Resolved Issues
The Fireware XTM v11.4.1 release resolves a number of problems found in earlier Fireware XTM v11.x releases.
General
- The OpenSSL version used on XTM devices has been upgraded to 0.9.8o to resolve several reported vulnerabilities in the previous OpenSSL version used by WatchGuard. [41353, 58447]
- This release resolves an issue that caused policy-based routing to fail when the LiveSecurity license expires. [43515, 55695]
- It no longer takes 15 to 20 minutes for PPPoE to reconnect after you reboot your XTM device or your WAN link is disconnected. [56351, 58900, 44781]
- Excessive log messages with the message "sessiond Management user status from xxx.xxx.xxx. logged in " are no longer sent to the log file. [56161]
- WebBlocker override now works with PPTP and SSLVPN mobile users. [56467]
- The addition or removal of a VLAN from an external interface configured to use PPPoE no longer causes a reboot. [56918]
- A problem that caused the certd process to leak memory has been resolved. [57673]
- Debug or Information level diagnostics logging now works correctly for PPTP with RADIUS authentication. [58864]
- The Arm/Disarm LED now shows solid green on both devices in a FireCluster configuration. [59406]
- This release resolves an issue that caused the oss daemon to crash. [59582]
- A problem that caused the loggerd process to use excessive CPU has been resolved. [59762]
- Several problems that caused kernel crashes have been resolved. [60065, 60090]
Networking
- DNS forwarding, enabled with the CLI configuration command “ip dns forwarding enable”, now operates correctly. [59664]
- The XTM device no longer forwards DHCP requests to the external interface when the device is configured as a DHCP client and a DHCP relay server is configured on the trusted or optional network. [56624]
- In mixed routing mode, file transfers between computers connected to bridged interfaces no longer cause high CPU load. [44024]
- DHCP relay no longer listens on all active interfaces when it is configured for only one interface. [59121]
- The XTM device now correctly creates log messages for Multi-WAN events. [59148]
- For XTM 5 Series devices, the default ARP table sizes have been increased. This resolves an issue that appeared as a “Neighbor table overflow” log message. [60027]
FireCluster
- A problem that caused interface link status to be reported incorrectly for an XTM 1050 active/passive FireCluster has been corrected. [59812]
- After an active/passive FireCluster OS upgrade, the cluster master is no longer incorrectly shown as idle in Policy Manager, WSM, and the CLI. [56507]
- After a FireCluster failover, Mobile VPN with SSL users no longer see a certificate warning message when they reconnect. [60038]
- FireCluster active/passive failover now works correctly when you have more than 8 VLANs configured on an interface. [58612]
- A problem that caused an active/passive FireCluster to unexpectedly fail over and lock up has been fixed. [60339]
- An issue that caused a FireCluster to fail to form if one of the cluster devices was set in a standby state has been resolved. [59524]
Mobile VPN with SSL
- You can now configure multiple users and groups for Mobile VPN with SSL authentication. [59313, 35669]
- The Mobile VPN with SSL client now releases its IP address after it disconnects on Windows 2003. [59158]
- Proxy ARP now works correctly for Mobile VPN with SSL when the SSL virtual IP address is from a virtual IP address pool on a trusted VLAN network. [59071]
- A Mobile VPN with SSL virtual IP address configured on a subnet of the trusted network can now get access to devices on the trusted network. [59200]
- The Mobile VPN with SSL client for the Mac can now connect to an XTM device that uses Fireware XTM v11.4.1. [60218]
Mobile VPN with IPSec
- The log message for Mobile VPN with IPSec user authentication now includes the virtual IP address. [57130]
- The Mobile VPN with IPSec profile can now be generated successfully on all Windows 7 and Windows Server 2008 computers. [57262]
Mobile VPN with PPTP
- Proxy ARP now works correctly for Mobile VPN with PPTP when the PPTP virtual IP address is from a virtual IP address pool on a trusted VLAN network. [59070]
Branch Office VPN
- The XTM device now automatically rebuilds VPN tunnels between two dynamic peers after a public IP address change, if the new Attempt to Resolve option is selected in the gateway endpoint settings. [56125]
- Dynamic routing OSPF failover to a branch office VPN tunnel on the same physical interface now operates correctly. [58255]
Proxies and Subscription Services
- You can now configure an Application Control action to block applications by category. [59039]
- SSL compatibility has been improved when you use the HTTPS proxy with deep inspection. [58833]
- An issue has been resolved that caused some web sites to not load on first request. [59793]
- When you configure your XTM device in Bridge mode, MSS adjustment now works correctly with proxy policies. [58837]
- A problem that caused the DNS proxy to crash has been resolved. [58073]
- A problem has been resolved that caused some file downloads through the HTTP proxy to fail when Gateway AV is enabled. [58212]
- A snom320 hold no longer breaks the call session when you use the SIP ALG. [59369]
- A hairpin call between dual-login clients no longer causes session instability. [59371]
- OPTIONS before 200 no longer prevents VoIP registrations. [59472]
Authentication
- You can no longer connect to the SSO Agent with Telnet without a login. The login is set in the SSO Configuration Tool. [31137]
- A computer on which the SSO client is used together with certain third-party software no longer causes a high CPU spike. [59672]
- The SSO Client installer now automatically enables port 4116 on the Windows firewall. [59627]
- An issue has been resolved that caused the SSO Client to not retrieve all of the groups for an authenticated user. [59949]
- An issue has been resolved that caused authentication to fail when using the SSO Agent if a user was a member of a large number of groups. [60298]
- Single Sign-On authentication has been improved to allow faster recognition of initial traffic from a user. [58497]
- When the Authentication auto-redirect feature is enabled together with Terminal Services, traffic from the Terminal Server IP address is not automatically redirected to the authentication portal. [59542]
- Single Sign-On no longer fails when the Active Directory domain name contains a dash or underscore character ( - or _ ). [59644]
Management
- A new pre-defined packet filter policy WG-LogViewer-ReportMgr allows you to use LogViewer and Report Manager from a computer that is external to your XTM device when your Report Server and Log Server are behind the XTM device. [45554]
- You can now configure Policy Manager to automatically save a backup copy of the configuration file each time you save changes to a file. The backup copy includes a timestamp in the file name. In Policy Manager, select File > Save > Always create a backup to enable this option. [57490]
- If you configure an external VLAN interface to get an IP address through DHCP, you can now release or renew the VLAN interface IP address in the Fireware XTM Web UI on the System Status > Interfaces page. [58042]
- You can now edit an SNAT action from the Policy Properties dialog box in Policy Manager. [58627]
- Fully managed XTM 11.4.1 devices now send information about the current Application Control and IPS signature version to the Management Server when a signature update occurs. [58734]
- When you disable broadcast routing in a branch office VPN tunnel configuration, the helper addresses are now correctly removed from the configuration. [58841]
- If you disable LDAPS in the LDAP authentication server settings, the LDAP server port is automatically reset to port 389. [59228]
- Role-based administration users can no longer see information in the Management Server about managed VPN tunnels between devices that the user role does not have rights to see. [59556]
- Policy Manager v11.3.x can no longer save a configuration to a device that uses Fireware XTM v11.4.x. [59693]
- Policy Manager can now successfully create a backup image of a Firebox X Edge device. [59944]
- When you delete the Outgoing policy from a configuration template, devices that use that template now correctly deny outgoing traffic not allowed by another policy. [59984]
- WatchGuard System Manager no longer runs low on memory after you monitor several devices in the Device Management tab for many hours. [60124]
- The WatchGuard System Manager Device Management page no longer shows the Configuration History section for a device that is configured in Basic Managed Mode. [60271]
- WatchGuard System Manager now correctly applies aliases in a configuration template to a device when the template is applied to the device. [60318]
WatchGuard Report Server
- The intervals displayed on the X/Y axis of a generated report now adjust depending on the timespan the report data includes. [39231]
- Weekly scheduled reports for the Management Server now generate correctly. [58413]
- Reports generated from the Reporting Web UI now use the correct “From” and “To” times. [59190]
- Reports no longer fail to generate with a stack trace memory error. [59320]
- The WebBlocker and Web Audit reports now generate more quickly. [59391]
- The Top Clients by Application Usage report now shows data in the Authenticated User column. [59448]
- The User Authentication report for PPTP and Firebox DB users no longer fails after you upgrade to WSM v11.4.x. [59735]
WatchGuard Log Server
- A problem that caused the Log Server to fail with “ap_collector” error messages has been resolved. [57615]
- The Log Server no longer tries to resolve domain names for all log messages. With this release, the Log Server tries to resolve domain names only for HTTP proxy log messages. This improves performance of the Log Server. [60215]
Firebox System Manager
- The Status Report now shows negotiated link speed and duplex settings for interfaces set to auto negotiate link speed. [42625]
- The Authentication List tab now shows a summary of the number of authenticated users, by authentication type. [59037]
- The Status Report tab now consistently shows both members of a FireCluster. [58809]
WebUI
- The Status user can no longer delete a firewall policy from the Web UI. [59789]
- Users in a Mobile VPN with IPSec authentication group are no longer removed when the Mobile VPN with IPSec configuration is edited in the Web UI. [59842]