What’s New in Fireware v11.12.4
- Support for Firebox M370, M470, M570, M670 models
- APT Blocker Region Selection
- IPS default Scan Mode changes
- Explicit Proxy with Chromebook Integration Guide
- Improved log messages for HTTPS-proxy and SMTP-proxy SSL negotiation errors
- Support for new AP420 devices
- Gateway Wireless Controller enhancements
- ConnectWise FireCluster Monitoring and Company ID lookup
- Manage Firebox Cloud with Dimension

New Firebox Models
- WatchGuard System Manager can now manage four new Firebox models:
  - M370 – 8 interfaces
  - M470, M570, M670 – 8 interfaces, plus one interface module slot
- Fireware v11.12.4 is an upgrade for these four models
- These models are all manufactured with Fireware v11.12.3

APT Blocker Region Selection
- In the APT Blocker Advanced settings, you can now select a Server Region for APT Blocker requests
  - Any (Default)
  - Europe
- This meets requirements of EU customers who want data to remain in Europe
- By default, APT Blocker sends requests to the nearest regional server

IPS Default Scan Mode
- The default setting for the Intrusion Prevention Service Scan Mode is set when you run the setup wizard
- The scan mode for your Firebox depends on the model
  - Full Scan
    - All Firebox M models
    - Firebox T70
    - FireboxV
    - Firebox Cloud
  - Fast Scan
    - Firebox T10, T30, T30-W, T50, T50-W
    - All XTM device models (includes XTMv)
- If you upgrade your Firebox, the current Scan Mode setting in your configuration file is not changed

Explicit Proxy with Chromebook
- The Explicit Proxy has now been tested and verified to work with Chromebooks managed by the Google Admin console
- This is not a new feature implementation
- For more information, see the WatchGuard Explicit Proxy with Chromebook Integration Guide, on the WatchGuard Technology Partners page: https://www.watchguard.com/wgrd-partners/technology-partners

SSL Error Log Message Enhancements
- SSL error log messages generated by the HTTPS-proxy and SMTP-proxy now include more detailed information:
  - Internal SSL error message
  - Associated domain name from SNI or server certificate
  - Proxy action PFS settings
- These additional details make it easier to:
  - Troubleshoot SSL connection issues
  - Identify domains that require PFS ciphers, if PFS ciphers are not enabled in the proxy action
- If a site requires PFS, and you do not want to enable PFS ciphers in the proxy action, you can add a content inspection exception for the domain that appears in the log message
- For information about PFS ciphers in a proxy action, see "Cannot connect to website with error: err_ssl_version_or_cipher_mismatch" in the Knowledge Base
- Sample error log messages:
  - Server requires PFS, but PFS is set to None in the proxy action
    Mar 30 10:19:04 2017 M500 local3.err pxy[1610]: 0x84eff48-191 44: 0.0.0.0:36589 -> 100.100.100.124:443 [B t] {N}: Connect SSL Error [ret -1 | SSL err 1 | Details: SSL23_GET_SERVER_HELLO/sslv3 alert handshake failure] Domain: 100.100.100.124 PFS: NONE | NONE
  - Proxy does not support any of the client advertised ciphers
    Mar 27 19:08:20 2017 M500 local3.err pxy[2541]: 12: 10.0.1.2:35829 -> 74.125.28.103:443 [A t] {B}: Accept SSL Error [ret -1 | SSL err 1 | Details: ssl3_get_client_hello/no shared cipher] Domain: www.google.com PFS: NONE | NONE
  - Proxy does not trust the web server certificate
    Mar 30 09:38:34 2017 M500 local3.err pxy[1611]: 0x8188180-11 12: 10.0.1.103:39216 -> 100.100.100.121:443 [A t] {B}: Accept SSL Error [ret 0 | SSL err 1 | Details: ssl3_read_bytes/tlsv1 alert unknown ca] Domain: 100.100.100.121 PFS: NONE | NONE

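Added example (not WatchGuard code): a Python parser for the SSL error message layout seen in the three samples above, which lists the domains whose Connect errors are handshake failures while PFS is NONE, so they can be reviewed for PFS ciphers or a content inspection exception. The field layout is inferred only from those samples, the labels returned by classify() are names chosen here, and treating NONE in either PFS field as "PFS not enabled" is an assumption.

```python
import re

# The three sample messages quoted on this page.
SAMPLES = [
    "Mar 30 10:19:04 2017 M500 local3.err pxy[1610]: 0x84eff48-191 44: "
    "0.0.0.0:36589 -> 100.100.100.124:443 [B t] {N}: Connect SSL Error "
    "[ret -1 | SSL err 1 | Details: SSL23_GET_SERVER_HELLO/sslv3 alert "
    "handshake failure] Domain: 100.100.100.124 PFS: NONE | NONE",
    "Mar 27 19:08:20 2017 M500 local3.err pxy[2541]: 12: 10.0.1.2:35829 -> "
    "74.125.28.103:443 [A t] {B}: Accept SSL Error [ret -1 | SSL err 1 | "
    "Details: ssl3_get_client_hello/no shared cipher] Domain: www.google.com PFS: NONE | NONE",
    "Mar 30 09:38:34 2017 M500 local3.err pxy[1611]: 0x8188180-11 12: "
    "10.0.1.103:39216 -> 100.100.100.121:443 [A t] {B}: Accept SSL Error "
    "[ret 0 | SSL err 1 | Details: ssl3_read_bytes/tlsv1 alert unknown ca] "
    "Domain: 100.100.100.121 PFS: NONE | NONE",
]

# "-\s*>" also accepts an arrow that was split to "- >" by line wrapping.
EVENT_RE = re.compile(
    r"(?P<src>[\d.]+:\d+)\s*-\s*>\s*(?P<dst>[\d.]+:\d+).*?"
    r"(?P<phase>Connect|Accept) SSL Error \[ret (?P<ret>-?\d+) \| "
    r"SSL err (?P<ssl_err>\d+) \| Details: (?P<func>[^/\]]+)/(?P<reason>[^\]]+)\]"
    r"\s+Domain: (?P<domain>\S+)\s+PFS: (?P<pfs>\w+ \| \w+)"
)

def parse(line):
    """Return the fields of one SSL error message, or None for other lines."""
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None

def classify(ev):
    """Map the Details reason onto the three cases the samples illustrate."""
    reason = ev["reason"].lower()
    # Assumption: a NONE in either PFS field means PFS ciphers are not enabled.
    pfs_off = "NONE" in ev["pfs"].split(" | ")
    if ev["phase"] == "Connect" and "handshake failure" in reason and pfs_off:
        return "pfs_candidate"       # server may require PFS ciphers
    if "no shared cipher" in reason:
        return "no_shared_cipher"    # no overlap with client-advertised ciphers
    if "unknown ca" in reason:
        return "unknown_ca"          # certificate trust failure
    return "unclassified"

def pfs_candidates(lines):
    """Domains to review for PFS ciphers or a content inspection exception."""
    events = filter(None, map(parse, lines))
    return sorted({e["domain"] for e in events if classify(e) == "pfs_candidate"})

if __name__ == "__main__":
    print(pfs_candidates(SAMPLES))
```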
AP420 Device
- Support added for the AP420
  - High performance enterprise AP device
  - 4x4:4 MU-MIMO 802.11ac Wave 2 access point
  - Dedicated third radio for scanning and over-the-air attack prevention
- Limitations
  - 160MHz channel width currently not supported
  - Third radio not available in local mode with a Gateway Wireless Controller

AP420 Management
- You can manage AP420 devices with one of these methods:
  - WatchGuard Wi-Fi Cloud — Powerful, cloud-based, enterprise-level wireless management for AP device configuration, security, and monitoring
  - WatchGuard Firebox Gateway Wireless Controller — Local management, configuration, security, and monitoring of AP devices directly from your WatchGuard Firebox
- To locally manage AP420 devices from the Gateway Wireless Controller, your Firebox must run Fireware OS v11.12.4 or higher

Gateway Wireless Controller Enhancements
- AP devices are now automatically trusted when you pair a new AP device with the Gateway Wireless Controller
- FireCluster support for Gateway Wireless Controller features includes synchronization of:
  - AP device configuration state
  - Last known IP address and passphrase
  - Auto-generated AP passphrases
  - Trust store records
  - AP firmware downloads
- Wireless configuration changes (such as changes to SSID settings, radio channels, and power levels) no longer require a reboot of an AP120, AP320, or AP322 device
  - Note: Changes to network settings (such as IP address, DHCP, VLAN, and NTP settings) still require a reboot
- Firmware for legacy AP100, AP102, AP200, and AP300 devices is no longer bundled with Fireware
  - AP firmware is still available from the Gateway Wireless Controller or WatchGuard Software Downloads page

ConnectWise FireCluster Monitoring
- You can now configure ConnectWise to create a ticket when a FireCluster failover occurs
  - The new FireCluster master generates a ticket when the failover occurs
  - The member IDs of the new master and the previous master are included in the ticket
  - The ticket is closed after five minutes of cluster stability

ConnectWise Company ID Lookup
- When you configure ConnectWise integration on a Firebox, you can now look up a Company ID and select the ID from a list of companies

Manage Firebox Cloud with Dimension
- You can now configure your instance of Firebox Cloud to be managed by Dimension
- Select System > Managed Device

Thank You!