What’s New in Fireware v11.12

What’s New in Fireware v11.12
- Geolocation subscription service
- New BOVPN virtual interface that supports non-GRE IPSec tunnels to Microsoft Azure and Cisco VTI
- Threat Detection and Response subscription service (Beta)
- IPv6 support in proxy policies and subscription services
- Setup wizards enable services and proxies by default
- AP device enhancements

What’s New in Fireware v11.12
- DHCP support for Active/Passive FireClusters
- X-Forwarded detail in proxy headers shows client IP addresses in log messages
- Use a domain name to specify a URL for external hotspot authentication
- Specify resources that guest wireless users can access without authentication
- Mobile VPN with SSL enhancements
- ConnectWise integration

What’s New in Fireware v11.12
Other enhancements:
- Support for the Huawei E3372 modem variant with a different product ID
- Proxy connection statistics
- WebBlocker proxy server support
- APT Blocker file size increase
- BOVPN pre-shared key length increase
- Active Directory Server Settings UI updates
- FQDN support for Log Server addresses
- Change to auto-blocked sites list functionality

Geolocation
Block traffic based on geographic location

Geolocation
Geolocation is a subscription service that enables the Firebox to block connections to or from specified geographic locations.
- Geolocation is licensed through Reputation Enabled Defense (RED): if the Firebox feature key has the RED subscription service enabled, Geolocation is available
- Geolocation information is available on the Geolocation dashboard in Fireware Web UI and in log messages
- No countries are blocked by default; Geolocation blocks nothing until you select countries to block

Geolocation
In Fireware Web UI or Policy Manager, select Subscription Services > Geolocation. Select countries to block:
- Map: select countries on a map
- Country List: select countries from a list
- Exceptions: specify sites to never block

Geolocation — Map
On the Map tab, select countries to block:
- Lock or unlock the map
- Click a country to block new connections to or from that country

Geolocation — Country List
On the Country List tab, select countries to block:
- Expand or collapse continents in the list
- Select which countries to block
- Click Select All to select all countries on a continent

Geolocation — Exceptions
On the Exceptions tab, specify sites to never block based on geographic location:
- IPv4 host, network, or address range
- IPv6 host, network, or address range
- Fully qualified domain name (FQDN)

Geolocation — Update Server
Update Server settings control updates to the Geolocation database. Automatic updates are enabled by default.

Geolocation — Dashboard
The Geolocation Dashboard in Fireware Web UI shows allowed connections by country. This Dashboard page does not show blocked connections; blocked connections appear in the log messages.

Geolocation Dashboard
The Map tab visually represents the source and destination locations of connections allowed through the Firebox. Country color indicates the number of connections:
- Dark green: highest
- Light green: lower
- Yellow: lowest
Filter connections by: All Connections, Source Country, or Destination Country.

Geolocation Dashboard
The Country List tab shows connection details by country:
- Ranked lists show the top countries by number of hits
- Click a country name to see a list of connections

Geolocation Dashboard
Look up the country associated with an IP address.

Geolocation Activity
- Fireware Web UI: Dashboard > Subscription Services
- Firebox System Manager: Subscription Services tab

New Virtual Interface for BOVPNs
BOVPN virtual interface support for non-GRE IPSec tunnels to Microsoft Azure and Cisco VTI endpoints

New Virtual Interface for BOVPNs
A BOVPN virtual interface now supports IPSec tunnels to third-party endpoints without GRE. Microsoft Azure and Cisco Virtual Tunnel Interface (VTI) gateway endpoints are supported.
In the BOVPN Virtual Interface configuration, there is a new Remote Endpoint Type setting:
- Firebox: select this option for a connection to another Firebox or another gateway endpoint that supports GRE over IPSec
- Cloud VPN or Third-Party Gateway: select this option for a connection to a Microsoft Azure or Cisco VTI endpoint. This establishes an IPSec VPN tunnel without GRE

New Virtual Interface for BOVPNs
- The new WatchGuard BOVPN virtual interface supports OSPF and BGP
- To configure dynamic routing with BGP to Microsoft Azure, you must use Microsoft PowerShell
- Microsoft Azure does not support OSPF
- Cisco VTI supports OSPF and BGP

New Virtual Interface for BOVPNs
To configure a BOVPN virtual interface to a Microsoft Azure VPN gateway using static routing:
1. Configure the Azure virtual network
2. In your Firebox configuration, set the Remote Endpoint Type to Cloud VPN or Third-Party Gateway
3. Add a VPN route to the Azure virtual network
4. Configure the BOVPN virtual interface to use IKEv2; Azure requires IKEv2

New Virtual Interface for BOVPNs
To configure a BOVPN virtual interface to a Microsoft Azure VPN gateway using BGP dynamic routing:
1. Configure the Azure virtual network
2. In your Firebox configuration, set the Remote Endpoint Type to Cloud VPN or Third-Party Gateway
3. Configure the BOVPN virtual interface to use IKEv2; Azure requires IKEv2
4. Add a virtual IP address for the Firebox
5. Add a virtual IP address for the Azure gateway. Do not use a netmask
6. Specify the BGP commands on the Firebox
7. Specify the PowerShell commands on your Azure network

New Virtual Interface for BOVPNs
To configure a BOVPN virtual interface to a Cisco VTI endpoint with static routing:
1. Configure the Cisco device
2. In your Firebox configuration, set the Remote Endpoint Type to Cloud VPN or Third-Party Gateway
3. Configure the BOVPN virtual interface to use either IKEv1 or IKEv2; Cisco supports both options
4. Add a route to the Cisco device

New Virtual Interface for BOVPNs
To configure a BOVPN virtual interface to a Cisco VTI endpoint with dynamic routing (OSPF or BGP):
1. Configure the Cisco device
2. In your Firebox configuration, set the Remote Endpoint Type to Cloud VPN or Third-Party Gateway
3. Select Assign virtual interface IP addresses and type the required IP addresses
4. Enable OSPF or BGP on your Firebox, with the required OSPF or BGP commands

Threat Detection and Response
Extend WatchGuard’s network security to monitor and protect the endpoint

Threat Detection and Response (TDR)
Threat Detection and Response (TDR) is a new cloud-based subscription service that analyzes and responds to security events reported by the Firebox and network endpoints.
- Public Beta starts November 14th, 2016
- Open to all, including those without Total Security Suite
- Supported on Firebox models and XTMv models only
- Requires Fireware v11.12 or higher
- Threat Detection and Response is part of the Total Security Suite or available as a separate security subscription
- Threat Detection and Response enables immediate action against new or hidden threats by correlating network and endpoint security events into a scored ranking

Threat Detection and Response (TDR)
Threat Detection and Response collects, analyzes, and correlates threat indicators reported by Fireboxes and hosts:
- Fireboxes report denied, blocked, and dropped connections
- Host Sensors use heuristics and behavioral analysis to report changes to files, processes, registry entries, and host configuration settings
- ThreatSync correlates threat intelligence, a cloud-based malware verification service, and the Host Sensor heuristics and behavior analyses to evaluate and score reported indicators and incidents
- Indicators are events reported by Host Sensors and Fireboxes
- Incidents are groups of related indicators; the incident threat score is based on the threat scores of its indicators

Threat Detection and Response (TDR)
- Enable Threat Detection and Response on the Firebox
- Log in to the Threat Detection and Response cloud to manage Host Sensors, threats, remediations, policies, and exclusions

IPv6 support in proxy policies and services

IPv6 Support — Proxy Policies
Added support for IPv6 addresses in proxy policies:

Feature                                                        | Fireware v11.11.x | Fireware v11.12
Packet filter policies (all)                                   | Supported         | Supported
Proxy policies: DNS-proxy, Explicit-proxy, FTP-proxy, HTTP-proxy, HTTPS-proxy, POP3-proxy, SMTP-proxy, TCP-UDP-proxy | Not supported | Supported
Application Layer Gateways: SIP-ALG, H323-ALG                  | Not supported     | Not supported

IPv6 Support — Proxy Policies
You can now specify an IPv6 address as the source or destination in a proxy policy:
- Host IPv6
- Network IPv6
- Host Range IPv6

IPv6 Support — Subscription Services
Added IPv6 support in Subscription Services:

Feature                      | Fireware v11.11.x | Fireware v11.12
Application Control          | Not supported     | Supported
Intrusion Prevention Service | Not supported     | Supported
WebBlocker                   | Not supported     | Supported
Gateway AntiVirus            | Not supported     | Supported
APT Blocker                  | Not supported     | Supported
spamBlocker                  | Not supported     | Supported
Data Loss Prevention         | Not supported     | Supported
Reputation Enabled Defense*  | Not supported     | Supported

* If a client sends an HTTP request directly to an IPv6 address (instead of a host name), Reputation Enabled Defense does not send the IPv6 address to the server for classification.

IPv6 Support — Subscription Services
Many WatchGuard partners have not yet implemented IPv6 in their cloud infrastructure. The subscription services that connect to an external service for scoring therefore still need an IPv4 path, so you must configure the external interface with both an IPv4 address and an IPv6 address for these services:
- WebBlocker
- APT Blocker
- spamBlocker

Setup Wizards Enable Proxies and Services
Setup wizards enable proxy policies and most licensed subscription services by default

Setup Wizards Enable Proxies and Services
The setup wizards now configure policies and enable most Subscription Services to provide better security by default. The setup wizards:
- Configure FTP-proxy, HTTP-proxy, and HTTPS-proxy policies
- Configure DNS and Outgoing packet-filter policies
- Enable licensed security services: Application Control, Gateway AntiVirus, WebBlocker, Intrusion Prevention Service, Reputation Enabled Defense, Botnet Detection, Geolocation, APT Blocker
- Recommend WebBlocker categories to block
The new default configuration provides better security with less manual configuration.

Setup Wizards Enable Proxies and Services
Changes to default policies created by the Web Setup Wizard and Quick Setup Wizard in Fireware OS v11.12:
- No FTP packet filter policy
- New FTP-proxy, HTTP-proxy, HTTPS-proxy, and DNS policies

Default policies in Fireware v11.11.x and lower | Default policies in Fireware v11.12
FTP                                             | FTP-proxy
                                                | HTTP-proxy
                                                | HTTPS-proxy
WatchGuard Web UI                               | WatchGuard Web UI
Ping                                            | Ping
                                                | DNS
WatchGuard                                      | WatchGuard
Outgoing                                        | Outgoing

Setup Wizards Enable Proxies and Services
In the Web Setup Wizard, the Subscription Services step shows your Subscription Services, which will be enabled in your Firebox configuration when the wizard completes.

Setup Wizards Enable Proxies and Services
In the Web Setup Wizard, the WebBlocker Settings step recommends the WebBlocker categories to block.

Setup Wizards Enable Proxies and Services
The Summary page shows which Subscription Services are enabled.
If the Firebox has a static external IP address and you do not configure a DNS server, Botnet Detection is enabled, but Reputation Enabled Defense is not enabled.

Setup Wizards Enable Proxies and Services
The WatchGuard Quick Setup Wizard also has two new steps:
- The Subscription Services step appears only if you add a feature key that includes licensed Subscription Services
- The WebBlocker Settings step appears only if you add a feature key that includes a WebBlocker license

Setup Wizards Enable Proxies and Services
Both setup wizards configure the same default policies. The setup wizards always create these policies; if Subscription Services are not licensed, the policies are created without the services enabled.

Setup Wizards Enable Proxies and Services
WebBlocker default configuration:
- Enabled in the HTTP-proxy and HTTPS-proxy policies
- The Default-WebBlocker action blocks the categories you selected

Setup Wizards Enable Proxies and Services
If the Firebox cannot connect to the WebBlocker Server, the Default-WebBlocker action:
- Allows the connection
- Sends an alarm
- Creates a log message
If the WebBlocker license expires, the Default-WebBlocker action allows access to all sites.
In both cases WebBlocker fails open; change the action if your policy requires filtering to fail closed.

Setup Wizards Enable Proxies and Services
Gateway AntiVirus is enabled in the FTP-proxy and HTTP-proxy policies.
In the HTTP-proxy action, HTTP Request > URL Paths: AV Scan all content

Setup Wizards Enable Proxies and Services
In the HTTP-proxy action, HTTP Response > Content Types: AV Scan all content

Setup Wizards Enable Proxies and Services
HTTP Response > Body Content Types:
- Deny executable and compressed archive file types
- AV Scan other body content types

Setup Wizards Enable Proxies and Services
AntiVirus:
- Drop the connection if a virus is detected
- Allow the connection if a scan error occurs

Setup Wizards Enable Proxies and Services
Gateway AntiVirus in the FTP-proxy, Download and Upload: AV Scan all files

Setup Wizards Enable Proxies and Services
AntiVirus in the HTTP and FTP proxy actions:
- Drop the connection if a virus is detected
- Allow the connection if a scan error occurs (scanning fails open; files that could not be scanned, for example because they exceed the scan size limit, pass through)

Setup Wizards Enable Proxies and Services
Intrusion Prevention Service is enabled in all policies, except the WatchGuard and WatchGuard Web UI policies.
IPS settings: Fast Scan. Threat level actions:
- Critical, High: Drop, Alarm, Log
- Medium: Drop, Log
- Low: Allow, Log
- Information: Allow

Setup Wizards Enable Proxies and Services
Application Control is enabled in all policies, except the WatchGuard and WatchGuard Web UI policies. The Global action blocks:
- Application: Crypto Admin
- Application Category: Bypass Proxies and Tunnels

Setup Wizards Enable Proxies and Services
APT Blocker is enabled in the HTTP-proxy and FTP-proxy. Threat actions:
- High: Block, Alarm, Log
- Medium: Drop, Alarm, Log
- Low: Drop, Alarm, Log
- Clean: Allow

Setup Wizards Enable Proxies and Services
Reputation Enabled Defense is enabled in the HTTP-proxy:
- Immediately blocks URLs that have a bad reputation
- Alarm and Log are enabled
- Does not bypass virus scanning for URLs with a good reputation

Setup Wizards Enable Proxies and Services
Botnet Detection is also enabled if the Firebox feature key has Reputation Enabled Defense (RED) enabled.

Setup Wizards Enable Proxies and Services
Geolocation is also enabled if the Firebox feature key has Reputation Enabled Defense (RED) enabled.

Setup Wizards Enable Proxies and Services
New proxy actions are used by the default proxy policies:
- Default-FTP-Client: based on FTP-Client.Standard; Gateway AntiVirus is enabled
- Default-HTTP-Client: based on HTTP-Client.Standard; WebBlocker, Gateway AntiVirus, RED, and APT Blocker are enabled
- Default-HTTPS-Client: based on HTTPS-Client.Standard; WebBlocker is enabled, Content Inspection is not enabled
These proxy actions are editable.

Setup Wizards Enable Proxies and Services
The setup wizards enable logging for reports:
- For the Ping, DNS, and Outgoing policies, logging is enabled at the policy level: Send a log message and Send a log message for reports are enabled
- For the FTP-proxy, HTTP-proxy, and HTTPS-proxy policies, logging is enabled in the associated proxy action: Enable logging for reports is enabled in the Default-FTP-Client, Default-HTTP-Client, and Default-HTTPS-Client proxy actions

Setup Wizards Enable Proxies and Services
The setup wizards enable logging of performance statistics:
- External interface and VPN bandwidth statistics
- Security Services statistics
These log messages enable richer Dimension reporting.

AP Device Enhancements

AP Device Enhancements
New and enhanced features for AP devices include:
- AP device wireless automatic channel allocation
- AP device wireless deployment over-the-air
- Remote AP device deployment with Mobile VPN with SSL

Wireless Automatic Channel Allocation
The channels used by AP devices can be automatically selected and allocated for optimal wireless channel selection across your deployment.
- Channels are scanned and selected during the Wireless Scan Interval configured in the Gateway Wireless Controller settings (default is every hour)
- Works with all AP device models
- The Preferred Channel for an AP must be set to Auto to use the new auto channel selection

Preferred Channel Settings
For manual channel selection, the Preferred Channel list now displays all channels. Click View Available Channels to see the channels available to you based on your region and wireless configuration.
Note: the Extension channel configuration is removed (set to lower channel only).

AP Device Wireless Deployment
Deploy AP300 devices over-the-air without physical cables.
- When the network cable is disconnected, the AP device switches to client mode and associates to the nearest wired AP300 device
- A client mode AP device deployed wirelessly broadcasts any configured SSIDs on the 2.4GHz radio only
- The 5GHz radio is only used for the extender link; any SSIDs configured on the 5GHz radio are not broadcast by an AP wirelessly deployed in client mode

AP Device Wireless Deployment
- Supported for AP300 devices only
- AP devices must be initially deployed (paired or auto-deployed) with a cable before the AP device can be deployed over-the-air
- A wired AP device must be in range for the AP device to be able to connect in client mode and deploy over-the-air
- Wireless deployment uses the 5GHz band radio for the extender link for AP client mode connections. You must have fewer than the maximum 8 SSIDs configured on the 5GHz radio for this to work
- If you reconnect a network cable, the client mode AP device reverts to normal operation and disconnects from the wired host AP device

AP Device Wireless Deployment
To enable, select Network > Gateway Wireless Controller > Settings, then select Enable deployment over wireless.

Remote AP Device Deployment
You can now deploy your AP devices in remote locations with Mobile VPN with SSL. Available for only these AP device models:
- AP100
- AP102
- AP200
- AP300

Remote AP Device Deployment
Remote AP device deployment uses Mobile VPN with SSL on the Firebox.
- You must create a user account and VPN profile on the Firebox for a remotely deployed AP device
- The VPN tunnel carries the Gateway Wireless Controller management traffic used to manage the remote AP device
- Telecommuter mode can be enabled for each SSID; traffic for an SSID with telecommuter mode enabled is bridged over the VPN to the Firebox

Remote AP Device Deployment
To configure your Firebox for remote AP device deployment:
- In your Firebox configuration, enable Mobile VPN with SSL
- To use Telecommuter mode, the VPN must be configured for Bridge VPN traffic instead of Routed VPN traffic

Remote AP Device Deployment
- Create a user account to use for the AP devices (these can be separate for each AP device or a shared account)
- Make sure the account belongs to the SSLVPN-Users authentication group

Remote AP Device Deployment
Download the Mobile VPN with SSL client profile from https://<Firebox address>

Remote AP Device Deployment
1. Connect to the AP device web UI
2. Select Enable VPN
3. Click Browse to select the Mobile VPN profile you downloaded
4. Type the VPN username and password

Remote AP Device Deployment
For telecommuter mode, enable the feature in the Gateway Wireless Controller SSID configuration.

DHCP Support for FireCluster
Enable an Active/Passive FireCluster that supports external addresses configured for DHCP

DHCP Support for FireCluster
- If your external interface uses DHCP, you can now enable an Active/Passive FireCluster
- Active/Active FireCluster is not supported when the external interface uses DHCP
- From the Networking/Interface page, add a custom DHCP Option

DHCP Support for FireCluster
FireCluster Setup Wizard

DHCP Support for FireCluster
FireCluster Manual Configuration

Mobile VPN with SSL Enhancements
Updates to Mobile VPN with SSL authentication policies and the Authentication Portal

Mobile VPN with SSL Enhancements
- In Fireware OS v11.11.4 and lower, a WatchGuard Authentication policy was automatically added to your configuration file when you enabled Mobile VPN with SSL. This policy allowed traffic over port 4100 and included the alias Any-External in the policy From list, so the Authentication Portal on port 4100 was reachable from external networks
- In Fireware OS v11.12, when you enable Mobile VPN with SSL, a WatchGuard Authentication policy that allows traffic over port 4100 is no longer created

Mobile VPN with SSL Enhancements
- After you upgrade your Firebox to Fireware OS v11.12, if your configuration file includes a WatchGuard Authentication policy, the alias Any-External is automatically removed
- If you upgrade with Policy Manager, you must manually reload the configuration from the Firebox after the upgrade completes, to avoid adding the alias back with a subsequent configuration save (Policy Manager is an offline configuration tool)
- IMPORTANT: the alias Any-External is automatically removed from the WatchGuard Authentication policy even if you manually added the alias, and regardless of whether Mobile VPN with SSL is enabled

Mobile VPN with SSL Enhancements
The Mobile VPN with SSL authentication and software download pages are no longer accessible at port 4100. Use these port 443 URLs, or specify a custom port:
- Port 443: https://<Firebox-IP-address> or https://<Firebox-IP-address>/sslvpn.html
- Custom port: https://<Firebox-IP-address>:<port> or https://<Firebox-IP-address>:<port>/sslvpn.html

Mobile VPN with SSL Enhancements
- In Fireware OS v11.11.4 and lower, when you enable Mobile VPN with SSL, all user authentication methods appear in the Authentication Portal Domain drop-down list at https://<Firebox-IP-address>
- In Fireware OS v11.12, when Mobile VPN with SSL is enabled on your Firebox and you connect to the Authentication Portal at https://<Firebox-IP-address>, you only see the authentication servers that you have configured on your Firebox for Mobile VPN with SSL

Mobile VPN with SSL Enhancements
For example, if the only authentication server specified in your Mobile VPN with SSL settings is Firebox-DB, the Domain drop-down list does not appear in the Authentication Portal.

See X-Forwarded Details in Proxy Headers
X-Forwarded information from the proxy header includes the IP addresses of clients behind a proxy policy

See X-Forwarded Details in Proxy Headers
Log messages and Dimension reports can now show the IP addresses of clients behind proxy policies.
When a proxy server (for example, Squid, WebMarshal, or WatchGuard XCS) forwards client requests through the Firebox, the Firebox now logs both the IP address of the proxy server (src_ip) and the client IP address taken from the X-Forwarded-For header, which appears in the log message in the ori_src detail.

See X-Forwarded Details in Proxy Headers
Example log messages that show the ori_src detail:

<ProxyMatch d="2016-09-02T10:54:35" orig="gary_xtmv" cname="" proc_id="http-proxy" pri="6" rc="594" seq="276" disp="Deny" msg_id="1AFF-0028" src_intf="1-Trusted" dst_intf="0-External" policy="HTTP-proxy-00" src_ip="10.0.1.2" dst_ip="100.100.100.3" src_port="41208" dst_port="80" pr="http/tcp" msg="ProxyDrop: HTTP Virus found" proxy_act="HTTP-Client.Standard.1" ori_src="1.1.1.1" virus="Object tmp/scan_03.UTvg4d detected as PUP (Potentially Unwanted Program)" host="100.100.100.3" path="/ss/0db44a8f3bffa0488793e15e1076efcc7b6d77f5bc436ffe6bf6f65cfb5e20a9" log_type="tr"/>

<ProxyHTTPReq d="2016-09-02T10:54:35" orig="gary_xtmv" cname="" proc_id="http-proxy" pri="6" rc="525" seq="277" disp="Allow" msg_id="1AFF-0024" src_intf="1-Trusted" dst_intf="0-External" policy="HTTP-proxy-00" src_ip="10.0.1.2" dst_ip="100.100.100.3" src_port="41208" dst_port="80" pr="http/tcp" msg="HTTP request" proxy_act="HTTP-Client.Standard.1" ori_src="1.1.1.1" op="GET" dstname="100.100.100.3" arg="/ss/0db44a8f3bffa0488793e15e1076efcc7b6d77f5bc436ffe6bf6f65cfb5e20a9" sent_bytes="233" rcvd_bytes="2406296" elapsed_time="0.026119 sec(s)" reputation="-1" reason="262184" action="drop" log_type="tr"/>

See X-Forwarded Details in Proxy Headers
- When you review log messages and reports, instead of the IP address of the proxy server, you now see the real IP address of the client where the traffic originated
- The ori_src value is whatever the upstream proxy placed in the X-Forwarded-For header; trust it only for proxy servers you control, because a client can send its own X-Forwarded-For header if the proxy does not overwrite it
- Available in reports only with Dimension v2.1.1 and higher
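Added example, not WatchGuard code: a small Python script that parses the key="value" attributes of proxy log messages like the ones above and attributes each request to the ori_src client only when the message came from a proxy server you trust and the forwarded value parses as an IP address. The sample log lines, the host name gary_xtmv and the trusted proxy addresses are constructed for this example.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Set

# Constructed sample messages in the key="value" attribute format shown
# above; addresses and the Firebox name are made up for this example.
SAMPLE_LOGS = [
    # Request relayed by the proxy server 10.0.1.2; the X-Forwarded-For
    # value surfaces as ori_src.
    '<ProxyMatch d="2016-09-02T10:54:35" orig="gary_xtmv" proc_id="http-proxy" '
    'disp="Deny" msg_id="1AFF-0028" policy="HTTP-proxy-00" src_ip="10.0.1.2" '
    'dst_ip="100.100.100.3" src_port="41208" dst_port="80" pr="http/tcp" '
    'msg="ProxyDrop: HTTP Virus found" ori_src="1.1.1.1" log_type="tr"/>',
    # Client that reached the Firebox directly: no ori_src attribute.
    '<ProxyHTTPReq d="2016-09-02T10:55:01" orig="gary_xtmv" proc_id="http-proxy" '
    'disp="Allow" msg_id="1AFF-0024" policy="HTTP-proxy-00" src_ip="10.0.1.7" '
    'dst_ip="100.100.100.3" src_port="50110" dst_port="80" pr="http/tcp" '
    'msg="HTTP request" log_type="tr"/>',
    # Trusted proxy, but the forwarded value is not an IP address: the
    # header is client-supplied unless the proxy rewrites it, so fall back.
    '<ProxyHTTPReq d="2016-09-02T10:55:09" orig="gary_xtmv" proc_id="http-proxy" '
    'disp="Allow" msg_id="1AFF-0024" policy="HTTP-proxy-00" src_ip="10.0.1.9" '
    'dst_ip="100.100.100.3" src_port="50222" dst_port="80" pr="http/tcp" '
    'msg="HTTP request" ori_src="not-an-ip" log_type="tr"/>',
    # Untrusted source that sends its own X-Forwarded-For header: ignore it.
    '<ProxyHTTPReq d="2016-09-02T10:55:20" orig="gary_xtmv" proc_id="http-proxy" '
    'disp="Allow" msg_id="1AFF-0024" policy="HTTP-proxy-00" src_ip="10.0.1.44" '
    'dst_ip="100.100.100.3" src_port="50333" dst_port="80" pr="http/tcp" '
    'msg="HTTP request" ori_src="203.0.113.250" log_type="tr"/>',
]

# Assumption for the example: only these internal proxy servers are
# allowed to assert a forwarded client address.
TRUSTED_PROXIES: Set[str] = {"10.0.1.2", "10.0.1.9"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_fields(line: str) -> Dict[str, str]:
    """Split one Fireware log message into its key="value" attributes."""
    return dict(FIELD_RE.findall(line))


def true_client(fields: Dict[str, str], trusted_proxies: Set[str]) -> str:
    """Address to attribute the request to: ori_src when the message came
    from a trusted proxy and the value parses as an IP address, else src_ip."""
    src = fields.get("src_ip", "")
    forwarded = fields.get("ori_src")
    if not forwarded or src not in trusted_proxies:
        return src
    try:
        ipaddress.ip_address(forwarded)
    except ValueError:
        return src
    return forwarded


def attribute_clients(lines: Iterable[str], trusted_proxies: Set[str]) -> List[Dict[str, str]]:
    """One record per message: the address the Firebox saw and the real client."""
    records = []
    for line in lines:
        f = parse_fields(line)
        records.append({
            "time": f.get("d", ""),
            "seen_src": f.get("src_ip", ""),
            "client": true_client(f, trusted_proxies),
            "disp": f.get("disp", ""),
            "msg": f.get("msg", ""),
        })
    return records


if __name__ == "__main__":
    for r in attribute_clients(SAMPLE_LOGS, TRUSTED_PROXIES):
        print(f'{r["time"]} {r["disp"]:5} client={r["client"]:15} via={r["seen_src"]:10} {r["msg"]}')
```

The trusted-proxy check is the important part: without it, any host that can reach the HTTP-proxy could pick the address that shows up in your reports.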

External Hotspot Authentication URL
Use a domain name to specify an authentication server

External Hotspot Authentication URL
When you set up external guest authentication for a wireless hotspot, you must specify the URL of an authentication server. In Fireware v11.12, you can now specify a domain name for the authentication server URL.

Wireless Authentication Exceptions
Allow wireless guests to access select network resources without authenticating

Wireless Authentication Exceptions
The hotspot configuration now includes an Authentication Exception list, where you can specify the resources that guest wireless users can use without authentication. The Authentication Exception list can include:
- FQDN addresses
- IPv4 hosts
- IPv4 networks
- IPv4 ranges
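Added example, not WatchGuard code, that serves both the Geolocation Exceptions list above and the hotspot Authentication Exception list here: a Python matcher for the entry forms both lists accept (host, network, address range, FQDN), plus two small decision functions that model how each list is applied. Per-endpoint evaluation of Geolocation exceptions, the country lookup table and all addresses and names are assumptions constructed for the example.

```python
import ipaddress
from typing import Callable, Iterable, List, Optional, Set, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class AddressList:
    """Entries in the forms the Firebox accepts: IPv4/IPv6 host, network
    (CIDR), address range ("first-last"), or fully qualified domain name."""

    def __init__(self, entries: Iterable[str]) -> None:
        self.networks: List[IPNet] = []
        self.ranges: List[Tuple[IPAddr, IPAddr]] = []
        self.fqdns: Set[str] = set()
        for entry in entries:
            entry = entry.strip()
            rng = self._parse_range(entry)
            if rng:
                self.ranges.append(rng)
                continue
            try:
                # A bare host becomes a /32 or /128 network.
                self.networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                # Not an address or network, so treat it as an FQDN.
                self.fqdns.add(entry.lower().rstrip("."))

    @staticmethod
    def _parse_range(entry: str) -> Optional[Tuple[IPAddr, IPAddr]]:
        # "-" also appears in host names, so only accept it as a range when
        # both sides parse as addresses of the same family.
        if "-" not in entry:
            return None
        first, last = entry.split("-", 1)
        try:
            lo = ipaddress.ip_address(first.strip())
            hi = ipaddress.ip_address(last.strip())
        except ValueError:
            return None
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid address range: {entry}")
        return lo, hi

    def contains(self, ip: str, fqdn: Optional[str] = None) -> bool:
        """True if the address, or the name it was reached by, is listed."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.networks if net.version == addr.version):
            return True
        if any(lo <= addr <= hi for lo, hi in self.ranges if lo.version == addr.version):
            return True
        return bool(fqdn) and fqdn.lower().rstrip(".") in self.fqdns


def hotspot_allows(authenticated: bool, dst_ip: str, exceptions: AddressList,
                   dst_fqdn: Optional[str] = None) -> bool:
    """Hotspot rule: unauthenticated guests reach only listed exceptions."""
    return authenticated or exceptions.contains(dst_ip, dst_fqdn)


def geolocation_blocks(src_ip: str, dst_ip: str, blocked_countries: Set[str],
                       exceptions: AddressList,
                       country_of: Callable[[str], Optional[str]]) -> bool:
    """Model of the Geolocation decision: block a new connection when either
    endpoint is in a blocked country, unless that endpoint is an exception.
    Evaluating exceptions per endpoint is an assumption of this model."""
    return any(country_of(ip) in blocked_countries and not exceptions.contains(ip)
               for ip in (src_ip, dst_ip))


# Constructed lookup table standing in for the Geolocation database.
CONSTRUCTED_GEO = {"203.0.113.11": "CountryB", "198.51.100.5": "CountryB"}

if __name__ == "__main__":
    exc = AddressList(["203.0.113.10", "198.51.100.0/24", "192.0.2.20-192.0.2.30",
                       "2001:db8::/32", "login.example.com", "my-host.example.com"])
    print("guest to 198.51.100.5:", hotspot_allows(False, "198.51.100.5", exc))
    print("guest to 203.0.113.11:", hotspot_allows(False, "203.0.113.11", exc))
    print("block 10.0.1.5 -> 203.0.113.11:",
          geolocation_blocks("10.0.1.5", "203.0.113.11", {"CountryB"}, exc, CONSTRUCTED_GEO.get))
```

Note that an FQDN entry only matches when the request carries the name (hotspot clients that connect by raw IP address bypass it), and that an exception entered as a network or range also exempts every host inside it from Geolocation.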

Wireless Authentication Exceptions
On the Hotspot Authentication tab

Wireless Authentication Exceptions
On the Hotspot External Guest Authentication tab

ConnectWise Integration
Integrate your Firebox with ConnectWise

ConnectWise Integration
You can integrate your Firebox directly with ConnectWise, a professional services automation tool. This enables service providers to automatically synchronize customer asset information for more efficient device management and monitoring.
- Auto synchronization of asset information: automatically synchronizes Firebox information and security service subscription statuses, including subscription start and end dates, Firebox serial numbers, and OS versions
- Closed-loop ticketing of system, security, and subscription events: configure event thresholds on a wide range of parameters, including subscription services, device statistics, and subscription statuses, that automatically trigger the creation and closure of tickets

ConnectWise Integration
To enable your Firebox to communicate with ConnectWise, you must have a private and public API key generated by your ConnectWise user account.

ConnectWise Integration
On the Firebox:
- Fireware Web UI: System > Technology Integrations
- Policy Manager: Setup > Technology Integrations
ConnectWise integration settings are also available in Device Configuration Templates for your Fireboxes under Centralized Management.

ConnectWise Integration
To see your Firebox in ConnectWise:
1. Select Companies > Configurations
2. From the configuration list, select a Firebox

ConnectWise Integration
Firebox details, such as the serial number, model number, and expiration date, are automatically synchronized when you activate ConnectWise integration on your Firebox.

ConnectWise Integration
For each Firebox, you can set Configuration Questions. These are thresholds for system events that let you customize which events generate tickets.

ConnectWise Integration
Tickets are automatically opened and closed based on your thresholds:
- Eliminates ticket flooding and false alarms, and automatically closes tickets when issues are resolved
- If the event recurs, the same ticket is reopened so that you can track repeated occurrences of the same event

Other Enhancements

Huawei Modem Support
Added support for the Huawei E3372 modem variant with a different product ID:

Modem Name   | Vendor ID | Product ID | Fireware OS Requirement
Huawei E3372 | 0x12d1    | 0x1506     | v11.10.7 or higher
Huawei E3372 | 0x12d1    | 0x14dc     | v11.12 or higher

Proxy Connection Statistics
Proxy connection statistics are now available in the Firebox System Manager Status Report.

WebBlocker Proxy Server Support
You can now configure WebBlocker to use a proxy server to connect to the Websense cloud for lookups.
- On the WebBlocker configuration page, click Settings
- The Server address must be an IPv4 address or host name
- If you select Basic or NTLM for authentication, you must specify the User name, User domain, and Password

APT Blocker File Size Increase
The maximum file size that APT Blocker can submit to the Lastline data center for analysis increased from 8 MB to 10 MB. This file size limit is the same for all Firebox models and is not configurable.

BOVPN Shared Key Length Increase
The BOVPN pre-shared key length increased to 79 characters. This applies to traditional BOVPN gateways, BOVPN virtual interfaces, and Mobile VPN with L2TP over IPSec.

Active Directory Server Settings UI Updates
- The Dead Time text box now appears below the Timeout text box, because these values are related
- The Login Attribute text box appears above the DN of Searching User and Password of Searching User text boxes
- If you select the sAMAccountName attribute, the DN of Searching User and Password of Searching User text boxes are not available, because they are not required

FQDN Support for Log Server Addresses
You can now use fully qualified domain names when you specify a WatchGuard Log Server. DNS must be enabled to use FQDN addresses.

Auto-Blocked Sites List Functionality
The deny functionality for auto-blocked sites changed. In Fireware v11.12, the Firebox:
- denies connections from auto-blocked sites
- does not deny connections to auto-blocked sites
In prior versions of Fireware, the Firebox denied connections both to and from auto-blocked sites.
The deny functionality for permanently blocked sites did not change: the Firebox denies connections both to and from permanently blocked sites.
If you relied on the auto-blocked list to stop internal hosts from reaching an address, add that address to the permanently blocked sites list instead.
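Added example, not WatchGuard code: a Python model of the Blocked Sites deny logic before and from Fireware v11.12, plus a scan over traffic log lines that flags allowed outbound sessions whose destination is on the auto-blocked list (sessions that v11.11.x would have denied). The blocked-site entries and the log lines are constructed for this example in the key="value" format Fireware uses; only the src_ip, dst_ip, disp and policy attributes are read.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed lists for the example (TEST-NET addresses).
AUTO_BLOCKED = ["203.0.113.50", "203.0.113.0/28"]
PERMANENTLY_BLOCKED = ["198.51.100.0/24"]

# Constructed traffic log lines: two outbound sessions allowed by the
# Outgoing policy. Attribute names follow the Fireware log format.
SAMPLE_TRAFFIC = [
    '<Allow d="2016-11-15T09:01:12" orig="gary_xtmv" disp="Allow" policy="Outgoing-00" '
    'src_intf="1-Trusted" dst_intf="0-External" src_ip="10.0.1.20" dst_ip="203.0.113.50" '
    'src_port="51000" dst_port="443" pr="https/tcp" log_type="tr"/>',
    '<Allow d="2016-11-15T09:01:30" orig="gary_xtmv" disp="Allow" policy="Outgoing-00" '
    'src_intf="1-Trusted" dst_intf="0-External" src_ip="10.0.1.21" dst_ip="192.0.2.80" '
    'src_port="51001" dst_port="443" pr="https/tcp" log_type="tr"/>',
]


def listed(ip: str, entries: Iterable[str]) -> bool:
    """True if ip falls inside any host or network entry of the list."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == addr.version and addr in net:
            return True
    return False


def blocked_sites_decision(src_ip: str, dst_ip: str, auto_blocked: Iterable[str],
                           permanently_blocked: Iterable[str],
                           fireware: Tuple[int, ...]) -> str:
    """'deny' or 'allow' from the Blocked Sites lists alone; policies are
    not considered. fireware is a version tuple such as (11, 12)."""
    if listed(src_ip, permanently_blocked) or listed(dst_ip, permanently_blocked):
        return "deny"                       # both directions, all versions
    if listed(src_ip, auto_blocked):
        return "deny"                       # inbound from auto-blocked: all versions
    if listed(dst_ip, auto_blocked):
        # Outbound to an auto-blocked site is denied only before v11.12.
        return "deny" if fireware < (11, 12) else "allow"
    return "allow"


def flag_outbound_to_auto_blocked(lines: Iterable[str],
                                  auto_blocked: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Allowed sessions whose destination is auto-blocked: candidates for
    the permanently blocked list, or for investigating the internal host."""
    flagged = []
    for line in lines:
        f = dict(FIELD_RE.findall(line))
        dst = f.get("dst_ip")
        if f.get("disp") == "Allow" and dst and listed(dst, auto_blocked):
            flagged.append((f.get("src_ip", ""), dst, f.get("policy", "")))
    return flagged


if __name__ == "__main__":
    for version in ((11, 11, 4), (11, 12)):
        print(version, "10.0.1.5 -> 203.0.113.50:",
              blocked_sites_decision("10.0.1.5", "203.0.113.50", AUTO_BLOCKED, PERMANENTLY_BLOCKED, version))
    print("flagged:", flag_outbound_to_auto_blocked(SAMPLE_TRAFFIC, AUTO_BLOCKED))
```

Running the scan over the Firebox's traffic log after the upgrade shows which internal hosts are talking to addresses that the Firebox itself had flagged as hostile; before v11.12 those sessions would simply have been denied.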

Thank You!