size
    of the Log Server database
    • In the RAW table, log messages from devices were
      inserted one at a time
    • The RAW table contained the majority of the XML
      log message as a string in one column
    • Traditionally used to provide LogViewer with a
      combined view of all logs over a given time range
    • Consumed the same amount of disk space as the
      log-type specific tables
    • Eliminating the RAW table frees up roughly 50% of
      the disk space used by the Log Server database

110
Log Server Enhancements
  • The ability to purge Diagnostic log messages from
    devices
    • Diagnostic log messages are now stored in a
      separate table from other log messages
    • Diagnostic log messages consume large amounts of
      disk space
    • Can remove Diagnostic log messages that have a
      level of Debug or higher
    • Can be performed with the Log Server API or in
      the Log Server Server Settings

111
Log Server Enhancements: WSDL
  • The Log Server API: purge_diagnostics
    • No input argument
    • Result: status "success", with a reason, under the
      following condition: if there are no Diagnostic
      log messages in the database, the tables
      containing Diagnostic log messages are dropped
      successfully
    • Result: status "fail", reason "reason
      description": if there are errors which result
      in a purging failure, the return status shows
      fail and the reason describes the failure reason
  • A log message in the log file notifies you when the
    purge is executed and completed
    • Log Level INFO: "BEGIN purge diagnostics"
      • When starting to call purge_diagnostics
    • Log Level INFO
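The three Log Server slides above describe a storage design (one table per log type, no RAW copy, diagnostics in their own table), a bulk insert path, a message-only free-string search, and a purge call that returns a status and a reason. The following added Python example, built on the standard-library `sqlite3` module, models those pieces together; it is not the Log Server's code or schema. The table names, the sample messages, the "END purge diagnostics" log line (the slide's second INFO message is cut off) and the reason strings are all assumptions.

```python
import logging
import sqlite3
import time

log = logging.getLogger("logserver")

# One table per log type; there is no combined RAW table (the v11.4 change).
# Table names come only from this fixed tuple, never from input.
TABLES = ("traffic", "alarm", "diagnostic")

# Constructed sample messages (log_type, level, message); not real device output.
SAMPLE_MESSAGES = [
    ("traffic", "INFO", "Allow 10.0.1.5 -> 198.51.100.7 tcp/443"),
    ("diagnostic", "DEBUG", "proxy worker 3 heartbeat"),
    ("traffic", "INFO", "Deny 203.0.113.9 -> 10.0.1.5 tcp/22"),
    ("alarm", "ALARM", "Rogue AP Found bssid=aa:bb:cc:dd:ee:ff"),
    ("diagnostic", "DEBUG", "vpn ike sa rekey timer reset"),
]


def open_db():
    """Create an in-memory database with one table per log type."""
    conn = sqlite3.connect(":memory:")
    for table in TABLES:
        conn.execute(f"CREATE TABLE {table} (ts REAL, level TEXT, message TEXT)")
    conn.commit()
    return conn


def insert_bulk(conn, messages):
    """Insert messages grouped by type, one executemany per table.

    Returns the number of rows written per table. An unknown log type is
    rejected rather than interpolated into SQL.
    """
    rows_by_table = {}
    now = time.time()
    for log_type, level, message in messages:
        if log_type not in TABLES:
            raise ValueError(f"unknown log type {log_type!r}")
        rows_by_table.setdefault(log_type, []).append((now, level, message))
    for table, rows in rows_by_table.items():
        conn.executemany(f"INSERT INTO {table} VALUES (?, ?, ?)", rows)
    conn.commit()
    return {table: len(rows) for table, rows in rows_by_table.items()}


def search_message(conn, needle):
    """Free-string search over the message column only, across all type tables.

    A UNION ALL over the per-type tables gives the combined view LogViewer
    needs without keeping a second copy of every message in a RAW table.
    """
    sql = " UNION ALL ".join(
        f"SELECT '{table}' AS log_type, ts, level, message "
        f"FROM {table} WHERE message LIKE ?"
        for table in TABLES
    )
    return conn.execute(sql, [f"%{needle}%"] * len(TABLES)).fetchall()


def purge_diagnostics(conn):
    """Remove all diagnostic messages; the result shape follows the slide's API.

    Returns {"status": "success", "reason": ...} or {"status": "fail",
    "reason": ...}, and writes an INFO message at begin and end (the END
    wording is assumed).
    """
    log.info("BEGIN purge diagnostics")
    try:
        count = conn.execute("SELECT COUNT(*) FROM diagnostic").fetchone()[0]
        conn.execute("DELETE FROM diagnostic")
        conn.commit()
        result = {"status": "success", "reason": f"{count} diagnostic messages removed"}
    except sqlite3.Error as exc:
        result = {"status": "fail", "reason": str(exc)}
    log.info("END purge diagnostics: %s", result["status"])
    return result


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    db = open_db()
    print(insert_bulk(db, SAMPLE_MESSAGES))
    print(search_message(db, "heartbeat"))
    print(purge_diagnostics(db))
```

The failure path is exercised by calling `purge_diagnostics` on a closed connection: the database error is caught and returned as a "fail" status with the driver's message as the reason, which is the shape the slide describes for purge errors.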