1 Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training What’s New in Fireware v11.11.4

2 What’s New in Fireware v11.11.4
- Firebox T70 Support
- Perfect Forward Secrecy (PFS) in SMTP and HTTPS Proxies
- Other Proxy Enhancements
  - HTTPS Proxy — Allow SSL v2 as a non-compliant SSL protocol
  - POP3 Proxy — Examine file names and types stored in compressed archive files
- Non-EKU VPN Certificate Support

3 What’s New in Fireware v11.11.4
- Reset AP Devices from the Gateway Wireless Controller
- Remove AP Firmware from your Firebox
- Enhancements to support WatchGuard Wi-Fi Cloud
- Localization Enhancement

4 Firebox T70 Support: Use WatchGuard System Manager to administer the Firebox T70

5 Firebox T70 Support
- WatchGuard System Manager can now manage the Firebox T70 tabletop model
- Fireware v11.11.4 is an OS upgrade for the Firebox T70
  - The Firebox T70 ships with Fireware v11.11.3 installed, which is not publicly available

6 Perfect Forward Secrecy: Perfect Forward Secrecy in the SMTP and HTTPS proxies

7 Perfect Forward Secrecy
- Perfect Forward Secrecy (PFS) cipher settings control which TLS ciphers the Firebox negotiates when it acts as the TLS client or server for content inspection
  - Fireware uses ephemeral elliptic curve Diffie-Hellman (ECDHE) ciphers to provide PFS
  - When the proxy uses a PFS-capable cipher, the client and server negotiate new ephemeral Diffie-Hellman key material for each session; the ephemeral values are discarded after the session and cannot be reused, so a later compromise of the server's long-term private key does not expose previously recorded sessions
- PFS is not supported on Firebox T10, T30, T50, XTM 25/26, or XTM 33 devices

8 Perfect Forward Secrecy
- Fireware v11.11.4 adds support for PFS in:
  - SMTP proxy action > TLS Encryption settings
  - HTTPS proxy action > Content Inspection settings
- PFS options in the SMTP-proxy and HTTPS-proxy actions:
  - None — The Firebox does not use PFS-capable ciphers in the TLS handshake
  - Allowed — The Firebox accepts both PFS-capable and non-PFS-capable ciphers in the TLS handshake
  - Required — The Firebox accepts only PFS-capable ciphers in the TLS handshake; a peer that offers no ECDHE cipher cannot complete the handshake

9 Perfect Forward Secrecy — SMTP Proxy
- Configure PFS in the TLS Encryption settings
  - Configure PFS separately for the sender and the recipient
  - The PFS settings apply to all channels that use STARTTLS encryption, as specified in the Encryption Rules
- By default, PFS is set to Allowed for both sender and recipient

10 Perfect Forward Secrecy — HTTPS Proxy
- Configure PFS in the Content Inspection settings
- The same PFS setting applies to both the client-side and the server-side TLS connection
- When set to Allowed, the client-side connection uses a PFS cipher only if the server-side connection also uses one
- PFS is set to Allowed by default
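The PFS setting described on slides 7 to 10 can be checked against concrete cipher suites. The Python below is an added example, not Fireware code: it classifies TLS 1.2 suites by their key exchange, applies None, Allowed or Required, and walks the two connections that an HTTPS content-inspection session involves (Firebox as TLS client toward the origin server, then Firebox as TLS server toward the browser). The suite names are IANA names; the preference lists, the FIREBOX_SUITES list, the server-preference selection rule and the treatment of finite-field DHE as forward secret are assumptions made for the example.

```python
"""Added example, not Fireware code: a model of the Firebox PFS setting
(None / Allowed / Required) for TLS 1.2 cipher suites, plus the two-sided
negotiation the HTTPS proxy performs during content inspection. Suite names
are IANA names; the preference lists are constructed for the example."""
from enum import Enum


class PFSPolicy(Enum):
    NONE = "None"          # no PFS-capable ciphers in the handshake
    ALLOWED = "Allowed"    # PFS-capable and non-PFS ciphers both acceptable
    REQUIRED = "Required"  # PFS-capable ciphers only


# Fireware uses ECDHE for PFS. Finite-field DHE is also ephemeral, so it is
# classified as forward secret here too (assumption, not stated on the slides).
FORWARD_SECRET_KX = ("ECDHE", "DHE")

PFS_SUITE = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
RSA_SUITE = "TLS_RSA_WITH_AES_128_GCM_SHA256"
# What the Firebox itself is assumed to support, in its preference order.
FIREBOX_SUITES = [PFS_SUITE, RSA_SUITE]


def key_exchange(suite):
    """Key-exchange part of an IANA TLS 1.2 suite name:
    TLS_ECDHE_RSA_WITH_... -> 'ECDHE', TLS_RSA_WITH_... -> 'RSA'.
    TLS 1.3 names (no _WITH_) are rejected; they are always forward secret."""
    if not suite.startswith("TLS_") or "_WITH_" not in suite:
        raise ValueError("not a TLS 1.2 suite name: " + suite)
    return suite[4:suite.index("_WITH_")].split("_")[0]


def is_pfs(suite):
    return key_exchange(suite) in FORWARD_SECRET_KX


def apply_policy(suites, policy):
    """Suites the Firebox offers (as client) or accepts (as server)."""
    if policy is PFSPolicy.REQUIRED:
        return [s for s in suites if is_pfs(s)]
    if policy is PFSPolicy.NONE:
        return [s for s in suites if not is_pfs(s)]
    return list(suites)


def negotiate(server_prefs, client_offer):
    """Server-preference selection; None means no common suite (handshake fails)."""
    offered = set(client_offer)
    return next((s for s in server_prefs if s in offered), None)


def inspect_session(policy, origin_prefs, client_offer):
    """Return (suite toward the origin server, suite toward the client).

    Slide 10: one PFS setting applies to both connections, and under Allowed
    the client-side connection uses a PFS cipher only if the server-side
    connection also does."""
    permitted = apply_policy(FIREBOX_SUITES, policy)
    server_side = negotiate(origin_prefs, permitted)      # Firebox as TLS client
    if server_side is None:
        return None, None
    accept = permitted
    if policy is PFSPolicy.ALLOWED and not is_pfs(server_side):
        accept = [s for s in permitted if not is_pfs(s)]
    client_side = negotiate(accept, client_offer)          # Firebox as TLS server
    return server_side, client_side


if __name__ == "__main__":
    # Outcome of each policy against an origin that only does RSA key exchange.
    for policy in PFSPolicy:
        print(policy.value, inspect_session(policy, [RSA_SUITE], FIREBOX_SUITES))
```

Running the block prints the outcome of each policy against an origin server that offers only RSA key exchange: Allowed and None fall back to the RSA suite on both sides, while Required returns no suite at all, which is the handshake failure to expect when Required is enabled for content inspection toward legacy servers.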

11 Proxy Enhancements: Other enhancements to the POP3 and HTTPS proxies

12 POP3 Proxy — Examine Compressed Files
- The POP3 proxy now completes actions based on the file names and file types of the members of .ZIP and .GZIP compressed archive files
- For example, a file name extension rule that is configured to strip .EXE files now also strips .EXE files that are found inside a compressed .ZIP file
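What slide 12 describes is a recursive walk over archive members with the same rule applied at every level. The Python below is an added example, not WatchGuard code: it applies a strip-.EXE rule to the members of .ZIP and .GZIP attachments, and also covers the cases a practitioner would want handled, which are a nested archive, a gzip-wrapped executable, an executable renamed to a harmless extension (caught by the MZ header rather than the name), a nesting limit, and a corrupt or password-protected archive that cannot be examined. The sample attachment is constructed in memory; the verdict names and the MAX_DEPTH value are choices made for the example.

```python
"""Added example, not WatchGuard code: apply a POP3-proxy style file-name and
file-type rule to the members of .ZIP and .GZIP attachments, as slide 12
describes, including nested archives, a gzip-wrapped executable, an
executable hidden behind a harmless extension, and a corrupt archive that
cannot be inspected.  The sample attachment is constructed in memory."""
import gzip
import io
import zipfile

STRIP_EXTENSIONS = {".exe"}   # the rule from the slide: strip .EXE files
PE_MAGIC = b"MZ"              # DOS/PE header; catches an .exe renamed to .txt
MAX_DEPTH = 3                 # stop unpacking nested archives beyond this


def _leaf_verdict(name, data):
    """'strip' if the name extension matches the rule or the content looks
    like a Windows executable, otherwise 'allow'."""
    lower = name.lower()
    ext = lower[lower.rfind("."):] if "." in lower else ""
    if ext in STRIP_EXTENSIONS or data.startswith(PE_MAGIC):
        return "strip"
    return "allow"


def _walk(path, name, data, depth):
    """Yield (path, verdict) for a file and, recursively, for archive members."""
    lower = name.lower()
    is_zip, is_gz = lower.endswith(".zip"), lower.endswith(".gz")
    if (is_zip or is_gz) and depth >= MAX_DEPTH:
        yield path, "uninspectable"       # too deeply nested to examine
        return
    if is_zip:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [(i.filename, zf.read(i))
                           for i in zf.infolist() if not i.is_dir()]
        except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
            # corrupt, password-protected, or unsupported compression method
            yield path, "uninspectable"
            return
        for mname, mdata in members:
            yield from _walk(path + "/" + mname, mname, mdata, depth + 1)
        return
    if is_gz:
        inner = name[:-3] or "member"     # gzip holds a single member
        try:
            inner_data = gzip.decompress(data)
        except (OSError, EOFError):
            yield path, "uninspectable"
            return
        yield from _walk(path + "/" + inner, inner, inner_data, depth + 1)
        return
    yield path, _leaf_verdict(name, data)


def inspect_attachment(name, data):
    """Map every inspected path to 'allow', 'strip' or 'uninspectable'.
    'uninspectable' is kept separate so a deployment can decide to fail
    closed (strip) rather than pass an archive it could not examine."""
    return dict(_walk(name, name, data, 0))


def build_sample_attachment():
    """Constructed input, not a real message."""
    fake_pe = PE_MAGIC + b"\x90" * 64
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as zf:
        zf.writestr("payload.exe", fake_pe)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 constructed")
        zf.writestr("invoice.exe", fake_pe)
        zf.writestr("notes.txt", fake_pe)               # .exe renamed to .txt
        zf.writestr("tool.exe.gz", gzip.compress(fake_pe))
        zf.writestr("nested.zip", nested.getvalue())
        zf.writestr("bad.zip", b"PK\x03\x04" + b"\x00" * 8)  # truncated zip
    return outer.getvalue()


if __name__ == "__main__":
    for path, verdict in inspect_attachment("mail.zip", build_sample_attachment()).items():
        print(verdict.ljust(13), path)
```

The name-based rule alone would pass notes.txt; the MZ check is what catches it, which is why a file-type check matters in addition to the file-name rule the slide mentions.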

13 HTTPS Proxy — SSL v2 Support
- Because of its security vulnerabilities, SSLv2 is treated as a non-compliant SSL protocol in Fireware v11.11.1 and higher
- In Fireware v11.11.4, the HTTPS proxy allows SSLv2 traffic only when the Allow only SSL compliant traffic check box is cleared and content inspection is not enabled
- Because content inspection must be off for this, any SSLv2 traffic allowed this way is passed without inspection

14 VPN Certificate Requirements: Support for non-EKU certificates

15 Support for Non-EKU IPSec VPN Certificates
- Extended key usage (EKU) object identifiers (OIDs) state the purposes for which a certificate's key may be used
- Prior to Fireware v11.11.4, imported IPSec VPN certificates had to include the EKU OID 1.3.6.1.5.5.8.2.2
- This requirement was not RFC compliant: RFC 4945 does not require any special EKU OID in certificates used for IPSec
- You can now select an IPSec VPN certificate that does not include an EKU extension

16 Non-EKU Certificates — UI Changes
- A new Show All Certificates check box appears on these pages:
  - BOVPN Gateway Configuration (Fireware Web UI & WSM)
  - BOVPN VIF Gateway Configuration (Fireware Web UI & WSM)
  - Mobile VPN with L2TP and Mobile VPN with IPSec (Fireware Web UI & WSM)
- To select a certificate that does not contain an EKU, select Show All Certificates (all available certificates appear)
- If you do not select Show All Certificates, only certificates with an EKU appear
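To see what the Firebox was actually checking on slides 15 and 16, it helps to look at the extension bytes themselves. The Python below is an added example, not Fireware code: it encodes and decodes the DER value of an X.509 extendedKeyUsage extension (a SEQUENCE OF OBJECT IDENTIFIER) and then applies the two picker behaviours the slides describe, the old requirement for OID 1.3.6.1.5.5.8.2.2 and the new Show All Certificates filter. The DER bytes are built inline rather than read from a real certificate, only short-form lengths (under 128 bytes) are handled, and the function names and the convention that a certificate with no EKU extension is represented by None are choices made for the example.

```python
"""Added example, not Fireware code: encode and decode the DER value of an
X.509 extendedKeyUsage extension (SEQUENCE OF OBJECT IDENTIFIER) and apply
the two certificate-picker behaviours the slides describe.  The DER bytes
are built inline rather than read from a real certificate; only short-form
(< 128 byte) lengths are handled."""

ID_CE_EXT_KEY_USAGE = "2.5.29.37"       # OID of the EKU extension itself
IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"  # the EKU Fireware required before v11.11.4
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # id-kp-serverAuth, for contrast


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs packed into one byte, the rest
    base-128 with the high bit set on all but the last byte of each arc."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    if len(body) >= 128:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + bytes(body)


def der_sequence(*items):
    body = b"".join(items)
    if len(body) >= 128:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x30, len(body)]) + body


def decode_oid_body(body):
    """Inverse of encode_oid for the bytes after the tag and length."""
    first = body[0]
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if len(body) > 1 and body[-1] & 0x80:
        raise ValueError("unterminated OID arc")
    return ".".join(str(a) for a in arcs)


def decode_eku(der):
    """Parse ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId into dotted OIDs.
    Rejects anything that is not exactly a well-formed sequence of OIDs."""
    if len(der) < 2 or der[0] != 0x30 or der[1] & 0x80:
        raise ValueError("expected short-form SEQUENCE")
    end = 2 + der[1]
    if end != len(der):
        raise ValueError("length does not match data")
    pos, oids = 2, []
    while pos < end:
        if pos + 2 > end or der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        n = der[pos + 1]
        body = der[pos + 2:pos + 2 + n]
        if n == 0 or len(body) != n:
            raise ValueError("truncated OID")
        oids.append(decode_oid_body(body))
        pos += 2 + n
    return oids


def accepted_before_v11_11_4(eku_oids):
    """Old behaviour: the certificate had to carry the IKE intermediate EKU."""
    return eku_oids is not None and IKE_INTERMEDIATE in eku_oids


def listed_in_picker(eku_oids, show_all):
    """v11.11.4 picker: with Show All Certificates cleared, only certificates
    that carry an EKU extension are listed; with it selected, all are listed.
    eku_oids is None for a certificate that has no EKU extension."""
    return show_all or bool(eku_oids)


if __name__ == "__main__":
    der = der_sequence(encode_oid(IKE_INTERMEDIATE), encode_oid(SERVER_AUTH))
    print(der.hex(), decode_eku(der))
```

The encoded value for 1.3.6.1.5.5.8.2.2 is `06 08 2b 06 01 05 05 08 02 02`, which is what `openssl asn1parse` shows inside a certificate's extensions; with OpenSSL 1.1.1 or later, `openssl x509 -in cert.pem -noout -ext extendedKeyUsage` prints the decoded purposes directly, so you can confirm whether an imported VPN certificate will appear with Show All Certificates cleared.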

17 Non-EKU Certificates — Fireware Web UI

18 Non-EKU Certificates — WSM

19 Reset AP Devices: Reset AP devices to factory-default settings from the Gateway Wireless Controller

20 Reset AP Device from GWC
- All actions for AP devices are available on the Access Points tab, from the new Actions drop-down list
- From the Gateway Wireless Controller, you can now reset an AP device to factory-default settings

21 Remove AP Firmware: Remove all AP device firmware from your Firebox with the Gateway Wireless Controller

22 Remove AP Firmware from Your Firebox
- From the Gateway Wireless Controller, you can now remove all AP firmware from your Firebox

23 Remove AP Firmware from Your Firebox
- To remove the AP device firmware currently stored on your Firebox, click Manage Firmware, then click Remove All Firmware
- To download a specific available firmware version, click Download next to that version

24 WatchGuard Wi-Fi Cloud: Enhancements to support WatchGuard Wi-Fi Cloud

25 Enhancements for WatchGuard Wi-Fi Cloud
- Domain names for WatchGuard Wi-Fi Cloud services are now included by default in the HTTP Proxy Exceptions list
- This prevents communication issues between the cloud services and the HTTP Proxy when AP devices are behind a Firebox

26 Enhancements for WatchGuard Wi-Fi Cloud
- Domain names for WatchGuard Wi-Fi Cloud are now included in the HTTPS Proxy Domain Names list
- This allows access to those domains and bypasses HTTPS content inspection for them
- This also prevents communication issues between the cloud services and the HTTPS Proxy when AP devices are behind a Firebox

27 Enhancements for WatchGuard Wi-Fi Cloud
- A new predefined packet filter policy is available for management of AP devices with WatchGuard Wi-Fi Cloud
- The WG-Cloud-Managed-WiFi packet filter policy template defines the required ports (TCP 443 and UDP 3851) and the destination domains that AP devices need to communicate with the cloud services

28 Localization Enhancement

29 Localization Enhancements
- The v11.11.4 release includes localization of content introduced in the v11.11 release
- Newly localized content appears in:
  - WatchGuard System Manager
  - Fireware Web UI
  - Fireware Help
- Content added after v11.11 might appear in English
- Supported languages:
  - French (FR)
  - Spanish (LA)
  - Japanese

30 Thank You!
