Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training What’s New in Fireware v

Presentation transcript:


What’s New in Fireware v
- Firebox T70 Support
- Perfect Forward Secrecy (PFS) in SMTP and HTTPS Proxies
- Other Proxy Enhancements
  - HTTPS Proxy — Allow SSL v2 as a non-compliant SSL protocol
  - POP3 Proxy — Examine file names and types stored in compressed archive files
- Non-EKU VPN Certificate Support

What’s New in Fireware v
- Reset AP Devices from the Gateway Wireless Controller
- Remove AP Firmware from your Firebox
- Enhancements to support WatchGuard Wi-Fi Cloud
- Localization Enhancement

Firebox T70 Support
Use WatchGuard System Manager to Administer the Firebox T70

Firebox T70 Support
- WatchGuard System Manager can now manage the Firebox T70 tabletop model
- Fireware v is an OS upgrade for the Firebox T70
  - The Firebox T70 ships with Fireware v installed, which is not publicly available.

Perfect Forward Secrecy
Perfect Forward Secrecy in the SMTP and HTTPS proxies

Perfect Forward Secrecy
- Perfect Forward Secrecy (PFS) cipher settings control the type of TLS ciphers the Firebox negotiates when it acts as client or server for content inspection purposes
  - Fireware supports ephemeral elliptic curve Diffie-Hellman (ECDHE) PFS-capable ciphers for PFS
  - When the proxy uses a PFS-capable cipher, the client and server negotiate a new set of Diffie-Hellman parameters for each session. These parameters are ephemeral and cannot be reused
- PFS is not supported for Firebox T10, T30, T50, XTM 25/26, or XTM 33 devices

Perfect Forward Secrecy
- Fireware v adds support for PFS in:
  - SMTP proxy action > TLS Encryption settings
  - HTTPS proxy action > Content Inspection settings
- PFS options in the SMTP-proxy and HTTPS-proxy actions include:
  - None — The Firebox does not support PFS-capable ciphers in the TLS handshake process
  - Allowed — The Firebox supports both PFS-capable and non-PFS capable ciphers in the TLS handshake process
  - Required — The Firebox only supports PFS-capable ciphers in the TLS handshake process

Perfect Forward Secrecy — SMTP Proxy
- Configure PFS in the TLS Encryption settings
  - Configure PFS for the sender and recipient
  - The PFS settings apply to all channels that use STARTTLS encryption, as specified in the Encryption Rules
- By default, PFS is set to Allowed for both sender and recipient

Perfect Forward Secrecy — HTTPS Proxy
- Configure PFS in the Content Inspection settings
- The same PFS setting applies to both client and server TLS connections
- When set to Allowed, the client does not use a PFS-cipher unless the server also uses one
- PFS is set to Allowed by default
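
The None, Allowed and Required options described above decide which handshakes can succeed, including where they fail. The following is an added example, not WatchGuard code: a simplified model in which the suite list, the peers and the selection rule are constructed assumptions.

```python
# Constructed OpenSSL-style suite names for a hypothetical proxy.
PROXY_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-GCM-SHA384",  # static RSA key exchange: not PFS-capable
    "AES128-SHA",         # static RSA key exchange: not PFS-capable
]

# Constructed peers that the proxy connects to as a TLS client.
PEERS = {
    "ecdhe_only": {"ECDHE-RSA-AES128-GCM-SHA256"},
    "rsa_only": {"AES128-SHA"},
    "mixed": {"ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"},
}


def is_pfs(suite):
    """The slides name ECDHE as the PFS-capable key exchange."""
    return suite.startswith("ECDHE-")


def suites_for_mode(mode, suites=PROXY_SUITES):
    """Suites the proxy is willing to negotiate under a PFS option."""
    if mode == "None":
        return [s for s in suites if not is_pfs(s)]
    if mode == "Allowed":
        return list(suites)
    if mode == "Required":
        return [s for s in suites if is_pfs(s)]
    raise ValueError(f"unknown PFS option: {mode!r}")


def negotiate(offer, peer_supported):
    """Assumed selection rule: first offered suite the peer supports, else None."""
    return next((s for s in offer if s in peer_supported), None)


def outcome_matrix():
    """Map (PFS option, peer) to the negotiated suite, or None on handshake failure."""
    return {
        (mode, peer): negotiate(suites_for_mode(mode), supported)
        for mode in ("None", "Allowed", "Required")
        for peer, supported in PEERS.items()
    }
```

In this model, Required fails against the RSA-only peer and None fails against the ECDHE-only peer, while Allowed connects to all three.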

Proxy Enhancements
Other enhancements to the POP3 and HTTPS Proxies

POP3 Proxy — Examine Compressed Files
- The POP3 proxy now completes actions based on the file names and file types that are included in .ZIP and .GZIP compressed archive files
- For example, a file name extension rule that is configured to strip .EXE files will now also strip .EXE files that are found in a compressed .ZIP file
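
The check described above can be made without extracting the archive, because ZIP directories and gzip headers carry the stored file names. The following is an added example, not the Firebox implementation; the rule set, function names and sample attachments are constructed for illustration.

```python
import gzip
import io
import zipfile

BLOCKED_EXTENSIONS = {".exe"}  # assumed file name extension rule: strip .EXE


def gzip_member_name(data):
    """Return the original file name from a gzip header (RFC 1952), or None."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        return None
    flags, pos = data[3], 10
    if flags & 0x04:  # FEXTRA: 2-byte little-endian length, then that many bytes
        pos += 2 + int.from_bytes(data[pos:pos + 2], "little")
    if not flags & 0x08:  # FNAME flag not set: no stored name
        return None
    end = data.find(b"\x00", pos)  # the name is zero-terminated
    return data[pos:end].decode("latin-1") if end != -1 else None


def archive_member_names(data):
    """List file names inside a ZIP or GZIP attachment without extracting it."""
    if data[:2] == b"\x1f\x8b":
        name = gzip_member_name(data)
        return [name] if name else []
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            return [i.filename for i in zf.infolist() if not i.is_dir()]
    return []


def should_strip(attachment_name, data):
    """True if the attachment or any file inside it matches the extension rule."""
    names = [attachment_name] + archive_member_names(data)
    return any(n.lower().endswith(ext) for n in names for ext in BLOCKED_EXTENSIONS)


def sample_zip(members):
    """Build a constructed in-memory ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"constructed sample content")
    return buf.getvalue()


def sample_gzip(name):
    """Build a constructed in-memory gzip attachment that stores `name`."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=name, mode="wb", fileobj=buf) as gz:
        gz.write(b"constructed sample content")
    return buf.getvalue()
```

This inspects one level only: an archive nested inside another archive is matched by its own name, not by its contents.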

HTTPS Proxy — SSL v2 Support
- Because of security vulnerabilities, SSLv2 is considered a non-compliant SSL protocol in Fireware v and higher
- In Fireware v , the HTTPS proxy allows SSLv2 traffic only when the Allow only SSL compliant traffic check box is not selected and content inspection is not enabled

VPN Certificate Requirements
Support for non-EKU certificates

Support for Non-EKU IPSec VPN Certificates
- Extended key usage (EKU) object ID numbers (OIDs) indicate the allowed uses of an encryption key
- Prior to Fireware v , imported VPN IPSec certificates had to include the EKU OID number
- This requirement was not RFC compliant — RFC 4945 specifies that no special OIDs are necessary for IPSec
- You can now select an IPSec VPN certificate that does not include an EKU identifier

Non-EKU Certificates — UI Changes
- A new Show All Certificates check box appears on these pages:
  - BOVPN Gateway Configuration (Fireware Web UI & WSM)
  - BOVPN VIF Gateway Configuration (Fireware Web UI & WSM)
  - Mobile VPN with L2TP and Mobile VPN with IPSec (Fireware Web UI & WSM)
- To select a certificate that does not contain an EKU, select Show All Certificates (all available certificates appear)
- If you do not select Show All Certificates, only certificates with EKUs appear

Non-EKU Certificates — Fireware Web UI

Non-EKU Certificates — WSM

Reset AP Devices
Reset AP devices to factory-default settings from the Gateway Wireless Controller

Reset AP Device from GWC
- All actions for AP devices are available on the Access Points tab, from the new Actions drop-down list
- From the Gateway Wireless Controller, you can now reset an AP device to factory-default settings

Remove AP Firmware
Remove all AP device firmware from your Firebox with the Gateway Wireless Controller

Remove AP Firmware from Your Firebox
- From the Gateway Wireless Controller, you can now remove all AP firmware from your Firebox

Remove AP Firmware from Your Firebox
- To remove the current AP device firmware on your Firebox, click Manage Firmware
- Click Remove All Firmware
- To download a specific available version of firmware, click Download adjacent to that version

WatchGuard Wi-Fi Cloud
Enhancements to support WatchGuard Wi-Fi Cloud

Enhancements for WatchGuard Wi-Fi Cloud
- Domain names for WatchGuard Wi-Fi Cloud services are now included by default in the HTTP Proxy Exceptions list
- This prevents communications issues with cloud services and the HTTP Proxy when behind a Firebox

Enhancements for WatchGuard Wi-Fi Cloud
- Domain names for WatchGuard Wi-Fi Cloud are now included in the HTTPS Proxy Domain Names list
- This allows access to the domain and bypasses HTTPS content inspection
- This also prevents communication issues with cloud services and the HTTPS Proxy when behind a Firebox

Enhancements for WatchGuard Wi-Fi Cloud
- A new predefined packet filter policy is available for management of AP devices with WatchGuard Wi-Fi Cloud
- The WG-Cloud-Managed-WiFi packet filter policy template defines the required ports (TCP 443 and UDP 3851) and destination domains to allow AP devices to communicate with cloud services

Localization Enhancement

Localization Enhancements
- The v release includes localization of content introduced in the v11.11 release
- Newly localized content appears in:
  - WatchGuard System Manager
  - Fireware Web UI
  - Fireware Help
- Content added after v11.11 might appear in English
- Supported languages:
  - French (FR)
  - Spanish (LA)
  - Japanese

Thank You!
