What's New in Fireware XTM 11.7 (WatchGuard Training) - PowerPoint PPT presentation

Slides: 106
Provided by: watchguar
Transcript and Presenter's Notes

1
What's New in Fireware XTM 11.7
2
New Features in Fireware XTM v11.7
  • Networking
    • IPv6
    • Additional external interfaces
    • DHCP options
    • Dynamic NAT: configurable source IP address
    • Serial modem failover on XTM 5 Series and XTM 330
    • Branch office VPN modem failover
    • Wireless hotspot external guest authentication
    • Link aggregation
  • Mobile VPN
    • Mobile VPN with L2TP
    • Mobile VPN apps for Android and iOS
    • Mobile VPN with SSL client changes

3
New Features in Fireware XTM v11.7
  • System
    • FireCluster
      • Wireless XTM devices
      • Hardware health monitoring for failover
    • Save TCP dump data to a PCAP file (FSM and Web UI)
    • Automatic feature key synchronization
  • Authentication
    • Configure authentication login limits per user or
      group
  • Policies
    • Policy tags and filters
    • Sort policies by column in manual order mode

4
New Features in Fireware XTM v11.7
  • Management
    • Report Server enforces the Maximum database size
      setting
    • CA Manager in WatchGuard WebCenter
    • Updated UI for management of quarantined messages
      by recipients
    • 1-to-1 NAT for managed VPN tunnels
    • Centralized Management for XTM devices behind NAT
      gateways
    • Windows 8 and Server 2012 support
  • Services
    • Intrusion Prevention Service (IPS) scan modes
    • IPS and Application Control for HTTPS
    • WebBlocker with Websense Cloud

5
Networking
6
IPv6 Functionality
  • Fireware XTM v11.6.x supported:
    • IPv6 interface addresses in mixed routing mode
    • IPv6 management connections to the Web UI or CLI
    • IPv6 DNS servers
    • IPv6 static routes
    • IPv6 diagnostic logging
  • Fireware XTM v11.7 adds support for:
    • IPv6 addresses in packet filter policies
    • MAC access control for both IPv6 and IPv4 traffic
    • Inspection of IPv6 traffic received and sent by
      the same interface
    • IPv6 addresses in blocked sites and exceptions
    • Blocked ports configuration applies to IPv6
      traffic
    • TCP SYN checking setting applies to IPv6 traffic
  • All other networking and security features do not
    yet support IPv6 traffic
  • WatchGuard IPv6 roadmap: http://www.watchguard.com/ipv6/index.asp

7
IPv6 Refresher
  • WatchGuard IPv6: http://www.watchguard.com/ipv6/index.asp
    • Hype or Reality (video and PPT)
    • Security Implications (video and PPT)
    • What to Expect (video and PPT)
  • IPv6 is manageable
  • Subnetting: IPv4 /8 vs. IPv6 /48
    (if you impose a false minimum of a /24 on IPv4)

8
IPv6 in 11.5.x and 11.6.x
  • Static configuration of IPv6 addresses and DNS
  • Router Advertisement for stateless address
    auto-configuration on Trusted or Optional
    interfaces
  • Address auto-configuration on External interfaces
  • Static routes

9
IPv6 Functionality: Blocked Sites
  • Blocked Sites list and Blocked Sites Exceptions
    now support IPv6 addresses
  • Blocked site and blocked site exception types
    are:
    • Host IPv4
    • Network IPv4
    • Host Range IPv4
    • Host IPv6
    • Network IPv6
    • Host Range IPv6
    • Host Name (DNS lookup)
  • Auto-blocked sites can also include IPv6 addresses
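The slide lists the entry types but not how a packet's address is matched against them. The following is an added example written for this page, not WatchGuard code: it models a Blocked Sites list whose entries are hosts, networks and host ranges for both IPv4 and IPv6, with exceptions taking priority (an assumption about exception semantics). The class and function names and the sample addresses are constructed for the example; the Host Name type needs a DNS resolver and is left out.

```python
import ipaddress

# Constructed sample data: a Blocked Sites list and its exceptions, using the
# entry types listed on the slide. Names (BlockedSites, is_blocked) are
# assumptions for this example, not WatchGuard APIs.


def make_matcher(kind, value):
    """Build a predicate addr -> bool for one blocked-site entry."""
    if kind == "host":
        host = ipaddress.ip_address(value)
        return lambda a: a == host
    if kind == "network":
        net = ipaddress.ip_network(value, strict=False)
        # 'in' already returns False across IP versions; the check is explicit
        return lambda a: a.version == net.version and a in net
    if kind == "range":
        lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid host range {value!r}")
        return lambda a: a.version == lo.version and lo <= a <= hi
    raise ValueError(f"unknown entry type {kind!r}")  # host names need a resolver


class BlockedSites:
    """Blocked Sites list plus exceptions; an exception exempts an address
    from every blocked entry (assumed semantics for this example)."""

    def __init__(self, blocked, exceptions=()):
        self.blocked = [make_matcher(k, v) for k, v in blocked]
        self.exceptions = [make_matcher(k, v) for k, v in exceptions]

    def is_blocked(self, address):
        addr = ipaddress.ip_address(address)
        if any(m(addr) for m in self.exceptions):
            return False
        return any(m(addr) for m in self.blocked)


# Constructed example list mixing IPv4 and IPv6 entry types.
SAMPLE = BlockedSites(
    blocked=[
        ("host", "203.0.113.5"),
        ("network", "2001:db8:bad::/48"),
        ("range", "198.51.100.10 - 198.51.100.20"),
        ("host", "2001:db8::dead:beef"),
    ],
    exceptions=[("host", "198.51.100.15")],
)

if __name__ == "__main__":
    for ip in ("203.0.113.5", "2001:db8:bad::1", "198.51.100.15", "192.0.2.1"):
        print(ip, "blocked" if SAMPLE.is_blocked(ip) else "allowed")
```

Both address families go through the same `ipaddress` objects, which is why a single list can hold IPv4 and IPv6 entries side by side; the explicit version checks keep a range comparison from raising when an IPv6 address meets an IPv4 range.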

10
IPv6 Functionality: Packet Filter Policies
  • Packet filter policies now support IPv6 traffic

11
Additional External Interfaces
  • You can now configure more than four interfaces
    as external interfaces
  • Previously, the maximum number of external
    interfaces was four

12
DHCP Options for VoIP
  • There are two new settings for DHCP options. Many
    VoIP phones use these DHCP options to download
    the boot configuration.
  • The new settings are:
    • TFTP Server IP: The IP address of the TFTP
      server where the DHCP client can download the
      boot configuration. This corresponds to these
      DHCP options:
      • Option 66 (TFTP server name)
      • Option 150 (TFTP server IP address)
    • TFTP Boot Filename: The name of the boot file.
      This corresponds to this DHCP option:
      • Option 67 (boot file name)
  • Options 66 and 67 are described in RFC 2132.
  • Option 150 is used by Cisco IP phones.
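To make concrete what the two settings put on the wire, here is an added example (written for this page, not WatchGuard code) that encodes the TFTP server and boot file as DHCP options 66, 67 and 150 in the RFC 2132 code/length/value layout, and parses them back the way a phone would. The function names and sample values are constructed; the preference for option 150 over option 66 in the decoder is an assumption about phone behaviour, not something the slide states.

```python
import struct
import ipaddress

# DHCP option codes named on the slide. Encoding is the standard RFC 2132
# TLV (code, length, value); function names are this example's own.
OPT_TFTP_SERVER_NAME = 66      # string (RFC 2132)
OPT_BOOTFILE_NAME = 67         # string (RFC 2132)
OPT_TFTP_SERVER_ADDRESS = 150  # list of IPv4 addresses (Cisco phones)
OPT_PAD, OPT_END = 0, 255


def encode_voip_options(tftp_server_ip, boot_filename):
    """Return the DHCP options bytes carrying the TFTP Server IP and TFTP
    Boot Filename settings. The address goes out as text in option 66 and
    as a raw 4-byte value in option 150, so both kinds of phone find it."""
    ip = ipaddress.IPv4Address(tftp_server_ip)
    out = bytearray()
    for code, value in (
        (OPT_TFTP_SERVER_NAME, str(ip).encode("ascii")),
        (OPT_BOOTFILE_NAME, boot_filename.encode("ascii")),
        (OPT_TFTP_SERVER_ADDRESS, ip.packed),
    ):
        if not 1 <= len(value) <= 255:
            raise ValueError(f"option {code}: value length must be 1..255")
        out += struct.pack("BB", code, len(value)) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(data):
    """Parse an options field into {code: raw value}. Stops at END, skips PAD,
    and refuses truncated options rather than guessing at them."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated value")
        opts[code] = bytes(value)
        i += 2 + length
    return opts


def tftp_settings(opts):
    """What a phone would take from the options: (tftp servers, boot file).
    Assumption for this example: option 150 is preferred when present and
    option 66 is the fallback."""
    if OPT_TFTP_SERVER_ADDRESS in opts:
        raw = opts[OPT_TFTP_SERVER_ADDRESS]
        if len(raw) % 4:
            raise ValueError("option 150: length is not a multiple of 4")
        servers = [str(ipaddress.IPv4Address(raw[j:j + 4]))
                   for j in range(0, len(raw), 4)]
    elif OPT_TFTP_SERVER_NAME in opts:
        servers = [opts[OPT_TFTP_SERVER_NAME].decode("ascii")]
    else:
        servers = []
    boot_file = opts.get(OPT_BOOTFILE_NAME, b"").decode("ascii")
    return servers, boot_file


if __name__ == "__main__":
    blob = encode_voip_options("10.0.0.20", "phone.cfg")   # constructed values
    print(blob.hex())
    print(tftp_settings(decode_options(blob)))
```

Because these options are delivered unauthenticated over the local segment, the settings only tell phones where to fetch their boot configuration; the TFTP server itself still has to be on a network the phones are meant to trust.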

13
DHCP Options for VoIP
  • To configure the DHCP options:
    1. Edit a trusted or optional interface.
    2. Select Use DHCP Server.
    3. Click DHCP Options.
    4. Type the TFTP Server IP and TFTP Boot Filename
       required by your VoIP phones.

14
Network: Dynamic NAT Set Source IP Address
  • When you configure a new dynamic NAT rule, you
    can specify the source IP address to use for
    traffic that matches that rule.
  • The XTM device changes the source IP address for
    packets that match this rule to the source IP
    address you specify.
  • The source IP address must be on the same subnet
    as the primary or secondary IP address of the
    interface specified as the To location.

15
Network: Dynamic NAT Set Source IP Address
  • Previously, you could set the source IP address
    only in the dynamic NAT settings in a policy.
  • If you do not set the source IP address, or if
    the source IP address is not on the same subnet
    as the outgoing interface, dynamic NAT changes
    the source IP address to the IP address of the
    interface from which the packet is sent.
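The two slides together define a small decision rule, including its fallback case. As an added illustration (this is example code written for this page, not WatchGuard's implementation), the function below applies it: the configured source IP is used only when it lies on the subnet of the outgoing interface's primary or secondary address; otherwise, or when nothing is configured, the interface's own primary address is used. The function name, argument layout and sample addresses are assumptions for the example.

```python
import ipaddress


def dynamic_nat_source(configured_source, interface_addresses):
    """Choose the source IP that dynamic NAT writes into a packet leaving
    through an interface. interface_addresses lists the primary address
    first, then any secondary addresses, each as 'address/prefix'.

    Rule from the slides: use the configured source IP only if it is on the
    same subnet as the interface's primary or secondary address; otherwise
    (or if none is configured) use the outgoing interface's own address.
    The function name and argument layout are this example's own."""
    ifaces = [ipaddress.ip_interface(a) for a in interface_addresses]
    if not ifaces:
        raise ValueError("the outgoing interface needs at least one address")
    fallback = ifaces[0].ip                 # the interface's primary address
    if configured_source is None:
        return str(fallback)
    src = ipaddress.ip_address(configured_source)
    for iface in ifaces:
        if src.version == iface.version and src in iface.network:
            return str(src)                 # on a subnet of the interface
    return str(fallback)                    # not on the subnet: interface IP


# Constructed outgoing interface: primary 203.0.113.1/24, secondary 198.51.100.1/24
OUTGOING = ["203.0.113.1/24", "198.51.100.1/24"]

if __name__ == "__main__":
    for cfg in ("203.0.113.7", "198.51.100.9", "192.0.2.9", None):
        print(cfg, "->", dynamic_nat_source(cfg, OUTGOING))
```

The silent fallback is the part worth remembering when troubleshooting: a rule whose source address is off-subnet does not fail, it quietly NATs to the interface address, so upstream filters keyed on the intended source will not see what you expect.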

16
Serial Modem Failover on XTM 330 and XTM 5 Series
  • Serial modem failover is supported for XTM 2, 3,
    and 5 Series devices.
  • Previously, modem failover was supported for XTM
    2 Series and XTM 33 only.
  • This release adds modem support for XTM 330 and
    all 5 Series devices.
  • The Network > Modem option is now available for
    XTM 2, 3, and 5 Series devices.

17
Branch Office VPN Modem Failover
  • Branch Office VPN can use a modem for failover if
    modem failover is enabled for the device.
  • To configure a VPN gateway for modem failover:
    1. Enable modem failover in Network > Modem.
    2. Configure the local gateway endpoint to use a
       domain name ID for tunnel authentication.
    3. Select the Use modem for failover check box.
  • If the device has multiple external interfaces:
    • You must add a gateway endpoint for each physical
      external interface.
    • The local gateway ID for each external interface
      must be unique.

18
Branch Office VPN Modem Failover
  • When failover occurs:
    • If all external interfaces are down, the XTM
      device starts a serial modem connection between
      the two sites.
    • The XTM device initiates a VPN connection over
      the modem connection.
    • The XTM device uses the first local gateway
      ID configured for the external interface as the
      local gateway ID for the modem connection.
  • Because the device with modem failover enabled
    uses an ID for tunnel authentication, the device
    with the modem must initiate the VPN connection.
  • This means that you cannot enable modem failover
    for both gateway endpoints for the same branch
    office VPN tunnel.

19
Hotspot External Guest Authentication
  • When you enable a hotspot on the Wireless Guest
    network, you can now select the Hotspot Type:
    • Custom Page: This is the hotspot splash screen
      on the XTM device. It presents the hotspot user
      with terms and conditions they must agree to
      before they can use the hotspot.
    • External Guest Authentication: This new option
      allows you to redirect new hotspot users to an
      external web server for user authentication.
  • The Authentication URL and Authentication Failure
    URL values are pages on an external web server.
  • The Shared Secret is used to validate responses
    from the web server.

20
Hotspot External Guest Authentication
  • When you set the hotspot type to External Guest
    Authentication, you must provide this information:
    • The Authentication URL on your external web
      server of a page that does hotspot user
      authentication or collects other information.
    • The Authentication Failure URL on your external
      web server of a page to redirect users to if
      external guest authentication fails.
    • A Shared Secret that is used to validate the
      access response from the external web server.
  • You must configure the external web server to:
    • Accept an access request from the XTM device.
    • Authenticate the user (or perform any other
      function that you want to use as a criterion for
      hotspot access).
    • Provide an access decision to the XTM device.
  • All communication between the XTM device and the
    external web server occurs in the form of URL
    query strings sent through the hotspot client
    browser.

21
Hotspot External Guest Authentication
Interaction workflow:
  1. A wireless hotspot user tries to browse to a web
     page.
  2. If this is a new hotspot user, the XTM device
     sends the browser a redirect to the
     Authentication URL on the external web
     server. This URL includes a query string that
     contains the access request.
  3. The browser sends the access request to the
     external web server.
  4. The external web server sends the Authentication
     page to the browser.
  5. The hotspot user types the requested information
     and submits the form to the external web server.
  6. The external web server processes the
     authentication information and sends an HTML page
     to the browser.
  7. The browser sends the access decision to the XTM
     device. This URL contains a query string that
     contains the access decision, a checksum, and a
     redirect URL.
  • The XTM device reads the access decision,
    verifies the checksum, and sends a redirect URL
    to the hotspot user's browser. Based on the
    outcome of the external authentication process,
    the redirect URL can be:
    • The original URL the user browsed to
    • A different redirect URL, if specified by the
      external web server
    • The authentication failure URL, if authentication
      failed or access was denied.
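The whole exchange travels through the guest's own browser, which is why the checksum and shared secret matter: the device must be able to tell a decision the server really made from one the client edited on the way back. The model below is an added example written for this page, not WatchGuard's protocol or code. It plays both sides (device and external web server) against the three slides above. The query parameter names, the per-request nonce, and HMAC-SHA256 as the checksum are assumptions; the slides say only that the decision carries a checksum validated with the shared secret. All URLs, secrets and credentials are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Model of the exchange on the slides, written for this page. The query
# parameter names, the nonce and the HMAC-SHA256 checksum are assumptions.

SHARED_SECRET = b"constructed-demo-shared-secret"   # constructed value


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def decision_checksum(secret, decision, redirect, nonce):
    """Keyed checksum over every field the device acts on, so the browser
    relaying the URL cannot alter any of them unnoticed."""
    msg = "|".join((decision, redirect, nonce)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class HotspotDevice:
    """XTM device side: issues access requests, verifies access decisions."""

    def __init__(self, secret, auth_url, failure_url):
        self.secret, self.auth_url, self.failure_url = secret, auth_url, failure_url
        self.pending = {}   # nonce -> URL the user originally asked for

    def access_request(self, client_mac, original_url):
        nonce = secrets.token_hex(8)     # ties one decision to one request
        self.pending[nonce] = original_url
        return self.auth_url + "?" + urlencode({"mac": client_mac, "nonce": nonce})

    def handle_decision(self, decision_url):
        """Return the URL the user's browser is redirected to."""
        q = _query(decision_url)
        original = self.pending.pop(q.get("nonce", ""), None)
        if original is None:                 # unknown or already-used nonce
            return self.failure_url
        decision, redirect, nonce = q.get("decision", ""), q.get("redirect", ""), q["nonce"]
        expected = decision_checksum(self.secret, decision, redirect, nonce)
        if not hmac.compare_digest(expected, q.get("checksum", "")):
            return self.failure_url          # altered in transit
        if decision != "allow":
            return self.failure_url
        return redirect or original          # server's redirect, else original URL


class ExternalAuthServer:
    """External web server side: checks credentials, signs the decision."""

    def __init__(self, secret, device_url, users):
        self.secret, self.device_url, self.users = secret, device_url, users

    def decide(self, request_url, username, password, redirect=""):
        nonce = _query(request_url)["nonce"]
        stored = self.users.get(username, "")
        ok = hmac.compare_digest(stored.encode(), password.encode())
        decision = "allow" if ok else "deny"
        params = {"decision": decision, "nonce": nonce, "redirect": redirect,
                  "checksum": decision_checksum(self.secret, decision, redirect, nonce)}
        return self.device_url + "?" + urlencode(params)


if __name__ == "__main__":
    dev = HotspotDevice(SHARED_SECRET, "https://auth.example.test/login",
                        "https://auth.example.test/failed")
    srv = ExternalAuthServer(SHARED_SECRET, "http://hotspot.example.test/decision",
                             {"guest": "s3cret"})
    req = dev.access_request("aa:bb:cc:dd:ee:ff", "http://www.example.com/")
    print(dev.handle_decision(srv.decide(req, "guest", "s3cret")))
```

The nonce is the example's addition to what the slides describe: without something that binds a decision to a single request, a valid "allow" URL could be reused, so the device here accepts each nonce once and treats a repeat like a failed check.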

22
Link Aggregation
  • New Network Configuration tab

23
Link Aggregation: Configure Virtual Interface
  • Select the Link Aggregation (LA) Mode:
    • Static
      • The same physical interface is always used for
        traffic between a given source and destination,
        based on source/destination MAC address and
        source/destination IP address
    • Dynamic (802.3ad)
      • The physical interface used for traffic between
        any source and destination is selected based on
        Link Aggregation Control Protocol (LACP)
    • Active-backup
      • One member interface in the link aggregation
        group is active at a time; other member
        interfaces in the link aggregation group become
        active only if the active interface fails

24
Link Aggregation: Configure Virtual Interface
  • Select the LA Interface Type:
    • Trusted
    • Optional
    • External
    • Bridge
    • VLAN

25
Link Aggregation: Configure Virtual Interface
  • Select the Link Speed and Maximum Transmission
    Unit (MTU) on the Advanced tab
  • The member physical interfaces of an LA group
    support the same link speed

26
Link Aggregation: Assign Physical Interfaces
27
Link Aggregation: FSM
28
Link Aggregation: FireCluster
  • Only Active/Passive is supported

29
Link Aggregation: FireCluster
  • You can select a LA interface as the FireCluster
    Management Interface

30
Link Aggregation: FireCluster
  • Monitored link includes only virtual interface
    and not member interfaces

31
Link Aggregation: FireCluster
  • FSM Cluster View

32
Link Aggregation: FireCluster
  • When you configure Link Aggregation for an
    existing FireCluster, only Active/Passive mode is
    supported.
    1. Break the FireCluster.
    2. Configure the Link Aggregation settings. This is
       important because of the changes in the MAC
       address on the LA Virtual Interface.
    3. Rebuild the Active/Passive FireCluster.

33
Mobile VPN
34
Mobile VPN with L2TP
  • Supports L2TP connections from VPN clients native
    to many operating systems such as Windows, Mac
    OS, Linux, Android, and iOS.
  • L2TP is a more secure alternative to PPTP.
    • More robust than PPTP because the data is
      encapsulated in IPSec
  • Uses Aggressive Mode to connect remote clients to
    the firewall (like Mobile VPN with IPSec)
  • Supported authentication methods:
    • Firebox-DB local authentication
    • RADIUS
  • Mobile VPN with L2TP supports multiple
    authentication methods (like Mobile VPN with SSL)
    • Can enable more than one authentication method
    • If the primary method fails, you can connect with
      another authentication method (such as
      Firebox-DB)

35
Mobile VPN with L2TP
  • Mobile VPN with L2TP appears with the other
    Mobile VPN options.
  • Select VPN > Mobile VPN > L2TP.
  • Select Activate to start the L2TP Setup Wizard.
  • Select Configure to edit the configuration.

36
Mobile VPN with L2TP
  • Run the WatchGuard L2TP Setup Wizard to simplify
    L2TP configuration.
  • Select the authentication server.

37
Mobile VPN with L2TP
  • As with Mobile VPN with SSL, you can define your
    own group in your server, locally, or use the
    default group, L2TP-Users.
  • You can specify the allowed resources:
    • Allow access to all resources
    • Restrict access to specific IP addresses or
      subnets

38
Mobile VPN with L2TP
  • Specify the virtual IP address pool range for the
    clients.
  • If you use a subnet within your Trusted or
    Optional networks, make sure this range is not
    used in an existing DHCP pool.
  • Select the pre-shared key or certificate to use
    for IPSec negotiation.

39
Mobile VPN with L2TP
  • When you enable Mobile VPN with L2TP, two new
    policies are created automatically:
    • WatchGuard L2TP: Enables port UDP 1701 for L2TP
    • Allow L2TP-Users: Enables L2TP group members to
      connect to firewall resources

40
Mobile VPN with L2TP
  • To edit the configuration, select VPN > Mobile
    VPN > L2TP > Configure.

41
Mobile VPN Apps for Android and iOS
  • WatchGuard Mobile VPN App for Android
    • Free app available from the Google Play app store
    • Supported on mobile devices that use Android
      4.0.x and 4.1.x
    • Uses a .wgm Mobile VPN with IPSec configuration
      profile to configure an IPSec VPN connection in
      the WatchGuard Mobile VPN app
    • An IPSec VPN client you can use instead of the
      native VPN client
    • Does not support L2TP
  • WatchGuard Mobile VPN App for iOS
    • Free app available from the Apple app store
    • Supported on mobile devices that use iOS 5.x and
      6.x
    • Uses a .wgm configuration profile to configure an
      IPSec or L2TP VPN connection in the native iOS
      VPN client
    • Not a VPN client: Creates an L2TP or IPSec VPN
      connection in the native iOS VPN client, with the
      correct settings to connect to the XTM device

42
Generate a .wgm File: Mobile VPN with IPSec
  • For Mobile VPN with IPSec, the .wgm file is
    generated (with the .ini, .wgx, and .vpn files)
    when you select a profile and click Generate.
  • The file name is <groupname>.wgm
  • The .wgm file for IPSec can be used with the
    WatchGuard Mobile VPN apps for Android and iOS

43
Generate a .wgm File: Mobile VPN with L2TP
  • Generate an L2TP configuration file to send to
    mobile users of an iOS device.
    1. Select VPN > Mobile VPN > L2TP > Mobile clients.
    2. Type a Profile Name (default is L2TP).
    3. Type the IP address of the external interface to
       connect to.
    4. Type and confirm an encryption password for the
       .wgm file.
  • The file name is <profile name>.wgm
  • The .wgm file for L2TP can be used only with the
    Mobile VPN app for iOS.

44
Use a .wgm File to Configure an iOS Device
  • Send the .wgm file to the iOS users as an email
    attachment.
  • Use a secure method to give the encryption
    password to the users.
    • For Mobile VPN with IPSec, the encryption
      password is the tunnel passphrase.
    • For Mobile VPN with L2TP, the encryption password
      is the password you set when you generated the
      configuration profile.
  • On the iOS device, users must:
    1. Install the free WatchGuard Mobile VPN app from
       the Apple app store.
    2. Open the email that contains the .wgm file
       attachment.
    3. Open the .wgm file attachment. The WatchGuard
       Mobile VPN app launches.
    4. Type the passphrase from the administrator to
       decrypt the file. The WatchGuard Mobile VPN app
       imports the configuration and creates an IPSec or
       L2TP VPN configuration profile in the iOS VPN
       client.
    5. To start the VPN connection, click the VPN switch
       in the iOS Settings list. When the connection is
       established, the VPN icon appears in the status
       bar.

45
Use a .wgm File to Configure an Android Device
  • Send the .wgm file to the Android users as an
    email attachment.
  • Use a secure method to give the tunnel passphrase
    to the users.
    • For Mobile VPN with IPSec, the encryption
      password is the tunnel passphrase.
  • On the Android device, users must:
    1. Install the free WatchGuard Mobile VPN app from
       the Google Play app store.
    2. Open the email that contains the .wgm file
       attachment.
    3. Open the .wgm file attachment. The WatchGuard
       Mobile VPN app launches.
    4. Type the passphrase from the administrator to
       decrypt the file. The WatchGuard Mobile VPN app
       imports the configuration and creates an IPSec
       VPN configuration profile in the WatchGuard VPN
       app.
    5. Click the VPN connection profile in the
       WatchGuard Mobile VPN app to start the VPN
       connection.

46
Mobile VPN with SSL Client
  • The Remember connection details check box in the
    Mobile VPN with SSL clients for both Mac and
    Windows enables the client to remember the
    Server, Username, and Password settings.

SSL VPN client for Windows
SSL VPN client for Mac
47
System
48
FireCluster on Wireless Devices
  • FireCluster is now supported on XTM 25-W, 26-W,
    and 33-W devices.
  • When wireless is enabled, you can configure
    FireCluster only in active/passive mode.
  • When you enable FireCluster for wireless XTM
    devices, the configuration must meet these
    requirements:
    • The XTM device must be configured as a wireless
      access point. FireCluster is not supported when
      wireless is enabled as an external interface.
    • The FireCluster Interface for management IP
      address cannot be an interface that is bridged to
      a wireless network.
    • The FireCluster primary cluster interface and
      backup cluster interface cannot be interfaces
      that are bridged to a wireless network.
  • All other FireCluster requirements and
    restrictions also apply to wireless devices.

49
FireCluster Failover Based on Health Indexes
  • Each cluster member has a Weighted Average Index
    (WAI) that indicates the health of the device.
  • The Cluster Health section of the Firebox System
    Manager Status Report shows these health index
    values for each cluster member:
    • System Health Index (SHI): Health of monitored
      processes.
    • Hardware Health Index (HHI): Health status of
      hardware.
    • Monitored Ports Health Index (MPHI): Status of
      monitored ports.
    • Weighted Average Index (WAI): This index is used
      to compare the overall health of two cluster
      members.
  • By default, the WAI for a cluster member is a
    weighted average of the SHI and MPHI for that
    device. HHI is not used in the calculation of WAI
    unless you enable it.
  • WAI can range from 0 to 100. A WAI of 100
    indicates no issues.
  • The cluster master fails over if the WAI of the
    cluster master is lower than the WAI of the
    backup master.

50
Hardware Health Index (HHI)
  • The Hardware Health Index (HHI) indicates the
    status of critical hardware components.
  • If no hardware failures are detected, the HHI
    value is 100.
  • If a critical monitored hardware component fails,
    the HHI value is zero.
  • The HHI is based on the status of:
    • CPU and system fan speeds
    • CPU and system temperatures
    • System voltages
    • Cryptographic chip
    • Power supply (XTM 1050 and XTM 2050)
    • Hard disk (XTM 2050)

51
Hardware Health Index (HHI)
  • By default, hardware health status is not used in
    the calculation of the weighted average index
    (WAI) for the cluster members.
  • You can enable this option in the FireCluster
    Advanced settings.
  • When this option is enabled, the WAI calculation
    is a weighted average of the SHI, HHI, and MPHI.
  • Exception: if the HHI of a cluster member is
    zero, the WAI is zero.

52
Configurable FireCluster Lost Heartbeat Threshold
  • The cluster master sends a VRRP heartbeat packet
    that contains the WAI health index of the cluster
    master through the primary and backup cluster
    interfaces once per second.
  • The Lost Heartbeat Threshold determines the
    number of consecutive heartbeats not received by
    the backup master to trigger a failover.
  • Configure this threshold in the FireCluster
    Advanced settings.
  • The default value is 3.
  • The maximum value is 10.
  • If a FireCluster experiences unexplained
    failovers, with no known cause, increasing the
    Lost Heartbeat Threshold might increase cluster
    stability.
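Slides 49 to 52 describe two independent failover triggers: a health comparison (WAI of master versus backup) and a count of consecutive lost heartbeats. The following added example, written for this page and not WatchGuard code, models both so the interaction of the rules can be checked: the WAI as a weighted average of SHI and MPHI with HHI folded in only when enabled, the HHI-of-zero exception, and a heartbeat monitor driven by the Lost Heartbeat Threshold. The slides do not give the relative weights, so equal weights are assumed by default; the function and class names are the example's own.

```python
# Model of the FireCluster health indexes and heartbeat rule on the slides,
# written for this page. Weights are not given on the slides, so equal
# weights are assumed unless the caller passes its own.


def weighted_average_index(shi, mphi, hhi=None, weights=None):
    """WAI = weighted average of SHI and MPHI; HHI joins only when hardware
    health monitoring is enabled (hhi is not None), and an HHI of zero
    forces the WAI to zero regardless of the other indexes."""
    parts = [shi, mphi] + ([hhi] if hhi is not None else [])
    if any(not 0 <= p <= 100 for p in parts):
        raise ValueError("health indexes are in the range 0..100")
    if hhi == 0:
        return 0.0
    weights = list(weights) if weights else [1.0] * len(parts)
    if len(weights) != len(parts):
        raise ValueError("one weight per index")
    return sum(p * w for p, w in zip(parts, weights)) / sum(weights)


def backup_should_take_over(master_wai, backup_wai):
    """The cluster master fails over only when its WAI is strictly lower
    than the backup master's; equal health keeps the current master."""
    return master_wai < backup_wai


class HeartbeatMonitor:
    """Backup master's view of the once-per-second heartbeat: counts
    consecutive missed heartbeats against the Lost Heartbeat Threshold
    (default 3, maximum 10) and reports when a failover is triggered."""

    def __init__(self, lost_heartbeat_threshold=3):
        if not 1 <= lost_heartbeat_threshold <= 10:
            raise ValueError("threshold must be between 1 and 10")
        self.threshold = lost_heartbeat_threshold
        self.missed = 0
        self.master_wai = None      # last WAI the master advertised

    def tick(self, heartbeat_wai):
        """Call once per second with the master's WAI from the heartbeat,
        or None when no heartbeat arrived. Returns True on failover."""
        if heartbeat_wai is None:
            self.missed += 1
            return self.missed >= self.threshold
        self.missed = 0             # any heartbeat resets the count
        self.master_wai = heartbeat_wai
        return False


def run_heartbeats(threshold, sequence):
    """Feed a constructed sequence of heartbeats (WAI or None) and return the
    tick index at which failover triggered, or None if it never did."""
    mon = HeartbeatMonitor(threshold)
    for i, hb in enumerate(sequence):
        if mon.tick(hb):
            return i
    return None


if __name__ == "__main__":
    print(weighted_average_index(100, 80), weighted_average_index(100, 80, 100))
    print(backup_should_take_over(weighted_average_index(100, 50), weighted_average_index(100, 100)))
    print(run_heartbeats(3, [100, None, None, 100, None, None, None]))   # constructed
```

The run_heartbeats sequence shows why raising the threshold stabilises a cluster with flaky heartbeat delivery: two misses followed by a good packet never accumulate, so only three misses in a row (at the default) trigger the switch.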

53
Save TCP Dump Data to a PCAP File (FSM and Web UI)
  • In many situations technical support needs to be
    able to obtain a packet capture from the XTM
    device.
  • With Fireware XTM v11.6.1, the method of
    capturing data was limited by:
    • The size of the temporary storage
    • The visualization of data
  • The v11.6.1 implementation:
    • Required the data to be temporarily stored on the
      device and then downloaded as the capture became
      available.
    • Allowed the raw PCAP data from the session to
      be downloaded only if the capture was made from
      Firebox System Manager

54
Save TCP Dump Data to a PCAP File (FSM and Web UI)
  • For v11.7, from FSM and Fireware XTM Web UI, you
    can stream the TCP dump data directly to a PCAP
    file on your computer. From FSM, you can also
    save the data on the XTM device to later save in
    a PCAP file.
  • Both options are only available when the Advanced
    Options check box and TCP Dump task are
    selected.
  • When PCAP data is sent directly to a file, no
    data appears in the Results list.
  • The amount of TCP dump data included in the PCAP
    file that is saved directly to your computer is
    limited by the amount of free space on your
    computer, or the file size restriction enforced
    by your computer's operating system.
  • If you use FSM and save the TCP dump data to your
    XTM device and later save the PCAP file, the
    amount of data captured can be several megabytes.

55
Save TCP Dump Data to a PCAP File (FSM)
  • To save the TCP dump data directly in a PCAP
    file, from FSM, select Tools > Diagnostic Tasks,
    and select the Advanced Options check box.
  • You must select the Stream data to file check box
    and click Browse to specify the location and file
    name for the PCAP file.

56
Save TCP Dump Data to a PCAP File (FSM)
  • To save the TCP dump data on the XTM device and
    later save a PCAP file to your computer, select
    the Buffer data to save later check box.
  • When the task runs, the data appears in the
    Results list.
  • After the task runs, click the Save Pcap file
    button and specify a file name and location to
    save the file.

57
Save TCP Dump Data to a PCAP File (Web UI)
  • To save the data directly in a PCAP file, in the
    Web UI, select System Status > Diagnostics.
  • When you select the TCP Dump task and the
    Advanced Options check box, you can select the
    new Stream data to file check box.
  • When you run the task, the Select file button
    appears. You must click this button to specify a
    file name and location to save the PCAP file.

58
Save TCP Dump Data to a PCAP File (Web UI)
  • Once the task starts, the Run Task button changes
    to Stop Task. The number of bytes downloaded
    appears above the Results list, but details of
    the TCP dump task do not appear in the Results
    list.
  • Click Stop Task to stop collecting task results.
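Slides 53 to 58 contrast buffering a capture on the device with streaming it straight into a PCAP file, and the file format is what makes streaming simple: a fixed 24-byte global header followed by one self-describing record per packet, so a writer never has to go back and patch a count. The block below is an added example for this page (not WatchGuard or FSM code) that writes that classic pcap container incrementally and parses it back, checking for truncation. The class and function names and the sample Ethernet frame are constructed.

```python
import io
import struct

# Added example for this page: the classic pcap container that streamed
# TCP dump data ends up in (24-byte global header, then a 16-byte record
# header per packet). Class and function names are this example's own.

PCAP_MAGIC = 0xA1B2C3D4          # microsecond timestamps, native byte order
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER = "IHHiIII"        # magic, major, minor, tz offset, sigfigs, snaplen, linktype
RECORD_HEADER = "IIII"           # ts_sec, ts_usec, captured length, original length


class PcapStreamWriter:
    """Write the global header once, then append a record per packet as it
    arrives; nothing has to be buffered on the capturing device."""

    def __init__(self, fileobj, snaplen=65535, linktype=LINKTYPE_ETHERNET):
        self.f, self.snaplen, self.count = fileobj, snaplen, 0
        self.f.write(struct.pack("<" + GLOBAL_HEADER, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))

    def write_packet(self, ts_sec, ts_usec, packet):
        captured = packet[:self.snaplen]    # truncate to snaplen, keep original length
        self.f.write(struct.pack("<" + RECORD_HEADER, ts_sec, ts_usec, len(captured), len(packet)))
        self.f.write(captured)
        self.count += 1


def read_pcap(data):
    """Parse pcap bytes into (linktype, [(ts_sec, ts_usec, orig_len, bytes)]),
    accepting either byte order and rejecting truncated files."""
    if len(data) < 24:
        raise ValueError("file shorter than the global header")
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:       # same magic written big-endian
        end = ">"
    else:
        raise ValueError("not a pcap file")
    _, _, _, _, _, snaplen, linktype = struct.unpack_from(end + GLOBAL_HEADER, data, 0)
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl, orig = struct.unpack_from(end + RECORD_HEADER, data, off)
        off += 16
        if incl > snaplen or off + incl > len(data):
            raise ValueError("truncated or oversized packet record")
        records.append((ts_sec, ts_usec, orig, bytes(data[off:off + incl])))
        off += incl
    return linktype, records


# Constructed sample: a minimal 74-byte Ethernet frame (dst, src, type, payload).
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"\x45" + bytes(59)


def capture_to_bytes(packets, snaplen=65535):
    """Stream constructed (ts_sec, packet) pairs through the writer and
    return the resulting file bytes."""
    buf = io.BytesIO()
    w = PcapStreamWriter(buf, snaplen=snaplen)
    for ts, pkt in packets:
        w.write_packet(ts, 0, pkt)
    return buf.getvalue()


if __name__ == "__main__":
    blob = capture_to_bytes([(1700000000, SAMPLE_FRAME), (1700000001, SAMPLE_FRAME[:40])])
    linktype, records = read_pcap(blob)
    print(len(blob), "bytes,", len(records), "records, linktype", linktype)
```

A file cut off mid-record (for example when a streamed capture is stopped abruptly) fails the length checks in read_pcap rather than yielding a half packet, which is the behaviour you want before handing a capture to a dissector.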

59
Automatic Feature Key Synchronization
  • Automatic feature key synchronization allows the
    XTM device to automatically download the latest
    feature key from the WatchGuard web site when any
    feature in the feature key is expired or about to
    expire. It is not enabled by default.
  • To enable automatic feature key synchronization:
    1. In Policy Manager, select Setup > Feature Keys.
    2. Select the Enable automatic feature key
       synchronization check box.

60
Automatic Feature Key Synchronization
  • When you enable automatic feature key
    synchronization:
    • The XTM device immediately checks the expiration
      dates in the feature key, and continues to check
      once each day.
    • If any feature is expired, or will expire within
      three days, the XTM device automatically
      downloads the latest feature key from WatchGuard
      once each day, until it successfully downloads a
      feature key that does not have expired features.
  • In a FireCluster, the cluster master synchronizes
    the feature keys for both cluster members.

61
Authentication
62
Authentication Login Limits Per User or Group
  • You can specify how many times each user or group
    member can use the same credentials to log in
    from more than one location at the same time.

63
Authentication Login Limits Per User or Group
  • The settings you specify in the user or group
    configuration override the global authentication
    settings you configure on the Firewall
    Authentication tab for an XTM device.
  • In Policy Manager, select Setup > Authentication
    > Authorized Users/Groups and add or edit a user
    or group.

64
Authentication Login Limits Per User or Group
  • Select the Enable login limits for each user or
    group check box.
  • To enable users or group members to log in with
    the same account credentials as many times as
    they choose, select the Allow unlimited
    concurrent firewall authentication logins from
    the same account option.

65
Authentication Login Limits Per User or Group
  • To restrict the number of times a user or group
    member can log in, select the Limit concurrent
    user sessions to option, and specify the number
    of times each user or group member can log in.
  • Select the action the XTM device takes when the
    user reaches the specified login limit:
    • Reject subsequent login attempts
    • Allow subsequent attempts and log off the first
      session
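Slides 62 to 65 describe a global concurrent-login limit, per-user or per-group overrides, and two actions on reaching the limit. The following added example (written for this page, not WatchGuard code) models that policy so the two actions can be compared on the same session table. The class names, and the order in which overrides are resolved (user setting first, then the first group with a setting, then the global setting), are assumptions; the slides say only that user or group settings override the global ones.

```python
# Model of the per-user / per-group login limits on the slides, written
# for this page; class names and the override order are assumptions.

REJECT = "reject subsequent login attempts"
LOGOFF_FIRST = "allow subsequent attempts and log off the first session"
UNLIMITED = None


class LoginLimits:
    def __init__(self, global_limit, global_action=REJECT):
        self.global_limit, self.global_action = global_limit, global_action
        self.user_rules, self.group_rules = {}, {}    # name -> (limit, action)
        self.membership = {}                          # user -> [groups]
        self.sessions = {}                            # user -> [session ids], oldest first

    def set_user_limit(self, user, limit, action=REJECT):
        self.user_rules[user] = (limit, action)

    def set_group_limit(self, group, limit, action=REJECT):
        self.group_rules[group] = (limit, action)

    def add_member(self, user, group):
        self.membership.setdefault(user, []).append(group)

    def effective_rule(self, user):
        """Per-user setting, else the first group with a setting, else the
        global setting (resolution order assumed for this example)."""
        if user in self.user_rules:
            return self.user_rules[user]
        for group in self.membership.get(user, []):
            if group in self.group_rules:
                return self.group_rules[group]
        return self.global_limit, self.global_action

    def login(self, user, session_id):
        """Returns (accepted, session that was logged off or None)."""
        limit, action = self.effective_rule(user)
        active = self.sessions.setdefault(user, [])
        if limit is UNLIMITED or len(active) < limit:
            active.append(session_id)
            return True, None
        if action == REJECT:
            return False, None                 # keep the existing sessions
        oldest = active.pop(0)                 # LOGOFF_FIRST: evict the first session
        active.append(session_id)
        return True, oldest

    def logout(self, user, session_id):
        active = self.sessions.get(user, [])
        if session_id in active:
            active.remove(session_id)


if __name__ == "__main__":
    # Constructed policy: global limit 1 (reject), Sales group limit 2 (log off first).
    lim = LoginLimits(global_limit=1)
    lim.set_group_limit("Sales", 2, LOGOFF_FIRST)
    lim.add_member("bob", "Sales")
    for sid in ("b1", "b2", "b3"):
        print("bob", sid, lim.login("bob", sid))
    print("carol c1", lim.login("carol", "c1"), "carol c2", lim.login("carol", "c2"))
```

The choice between the two actions is a usability-versus-containment trade: rejecting keeps a stolen credential from displacing the legitimate session, while logging off the first session keeps a user who forgot to log out elsewhere from being locked out.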

66
Policies
67
Policy Tags and Filters
  • To improve visibility and troubleshooting, you
    can now create groups of policies.
  • To create groups, apply policy tags to your
    policies and create filters that use the policy
    tags to specify which policies are visible in the
    policy list. You can also sort the policy list by
    the Tags column.
  • You can save filters so you can apply them again.
    Remove a filter to see the full list of policies
    again.
  • Policy tags and filters can be managed in Policy
    Manager and Fireware XTM Web UI.

68
Policy Tags and Filters
  • First, define policy tags and add them to
    policies. Hold down Ctrl to apply a tag to
    multiple policies at the same time.
  • Right-click a policy and select Policy Tags > Add
    to policy > New. Or, select View > Policy Tags >
    Manage.

69
Policy Tags and Filters
  • Name the policy tag and select a color for the
    name of the policy tag. The color only applies to
    the name of the policy tag, and appears in the
    Tags column.

70
Policy Tags and Filters
  • When you have applied policy tags to all the
    policies you want to group, click on the
    Tags column to select the policy tags you want to
    see in the policy list.

71
Policy Tags and Filters
  • Filtered view for only policies with the
    specified tag. For example, the Web tag.
  • The red filter icon indicates that a
    filter is applied to the policy list, and the
    filter has not been saved.

72
Policy Tags and Filters
  • To save a filter, click the icon shown on the slide.
  • Specify a name for the filter.

73
Policy Tags and Filters
  • From the Filter drop-down list, you can easily
    select another filter, create a new custom
    filter, or remove all filters.

74
Policy Tags and Filters
  • To remove a tag from a policy in Policy Manager,
    choose a method:
    • Select a policy in the policy list and select
      View > Policy Tags > Remove from policy > <policy
      tag>.
    • Right-click the policy and select Policy Tags >
      Remove from policy > <policy tag>.

75
Policy Tags and Filters
  • To remove a tag from a policy in Fireware XTM Web
    UI, select a policy in the policy list and select
    Tags > Remove from policy > <policy tag>.

76
Policy Tags and Filters
  • If you save the configuration file to your XTM
    device with a filter applied, the next time you
    connect to the device with Fireware XTM Web UI,
    or open Policy Manager, the configuration file
    opens with the last filter applied, not with the
    default policy list view.
  • Make sure the Tags column is completely visible
    so the Tag Filter icon is not hidden. You cannot
    apply a new filter if you cannot select the Tag
    Filter icon.
  • Tags and filters are only available for XTM
    devices with Fireware XTM OS v11.7 and later.

77
Manually Change the Policy Order
  • With a policy filter applied, you can switch to
    Manual Order Mode and change the policy order.
  • The correct policy order number appears in the
    Order column.

78
Management
79
Limit the Size of the Report Server Database
  • In WSM v11.7, there are now two methods you can
    choose from to limit the size of your Report
    Server database:
    • Delete reports after a specified number of days
    • Delete reports at a maximum database size

80
Limit the Size of the Report Server Database
  • The Report Server automatically deletes reports
    after the specified number of days elapse.
    • The default setting is every 14 days at 12:00 AM.
    • You can change this setting to meet the needs of
      your organization.
  • You can also now set a Maximum database size
    for your Report Server.
    • When the size you specify is reached, the Report
      Server deletes reports until the database is
      within the size you specify.
    • This option might delete reports before the
      specified number of days elapse.
  • If you do not specify a Maximum database size,
    you can enable the Report Server to send you a
    notification message when the database reaches
    the preferred size warning threshold that you
    specify.
  • If you do specify a Maximum database size, you
    can enable the Report Server to send you a
    notification message when reports are deleted.

81
CA Manager in WatchGuard WebCenter
  • CA Manager is now available in the new WatchGuard
    WebCenter web UI, with Log Manager and Report
    Manager.
  • WebCenter and CA Manager are automatically
    installed when you install a WatchGuard
    Management Server.
  • The configuration options for CA Manager are
    unchanged and all available in the CA Manager
    pages of WatchGuard WebCenter.

82
CA Manager in WatchGuard WebCenter
  • To connect to WebCenter for CA Manager, open
    WatchGuard System Manager and click the icon
    shown on the slide. Or, select Tools > CA Manager.
    Or, open a web browser and go to
    https://<IP address of the Management Server>:4130.

83
CA Manager in WatchGuard WebCenter
v11.6.1 and earlier CA Manager
v11.7 CA Manager
84
Quarantined Email Web UI
  • When you enable notification on the Quarantine
    Server, the intended recipients of quarantined
    mail receive a notification message.
  • The notification message includes:
    • A link to a web page on the Quarantine Server
      where users can manage their quarantined
      messages. This web page has been redesigned in
      v11.7.
    • A report of the last 50 quarantined messages.
    • The total number of quarantined messages.

85
Quarantined Email Web UI
  • When you click the link in the notification
    email, the Quarantine Email web page launches
    with quarantined messages on two tabs:
  • Spam: Messages quarantined by spamBlocker
  • Virus: Messages quarantined by Gateway AntiVirus
  • From this page, you can:
  • Click any message subject to see the message
    body.
  • Delete messages from the Virus or Spam tab.
  • Mark messages on the Spam tab as Not Spam, which
    releases them from quarantine.

86
Quarantined Email Web UI
  • Users can also select whether to receive future
    notifications about quarantined email messages.

87
1-to-1 NAT for Managed VPN Tunnels
  • Administrators can now configure 1-to-1 NAT in
    managed VPN tunnels.
  • The setting is available in the VPN Resource
    configuration.

88
Centralized Management for XTM Devices Behind NAT
Gateways
  • Our customers might not control a third-party
    firewall or router, but they want to use
    Centralized Management for their XTM devices
    behind the third-party firewall or router.

Diagram labels: Airport, Parking Garage
89
Centralized Management for XTM Devices Behind NAT
Gateways
  • Requirements:
  • An XTM device (gateway Firebox) is required in
    front of the Management Server.
  • Management Tunnels are only supported for XTM
    devices in Routed Mode.
  • An XTM OS update may be required on remote
    devices due to BUG65928.
  • Remote devices must be configured as dynamic
    devices in WSM.
  • External interface(s) cannot be disabled or
    removed while a Management Tunnel is established.
  • Each remote device in a Management Tunnel uses
    one tunnel route.
  • The gateway Firebox uses one tunnel route for
    each remote device in a Management Tunnel.

90
Centralized Management for XTM Devices Behind NAT
Gateways
  • Management Tunnels enable you to make a
    management connection to your remote XTM devices
    that are behind a third-party NAT gateway device,
    so you can centrally manage your remote XTM
    devices.
  • Each Management Tunnel has the Management Server
    gateway Firebox at one end of the tunnel, and one
    or more remote XTM devices at the other end of
    the tunnel.
  • The configuration options are simplified based on
    the end of the tunnel at which each device is
    located.

91
Centralized Management for XTM Devices Behind NAT
Gateways
  • The Management Network in the previous diagram
    should be defined by a VPN resource for the
    gateway Firebox.
  • For example, if the Management Server is on the
    Optional-1 network behind the gateway Firebox,
    select Optional-1 Network as the VPN resource.
    For other scenarios, you can use a custom VPN
    resource.
  • A remote XTM device's management IP address is a
    virtual IP address that is used to establish the
    Management Tunnel and to connect to the remote
    XTM device. The IP address is used as the
    outward-facing 1-to-1 NAT address for the
    Management Tunnel.

92
Windows 8 and Server 2012 Support
Windows 8
Windows Server 2012 (requires GUI)
93
Services
94
Intrusion Prevention Service (IPS) Scan Modes
  • IPS now includes two scan modes:
  • Full Scan: Scans all packets for policies that
    have IPS enabled. This is the default setting.
  • Fast Scan: Scans fewer packets to increase
    performance. This mode greatly improves the
    throughput for scanned traffic, but does not
    provide the comprehensive coverage of Full Scan
    mode.

95
IPS and Application Control for HTTPS
  • The HTTPS-proxy now performs Application Control
    and Intrusion Prevention Service (IPS) scanning
    for decrypted HTTPS content when deep inspection
    of HTTPS content is enabled.
  • There are no changes to the configuration
    settings for the HTTPS-proxy, Application
    Control, or IPS.
  • Deep inspection of HTTPS content must be
    enabled:
  • For IPS to scan HTTPS content
  • For Application Control to identify applications
    that use HTTPS

96
WebBlocker with Websense Cloud
  • WebBlocker now supports two server options:
  • Websense cloud (new):
  • Uses a cloud-based URL categorization database
    with 125 content categories, provided by Websense
  • Websense cloud does not use a locally installed
    WebBlocker Server
  • URL categorization queries are sent over HTTP
  • WebBlocker Server:
  • Uses a WatchGuard WebBlocker Server with 54
    categories, provided by SurfControl
  • Requires a locally installed WebBlocker Server
  • XTM 2 Series and XTM 33 can use a WebBlocker
    Server hosted by WatchGuard
  • The WebBlocker Server supports the same
    SurfControl content categories as in prior
    releases
  • URL categorization queries are sent over UDP port
    5003

97
WebBlocker with Websense Cloud
  • You identify the WebBlocker server type you want
    to use when you activate WebBlocker.
  • Websense cloud is selected by default.

98
WebBlocker with Websense Cloud
  • The available categories depend on which type of
    server you choose.

Websense cloud: 125 categories
WebBlocker Server: 54 categories
99
WebBlocker with Websense Cloud
  • You can control how the XTM device handles
    traffic that does not match a content category.
  • From the When a URL is uncategorized drop-down
    list, select Allow or Deny.
  • The default setting is Allow.
  • This setting appears in the Category tab when you
    edit a WebBlocker configuration.

100
WebBlocker with Websense Cloud
  • When you upgrade to v11.7, the existing
    WebBlocker configuration is not changed
    automatically.
  • To use Websense cloud, edit the WebBlocker
    configuration and select the Websense cloud
    option.
  • You can choose whether to automatically convert
    your existing category selections.

101
WebBlocker with Websense Cloud Site Lookup
  • To see how Websense categorizes a site, go to
    www.aceinsight.com.
  • In the Site Analysis section, type the URL or IP
    address to look up.
  • Click Analyze.

102
WebBlocker with Websense Cloud Site Lookup
  • On the Search Results page, the security risk for
    the site appears.
  • Click the URL Website Categorization icon at the
    bottom of the page.

103
WebBlocker with Websense Cloud Site Lookup
  • The static category is the category WebBlocker
    uses for this site.

104
WebBlocker with Websense Cloud Send Feedback
  • If you think a site is categorized incorrectly,
    you can send feedback to Websense to request a
    change in the categorization of a site.
  • You can email feedback to suggest@websense.com.
  • In the email, include:
  • The URL of the site
  • From which categories you think the site should
    be removed
  • To which categories you think the site should be
    added

105
THANK YOU!