Fireware Pro 9.1 What’s New
What’s New in Fireware 9.1: Overview
• This presentation has three categories:
  • New Features in 9.1
  • Enhancements to existing features
  • Miscellaneous changes
Fireware 9.1: New Features
• Factory Shipped User Area
• New power-on mode
• New steps for Quick Setup Wizard
• Quarantine Server
• HTTP proxy exceptions
• POP3 proxy
• Automatic redirect after firewall authentication
• New authentication web server certificate
• Server load balancing
• Import/export proxy actions and rulesets
• Support for jumbo frames
• Support for Windows Vista
• Find Policy feature
Factory Shipped User Area: Fireware pre-loaded from factory
• Benefits:
  • Improved out-of-box experience
  • Faster, easier deployment
  • One computer can get to the Internet during QSW
  • Register box with LSS and get feature key during QSW
    • No need to disconnect from Firebox, connect to live Internet connection, get feature key, reconnect to Firebox, continue Wizard
  • User can still finish QSW if user forgot to (or did not know to) install Fireware on the management station
• Not sure yet when manufacturing cutover happens
Power-on options: Safe Mode & Recovery Mode
• Safe Mode (new boot method)
  • Power-on + down arrow button
  • Hold button until LCD shows WatchGuard Technologies
  • Available only if 9.1 image is installed on box
  • Allows one computer out to the Internet
  • Saves time: loads new Fireware image only if image on computer is newer
• Recovery Mode (same as current method)
  • Power-on + up arrow button
  • Used to be called Safe Mode
  • No Internet access until QSW is done
  • Must have feature key to finish
  • New Fireware image is always loaded
Quick Setup Wizard: New and different steps
• Skip instructional steps if user knows that the box is in a discoverable state
• Screenshot callouts: “Next step, discovery” and “At least four more steps until discovery”
Quick Setup Wizard: New and changed steps
• Set external IP address information during QSW
  • External interface settings are saved to Firebox immediately
  • Lets user out to Internet before or during feature key step
• DNS information
  • The Firebox must have DNS information for spamBlocker to work, and to get Gateway AV/IPS updates
• Feature key step of QSW: “Click to go to LiveSecurity site”
  • Works only if 9.1 installed
  • Works only if booted using down arrow
  • Detects and displays current license if user ran the QSW previously
• Remote management step
  • Adds an external IP address to the From: field of WatchGuard policy
Quarantine Server: Quarantine spam
• Works with spamBlocker only
  • Does not quarantine based on virus signature or content types
• SMTP proxy: yes; can quarantine spam, bulk, or suspect email
• POP3 proxy: no; cannot quarantine POP3 email
• New icon in WatchGuard toolbar
• Install with server components during WSM install
Quarantine Server: New “Quarantine” action in spamBlocker
• Quarantine based on spam classification
• Quarantine based on Exception
Quarantine Server: Server Settings
• Set maximum database size
• Admin notification when database gets close to capacity
• SMTP server settings
Quarantine Server: Expiration Settings
• How long to keep messages
• For which domains the Quarantine Server will keep email
Quarantine Server: User notification
• Customize body text for notification emails sent to users
Quarantine Server: Rules
• Automatically remove messages based on:
  • From specific domains
  • From specific senders
  • With specific text in the Subject
Quarantine Server: Statistics
• Export data to: Excel, CSV
• Filter report by: Date, Spam classification
• View data by: Month, Week, Day
Quarantine Server: Simple for user to delete or release emails
HTTP Proxy Exceptions: Bypass rule checking
• An easy way to allow content from:
  • Windows Updates
  • Symantec Updates
  • Other friendly sites
• Proxy sets all rules to Allow for these sites
  • Allows all content from hosts that match this list
POP3 Proxy: Benefits
• Content Type filtering
  • Strip or lock attachments based on declared MIME type
• Filename filtering
  • Strip or lock attachments based on filename pattern
• AV scanning
  • Strip or lock attachments if virus found
• IPS scanning
  • Strip or lock attachments if signature matches
• spamBlocker
  • Allow or tag based on categorization
  • No quarantine for spam with POP3 email (only SMTP email can be quarantined)
POP3 Proxy: Benefits
• Simpler, easier-to-understand defaults
POP3 Proxy: Limitations
• POP3 proxy cannot block POP3 emails:
  • In a POP3 transaction, the client gets the message count first
  • Client keeps trying until the number of messages received matches the count
  • We must deliver the correct number of messages
• Attachment scanning
  • Inline engine, not store-and-forward
  • Client may get a truncated attachment along with the deny message
• spamBlocker cannot quarantine POP3 messages
  • For the same reasons we cannot block POP3 mail
  • spamBlocker can [Allow] or [Add Subject Tag] only
Firewall Authentication: Automatic redirect after authentication
• Setup > Authentication > Authentication Settings
  • Authentication settings moved here from Setup > Global settings
• New Redirect option: the user’s browser is redirected to this URL five seconds after successful authentication
Firewall Authentication: Customizable Web Server Certificate
• No more security warnings!
• Why does the user get warnings from the browser?
  • The name on the certificate does not match the URL in the browser
    • Fixed with new Fireware web server certificate
    • Uses subject alternative names to match several possible URLs
    • Three different options for Fireware’s web server certificate
  • Certificate is not trusted
    • User still must import the CA cert from the issuing authority (or the web server certificate itself)
    • Import to trusted root store
Firewall Authentication: Customizable web server certificate
• Three options:
  • Default certificate
    • Uses each trusted interface IP address as subject alt names
  • Third party certificate
    • Must import using FSM
    • Mark purpose as “web server” when generating Certificate Signing Request (CSR)
  • Custom Certificate
    • Signed by Firebox
    • Option to add more subject alt name fields: IP addresses or domain names
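The name check a browser performs against the certificate’s subject alternative names, as an added example (not WatchGuard code) of why the default certificate’s interface-IP SANs stop the warning for IP URLs while a custom certificate needs DNS SANs for host-name URLs; the addresses, host names and wildcard pattern below are constructed sample values.

```python
"""Subject-alternative-name matching, the way RFC 5280 / RFC 6125 clients do it.

Added illustration, not Fireware code. SAN entries are (kind, value) tuples; all
addresses, names and URLs are constructed sample values."""
import ipaddress
from urllib.parse import urlsplit

# Constructed "Default certificate": one IP SAN per trusted interface address.
DEFAULT_CERT_SANS = [("IP", "10.0.1.1"), ("IP", "192.168.111.1")]
# Constructed "Custom certificate": the same IPs plus DNS names users actually type.
CUSTOM_CERT_SANS = DEFAULT_CERT_SANS + [("DNS", "firebox.example.com"),
                                        ("DNS", "*.corp.example.com")]


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-ID match; a leading '*' covers exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_url(sans, url: str) -> bool:
    """True if some SAN covers the host part of the URL the browser was given."""
    host = urlsplit(url).hostname or ""
    try:
        requested_ip = ipaddress.ip_address(host)   # user typed an IP literal
    except ValueError:
        requested_ip = None                         # user typed a host name
    for kind, value in sans:
        if kind == "IP" and requested_ip is not None:
            if ipaddress.ip_address(value) == requested_ip:
                return True
        elif kind == "DNS" and requested_ip is None:
            if _dns_match(value, host):
                return True
    return False  # no SAN matched: this is the case that produces the browser warning
```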
Server Load Balancing: Balances incoming traffic to server clusters
• Add it in a familiar, intuitive way
  • In the To: field, select Add > Add NAT
  • New drop-down list to select Server Load Sharing instead of Static NAT
• Sticky Connections makes sure new connections from the same client use the same server for the specified time
Server Load Balancing: Algorithms
• Supports up to 10 servers per object
• Algorithms:
  • Weighted Round-robin
  • Weighted Least Connections
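Both algorithms together with Sticky Connections, worked as an added example that is not Fireware’s scheduler; the server addresses and weights are constructed, and the tie-breaking rule and the refresh of the sticky timer on each new connection are assumptions.

```python
"""Weighted round-robin, weighted least connections and sticky connections.

Added model, not Fireware code. Servers map to integer weights; the 10-server
limit is from the page, tie-breaking and sticky-timer refresh are assumptions."""
import itertools
import time

MAX_SERVERS = 10  # page: up to 10 servers per object


class ServerLoadBalancer:
    def __init__(self, servers, algorithm="wrr", sticky_seconds=0.0, clock=time.monotonic):
        # servers: {"ip": weight}; weight is the share of traffic relative to the others
        if not 0 < len(servers) <= MAX_SERVERS or any(w < 1 for w in servers.values()):
            raise ValueError(f"1..{MAX_SERVERS} servers per object, each with weight >= 1")
        self.weights = dict(servers)
        self.algorithm = algorithm
        self.sticky_seconds = sticky_seconds
        self.clock = clock
        self.active = {s: 0 for s in servers}   # open connections per server
        self.sticky = {}                         # client ip -> (server, last seen)
        # WRR cycle repeats each server 'weight' times, e.g. A, A, B for {A: 2, B: 1}
        self._wrr = itertools.cycle([s for s, w in servers.items() for _ in range(w)])

    def _pick(self):
        if self.algorithm == "wrr":
            return next(self._wrr)
        if self.algorithm == "wlc":
            # fewest open connections per unit of weight wins; ties go to the heavier server
            return min(self.weights, key=lambda s: (self.active[s] / self.weights[s], -self.weights[s]))
        raise ValueError(self.algorithm)

    def new_connection(self, client_ip):
        now = self.clock()
        entry = self.sticky.get(client_ip)
        if entry and now - entry[1] <= self.sticky_seconds:
            server = entry[0]                    # sticky: same server inside the window
        else:
            server = self._pick()
        if self.sticky_seconds > 0:
            self.sticky[client_ip] = (server, now)   # assumption: timer refreshes per connection
        self.active[server] += 1
        return server

    def close_connection(self, server):
        self.active[server] -= 1
```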
Policy Manager Enhancements: Import and Export from Policy Manager
• Useful for managing many boxes
• Copy back and forth between XML configurations
• Must be from the same version of WSM/Policy Manager
  • Cannot import a 9.0 object into 9.1 Policy Manager, for example
  • Convert older configuration before exporting for use in newer version
• Objects you can import/export:
  • Proxy actions
  • Individual rulesets within proxy actions
  • Custom policies
  • WebBlocker exceptions
  • spamBlocker exceptions
  • Schedules
Import/export: Objects you can import/export
• Proxy actions
• Individual rulesets within proxy actions (must be in Advanced View to see the Import/Export buttons)
  • SMTP: greeting rules, authentication schemes, content types, filenames, mail from, mail to, headers
  • HTTP: request methods, URL paths, headers, authentication schemes, content types, cookies, body content types
  • DNS: OPCodes, query types, query names
  • FTP: commands, downloads, uploads
  • POP3: authentication schemes, content types, filenames, headers
• Custom policies
• WebBlocker Exceptions
• spamBlocker Exceptions
• Schedules
Ethernet Driver Updates: Support for Jumbo Frames
• You can now set MTU on Firebox interfaces up to 9000
• Previous limit was 1500
  • 1500 is the normal maximum MTU for Ethernet
WSM Enhancement: Support for Windows Vista
• All variants of Windows Vista are supported in WSM v9.1 for Firebox configuration, monitoring, and management
• Windows Vista not supported yet for MUVPN
• Vista-compatible MUVPN client scheduled for Fall
Policy Manager Enhancements: Find Policy (Edit > Find)
• Finds policies that match the search criteria
Policy Manager Enhancement: Policy-Based Routing (PBR) Column
• If a policy uses PBR, the interface number used for PBR is listed in the new column
• Multiple interface numbers indicate that the PBR uses failover
Fireware 9.1: Feature Enhancements
• Management Server
• HTTP proxy
• SMTP proxy
• FTP proxy
• GatewayAV/IPS
• spamBlocker
• WebBlocker
• Branch Office VPN
• IPSec Pass-through
• Firebox certificates
• DHCP
• HostWatch
• PMTU
Management Server Enhancements
• Better efficiency
  • Compiling and deploying policies is faster
• Better scalability
• New “Hub” VPN resource
  • For default-route VPNs (send all traffic through VPN)
• Turn off logging of DVCP-generated VPN policies
  • Custom VPN policies only
• Phase 1 now configurable
  • Still uses Aggressive Mode; no Main Mode tunnels
• Several defects fixed
Management Server Enhancements: New Hub Network VPN Resource
• VPN sends all traffic through the Firebox that has “Hub Network” as the local resource.
• Warning tells you that a dynamic NAT rule may be necessary to let traffic from the branch office out to the Internet.
HTTP Proxy Enhancements: WebDAV Support
• All WebDAV methods now supported
• What is WebDAV?
  • Stands for Web-based Distributed Authoring and Versioning
  • A set of extensions to the HTTP 1.1 specification
  • Adds new HTTP request methods to the familiar GET, HEAD, POST, etc.
  • Used for collaborative authoring of documents and version control:
    • Outlook Web Access
    • Subversion (popular open-source version control system)
    • Wherever you see team authoring and version control
SMTP Proxy Enhancements: Benefits and limitations
• Turn off ESMTP altogether with one checkbox
• Turn off logging of denied ESMTP verbs
• Auto-detect MIME types
FTP Proxy Enhancements: Benefits and limitations
• Full data channel inspection
  • Gateway AntiVirus
  • Intrusion Prevention
• New option for maximum number of failed logins
  • Auto-block the source if the number is exceeded
  • Protects against dictionary attacks on your FTP server
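The failed-login threshold run as detection logic over sample log lines, added here as an example that is not Fireware code; the log line format, the addresses and the user names are constructed for the example and are not WatchGuard’s actual proxy log format.

```python
"""Auto-block a source once its failed FTP logins exceed a maximum.

Added detection example, not Fireware code. The log format below is constructed
for this example; it is not WatchGuard's real FTP proxy log format."""
import re
from collections import defaultdict

# Constructed sample log lines: one FTP login attempt per line.
SAMPLE_LOG = """\
2007-05-01 10:00:01 ftp-proxy src=203.0.113.7 user=admin result=FAIL
2007-05-01 10:00:02 ftp-proxy src=203.0.113.7 user=admin result=FAIL
2007-05-01 10:00:03 ftp-proxy src=198.51.100.9 user=alice result=OK
2007-05-01 10:00:04 ftp-proxy src=203.0.113.7 user=root result=FAIL
2007-05-01 10:00:05 ftp-proxy src=203.0.113.7 user=test result=FAIL
2007-05-01 10:00:06 ftp-proxy src=198.51.100.9 user=alice result=FAIL
2007-05-01 10:00:07 ftp-proxy src=203.0.113.7 user=ftp result=FAIL
"""

LOGIN_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def failed_login_blocks(log_text, max_failed_logins):
    """Return the sources to auto-block, in the order each crossed the threshold.

    A source is blocked when its failed-login count exceeds max_failed_logins
    (the page says "if the number is exceeded", so exactly max_failed_logins
    failures is still allowed). A successful login does not reset the count
    here; that is an assumption, not documented behaviour.
    """
    failures = defaultdict(int)
    blocked = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue                      # not a login record
        src = m.group("src")
        if src in blocked:
            continue                      # already blocked: the proxy would drop this
        if m.group("result") == "FAIL":
            failures[src] += 1
            if failures[src] > max_failed_logins:
                blocked.append(src)
    return blocked
```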
AV/IPS Enhancements: Benefits and limitations
• All inline scanning engine now
  • Same inline scanning engine that has always been used in the HTTP proxy
  • This means we no longer use the Clam AV scanning engine for SMTP
  • No limit to the size of attachments we can scan
  • We do, however, still use Clam AV signatures
spamBlocker Enhancements: Benefits and limitations
• Proactive Patterns
  • spamBlocker downloads a small (no more than 20 MB) database of patterns
  • For quicker detection of patterns no longer in the wild
  • Works only on legacy Peak, any e-Series
• Trusted email forwarders
• Bulk import/export spamBlocker exceptions (white/blacklists)
• Set Allow or Deny when spamBlocker server is unavailable
WebBlocker Enhancements: Benefits and limitations
• New organization for categories in UI
• New UI option to change listening port of WebBlocker Server
  • Right-click WebBlocker Server icon in Windows taskbar
  • Stop service, then right-click again
Branch Office VPN Enhancements: Better explanation of SA creation
• Phase 2 SA creation options expanded, more user-friendly (screenshots: Old vs. New)
Branch Office VPN Enhancements: Rekey BOVPNs
• Rekey All
  • Tools menu in FSM
• Rekey Selected
  • Right-click the active tunnel in the Front Panel tab
IPSec Pass-through Enhancements: Code Overhauled
• IPSec pass-through code totally overhauled
• Multiple IPSec clients behind the Firebox can make outbound VPN sessions to concentrators on the external network at the same time, with fewer problems
• Enable IPSec Pass-through at VPN > VPN Settings