1. What’s New in Fireware v11.10
WatchGuard Training
©2015 WatchGuard Technologies, Inc.

2. What’s New in v11.10 New Feature Monitoring Enhancements
Bandwidth and time user quotas
Monitoring Enhancements
Review and reset user quota data
VPN diagnostic messages and report enhancements
Gateway Wireless Controller shows and filters on rogue AP devices, and shows client signal strength
Full Screen mode in FireWatch in Fireware XTM Web UI
Subscription Services Enhancement
Setup wizards for services now available in the Web UI
VPN Enhancements
Mobile VPN with SSL v10.11 clients for Windows and Mac OS X
Certificate Management Enhancements
Manage certificates from the Web UI
Automatic CA certificate updates
WatchGuard Training

3. What’s New in v11.10 Wireless Access Point Enhancements
Wireless traffic shaping
Time-based SSID Activation
Scheduled restarts of AP devices
Multiple AP device selection for AP actions
Enable rogue access point detection
SSO Enhancements
Exchange Monitor (EM) Exchange Server 2013 support
Clientless SSO for RDP logins
Traffic through BOVPN tunnels can use SSO
Support for switching between multiple users of the SSO Client
RapidDeploy Enhancements
Improvements for CSV files on a USB drive
System Enhancements
NTP server
WatchGuard Training

4. What’s New in v11.10 Networking Enhancements
Improved routing tables
Multiple servers for DHCP relay
DHCPv6 prefix delegation
ARP limit updates
XTM Configuration Report updates
Logging & Reporting Enhancements
Simultaneously send log messages to two Log Servers
Expanded information included in Device Feedback
Management Tunnel Enhancement
Managed devices use the first distribution IP address for the Management Server
What Else is New?
The first iteration of a comprehensive Help system for Fireware with integrated instructions for all Fireware management UIs.
WatchGuard Training

5. New Feature — Quotas
WatchGuard Training

6. Bandwidth and Time Quotas
You can enable bandwidth and time usage quotas for users on your network for access to external sites.
Apply a daily limit to user Internet usage to enforce corporate acceptable use policies.
When users exceed the quota limit, a notification message appears in their web browsers and further access attempts are denied.
WatchGuard Training

7. Bandwidth and Time Quotas
You can set these types of quotas:
Bandwidth — The bandwidth quota is set in MB per day, and is enforced for all TCP and UDP traffic in both directions.
Time — The time quota is set in minutes per day.
Both bandwidth and time quotas can be enabled at the same time, and the limit that is reached first is enforced.
WatchGuard Training

8. Bandwidth and Time Quotas
Quota limits are applied to users and groups based on authentication to the Firebox.
For a quota to take effect, a user must be authenticated and match a configured policy defined with Firebox users and groups.
WatchGuard Training

9. Bandwidth and Time Quotas
To enable bandwidth and time quotas, you must:
Enable quotas and create quota rules
Apply a quota action to a rule
Enable the quota rule in a policy
WatchGuard Training

10. Bandwidth and Time Quotas
Enable time and bandwidth quotas
Add a quota rule that defines applicable users and groups, and the quota action to apply.
WatchGuard Training

11. Bandwidth and Time Quotas
A quota action defines the bandwidth and time restrictions to apply to a quota rule.
WatchGuard Training

12. Bandwidth and Time Quotas
To enforce a quota, a quota rule must be enabled for a specific policy.
The policy must be defined with users or groups to be able to apply a quota rule.
WatchGuard Training

13. Bandwidth and Time Quotas
You can create exceptions to quotas so that any traffic to a specific destination address is not counted towards the usage quota.
Create exemptions for your company's own domains, or software and antivirus signature update sites.
WatchGuard Training

14. Bandwidth and Time Quotas
Options to reset user quota data include:
Quota daily limits are automatically reset the next day (starting at 00:00)
Configuration changes automatically reset quotas for users and groups that use the updated quota action
Reboot the Firebox
Manually reset quota data for specific users from the Web UI and FSM
WatchGuard Training

15. Monitoring Enhancements
WatchGuard Training

16. Review & Reset Bandwidth and Time Quotas
Monitor user quota usage data in Fireware XTM Web UI and Firebox System Manager.
Fireware XTM Web UI — System Status > Quotas page
Firebox System Manager — Quotas tab
Quota data includes these details for each connected user:
Quotas Page (Web UI)
User Quotas Tab (FSM)
Description
User
The user name of the connected user.
Auth Domain
N/A
The authentication domain through which the user is authenticated.
Quota Action
The quota action defined on your Firebox that applies to the user.
Used/Configured Bandwidth (per day)
Bandwidth Usage (per day)
The amount of bandwidth the user has already used and is allowed to use (used/allowed), for each day.
Used/Configured Time (per day)
Time Usage (per day)
The amount of time the user has already used and is allowed to use (used/allowed), for each day.
WatchGuard Training

17. Review & Reset Bandwidth and Time Quotas
Manually reset user quota data for specific users:
Select one or more users.
Click Reset Quota.
WatchGuard Training

18. Gateway Wireless Controller — See Rogue Access Points
Use the Gateway Wireless Controller Wireless Deployment Maps to scan for foreign wireless access points
See a list of rogue access points on the Foreign BSSIDs page
A rogue access point is any wireless access point within range of your network that is not recognized as an authorized access point.
Rogue access point can be installed by a malicious user, but could also be a device installed by someone inside your organization without consent.
WatchGuard Training

19. Gateway Wireless Controller — Client Signal Strength
The Gateway Wireless Controller in Fireware XTM Web UI and Firebox System Manager now includes an indicator to show the wireless client signal strength.
WatchGuard Training

20. Enhanced VPN Diagnostic Tools
VPN diagnostic messages
New VPN messages now indicate why a branch office VPN gateway or tunnel failed, and can include information about what action to take to resolve the error.
VPN diagnostic messages appear in three places in the UI:
Firebox System Manager — Front Panel tab
WatchGuard System Manager — Device Status tab
Fireware XTM Web UI — System Status > VPN Statistics page
Enhanced VPN Diagnostic Report
Performs more checks to identify many of the most common VPN issues
Provides more actionable information
WatchGuard Training

21. VPN Diagnostic Messages
VPN diagnostic messages appear below the gateway in the Web UI and FSM.
Messages can be for a specific tunnel or gateway endpoint.
Errors
Error status — Web UI
Red text — FSM and WSM.
Warnings
Warning status — Web UI.
Orange text — FSM and WSM.
WatchGuard Training

22. VPN Diagnostic Report Enhancements
Improved VPN Diagnostic Report
The VPN Diagnostic Report now does more extensive diagnostics checks, and provides more information.
The report includes three new sections:
[Conclusion] — This section at the top summarizes what was observed, lists any detected errors, and includes suggestions of next steps to troubleshoot the VPN.
[Address Pairs in Firewalld] — This section shows the address pairs and the traffic direction (IN, OUT, or BOTH).
[Policy checker result] — This section shows policy checker results for policies that manage traffic for each tunnel route.
The VPN Diagnostic Report is now available in the Fireware XTM Web UI on the System Status > VPN Statistics page, as well as on the System Status > Diagnostics page.
WatchGuard Training

23. Branch Office VPN Troubleshooting Tips
For any branch office VPN, you can run reports and monitor error messages on both endpoint devices—the initiator and the responder.
The initiator is the endpoint that starts the tunnel negotiation
The responder receives the proposal and accepts or rejects the proposed tunnel settings from the initiator
For troubleshooting VPN negotiation, run the VPN Diagnostic Report or look at the VPN diagnostic messages on the responder.
The responder has more information about settings that do not match.
On the responder, VPN diagnostic errors include more detailed information about what setting the initiator proposed, and what setting was expected.
The initiator does not know what settings were expected.
WatchGuard Training

24. VPN Troubleshooting in Firebox System Manager
Example — VPN diagnostic message for a mismatched Phase 2 proposal
VPN diagnostic message on the initiator:
“Received ‘No Proposal Chosen’ message. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.”
The VPN diagnostic message on the responder is more informative:
“Received ESP encryption 3DES, expecting AES”
The same messages appear in the VPN Diagnostic Report.
To run the report, right-click the gateway and select VPN Diagnostic Report.
Initiator
Responder
WatchGuard Training

25. VPN Diagnostic Messages in the Web UI
VPN diagnostic messages appear in the System Status > VPN Statistics page.
WatchGuard Training

26. VPN Diagnostic Report in the Web UI
To run the VPN Diagnostic Report from the System Status > VPN Statistics page:
On the Branch Office VPN tab, click Debug for a Gateway.
Or, select the Debug tab, select the gateway, and click Start Report.
WatchGuard Training

27. Routes Table Updates
In Fireware XTM Web UI, the Routes table in System Status > Routes includes these updates:
Filter routes by:
IP address type (IPv4, IPv6, or both — IPv6 is new)
Route Type (Connected, Static, Dynamic, VPN)
Interface (Select the interface)
Destination (Type a valid IPv4 network address)
The Routes table shows the first 100 routes that match the filter criteria.
WatchGuard Training

28. Routes Table Updates
The Firebox System Manager Status Report tab now includes two route tables.
IPv4 Routes — Shows the first 100 IPv4 routes (all routes, including static, dynamic, and VPN routes).
IPv6 Routes — Shows the first 100 IPv6 routes (all routes, including static, dynamic, and VPN routes).
Route table includes the same information as the output of the CLI “show ip route” and “show v6 ip route” commands.
These two route tables replace the four route tables that previously appeared in the Status Report (main, ethx.out, any.out, and zebra).
WatchGuard Training

29. FireWatch Enhancements
FireWatch can now be viewed in Full Screen mode in Fireware XTM Web UI
Full Screen mode options include:
Select to include one or more groups in the display
Specify the information refresh rate
The settings controls are hidden after a period of time
Select all standard filters
See information in bytes for all groups except WebBlocker, which appears in number of connections
WatchGuard Training

30. FireWatch Enhancements
Select group, data, and refresh options in Full Screen Mode
WatchGuard Training

31. FireWatch Enhancements
Select which group information appears:
Source
Destination
Applications
Policies
Interface (In)
Interface (Out)
Select the type of data that appears:
Rate
Bytes
Connection
Duration
WatchGuard Training

32. Subscription Services Enhancements
WatchGuard Training

33. Subscription Services Setup Wizards
New Web UI activation wizards that guide you through the steps to enable these Subscription Services and create a basic configuration:
spamBlocker
WebBlocker
Gateway AntiVirus
Intrusion Prevention
WatchGuard Training

34. Signature Update Warnings
New warnings displayed for services when automatic signature updates are disabled.
IPS
Gateway AntiVirus
Application Control
DLP
WatchGuard Training

35. VPN Enhancements
WatchGuard Training

36. Updates to Mobile VPN with SSL Clients
Updated WatchGuard Mobile VPN with SSL clients for Windows and Mac OS X
Both clients now use OpenVPN 2.3.6
Both clients now support more than 24 routes
The Windows client now includes the TAP driver for Windows 8.1
WatchGuard Training

37. Certificate Management Enhancements
WatchGuard Training

38. Manage Certificates from the Web UI
You can now perform all the same certificate management tasks from the Web UI that are available in Firebox System Manager.
Delete, Install, and export certificates
View certificate details
Import CRLs
Create CSRs (certificate signing requests)
WatchGuard Training

39. Automatic CA Certificate Updates
Automatically get new versions of the trusted CA certificates stored on the device and automatically install the new certificates.
Ensures all trusted CA certificates on your device are the latest version.
Expired certificates are updated, and new trusted CA certificates are added to your device.
Updated certificates are downloaded from a secure WatchGuard server.
WatchGuard Training

40. Wireless Access Point Enhancements
WatchGuard Training

41. Wireless AP Enhancements
Wireless traffic shaping
Time-based SSID Activation
Scheduled restarts of AP devices
Multiple AP device selection for AP actions
Enable rogue access point detection
WatchGuard Training

42. Wireless Traffic Shaping
Configure traffic rate shaping for each wireless SSID.
Traffic shaping is for wireless download traffic only.
Base rate — The base throughput rate for the SSID. Not allowed to exceed this limit except for burst activity.
Ceiling rate — The hard limit throughput rate for the SSID. This limit includes burst activity.
Burst — The maximum number of kilobytes allowed beyond the base rate.
WatchGuard Training

43. Time-based SSID Activation
Enable SSIDs for specific time periods.
Limits access to the SSID based on the start and end times you configure.
WatchGuard Training

44. Scheduled Restarts of AP Devices
Restart wireless services or reboot all of your AP devices at scheduled times on a daily or weekly basis.
Refreshes the AP device and makes sure the device configuration and all access control lists are up to date.
Automatically updates wireless channel selection.
AP devices are restarted in 90 second intervals to make sure they are not all restarted at the same time.
WatchGuard Training

45. Multiple AP Device Selection for AP Actions
You can select multiple AP devices to complete reboot, upgrade, and restart wireless actions.
WatchGuard Training

46. Enable Rogue Access Point Detection
Enable rogue access point detection for each SSID.
Add known device MAC addresses to the exceptions list so they are not considered a rogue access point.
WatchGuard Training

47. SSO Enhancements
WatchGuard Training

48. Single Sign-On Enhancements
Single Sign-On Enhancements include:
Support for Microsoft Exchange Server 2013 for the SSO Exchange Monitor
.NET Framework v3.5 required on Exchange Server 2013 server
Clientless SSO for RDP logins
Event Log Monitor now recognizes both logon and logoff events for RDP connections and reports this information to the SSO Agent, which sends the events to the Firebox.
The Firebox opens and closes user sessions based on the logon and logoff event reports from the Event Log Monitor.
Traffic through BOVPN tunnels can now use Single Sign-On
Support for switching between multiple users of the SSO Client on Windows 2008, 7, and Vista
WatchGuard Training

49. Single Sign-On Enhancements
New Enable SSO through BOVPN tunnels option allows users of BOVPN tunnels to use SSO for network connections
WatchGuard Training

50. RapidDeploy Enhancements
WatchGuard Training

51. RapidDeploy CSV File — Change External Interface
You can now use a CSV file to change the external interface number.
A device that starts with factory-default settings can automatically configure the external interface from settings in a CSV file on a connected USB drive.
Previously, the only valid interface you could specify in the CSV file was 0.
A device that uses Fireware v11.10 now supports interface numbers other than 0.
The format of the CSV file did not change.
This is most often used for RapidDeploy.
Example line in a CSV file to configure interface 2 as the external interface:
70XX00777X777,2,ext,Static, /24, ,
WatchGuard Training

52. System Enhancements
WatchGuard Training

53. NTP Server
After you enable a Firebox to use NTP, you can enable the device as an NTP server.
When you enable the device as an NTP server, the NTP Server policy is automatically created.
The NTP Server policy allows connections to the NTP server from clients on the trusted and optional networks.
Configure NTP clients to get the date and time from the interface IP address or domain name of the Firebox.
WatchGuard Training

54. Networking Enhancements
WatchGuard Training

55. Multiple Servers for DHCP Relay
In the DHCP Relay settings, you can now add the IP addresses of up to three DHCP servers.
Previously you could configure only one IP address for DHCP Relay.
The Firebox relays DHCP requests to the IP addresses of all DHCP servers.
WatchGuard Training

56. DHCPv6 Prefix Delegation
You can enable DHCPv6 Client Prefix Delegation on an external interface.
The device requests an IPv6 prefix from a DHCPv6 server.
You can use the delegated prefix when you configure IPv6 addresses on trusted, optional, and custom interfaces.
DHCP prefix delegation is described in RFC 3633.
WatchGuard Training

57. DHCPv6 Prefix Delegation
The delegated prefix appears on the Front Panel tab of Firebox System Manager.
WatchGuard Training

58. DHCPv6 Prefix Delegation
You can use the delegated prefix for a trusted, optional or custom interface.
Static IPv6 interface IP address
IPv6 prefix advertisement
DHCPv6 address pool
DHCPv6 reserved addresses
Select Use delegated prefix.
The delegated prefix name appears as the first part of the IPv6 address.
The prefix name includes the external interface device name, followed by “_prefix”. For example “eth0_prefix”.
Type the subnet in the adjacent text box.
Delegated prefix in a static IPv6 address
Delegated prefix in the DHCPv6 address pool
WatchGuard Training

59. DHCPv6 Prefix Delegation
You can also enable the DHCPv6 server on an interface to delegate prefixes to DHCPv6 clients.
Add prefixes to the Prefix Pool.
To reserve a specific prefix for a client, add the prefix to the Reserved Addresses and Prefixes list.
WatchGuard Training

60. Improved Route Tables — Command Line Interface
To see the first 100 IPv4 routes, use the “show ip route” command
Replaces the “show route” command
Output is easier to read than the output of the old show route command
WG>show ip route
Kernel IP routing table
Destination Gateway Genmask Interface Flags Metric
eth UG
eth U
eth U
vlan U
br U
ath U
lo U
tun U
eth U
Use command options to filter the route table (same filters as in the Web UI)
WG>show ip route ?
<cr> Carriage return
<net> IP subnet for the destination <A.B.C.D/(1-32)>
connected Connected routes
dynamic Dynamic routes
ifname Interface device name
static Static routes
vpn VPN routes
WatchGuard Training

61. Improved Route Tables — Command Line Interface
To see the first 100 IPv6 routes use “show v6 ip route”
Output — no change from 11.9.x
WG>show v6 ip route
Kernel IPv6 routing table
Destination Next Hop Interface Flags Metric
2001::/ :: vlan10 U
fe80::/ :: vlan10 U
New command options to filter the route table (same filters as in the Web UI)
WG>show v6 ip route ?
<cr> Carriage return
<netipv6> IPv6 subnet for the destination <A:B:C:D:E:F:G:H/I>
<A::G:H/I>
<::H/I>
connected Connected routes
dynamic Dynamic routes
ifname Interface device name
static Static routes
vpn VPN routes
WatchGuard Training

62. Route Diagnostics — Command Line Interface
For Support Only (RFE65096)
CLI “diagnose” command has a new “ip” option
Supports the same arguments as the linux ip-route command
WG#diagnose ip help
Usage: ip [ OPTIONS ] OBJECT { COMMAND | help }
ip [ -force ] -batch filename
where OBJECT := { link | addr | addrlabel | route | rule | neigh | ntable |
tunnel | tuntap | maddr | mroute | mrule | monitor | xfrm }
OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] |
-f[amily] { inet | inet6 | ipx | dnet | link } |
-o[neline] | -t[imestamp] | -b[atch] [filename] |
-rc[vbuf] [size]}
Syntax: diagnose ip ‘<arguments>’ — arguments must be in quotes
diagnose ip 'route list' diagnose ip 'route list dev eth1' diagnose ip 'route get '
Primarily intended for use by WatchGuard for troubleshooting
Caution: Do not use this command to add or remove routes.
WatchGuard Training

63. Updated ARP Limits Per Model
For Support Only (RFE83400)
New ARP limits per model based on system memory size
ARP limits have three threshold values:
The lowest threshold is when garbage collection starts.
The middle value is when garbage collection becomes more aggressive.
The top value is the maximum number of ARP entries.
Previously, ARP limits were set based on the model, and had a maximum of either 4096 or 8192
System Memory Size
GC threshold values
Less than or equal to 128M
128
512
1024
Between 128MB and 1G (including 1G)
2048
4096
Between 1G and 4G (including 4G)
8192
More than 4G
1536
6144
12288
WatchGuard Training

64. Updated XTM Configuration Report
The XTM Configuration Report available from the Fireware Web UI now includes information about Default Packet Handling and FireCluster configuration settings.
WatchGuard Training

65. Logging & Reporting Enhancements
WatchGuard Training

66. Logging Enhancements
Simultaneously send Log Messages to two WatchGuard Log Servers
Two different WatchGuard Log Servers — Dimension or WSM Log Servers
Configure two sets of Log Servers
Add primary and backup servers for each Log Server set
WatchGuard Training

67. Logging Enhancements
Fireware XTM Web UI — Logging > Log Servers 1 & Log Servers 2 tabs
WatchGuard Training

68. Logging Enhancements
Policy Manager — Logging Setup > Configure > Log Servers 1 & Log Servers 2 tabs
WatchGuard Training

69. Device Feedback Report Enhancements
New information in the Device Feedback sent to WatchGuard includes:
Start and end time stamps for the feedback data sent to WatchGuard
Peak proxy connection limit usage
Number of proxy actions with Subscription Services enabled in the configuration
Subscription Services details include:
Whether the service is enabled
Counts of the number of events for each service enabled on the Firebox
A list of the events triggered on the Firebox for each service (includes the source IP address, protocol, and threat level of the event).
WatchGuard Training

70. Management Tunnel Enhancements
WatchGuard Training

71. Management Tunnel Enhancements
For a Management Tunnel over SSL, if the tunnel goes down, the Firebox can now reconnect to the first IP address in the list specified for the Management Server and rebuild the tunnel.
In the Firebox Managed Device settings:
Specify the private IP address for the Management Server as the first IP address in the list.
Specify the public IP address for the Management Server as the second IP address in the list.
WatchGuard Training

72. What Else is New?
WatchGuard Training

73. Integrated Fireware Help
The v11.10 release includes the first iteration of a comprehensive Help system for Fireware with integrated instructions for all Fireware management UIs.
Includes context-sensitive help topics for these management and monitoring tools:
Fireware XTM Web UI
WatchGuard System Manager & all WSM tools
WatchGuard Dimension
WatchGuard WebCenter
WatchGuard Server Center & WatchGuard servers
WatchGuard Deployment Center (RapidDeploy)
WatchGuard Training

74. Additional Resources
WatchGuard Training

75. Additional Resources
Information about the new and enhanced features included in this release is available from these resources on the Product Documentation pages of the WatchGuard website:
From the Help systems:
Fireware Help — What’s New in This Release
From the What’s New presentation:
What’s New in Fireware v11.10
WatchGuard Training

76. Thank You!
WatchGuard Training