What’s New in Fireware v11.12


1 What’s New in Fireware v11.12

2 What’s New in Fireware v11.12
- Geolocation subscription service
- New BOVPN virtual interface that supports non-GRE IPSec tunnels to Microsoft Azure and Cisco VTI
- Threat Detection and Response subscription service (Beta)
- IPv6 support in proxy policies and subscription services
- Setup wizards enable services and proxies by default
- AP device enhancements

3 What’s New in Fireware v11.12
- DHCP support for Active/Passive FireClusters
- X-forwarded detail in proxy headers shows client IP addresses in log messages
- Use a domain name to specify a URL for external hotspot authentication
- Specify resources that guest wireless users can access without authentication
- Mobile VPN with SSL Enhancements
- ConnectWise integration

4 What’s New in Fireware v11.12
Other enhancements:
- Support for Huawei E3372 modem variant with a different product ID
- Proxy connection statistics
- WebBlocker proxy server support
- APT Blocker file size increase
- BOVPN pre-shared key length increase
- Active Directory Server Settings UI Updates
- FQDN support for Log Server addresses
- Change to auto-blocked sites list functionality

5 Geolocation
Block traffic based on geographic location

6 Geolocation
- Geolocation is a subscription service that enables the Firebox to block connections to or from specified geographic locations
- To enable Geolocation, the Firebox feature key must have the Reputation Enabled Defense (RED) subscription service enabled
- If the Firebox feature key has the RED subscription service enabled, Geolocation is enabled
- Geolocation information is available on the Geolocation dashboard in Fireware Web UI and in log messages
- No countries are blocked by default

7 Geolocation
In Fireware Web UI or Policy Manager, select Subscription Services > Geolocation
Select countries to block:
- Map — Select countries on a map
- Country List — Select countries from a list
- Exceptions — Specify sites to never block

8 Geolocation — Map
On the Map tab, select countries to block
- Lock or unlock the map
- Click a country to block new connections to or from that country

9 Geolocation — Country List
On the Country List tab, select countries to block
- Expand or collapse continents in the list
- Select which countries to block
- Click Select All to select all countries on a continent

10 Geolocation — Exceptions
On the Exceptions tab, specify sites to never block based on geographic location:
- IPv4 host, network, or address range
- IPv6 host, network, or address range
- Fully qualified domain name (FQDN)

11 Geolocation — Update Server
Update Server settings — Control updates to the Geolocation database
Automatic updates are enabled by default

12 Geolocation — Dashboard
The Geolocation Dashboard in Fireware Web UI shows allowed connections by country
This Dashboard page does not show blocked connections

13 Geolocation Dashboard
The Map tab visually represents the source and destination locations of connections allowed through the Firebox
Country color indicates the number of connections:
- Dark green — Highest
- Light green — Lower
- Yellow — Lowest
Filter connections by:
- All Connections
- Source Country
- Destination Country

14 Geolocation Dashboard
The Country List tab shows connection details by country
- Ranked lists show top countries by the number of hits
- Click a country name to see a list of connections

15 Geolocation Dashboard
Look up the country associated with an IP address

16 Geolocation Activity
- Fireware Web UI: Dashboard > Subscription Services
- Firebox System Manager: Subscription Services tab

17 New Virtual Interface for BOVPNs
BOVPN virtual interface support for non-GRE IPSec tunnels to Microsoft Azure and Cisco VTI endpoints

18 New Virtual Interface for BOVPNs
A BOVPN virtual interface now supports IPSec tunnels to third-party endpoints without GRE. Microsoft Azure and Cisco Virtual Tunnel Interface (VTI) gateway endpoints are supported.
In the BOVPN Virtual Interface configuration, there is a new Remote Endpoint Type setting:
- Firebox — Select this option for a connection to another Firebox or another gateway endpoint that supports GRE over IPSec
- Cloud VPN or Third-Party Gateway — Select this option for a connection to a Microsoft Azure or Cisco VTI endpoint. This establishes an IPSec VPN tunnel without GRE

19 New Virtual Interface for BOVPNs
- The new WatchGuard BOVPN virtual interface supports OSPF and BGP
- To configure dynamic routing with BGP to Microsoft Azure, you must use Microsoft PowerShell
- Microsoft Azure does not support OSPF
- Cisco VTI supports OSPF and BGP

20 New Virtual Interface for BOVPNs
To configure a BOVPN virtual interface to a Microsoft Azure VPN gateway using static routing:
- Configure the Azure virtual network
- In your Firebox configuration, set the Remote Endpoint Type to Cloud VPN or Third-Party Gateway
- Add a VPN route to the Azure virtual network
- Configure the BOVPN virtual interface to use IKEv2. Azure requires IKEv2
- From the Networking > Interface page, add a custom DHCP Option

21 New Virtual Interface for BOVPNs

22 New Virtual Interface for BOVPNs

23 New Virtual Interface for BOVPNs
To configure a BOVPN virtual interface to a Microsoft Azure VPN gateway using BGP dynamic routing:
- Configure the Azure virtual network
- In your Firebox configuration, set the Remote Endpoint Type to Cloud VPN or Third-Party Gateway
- Configure the BOVPN virtual interface to use IKEv2. Azure requires IKEv2
- Add a virtual IP address for the Firebox
- Add a virtual IP address for the Azure gateway. Do not use a netmask
- Specify the BGP commands on the Firebox
- Specify the PowerShell commands on your Azure network
- From the Networking > Interface page, add a custom DHCP Option

24 New Virtual Interface for BOVPNs

25 New Virtual Interface for BOVPNs

26 New Virtual Interface for BOVPNs
To configure a BOVPN virtual interface to a Cisco VTI endpoint with static routing:
- Configure the Cisco device
- In your Firebox configuration, set the Remote Endpoint Type to Cloud VPN or Third-Party Gateway
- Configure the BOVPN virtual interface to use either IKEv1 or IKEv2; Cisco supports both options
- Add a route to the Cisco device

27 New Virtual Interface for BOVPNs
To configure a BOVPN virtual interface to a Cisco VTI endpoint with dynamic routing (OSPF or BGP):
- Configure the Cisco device
- In your Firebox configuration, set the Remote Endpoint Type to Cloud VPN or Third-Party Gateway
- Select Assign virtual interface IP addresses and type the required IP addresses
- Enable OSPF or BGP on your Firebox, with the required OSPF or BGP commands

28 Threat Detection and Response
Extend WatchGuard’s network security to monitor and protect the endpoint

29 Threat Detection and Response (TDR)
- Threat Detection and Response (TDR) is a new cloud-based subscription service that analyzes and responds to security events reported by the Firebox and network endpoints
- Public Beta starts November 14th, 2016
- Open to all, including those without Total Security Suite
- Supported on Firebox models and XTMv models only
- Requires Fireware v11.12 or higher
- Threat Detection and Response is part of the Total Security Bundle or available as a separate security subscription
- Threat Detection and Response enables immediate action against new or hidden threats by correlating network and endpoint security events into a scored ranking

30 Threat Detection and Response (TDR)
- Threat Detection and Response collects, analyzes, and correlates threat indicators reported by Fireboxes and hosts
- Fireboxes report denied, blocked, and dropped connections
- Host Sensors use heuristics and behavioral analysis to report changes to files, processes, registry entries, and host configuration settings
- ThreatSync correlates threat intelligence, a cloud-based malware verification service, and the Host Sensor based heuristics and behavior analyses to evaluate and score reported indicators and incidents
- Indicators are events reported by Host Sensors and Fireboxes
- Incidents are groups of related indicators
- Incident threat score is based on the threat score of the indicators

31 Threat Detection and Response (TDR)
- Enable Threat Detection and Response on the Firebox
- Log in to the Threat Detection and Response cloud to manage Host Sensors, threats, remediations, policies, and exclusions.

32 IPv6 support in proxy policies and services

33 IPv6 Support — Proxy Policies
Added support for IPv6 addresses in proxy policies Feature Fireware v11.11.x Fireware v11.12 Packet filter policies (all) Proxy policies: DNS-proxy Explicit-proxy FTP-proxy HTTP-proxy HTTPS-proxy POP3-proxy SMTP-proxy TCP-UDP-proxy Application Layer Gateways SIP-ALG H323-ALG Not supported

34 IPv6 Support — Proxy Policies
You can now specify an IPv6 address as the source or destination in a proxy policy:
- Host IPv6
- Network IPv6
- Host Range IPv6

35 IPv6 Support — Subscription Services
Added IPv6 support in Subscription Services Feature Fireware v11.11.x Fireware v11.12 Application Control Intrusion Prevention Service WebBlocker Gateway AntiVirus APT Blocker spamBlocker Data Loss Prevention Reputation Enabled Defense* * If a client sends an HTTP request directly to an IPv6 IP address (instead of a host name), Reputation Enabled Defense does not send the IPv6 address to the server for classification

36 IPv6 Support — Subscription Services
Many WatchGuard partners have not yet implemented IPv6 in their cloud infrastructure
For these Subscription Services that connect to an external service for scoring, you must configure the external interface with both an IPv4 address and an IPv6 address:
- WebBlocker
- APT Blocker
- spamBlocker

37 Setup Wizards Enable Proxies and Services
Setup wizards enable proxy policies and most licensed subscription services by default

38 Setup Wizards Enable Proxies and Services
The setup wizards now configure policies and enable most Subscription Services to provide better security by default
The setup wizards:
- Configure FTP-proxy, HTTP-proxy, HTTPS-proxy policies
- Configure DNS and Outgoing packet-filter policies
- Enable licensed security services — Application Control, Gateway AntiVirus, WebBlocker, Intrusion Prevention Service, Reputation Enabled Defense, Botnet Detection, Geolocation, APT Blocker
- Recommend WebBlocker categories to block
The new default configuration provides better security with less manual configuration

39 Setup Wizards Enable Proxies and Services
Changes to default policies created by the Web Setup Wizard and Quick Setup Wizard in Fireware OS v11.12: No FTP packet filter policy New FTP-proxy, HTTP-proxy, HTTPS proxy and DNS policies Default Policies in Fireware v11.11.x and lower Default Policies in Fireware v11.12 FTP FTP-proxy HTTP-proxy HTTPS-proxy WatchGuard Web UI Ping Ping DNS WatchGuard Outgoing

40 Setup Wizards Enable Proxies and Services
In the Web Setup Wizard, the Subscription Services step shows your Subscription Services, which will be enabled in your Firebox configuration when the wizard completes

41 Setup Wizards Enable Proxies and Services
In the Web Setup Wizard, the WebBlocker Settings step recommends the WebBlocker categories to block

42 Setup Wizards Enable Proxies and Services
The Summary page shows which Subscription Services are enabled
If the Firebox has a static external IP address and you do not configure a DNS server, Botnet Detection is enabled, but Reputation Enabled Defense is not enabled

43 Setup Wizards Enable Proxies and Services
The WatchGuard Quick Setup Wizard also has two new steps:
- The Subscription Services step appears only if you add a feature key that includes licensed Subscription Services
- The WebBlocker Settings step appears only if you add a feature key that includes a WebBlocker license

44 Setup Wizards Enable Proxies and Services
Both setup wizards configure the same default policies
The setup wizards always create these policies. If Subscription Services are not licensed, the policies are created without the services enabled.

45 Setup Wizards Enable Proxies and Services
WebBlocker default configuration:
- Enabled in the HTTP-proxy and HTTPS-proxy policies
- Default-WebBlocker action blocks the categories you selected

46 Setup Wizards Enable Proxies and Services
If the Firebox cannot connect to the WebBlocker Server, the Default-WebBlocker action:
- Allows the connection
- Sends an alarm
- Creates a log message
If the WebBlocker license expires, the Default-WebBlocker action allows access to all sites

47 Setup Wizards Enable Proxies and Services
Gateway AntiVirus is enabled in the FTP-proxy and HTTP-proxy policies In the HTTP-proxy action: HTTP-Request > URL Paths AV Scan all content

48 Setup Wizards Enable Proxies and Services
In the HTTP-proxy action: HTTP Response > Content Types AV Scan all content

49 Setup Wizards Enable Proxies and Services
HTTP Response > Body Content Types Deny executable and compressed archive file types AV Scan other body content types

50 Setup Wizards Enable Proxies and Services
AntiVirus Drop connection if a virus is detected Allow the connection if a scan error occurs

51 Setup Wizards Enable Proxies and Services
Gateway-AV in the FTP-proxy Download and Upload AV Scan all files

52 Setup Wizards Enable Proxies and Services
AntiVirus in HTTP and FTP proxy actions Drop connection if a virus is detected Allow the connection if a scan error occurs

53 Setup Wizards Enable Proxies and Services
Intrusion Prevention Service is enabled in all policies, except the WatchGuard and WatchGuard Web UI policies
IPS settings:
- Fast Scan
- Threat level actions:
  - Critical, High — Drop, Alarm, Log
  - Medium — Drop, Log
  - Low — Allow, Log
  - Information — Allow

54 Setup Wizards Enable Proxies and Services
Application Control is enabled in all policies, except the WatchGuard and WatchGuard Web UI policies
The Global action blocks:
- Application — Crypto Admin
- Application Category — Bypass Proxies and Tunnels

55 Setup Wizards Enable Proxies and Services
APT Blocker is enabled in the HTTP-proxy and FTP-proxy
Threat actions:
- High — Block, Alarm, Log
- Medium — Drop, Alarm, Log
- Low — Drop, Alarm, Log
- Clean — Allow

56 Setup Wizards Enable Proxies and Services
Reputation Enabled Defense is enabled in the HTTP-proxy
- Immediately blocks URLs that have a bad reputation
- Alarm and Log are enabled
- Does not bypass virus scanning for URLs with a good reputation

57 Setup Wizards Enable Proxies and Services
Botnet Detection is also enabled if the Firebox feature key has Reputation Enabled Defense (RED) enabled

58 Setup Wizards Enable Proxies and Services
Geolocation is also enabled if the Firebox feature key has Reputation Enabled Defense (RED) enabled

59 Setup Wizards Enable Proxies and Services
New proxy actions are used by the default proxy policies:
- Default-FTP-Client
  - Based on FTP-Client.Standard
  - Gateway AntiVirus is enabled
- Default-HTTP-Client
  - Based on HTTP-Client.Standard
  - WebBlocker, Gateway AntiVirus, RED, and APT blocker are enabled
- Default-HTTPS-Client
  - Based on HTTPS-Client.Standard
  - WebBlocker is enabled
  - Content Inspection is not enabled
These proxy actions are editable.

60 Setup Wizards Enable Proxies and Services
The setup wizards enable logging for reports
- For the Ping, DNS, and Outgoing policies, logging is enabled at the policy level
  - Send a log message is enabled
  - Send a log message for reports is enabled
- For the FTP-proxy, HTTP-proxy, and HTTPS-proxy policies, logging is enabled in the associated proxy action
  - Enable logging for reports is enabled in the Default-FTP-Client, Default-HTTP-Client, and Default-HTTPS-Client proxy actions

61 Setup Wizards Enable Proxies and Services
The setup wizards enable logging of performance statistics:
- External interface and VPN bandwidth statistics
- Security Services Statistics
These log messages enable richer Dimension reporting

62 AP Device Enhancements

63 AP Device Enhancements
New and enhanced features for AP devices include:
- AP device wireless automatic channel allocation
- AP device wireless deployment over-the-air
- Remote AP device deployment with Mobile VPN with SSL

64 Wireless Automatic Channel Allocation
- The channels used by AP devices can be automatically selected and allocated for optimal wireless channel selection across your deployment
- Channels are scanned and selected during the Wireless Scan Interval configured in the Gateway Wireless Controller Settings (default is every hour)
- Works with all AP device models
- Preferred Channel for an AP must be set to Auto to use new auto channel selection

65 Preferred Channel Settings
For manual channel selection, the Preferred Channel list now displays all channels. Click View Available Channels to see channels available to you based on your region and wireless configuration
Note: Extension channel configuration is removed (set to lower channel only)

66 AP Device Wireless Deployment
- Deploy AP300 devices over-the-air without physical cables
- When the network cable is disconnected, the AP device switches to client mode and associates to the nearest wired AP300 device
- A client mode AP device deployed wirelessly broadcasts any configured SSIDs on the 2.4GHz radio only
- The 5GHz radio is only used for the extender link and any configured SSIDs on the 5GHz radio are not broadcast by the AP wirelessly deployed in client mode

67 AP Device Wireless Deployment
- Supported for AP300 devices only
- AP devices must be initially deployed (paired or auto-deployed) with a cable before the AP device can be deployed over-the-air
- A wired AP device must be in range for the AP device to be able to connect in client mode and deploy over-the-air
- Wireless deployment uses the 5GHz band radio for the extender link for AP client mode connections. Must have less than the maximum 8 SSIDs configured on the 5GHz radio to work
- If you reconnect a network cable, the client mode AP device reverts to normal operation and disconnects from the wired host AP device

68 AP Device Wireless Deployment
To enable, select Network > Gateway Wireless Controller > Settings, then select Enable deployment over wireless

69 Remote AP Device Deployment
You can now deploy your AP devices in remote locations with Mobile VPN with SSL
Available for only these AP device models:
- AP100
- AP102
- AP200
- AP300

70 Remote AP Device Deployment
- Remote AP device deployment uses Mobile VPN with SSL on the Firebox
- You must create a user account and VPN profile on the Firebox for a remotely-deployed AP device
- Allows access through the VPN tunnel for Gateway Wireless Controller management traffic to manage the remote AP device
- Telecommuter mode can be enabled for each SSID
- Traffic for the SSID enabled for telecommuter mode is bridged over the VPN to the Firebox

71 Remote AP Device Deployment
To configure your Firebox for remote AP device deployment:
- In your Firebox configuration, enable Mobile VPN with SSL
- To use Telecommuter mode, the VPN must be configured for Bridge VPN traffic instead of Routed VPN traffic

72 Remote AP Device Deployment
- Create a user account to use for the AP devices (these can be separate for each AP device or a shared account)
- Make sure the account belongs to the SSLVPN-Users authentication group

73 Remote AP Device Deployment
Download the Mobile VPN with SSL client profile from address>

74 Remote AP Device Deployment
- Connect to the AP device web UI
- Select Enable VPN
- Click Browse to select the Mobile VPN profile you downloaded
- Type the VPN username and password

75 Remote AP Device Deployment
For telecommuter mode, enable the feature in the Gateway Wireless Controller SSID configuration

76 DHCP Support for FireCluster
Enable an Active/Passive FireCluster that supports external addresses configured for DHCP

77 DHCP Support for FireCluster
If your external interface uses DHCP, you can now enable an Active/Passive FireCluster
Active/Active FireCluster is not supported when the external interface uses DHCP
From Networking/Interface page add a custom DHCP Option

78 DHCP Support for FireCluster
FireCluster Setup Wizard

79 DHCP Support for FireCluster
FireCluster Manual Configuration

80 Mobile VPN with SSL Enhancements
Updates to Mobile VPN with SSL authentication policies and the Authentication Portal

81 Mobile VPN with SSL Enhancements
In Fireware OS v and lower, a WatchGuard Authentication policy was automatically added to your configuration file when you enabled Mobile VPN with SSL
This policy allowed traffic over port 4100 and included the alias Any-External in the policy From list
In Fireware OS v11.12, when you enable Mobile VPN with SSL, a WatchGuard Authentication policy that allows traffic over port 4100 is no longer created

82 Mobile VPN with SSL Enhancements
After you upgrade your Firebox to Fireware OS v11.12, if your configuration file includes a WatchGuard Authentication policy, the alias Any-External is automatically removed
If you upgrade with Policy Manager, you must manually reload the configuration from the Firebox after the upgrade completes to avoid adding the alias back with a subsequent configuration save (since Policy Manager is an offline configuration tool)
IMPORTANT: The alias Any-External is automatically removed from the WatchGuard Authentication policy even if you manually added the alias, and regardless of whether Mobile VPN with SSL is enabled

83 Mobile VPN with SSL Enhancements
The Mobile VPN with SSL authentication and software download pages are no longer accessible at port 4100
Use these port 443 URLs, or specify a custom port
- Port 443
- Custom port

84 Mobile VPN with SSL Enhancements
In Fireware OS v and lower, when you enable Mobile VPN with SSL, all user authentication methods appear in the Authentication Portal Domain drop-down list at
In Fireware OS v11.12, when Mobile VPN with SSL is enabled on your Firebox, and you connect to the Authentication Portal at you only see the authentication servers that you have configured on your Firebox for Mobile VPN with SSL

85 Mobile VPN with SSL Enhancements
For example, if the only authentication server specified in your Mobile VPN with SSL settings is Firebox-DB, the Domain drop-down list does not appear in the Authentication Portal

86 See X-Forwarded Details in Proxy Headers
X-forwarded information from the proxy header includes the IP addresses of clients behind a proxy policy

87 See X-Forwarded Details in Proxy Headers
Log messages and Dimension reports can now show the IP addresses of clients behind proxy policies
The Firebox sends the IP address of the proxy server (for example, Squid, WebMarshal, and XCS) and the client IP address in the X-forwarded information from the header, which can now be found in the log messages in the ori_src detail

88 See X-Forwarded Details in Proxy Headers

89 See X-Forwarded Details in Proxy Headers
Example log message shows the ori_src detail:

<ProxyMatch d=" T10:54:35" orig="gary_xtmv" cname="" proc_id="http-proxy" pri="6" rc="594" seq="276" disp="Deny" msg_id="1AFF-0028" src_intf="1-Trusted" dst_intf="0-External" policy="HTTP-proxy-00" src_ip=" " dst_ip=" " src_port="41208" dst_port="80" pr="http/tcp" msg="ProxyDrop: HTTP Virus found" proxy_act="HTTP-Client.Standard.1" ori_src=" " virus="Object tmp/scan_03.UTvg4d detected as PUP (Potentially Unwanted Program)" host=" " path="/ss/0db44a8f3bffa e15e1076efcc7b6d77f5bc436ffe6bf6f65cfb5e2 0a9" log_type="tr"/>

<ProxyHTTPReq d=" T10:54:35" orig="gary_xtmv" cname="" proc_id="http-proxy" pri="6" rc="525" seq="277" disp="Allow" msg_id="1AFF-0024" src_intf="1-Trusted" dst_intf="0-External" policy="HTTP-proxy-00" src_ip=" " dst_ip=" " src_port="41208" dst_port="80" pr="http/tcp" msg="HTTP request" proxy_act="HTTP-Client.Standard.1" ori_src=" " op="GET" dstname=" " arg="/ss/0db44a8f3bffa e15e1076efcc7b6d77f5bc436ffe6bf6f65cfb5e20 a9" sent_bytes="233" rcvd_bytes=" " elapsed_time=" sec(s)" reputation="-1" reason="262184" action="drop" log_type="tr"/>

90 See X-Forwarded Details in Proxy Headers
When you review log messages and reports, instead of the IP address of the proxy server, you now see the real IP address of the client where the traffic originated
Available in reports only with Dimension v2.1.1 and higher
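
An added example (not part of the original presentation and not WatchGuard code) of using the ori_src detail when triaging proxy log messages: it attributes each event to the forwarded client address only when src_ip is a proxy you trust, because X-forwarded header values are supplied by whoever sent the request. The log lines are constructed samples that reuse the attribute names shown above; the trusted proxy list and the assumption that ori_src holds a single IP address are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Assumption: the upstream proxies whose forwarded header we accept.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.5/32")]

# Constructed sample records (documentation and private addresses only).
SAMPLE_LOG = """\
<ProxyMatch d="2016-01-01T10:54:35" proc_id="http-proxy" disp="Deny" msg_id="1AFF-0028" policy="HTTP-proxy-00" src_ip="10.0.1.5" dst_ip="203.0.113.80" msg="ProxyDrop: HTTP Virus found" ori_src="10.0.20.31" log_type="tr"/>
<ProxyHTTPReq d="2016-01-01T10:54:35" proc_id="http-proxy" disp="Allow" msg_id="1AFF-0024" policy="HTTP-proxy-00" src_ip="10.0.1.5" dst_ip="203.0.113.80" msg="HTTP request" ori_src="10.0.20.31" log_type="tr"/>
<ProxyMatch d="2016-01-01T10:55:02" proc_id="http-proxy" disp="Deny" msg_id="1AFF-0028" policy="HTTP-proxy-00" src_ip="10.0.1.5" dst_ip="203.0.113.80" msg="ProxyDrop: HTTP Virus found" ori_src="10.0.20.31" log_type="tr"/>
<ProxyMatch d="2016-01-01T10:56:10" proc_id="http-proxy" disp="Deny" msg_id="1AFF-0028" policy="HTTP-proxy-00" src_ip="10.0.1.5" dst_ip="203.0.113.81" msg="ProxyDrop: HTTP Virus found" ori_src="10.0.20.44" log_type="tr"/>
<ProxyMatch d="2016-01-01T10:57:40" proc_id="http-proxy" disp="Deny" msg_id="1AFF-0028" policy="HTTP-proxy-00" src_ip="10.0.30.9" dst_ip="203.0.113.81" msg="ProxyDrop: HTTP Virus found" ori_src="192.0.2.66" log_type="tr"/>
<ProxyMatch d="2016-01-01T10:58:12" proc_id="http-proxy" disp="Deny" msg_id="1AFF-0028" policy="HTTP-proxy-00" src_ip="10.0.1.5" dst_ip="203.0.113.82" msg="ProxyDrop: HTTP Virus found" ori_src="unknown" log_type="tr"/>
<ProxyHTTPReq d="2016-01-01T10:59:00" proc_id="http-proxy" disp="Allow" msg_id="1AFF-0024" policy="HTTP-proxy-00" src_ip="10.0.30.9" dst_ip="203.0.113.82" msg="HTTP request" log_type="tr"/>
"""


def parse_records(text):
    """Return one attribute dict per log element, tagged with its element name."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        elem = ET.fromstring(line)
        rec = dict(elem.attrib)
        rec["type"] = elem.tag
        records.append(rec)
    return records


def _parse_ip(value):
    """Parse an IPv4 or IPv6 address, returning None if it is not valid."""
    try:
        return ipaddress.ip_address((value or "").strip())
    except ValueError:
        return None


def effective_client(rec, trusted=TRUSTED_PROXIES):
    """Pick the address to attribute the event to, plus the reason for the choice."""
    src_text = rec.get("src_ip", "").strip()
    src = _parse_ip(src_text)
    raw = rec.get("ori_src", "").strip()
    if not raw:
        return src_text, "direct"
    fwd = _parse_ip(raw)
    if fwd is None:
        return src_text, "malformed ori_src"
    if src is None or not any(src in net for net in trusted):
        # The header came from a host that is not one of our proxies.
        return src_text, "ori_src from untrusted sender"
    return str(fwd), "forwarded"


def deny_counts(records, trusted=TRUSTED_PROXIES):
    """Count denied events per effective client address."""
    counts = Counter()
    for rec in records:
        if rec.get("disp") == "Deny":
            counts[effective_client(rec, trusted)[0]] += 1
    return counts


def questionable(records, trusted=TRUSTED_PROXIES):
    """List records whose ori_src should be reviewed rather than believed."""
    out = []
    for rec in records:
        _, note = effective_client(rec, trusted)
        if note not in ("direct", "forwarded"):
            out.append((rec.get("src_ip"), rec.get("ori_src"), note))
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for client, hits in deny_counts(recs).most_common():
        print(client, hits)
    for item in questionable(recs):
        print("review:", item)
```

Grouped by src_ip alone, four of the five denied events in the sample would be charged to the proxy at 10.0.1.5; with ori_src, three of them resolve to the two clients behind it.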

91 External Hotspot Authentication URL
Use a domain name to specify an authentication server

92 External Hotspot Authentication URL
When you set up external guest authentication for a wireless hotspot, you must specify the URL of an authentication server
In Fireware v11.12, you can now specify a domain name for the authentication server URL

93 External Hotspot Authentication URL

94 Wireless Authentication Exceptions
Allow wireless guests to access select network resources without authenticating

95 Wireless Authentication Exceptions
The hotspot configuration now includes an Authentication Exception list, where you can specify the resources that guest wireless users can use without authentication
The Authentication Exception list can include:
- FQDN addresses
- IPv4 hosts
- IPv4 networks
- IPv4 ranges

96 Wireless Authentication Exceptions
On the Hotspot Authentication tab:

97 Wireless Authentication Exceptions
On the Hotspot External Guest Authentication tab:

98 ConnectWise Integration
Integrate your Firebox with ConnectWise

99 ConnectWise Integration
You can integrate your Firebox directly with ConnectWise, the leading professional service automation tool
Enables service providers to automatically synchronize customer asset information for more efficient device management and monitoring
- Auto Synchronization of Asset Information — Automatically synchronizes Firebox information and security service subscription statuses, including subscription start and end dates, Firebox serial numbers, and OS versions
- Closed-Loop Ticketing of System, Security, and Subscription Events — Configure event thresholds on a wide range of parameters, including subscription services, device statistics, and subscription statuses that automatically trigger the creation and closure of tickets

100 ConnectWise Integration
To enable your Firebox to communicate with ConnectWise, you must have a private and public API key generated by your ConnectWise user account

101 ConnectWise Integration
On the Firebox:
- Fireware Web UI — System > Technology Integrations
- Policy Manager — Setup > Technology Integrations
ConnectWise integration settings are also available in Device Configuration Templates for your Fireboxes under Centralized Management

102 ConnectWise Integration
To see your Firebox in ConnectWise:
- Select Companies > Configurations
- From the configuration list, select a Firebox

103 ConnectWise Integration
Firebox details, such as the serial number, model number, and expiration date are automatically synchronized when you activate ConnectWise integration on your Firebox

104 ConnectWise Integration
For each Firebox, you can set Configuration Questions
These are thresholds of system events that enable you to customize the events that generate tickets

105 ConnectWise Integration
- Tickets are automatically opened and closed based on your thresholds
- Eliminates ticket flooding and false alarms while automatically closing tickets when issues are resolved
- If the event reoccurs, the same ticket is opened up so that you can track repeated occurrences of the same event

106 ConnectWise Integration

107 Other Enhancements

108 Huawei Modem Support
Added support for Huawei E3372 modem variant with a different product ID

Modem Name | Vendor ID | Product ID | Fireware OS Requirement
Huawei E3372 | 0x12d1 | 0x1506 | v or higher
Huawei E3372 | 0x12d1 | 0x14dc | v11.12 or higher

109 Proxy Connection Statistics
Proxy connection statistics are now available in the Firebox System Manager Status Report

110 WebBlocker Proxy Server Support
- You can now configure WebBlocker to use a proxy server to connect to the Websense cloud for lookups
- On the WebBlocker configuration page, click Settings
- The Server address must be an IPv4 address or host name
- If you select Basic or NTLM for authentication, you must specify the User name, User domain, and Password

111 APT Blocker File Size Increase
The maximum file size that APT Blocker can submit to the Lastline data center for analysis increased from 8MB to 10MB
This file size limit is the same for all Firebox models and is not configurable

112 BOVPN Shared Key Length Increase
The BOVPN pre-shared key length increased to 79 characters
This applies to traditional BOVPN gateways, BOVPN virtual interfaces, and Mobile VPN with L2TP over IPSec

113 Active Directory Server Settings UI Updates
The Dead Time text box now appears below the Timeout text box, because these values are related
The Login Attribute text box appears above the DN of Searching User and Password of Searching User text boxes
If you select the sAMAccountName attribute, these text boxes are not available, because they are not required:
- DN of Searching User
- Password of Searching User

114 FQDN Support for Log Server Addresses
You can now use fully qualified domain names when you specify a WatchGuard Log Server
DNS must be enabled to use FQDN addresses

115 Auto-Blocked Sites List Functionality
The deny functionality for auto-blocked sites changed
In Fireware v11.12, the Firebox:
- denies connections from auto-blocked sites
- does not deny connections to auto-blocked sites
In prior versions of Fireware, the Firebox denied connections both to and from auto-blocked sites
The deny functionality for permanently blocked sites did not change
The Firebox denies connections both to and from permanently blocked sites

116 Thank You!
