1 / 50

What’s New in Fireware XTM v11.5.1

What’s New in Fireware XTM v11.5.1. New Features in Fireware XTM v11.5.1. Major Changes IPv6 – Network Configuration and Routing FIPS 140-2 Dynamic Routing Enhancements Clientless SSO Log and Report Manager Log Server UTC Timestamp Conversion ConnectWise Integration

giovanna
Download Presentation

What’s New in Fireware XTM v11.5.1

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. What’s New inFireware XTM v11.5.1

  2. New Features in Fireware XTM v11.5.1 • Major Changes • IPv6 – Network Configuration and Routing • FIPS 140-2 • Dynamic Routing Enhancements • Clientless SSO • Log and Report Manager • Log Server UTC Timestamp Conversion • ConnectWise Integration • SMTP-Proxy TLS Encryption WatchGuard Training

  3. New Features in Fireware XTM v11.5.1 • Minor Changes • Debug Logging Per Proxy Action (60099) • WSM Management Server Search (62143) • iOS Mobile VPN with IPSec (41602) • Export Auto-Blocked Sites (62511) • Negotiate PPPoE Client IP Address (61930) • New Platforms • XTM 330 • XTM 2050 WatchGuard Training

  4. IPv6

  5. IPv6 Refresher • WatchGuard IPv6 — http://www.watchguard.com/ipv6/index.asp • Hype or Reality — Video and PPT • Security Implications — Video and PPT • What to Expect — Video and PPT • IPv6 is manageable • If you impose a false minimum of a /24 on IPv4 • Subnetting IPv4 /8 ~ IPv6 /48 Network Prefix Interface ID 2561:1900:4545:0003:0200:F8FF:FE21:67CF 16-bits 16-bits 10.0.0.254 WatchGuard Training

  6. IPv6 in 11.5.1 • If it routes, the traffic will passNo security policies, features, or configurations are applied • Static configuration of IPv6 addresses and DNS • Router Advertisement for stateless address auto-configuration • Static routes WatchGuard Training

  7. IPv6 Certifications • IPv6 Ready • Phase 1, Silver Logo, was in v11.4.2 • Phase 2, Gold Logo, Core is in this release • The Phase 2 Logo is a requirement for extended test categories, including: • IPSec • IKEv2 • MIPv6 • NEMO • DHCPv6 • SIP • SNMP-MIBs • MLDv2 WatchGuard Training

  8. IPv6 Stage 1, (11.5.1) IPv6 Roadmap IPv6 Stage 2 IPv6 Stage 3

  9. FIPS 140-2

  10. FIPS Support in Fireware XTM • FIPS 140-2 • Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules • Describes the NIST requirements and standards for cryptographic modules for use by federal government departments and agencies • Defines four security levels • WatchGuard XTM • XTM Devices and Fireware XTM are designed to meet the overall requirements for FIPS 140-2 Level 2 security, when configured in a FIPS-compliant manner WatchGuard Training

  11. FIPS Support in Fireware XTM • FIPS Mode • You must use the CLI to enable FIPS mode on an XTM device • When the XTM device operates in FIPS mode, each time the device is powered on, it runs a set of self-tests required by the FIPS 140-2 specification • If any of the tests fail, the XTM device writes a message to the log file and shuts down • If you start the device in safe mode or recovery mode, the device is not in FIPS mode • Use the CLI command fips enable to enable FIPS mode operation • You can use the CLI command show fips to determine if the XTM device is configured in FIPS mode WatchGuard Training

  12. FIPS Mode Constraints • FIPS Mode does not enforce a FIPS compliant configuration • Configure the Admin and Status administrative accounts to use passwords with a minimum of 8 characters • When you configure VPN tunnels, you must choose only FIPS-approved authentication and encryption algorithms:SHA-1, SHA-256, SHA-512, 3DES, AES-128, AES-192, and AES-256. • When you configure VPN tunnels, you must choose Diffie-Hellman Group 2 or Group 5 for IKE Phase 1 negotiation • Use a minimum of 1024-bits for all RSA keys • Do not configure FireCluster for high availability • Do not use Mobile VPN with PPTP • Do not use PPPoE • Do not use WatchGuard System Manager to manage the device • For access to Fireware XTM Web UI, the web browser must be configured to use only TLS 1.0 and FIPS approved cipher suites • For network access to the CLI, clients must use SSH V2.0 protocol WatchGuard Training

  13. Dynamic Routing Enhancements

  14. Dynamic Routing Enhancements • FireCluster is now supported • Configuration validation ensures working configuration • Enhanced troubleshooting capabilities • Enable debugging at runtime • Obtain more logs from Quagga • Enhanced output in the Firebox System Manager Status Report WatchGuard Training

  15. Dynamic Routing – Diagnostic Logging • Change the Diagnostic Log Level setting for Dynamic Routing to the Debug level to see detailed log messages from all log levels. WatchGuard Training

  16. Clientless Single Sign-On (SSO)

  17. Clientless SSO • Use the SSO Agent and Event Log Monitor for SSO, without the SSO Client • Support for both single domain and multiple domains • Provides the same accuracy as the SSO Client solution • Token Groups • SSO Client • SSO ELM • Manual Authentication with samAccountName • Group Attribute • Manual Authentication and Non-Active Directory • Does not return nested groups WatchGuard Training

  18. Clientless SSO Process • Install the SSO Agent on your network. • Install the Event Log Monitor on each domain controller in your network. • The Event Log Monitor collects user credentials when users log on to the domain. • The SSO Agent queries the Event Log Monitor for user credentials. WatchGuard Training

  19. Clientless SSO Work Flow WatchGuard Training

  20. Clientless SSO Contact Priority • Select whether the SSO Agent first contacts the Event Log Monitor or the SSO Client for user credentials. WatchGuard Training

  21. Clientless SSO Supported OS • Use clientless SSO with these operating systems: WatchGuard Training

  22. Log and Report Manager

  23. Log and Report Manager • Log Viewer and Report Manager are replaced in v11.5.1 with the new Log and Report Manager web UI. • Select either the Log Viewer or Report Manager icon in WatchGuard System Manager to launch the default web browser. The user is prompted to connect to the WatchGuard Log Server or Report Server with administrative credentials. WatchGuard Training

  24. Log and Report Manager — View Logs • Select the Actions drop-down list at the right to choose a time filter for the log display, or select a Timeslice Analysis to show a summary of log types recorded over time. WatchGuard Training

  25. Log and Report Manager — View Logs WatchGuard Training

  26. Log and Report Manager — View Reports • Select REPORTS > Devices to see a list of devices with reports on the Report Server. • Select a device to see the report options. WatchGuard Training

  27. Log and Report Manager — View Reports • View Available Reports: • Select Daily or Weekly time filters, and specify a date range. • Select the tab for a report type: Dashboard, Traffic, Web, Mail, Services, Device, and Detail. • To generate Per Client and On-Demand Reports for devices, click a link at the right side of the page. WatchGuard Training

  28. Log and Report Manager — On-Demand Reports • Select the Start and End date and time, the type of report to generate, and click Run Report to generate an On-Demand report. WatchGuard Training

  29. Log and Report Manager — On-Demand Reports • Reports include graphical and textual summary information WatchGuard Training

  30. Log Server and Report ServerUTC Time Conversion

  31. Log and Report Server Upgrade • When the Log Server or Report Server is upgraded to v11.5.1, the server database is upgraded to PostgreSQL 8.2.21. • If an external Log Server or Report Server database is used instead of the built-in database, the user must manually upgrade the server to PostgreSQL 8.2.21 before the Log Server or Report Server is upgraded. WatchGuard Training

  32. Log and Report Server UTC Conversion • Previously, the Log and Report Server database used the timestamp of the host server. In v11.5.1, the UTC time stamp is used for log messages. • When an existing server is upgraded to v11.5.1, the log message time stamps are converted from the old format to UTC format.This can take some time depending on the size of the log database. • An audit log is written when the conversion process starts and finishes. • If email notification is enabled, notifications are sent when conversion starts and when conversion is complete. WatchGuard Training

  33. ConnectWise Integration

  34. ConnectWise Integration • Your v11.5.1 Report Server can send specific reports it generates to the third-party ConnectWise service to be included in the reports ConnectWise produces. • The Report Server must be configured with the information for a ConnectWise server and ConnectWise account. WatchGuard Training

  35. ConnectWise Integration • In the Report Server Server Settings, enable ConnectWise integration and add the information for the ConnectWise server and ConnectWise account. • Make sure to import the CA certificate for your ConnectWise server to your Report Server. WatchGuard Training

  36. ConnectWise Integration • Create a Report Schedule and specify the reports to generate and send to ConnectWise. • Reports available for ConnectWise integration include: • Firebox Statistics • Intrusion Prevention Service Summary • WebBlocker Summary • Most Popular Domains • To send reports to ConnectWise, you must select at least one of these reports. • Reports must be scheduled to run daily WatchGuard Training

  37. SMTP-Proxy TLS Encryption

  38. SMTP-Proxy TLS Encryption Settings • v11.5.1 includes new options for TLS encryption settings in the ESMTP category of the SMTP proxy action. • If an SMTP-proxy is used for mail traffic sent through an XTM device, TLS encryption can be applied to the traffic. • Certificates used by the HTTPS-proxy are also used by the SMTP-proxy for TLS encryption. The FSM certificate import feature is also used to import TLS encryption certificates to the XTM device. WatchGuard Training

  39. SMTP-Proxy TLS Encryption Settings • Configure rules to determine which recipient domains receive TLS encrypted email: • If Recipient Encryption is Required, the XTM device does not send email if TLS negotiation fails. • If Recipient Encryption is Preferred, the XTM device tries to negotiate a TLS connection, but if negotiation fails the email is sent unencrypted. • If Recipient Encryptionis Allowed, the email client can select to encrypt or not encrypt email, and the XTM device sends the email whether it is encrypted or unencrypted. WatchGuard Training

  40. SMTP-Proxy TLS Encryption Settings • If Sender Encryption is Required, an option can be enabled to encrypt not only the email data but also the sender, recipient, and body information in the message. WatchGuard Training

  41. SMTP-Proxy TLS Encryption Settings • The Authentication category of the ESMTP settings includes an option to require encryption of plain-text ESMTP authentication information. WatchGuard Training

  42. Minor Changes

  43. Diagnostic Log Level For Proxy Actions • Set the Diagnostic Log Level for each proxy action in the General Settings category. • Diagnostic Log Levels: • Error • Warning • Information • Debug • Reduce log messages from high-traffic proxy actions. • To disable logging for a single proxy action, you must disable logging for that proxy type globally, then enable logging for all other proxy actions. WatchGuard Training

  44. WSM Management Server Search • New Search folder for the Management Server on the Device Management tab. • Search supports: • Device display name • Device IP addresses • Device host names • Polled device name • Polled IP address • Polled serial number • Polled software version • Search does not support: • Serial number for backup master • Secondary addresses • Polling multi-WAN IP addresses WatchGuard Training

  45. iOS Mobile VPN with IPSec • No Profile to use, specific configuration only • iOS: Setting up VPN • Configure Fireware XTM • Shared Key Only (no certificates) • Force all traffic through tunnel • Phase 1 • Authentication — MD5 or SHA-1 • Encryption — DES, 3DES, AES-128, AES-256 (no AES-192) • SA Life — 1 hour • Key Group — DH Group 2 • Phase 2 • Authentication — MD5 or SHA-1 • Encryption — 3DES, AES-128, or AES-256 • Key Expiration — 1 hour and 0 Kb • Disable PFS WatchGuard Training

  46. Export Auto-Blocked Sites • To export the list of blocked sites, right-click the Blocked Sites list in Firebox System Manager • Save the list as the blocked_sites.txt file WatchGuard Training

  47. Negotiate PPPoE Client IP Address and DNS • Configure an external interface, select the IPv4 tab, select Use PPPoE,select Use IP address, andclick Advanced Properties • Send the PPPoE client static IP address during PPPoE negotiation • When selected, the configured addressis requested, but other addresses willalso be accepted for negotiation • When not selected, the IP address isnot negotiated in PPPoE • Negotiate DNS with PPPoE Server WatchGuard Training

  48. New Platforms

  49. WatchGuard Training

  50. THANK YOU!

More Related