Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training What’s New in Fireware v
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training What’s New in v New Features and Enhancements WatchGuard AP300 – AP firmware availability after upgrade – Fast Handover – Band Steering – Fast Roaming – Client Limits for each radio Wireless Scan Interval Wireless Event Alarms View Wireless Client Host Name and IP Address APT Blocker Support for the POP3-proxy Default Firebox Certificate Updates 3G/4G Modem Support – Support for Novatel U620L USB modem Send Log Messages for Reports for Packet Filter Allowed Traffic 2
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training WatchGuard AP300 Features: Concurrent 3x3 MIMO (Multiple Input Multiple Output) capability Dual radios for 2.4GHz and 5GHz ac capability on 5GHz, including 20/40/80MHz channel widths Auto channel selects more diverse channels on the 2.4GHz band 3
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training WatchGuard AP300 Requires Fireware OS v or higher AP300 Firmware version — LED indicator behavior changes (different than AP100, AP102, AP200): Power and wireless indicators alternately flash green — AP device is powered on and ready to be paired Power indicator slowly flashes green — A firmware upgrade is in progress 4
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training AP Firmware Availability after Upgrade If you upgrade your Firebox to Fireware OS v from v or lower, the Firebox will not have the current AP firmware installed and available for all AP device models Starting in v , AP device firmware is installed in a different partition on the Firebox because of increasing firmware image sizes Because of this change, when you upgrade to Fireware v , you must run the upgrade process twice to correctly install the latest AP firmware on your Firebox. AP device firmware is also not available after a factory reset of a Firebox. If you reset your Firebox, you must use the process to upgrade your Firebox to Fireware v again. 5
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training Fast Handover Encourages wireless clients that are roaming between WatchGuard AP devices to disconnect from their current AP devices and connect to an AP device with a stronger signal Prevents wireless clients from maintaining their current AP device connection, even when the signal degrades as the wireless client moves farther away Uses the RSSI (Received Signal Strength Indicator) as a threshold to indicate when a client should be encouraged to move to an AP device with a stronger RSSI level 6
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training Fast Handover is only supported on WatchGuard AP300 devices Configured on the general Access Point Settings tab Disabled by default Fast Handover 7
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training Fast Handover Wireless clients can have very different RSSI strengths depending on the manufacturer; you must set your RSSI threshold accordingly Fast Handover will disconnect a client when RSSI threshold is reached Check your environment to make sure APs are in range for handover based on your thresholds We recommend that you only enable Fast Handover for AP devices in high-traffic density areas Do not enable Fast Handover on adjacent AP devices that also have the Band Steering feature enabled Clients steered to the 5GHz band might have a drop in RSSI strength that can result in disconnections because of the Fast Handover RSSI threshold 8
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training Band Steering Encourages dual-band clients to move from 2.4GHz to 5GHz Helps reduce congestion on the more widely-used 2.4GHz radio spectrum Configured on the Access Point Settings tab Disabled by default 9
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training Band Steering Only supported on WatchGuard AP300 devices The same SSID and security mode must be configured on both 2.4GHz and 5GHz radios to enable wireless clients to switch frequency bands Do not enable if the Fast Handover feature is enabled: Switching to the 5GHz band can result in a loss of RSSI strength for the client Disconnections because of the Fast Handover RSSI threshold can occur 10
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training Band Steering Band Steering is usually not required in an environment where most wireless devices are newer devices that are already optimized to choose the 5GHz band In some cases, Band Steering can cause connectivity issues with older, legacy wireless clients that only support 2.4GHz For these devices, we recommend that you disable Band Steering or have clients manually connect to the SSID 11
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training Fast Roaming Fast Roaming enables a wireless client to quickly handover wireless communications as it moves from one WatchGuard AP device to another Helps provide a seamless communications transition and improves performance and stability of streaming-intensive applications such as VoIP and video streaming as you roam Fast Roaming works by decreasing the re-authentication time for WPA2-Enterprise authentication for a wireless client on an SSID 12
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training Fast Roaming Configured in the security settings for an SSID Only supported on WatchGuard AP300 devices Disabled by default Can only be enabled for WPA/WPA2 Enterprise mixed or WPA2-Enterprise protected SSIDs Wireless client must support the k and r standards 13
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training Client Limits Per Radio Limit the number of concurrently-connected client devices for a specific radio on AP300 devices Applied as a global limit for all configured SSIDs on a radio Default is unlimited You can specify a limit from 1 to
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training Wireless Scan Interval Configure the interval for automatic wireless scans for Wireless Deployment Maps and Rogue Access Point detection Default is 1 hour Increase the automatic scan interval to reduce wireless traffic and resource usage from scanning the wireless network 15
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training Wireless Event Alarms Enable alarms to notify you when these wireless events occur: An AP device goes offline – Causes include: network disruption, power loss, and firmware upgrades A rogue AP is detected Configure notifications for alarms on the Notifications tab 16
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training View Wireless Client Hostname & IP Address On the Dashboard > Gateway Wireless Controller > Wireless Clients page, if the clients connected to your AP device use the Firebox as a DHCP server, you can see the Hostname and IP Address of the wireless clients connected to your AP device 17
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training View Wireless Client Hostname & IP Address To see more information about a wireless client, click the IP address to view the client in FireWatch or Traffic Monitor 18
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training View Wireless Client Hostname & IP Address If your Firebox is a wireless model, on the System Status > Wireless Statistics page, if the clients connected to your wireless Firebox use the Firebox as a DHCP server, you can see the Hostname and IP Address of the wireless clients connected to your Firebox 19
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training Other Wireless Enhancements Automatic AP device firmware upgrades now occur from 00:00 (midnight) to 04:00 based on the local time of the Firebox You can manually upgrade an AP device at any time Default 2.4Ghz mode is now g/n TKIP-only mode support has been removed from the SSID security settings TKIP is still available in mixed TKIP or AES mode Hotspot guest account authentication is now performed over HTTP to prevent web browser HTTPS certificate warnings 20
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training APT Blocker Support for the POP3-proxy You can now enable APT Blocker for a POP3-proxy policy Before you can enable APT Blocker for the POP3-proxy, you must enable Gateway AntiVirus on your Firebox The Drop, Block, and Quarantine actions strip the attachment before the message is delivered 21
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training Default Firebox Certificate Upgrades SHA-1 is being deprecated by many popular web browsers, and WatchGuard recommends that you now use SHA-256 certificates New certificate signing requests (CSR) now use SHA-256 as the default signature hash algorithm Newly generated default Firebox certificates use the SHA-256 algorithm with a 2048-bit key length Default certificates are not automatically upgraded after you install Fireware v To upgrade and regenerate any default Firebox certificate to use SHA-256 and a 2048-bit key length, delete the certificate and reboot the Firebox You can also use the CLI to manually upgrade specific certificates 22
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training Default Firebox Certificate Upgrades The Proxy Server certificate is used for inbound HTTPS with content inspection and SMTP with TLS inspection. The Proxy Authority certificate is used for outbound HTTPS with content inspection. The two certificates are linked because the default Proxy Server certificate is signed by the default Proxy Authority certificate. You can upgrade the default Proxy Authority and Proxy Server certificates with the Fireware CLI. After you upgrade, you must redistribute the new Proxy Authority certificate to your clients. Without the new certificate, users will receive web browser warnings when they browse HTTPS sites, if content inspection is enabled. There are special considerations if you use a third-party Proxy Server certificate: – The CLI command will not work unless you first delete the Proxy Authority certificate. The CLI command will regenerate both the Proxy Server and Proxy Authority default certificates. – If you originally used a third-party tool to create the CSR, you can simply re- import your existing third-party certificate and private key. – If you originally created your CSR from the Firebox, you must create a new CSR to be signed, and then import a new third-party certificate. 23
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training Default Firebox Certificate Upgrades To upgrade the default Proxy Authority and Proxy Server certificates for use with HTTPS content inspection, you can use the CLI command: upgrade certificate proxy To upgrade the Firebox web server certificate, use the CLI command: upgrade certificate web To upgrade the SSLVPN certificate, use the CLI command: upgrade certificate sslvpn To upgrade the 802.1x certificate, use the CLI command: upgrade certificate 8021x 24
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training 3G/4G Modem Support New 3G/4G USB modem supported for modem failover Modem — Novatel U620L modem Carrier — Verizon 25
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training Log Messages for Reports For traffic that is allowed through Packet Filter policies, you can now enable the Firebox to send log messages that are only used in reports These log messages do not appear in Traffic Monitor or Log Manager To see log messages in Traffic Monitor or Log Manager from a Firebox that runs Fireware OS v or higher, you must also select the Send a log message check box 26
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training Send Log Messages for Reports To enable your Firebox to send log messages that are included in reports: 1. Add or edit a packet filter policy 2. Select Logging > Send log message for reports 27
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training Thank You! 28