What

1
Whats New in Fireware XTM v11.3.2
2
New Features in Fireware XTM v11.3.2

• DHCP release and renew functionality in Web UI
  and CLI
• Updated default Body Content Types rule for
  Windows EXE/DLL files
• Updated CLI help text for wireless guest hotspot
• Ability to add an IP address range or subnet to
  the SSO Exceptions list
• Support in Web UI to use a host range or network
  IP address when you add a Tunnel Address as a
  member of a policy
• Ability to edit aliases from within a policy
• Ability to send a log message when an SMTP
  command is denied
• Updated default WebBlocker exception for
  watchguard.com in Policy Manager

3
DHCP Release and Renew in Web UI and CLI

• Two new command options have been added to the
  dhcp command in Interface config mode. These
  options are available if the interface is
  configured to get the IP address through DHCP
• release
• renew
• These options are available in the Web UI on the
  System Status gt Interfaces page
• New CLI command options

3
WatchGuard Training
4
Updated Default Body Content Types Rule

• New pattern 0x4d5a
• This new pattern successfully identifies a much
  larger class of executable Windows files,
  including DOS and OS/2 executables, and non-PE
  and PE Windows executables.
• This change applies only to new configurations
  created in Policy Manager using v11.3.2 or later.
  The existing configuration on your device does
  not change when you upgrade from a previous v11.x
  version.
• To correct the Body Content Types rule in your
  existing configuration, go to the Body Content
  Types category in your HTTP proxy action and edit
  the Windows EXE/DLL rule. (Note that in Policy
  Manager, you must be in Advanced View to edit the
  rule.) Use Pattern Match and for the pattern use
  0x4d5a

4
WatchGuard Training
5
Updated CLI Help Text for Wireless Guest Hotspot

• The CLI help text was updated for wireless guest
  hotspot commands to indicate that the imported
  text file should be UTF-8 encoded. UTF-8 format
  is required to support languages that use
  double-byte character sets. This affects the CLI
  Help for these commands
• wireless guest hotspot welcome-message from
• wireless guest hotspot terms-text from

5
WatchGuard Training
6
Add a Range or Subnet to the SSO Exceptions List

• You can now add a range of IP addresses or a
  subnet to the SSO Exceptions list in Policy
  Manager, the Web UI, and the CLI

Policy Manager
Fireware XTM Web UI
6
WatchGuard Training
7
Add a Range or Subnet to the SSO Exceptions List

• For the CLI, three options were added to the
  auth-setting single-sign-on except-ip command.
  These options allow users to add a host IP
  address, IP address range, or subnet to the SSO
  Exceptions list. Previously, you could only type
  one or more individual IP addresses. New
  parameters
• host
• range
• subnet

7
WatchGuard Training
8
Web UI Flexibility in the Tunnel Address for a
Policy Member

• The Web UI now supports a host range or network
  IP address when you add a Tunnel Address as a
  member of a policy. Options include
• Host IP
• Host Range
• Network IP
• Previously, the Web UI only enabled configuration
  of a single IP address for a Tunnel Address in a
  policy.

8
WatchGuard Training
9
Edit an Alias from a Policy

• In previous releases, to make changes to the
  members of an alias, you had to open the Aliases
  dialog box. You can now select an alias in the
  New Policy Properties or Edit Policy Properties
  dialog boxes, and click Edit to add or delete
  members of the alias.

10
Changes to Proxy Policy Logging Settings

• You can now also send a log message when an SMTP
  command is denied. On the SMTP Proxy Action
  Configuration General Settings page, select the
  Send a log message when an SMTP command is denied
  check box.

11
Updated Default WebBlocker Exception

• Updated the default WebBlocker exception for
  watchguard.com in Policy Manager
• Old .watchguard.com/
• New 0-9a-zA-Z_\-.1,256\.watchguard\.com/
• More closely matches the WatchGuard domain.
• URLs that use www.watchguard.com as a path in the
  URL no longer match this WebBlocker Exception.
  For example, a URL such as www.example.com/www.wat
  chguard.com/index.html no longer matches the
  default WebBlocker exception for WatchGuard.
• Applies only to new configurations created in
  Policy Manager v11.3.2 or later. It does not
  apply to the Web UI. Your existing configuration
  does not change when you upgrade from a previous
  11.x version.
• To correct the WebBlocker Exception in your
  existing configuration From Policy Manager, edit
  your WebBlocker action and go to the Exceptions
  tab. Edit the WatchGuard exception. Change the
  Match Type to Regular Expression and use this
  expression
• 0-9a-zA-Z_\-.1,256\.watchguard\.com/

11
WatchGuard Training
12
Summary
13
Summary

• Fireware XTM v11.3.2 includes many new features
• DHCP release and renew functionality in Web UI
  and CLI
• Updated CLI help text for wireless guest hotspot
• Ability to add an IP address range or subnet to
  the SSO Exceptions list
• Support in Web UI to use a host range or network
  IP address when you add a Tunnel Address as a
  member of a policy
• Edit an alias from within a policy
• Ability to send a log message when an SMTP
  command is denied
• Updated default WebBlocker exception for
  watchguard.com

14
THANK YOU!