
1 What’s New in Fireware v11.11.2

2 What’s New in Fireware v11.11.2
IKEv2 Support
Certificate Portal
AP Wireless Enhancements
  AP120 and AP320 support
  Pairing Passphrase removed
  Download AP firmware from WatchGuard servers
  Miscellaneous wireless enhancements

3 What’s New in Fireware v11.11.2
Other Enhancements
  NTP now enabled by default
  Default FireCluster ID change
  Disable X-WatchGuard headers in the SMTP-proxy
  Improved performance of web traffic through the HTTPS-proxy when content inspection is enabled
  Terminal Services user account creation

4 IKEv2
BOVPN support for IKEv2

5 IKEv2 Support
IKEv2 is version 2 of the Internet Key Exchange (IKE) protocol used for IPSec VPN negotiation (RFC 7296)
New procedure to negotiate IKE and IPSec security associations
Uses the same UDP ports (500 and 4500) as IKEv1
No backward compatibility with IKEv1
You can enable IKEv1 and IKEv2 at the same time for different BOVPN gateways on the Firebox
Both gateway endpoints for a VPN must use the same IKE version

6 IKEv2 Support
Fireware OS v11.11.2 supports IKEv2 in:
  Manual BOVPN Gateways
  BOVPN Virtual Interfaces
This release does not support IKEv2 for:
  Managed BOVPNs
  Mobile VPN with IPSec
IKEv2 Configuration UI
  Supported in Fireware Web UI, Policy Manager, CLI
  Not supported for managed VPNs in Dimension or WSM Management Server

7 IKEv2 Advantages over IKEv1
No exchange modes
Simplified Phase 1 message exchange
  IKEv2 requires only four messages to establish a tunnel
  IKEv1 requires six to nine messages to establish a tunnel, depending on the exchange mode (main/aggressive)
More reliable than IKEv1: more informative messages when a settings mismatch occurs
Cryptographic enhancements
Payload enhancements
Interoperability with third-party gateways that use IKEv2
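Slides 5 and 7 state that IKEv1 and IKEv2 share UDP ports 500 and 4500, that both ends of a tunnel must run the same version, and that IKEv2 completes a tunnel in four messages. When troubleshooting a peer that will not negotiate, the quickest check is to look at the IKE header of the captured UDP payloads, because the version and exchange type are in the clear even though everything after IKE_SA_INIT is encrypted. The following Python is an added example written for this page, not WatchGuard code: it decodes the fixed 28-byte IKE header (RFC 7296 section 3.1, same layout as the ISAKMP header IKEv1 uses), strips the non-ESP marker on port 4500, and counts how many messages an IKEv2 SA needed before its IKE_AUTH response. The sample payloads are constructed; the SPIs and port numbers are not taken from any real capture.

```python
"""Classify captured IKE payloads by version and exchange type (added example).

Input is the raw UDP payload of packets seen on ports 500 and 4500, e.g.
exported from a packet capture. The SAMPLE list below is constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Fixed IKE/ISAKMP header: SPI_i(8) SPI_r(8) NextPayload(1) MjVer/MnVer(1)
# ExchangeType(1) Flags(1) MessageID(4) Length(4)  -> 28 bytes, network order.
IKE_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix on UDP/4500 IKE packets (RFC 3948 2.2)

# Exchange type codes: IKEv1 from RFC 2408/2409, IKEv2 from RFC 7296.
IKEV1_EXCHANGES = {2: "Identity Protection (Main Mode)", 4: "Aggressive",
                   5: "Informational", 32: "Quick Mode"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                   36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
IKEV2_FLAG_RESPONSE = 0x20           # R bit; IKEv1 has no equivalent flag


@dataclass
class IkeHeader:
    spi_i: bytes
    spi_r: bytes
    version: str                     # "IKEv1" or "IKEv2"
    exchange: str
    is_response: Optional[bool]      # None for IKEv1 (not signalled in the header)
    message_id: int
    length: int


def parse_ike(payload: bytes, udp_port: int) -> IkeHeader:
    """Decode one UDP payload from port 500 or 4500 into an IkeHeader."""
    if udp_port == 4500:
        # On 4500, IKE is distinguished from UDP-encapsulated ESP by four zero bytes.
        if not payload.startswith(NON_ESP_MARKER):
            raise ValueError("UDP/4500 payload without non-ESP marker is ESP, not IKE")
        payload = payload[len(NON_ESP_MARKER):]
    if len(payload) < IKE_HDR.size:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, _next, ver, exch, flags, msg_id, length = IKE_HDR.unpack_from(payload)
    major = ver >> 4
    if major == 1:
        version, exchanges, is_response = "IKEv1", IKEV1_EXCHANGES, None
    elif major == 2:
        version, exchanges = "IKEv2", IKEV2_EXCHANGES
        is_response = bool(flags & IKEV2_FLAG_RESPONSE)
    else:
        raise ValueError(f"unknown IKE major version {major}")
    return IkeHeader(spi_i, spi_r, version, exchanges.get(exch, f"unknown({exch})"),
                     is_response, msg_id, length)


def messages_to_establish(headers: List[IkeHeader]) -> Dict[str, int]:
    """Per IKEv2 SA (keyed by initiator SPI), count messages up to and including
    the IKE_AUTH response that completes the tunnel. SAs that never finished
    are omitted so the caller can spot them separately."""
    counts: Dict[bytes, int] = {}
    finished = set()
    for h in headers:
        if h.version != "IKEv2" or h.spi_i in finished:
            continue
        counts[h.spi_i] = counts.get(h.spi_i, 0) + 1
        if h.exchange == "IKE_AUTH" and h.is_response:
            finished.add(h.spi_i)
    return {spi.hex(): n for spi, n in counts.items() if spi in finished}


# --- constructed sample traffic (not from a real capture) ----------------------
def _hdr(spi_i: bytes, spi_r: bytes, ver: int, exch: int, flags: int,
         msg_id: int, next_payload: int) -> bytes:
    return IKE_HDR.pack(spi_i, spi_r, next_payload, ver, exch, flags, msg_id, IKE_HDR.size)


SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes.fromhex("1112131415161718")
SAMPLE: List[Tuple[int, bytes]] = [
    (500, _hdr(SPI_I, bytes(8), 0x20, 34, 0x08, 0, 33)),                   # IKE_SA_INIT request
    (500, _hdr(SPI_I, SPI_R, 0x20, 34, 0x20, 0, 33)),                      # IKE_SA_INIT response
    (4500, NON_ESP_MARKER + _hdr(SPI_I, SPI_R, 0x20, 35, 0x08, 1, 46)),    # IKE_AUTH request (after NAT-T port float)
    (4500, NON_ESP_MARKER + _hdr(SPI_I, SPI_R, 0x20, 35, 0x20, 1, 46)),    # IKE_AUTH response
    (500, _hdr(bytes.fromhex("2122232425262728"), bytes(8), 0x10, 2, 0, 0, 1)),  # IKEv1 Main Mode msg 1
]


def parse_samples() -> List[IkeHeader]:
    return [parse_ike(payload, port) for port, payload in SAMPLE]


if __name__ == "__main__":
    hdrs = parse_samples()
    for h in hdrs:
        kind = {True: "response", False: "request", None: "n/a"}[h.is_response]
        print(f"{h.version:5} {h.exchange:32} {kind:8} msgid={h.message_id}")
    print("messages to establish:", messages_to_establish(hdrs))
```

A peer that answers an IKE_SA_INIT with an IKEv1 header (major version 1) is the on-the-wire form of the "both endpoints must use the same IKE version" requirement; the four-message count in the output matches the claim on slide 7, and an SA missing from `messages_to_establish` never got past IKE_AUTH.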

8 IKEv2 in BOVPN Gateway Configuration
Select the IKE version in the Phase1 settings tab

9 IKEv2 vs IKEv1 Settings
IKEv2 has no settings for Mode or IKE Keep-Alive
With IKEv2, NAT Traversal and DPD are always enabled
DPD can be traffic-based or time-based

10 IKEv2 Shared Settings
If a gateway has at least one peer with a dynamic IP address, the IKEv2 settings are shared
Shared Settings are:
  NAT Traversal
  Phase 1 Transforms
These settings are shared by all IKEv2 gateways that have at least one dynamic peer

11 IKEv2 Shared Settings in Policy Manager
In Policy Manager, you can configure IKEv2 shared settings from several places
Select VPN > IKEv2 Shared Settings

12 IKEv2 Shared Settings in Policy Manager
If a BOVPN has a remote gateway endpoint with a dynamic IP address, you can also edit the IKEv2 shared settings in the Shared Settings tab in the gateway Phase1 settings

13 IKEv2 Shared Settings in Fireware Web UI
In the Web UI, if a BOVPN uses IKEv2 Shared Settings, you cannot edit the shared settings in the gateway configuration

14 IKEv2 Shared Settings in Fireware Web UI
In the Web UI, to edit the shared settings, you must select VPN > IKEv2 Shared Settings

15 IKEv2 Diagnostic Messages
Just as with IKEv1, IKEv2 negotiation errors appear in diagnostic messages in:
  Web UI, System Status > VPN Statistics page
  Firebox System Manager, Front Panel tab
  WatchGuard System Manager, Device Status tab
  VPN Diagnostic Report

16 Certificate Portal
Allow Clients to Download Proxy Certificates

17 Certificate Portal
When you enable content inspection in the HTTPS proxy, the Firebox uses the default self-signed Proxy Authority CA certificate to re-encrypt the traffic
End users receive a warning in their web browsers because this certificate is an untrusted self-signed certificate
To prevent these warnings, you can import this certificate (or your own certificate) on each client device
If you cannot easily deploy this certificate, clients can connect to the Certificate Portal on your Firebox to download and install the certificate

18 Certificate Portal
When you enable HTTPS content inspection, the Firebox automatically creates a new policy:
  Policy name — WatchGuard Certificate Portal
  Service — WG-Cert-Portal
  From — Any-Trusted and Any-Optional
  To — Firebox
  Port — 4126

19 Certificate Portal
To access the Certificate Portal and download the certificate, go to: <IP address>:4126/certportal

20 Certificate Portal
The Certificate Portal shares the customization features of the Authentication Portal
You can customize the page logo and the page colors
The page title and text of the Certificate Portal cannot be customized

21 AP Device Enhancements
AP120 and AP320 Support

22 New AP120 and AP320 Devices
AP120 — Concurrent 2x2 MIMO capability and a dual radio that supports 2.4GHz (802.11b/g/n) and 5GHz (802.11a/n/ac)
AP320 — 3x3 MIMO capability and a dual radio that supports 2.4GHz (802.11b/g/n) and 5GHz (802.11a/n/ac)

23 AP120 and AP320 Management
There are two ways you can manage AP120 and AP320 devices:
  WatchGuard Wi-Fi Cloud — A powerful, cloud-based, enterprise-level wireless management solution for AP device configuration, security, and monitoring
  WatchGuard Firebox Gateway Wireless Controller — Local management, configuration, security, and monitoring of AP devices directly from your WatchGuard Firebox
Your Firebox must run Fireware OS v or higher to use the Gateway Wireless Controller for local management of AP120 and AP320 devices

24 AP120 and AP320 Local Management
You can manage AP120 and AP320 devices locally with the Gateway Wireless Controller on your Firebox
In their factory-default state, AP120 and AP320 devices first try to connect to WatchGuard Wi-Fi Cloud
If the AP device is not activated and provisioned for cloud management, the AP device continues to try to connect to the cloud for 5 minutes
When the AP device appears in the Gateway Wireless Controller Unpaired Access Points list, you can pair the device
When you pair the AP device with the Gateway Wireless Controller, the AP device does not try to connect to Wi-Fi Cloud again until you complete a factory reset on the AP device

25 AP120 and AP320 Local Management
These features are not supported on locally managed AP120/AP320 devices:
  LED controls
  Fast Handover
  Radio rate settings
  Client limits
  External syslog support
  Disabling DFS or selecting outdoor channels

26 AP Device Enhancements
Other enhancements to AP devices and WatchGuard Wireless Fireboxes

27 Pairing Passphrase Removed
You no longer need to type a pairing passphrase to pair an AP device with the Gateway Wireless Controller
Only the Gateway Wireless Controller management passphrase is used to pair and manage AP devices
If you must pair an AP device that is not configured with the default pairing passphrase, you must reset the AP device to factory-default settings

28 AP Firmware Downloads
AP firmware is no longer bundled with Fireware OS
From FSM and Fireware Web UI, you can check for updates and download AP firmware directly from WatchGuard to your Gateway Wireless Controller

29 AP Firmware Downloads
After download, the firmware is available in the Gateway Wireless Controller for installation on the AP devices it manages
New AP firmware versions:
  AP100, AP102, AP200 —
  AP300 —

30 AP Device Enhancements
AP300 now supports fast roaming for all WPA2-based security modes (Enterprise and PSK)
The Restart Wireless action for AP devices now forces the AP device to reload the configuration
  A reboot of an AP device does not force the AP device to reload the configuration
In System Status > Diagnostics, Fault Reports now include kernel crashes for AP100, AP102, AP200, and AP300 models
SSH access for AP devices is deprecated and removed

31 Wireless Firebox Enhancements
For a wireless Firebox, you can now adjust the maximum transmit power
You can set the TX Power between 3 dBm and 20 dBm, or set the value to Auto
The default (Auto) is 20 dBm

32 Other Enhancements

33 NTP
Previously, customers who did not have NTP enabled often had support issues related to incorrect time, for example, log data in Dimension without a correct timestamp
With Fireware v , NTP is enabled by default after you use the Quick Setup Wizard or Web Setup Wizard to configure your Firebox

34 FireCluster Default ID Update
The default FireCluster ID has changed from 1 to 50. The previous default value of 1 created VRRP conflicts with third-party devices in some networks

35 SMTP Proxy — Disable X-WatchGuard Headers
The SMTP proxy adds X-WatchGuard headers to mail messages when Gateway AntiVirus or spamBlocker are enabled:
  X-WatchGuard-Spam-Score: 0, clean; 0, virus threat unknown
  X-WatchGuard-Mail-Client-IP:
  X-WatchGuard-Mail-From:
  X-WatchGuard-AntiVirus: part scanned. clean action=allow
These X headers alter the body and can cause message processing issues for some servers because of too many message headers, or result in false positives for mail servers that complete DKIM or DomainKeys anti-spam checks

36 SMTP Proxy — Disable X-WatchGuard Headers
You can now enable or disable X-WatchGuard headers in the SMTP-proxy configuration
Disable X-WatchGuard headers if you have issues with message processing with some servers
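Slides 35 and 36 say the proxy-added X-WatchGuard headers can push a message over a receiving server's header limit or cause DKIM verification failures. The DKIM mechanism behind the second problem is the `h=` tag of the DKIM-Signature header (RFC 6376 section 3.5): it lists the header fields the signer hashed, and RFC 6376 section 5.4 lets a signer list a field name that is absent at signing time so that adding it later invalidates the signature. A proxy that inserts a header whose name appears in `h=` therefore breaks an otherwise valid signature. The following Python is an added example for this page, not WatchGuard code: it reports which X-WatchGuard headers a message carries, the total header count, and which of those headers are covered by the `h=` list. The message is constructed, including its DKIM-Signature, which has placeholder `bh=` and `b=` values and is not verifiable.

```python
"""Report X-WatchGuard proxy headers and check them against the DKIM h= list
(added example). SAMPLE_MESSAGE is constructed; its DKIM-Signature is a
placeholder, not a real signature."""
import email
from email import policy
from typing import Dict, List, Set

PROXY_HEADER_PREFIX = "x-watchguard-"

# Constructed message: the signer over-signed X-WatchGuard-Spam-Score in h=,
# so a proxy that adds that header would invalidate the signature.
SAMPLE_MESSAGE = b"""\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; c=relaxed/relaxed;
 h=From:To:Subject:Date:X-WatchGuard-Spam-Score; bh=PLACEHOLDER; b=PLACEHOLDER
From: sender@example.com
To: user@example.net
Subject: Quarterly report
Date: Mon, 01 Aug 2016 09:00:00 +0000
X-WatchGuard-Spam-Score: 0, clean; 0, virus threat unknown
X-WatchGuard-Mail-Client-IP: 198.51.100.7
X-WatchGuard-Mail-From: sender@example.com
X-WatchGuard-AntiVirus: part scanned. clean action=allow
Message-ID: <constructed-0001@example.com>

Body text.
"""


def dkim_signed_headers(raw: bytes) -> Set[str]:
    """Return the lower-cased header names listed in the DKIM-Signature h= tag.
    An empty set means the message carries no DKIM-Signature."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return set()
    names: Set[str] = set()
    for tag in str(sig).split(";"):          # tag=value pairs separated by ';'
        tag = tag.strip()
        if tag.lower().startswith("h="):
            names.update(n.strip().lower() for n in tag[2:].split(":") if n.strip())
    return names


def proxy_header_report(raw: bytes) -> Dict[str, object]:
    """Summarise proxy-added headers for a message: how many header fields it
    has in total, which X-WatchGuard headers are present, and which of those
    are listed in the DKIM h= tag (and so break signature verification)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    all_names: List[str] = [name.lower() for name in msg.keys()]
    proxy = [n for n in all_names if n.startswith(PROXY_HEADER_PREFIX)]
    signed = dkim_signed_headers(raw)
    return {
        "header_count": len(all_names),
        "proxy_headers": proxy,
        "dkim_breaking": sorted(set(proxy) & signed),
    }


if __name__ == "__main__":
    report = proxy_header_report(SAMPLE_MESSAGE)
    print("total header fields:", report["header_count"])
    print("proxy headers:      ", report["proxy_headers"])
    print("covered by DKIM h=: ", report["dkim_breaking"] or "none")
```

Run against messages that a downstream server rejected, the report tells you which of the two failure modes on slide 35 applies: a header count near the receiving server's limit, or a non-empty `dkim_breaking` list. Either result is a case for the slide 36 option of disabling the headers in the SMTP-proxy configuration.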

37 HTTPS-Proxy Performance Enhancement
Added support for SSL session reuse in the HTTPS-proxy
This change improves the performance of web traffic handled by the HTTPS-proxy when content inspection is enabled

38 Terminal Services User Account Creation
When you enable Terminal Services in the Firebox Authentication settings, the Backend-User user account required by the Terminal Services agent is automatically added to the Authorized Users and Groups list

39 Thank You
