Known Issues and Limitations
These are known issues for Fireware XTM v11.4.1 and all management applications. Where available, we include a way to work around the issue.
General
- To power off an XTM 5 Series device, you must press and hold the rear power switch for 4–5 seconds. [42459]
- On an XTM 5 Series device, the link light for network interface 0 remains lit when the device is powered off using the rear power switch. [42388]
- For XTM 5 Series devices, Interface 0 does not support Auto-MDIX and does not automatically sense cable polarity.
- An XTM 2 Series device can take up to 5 minutes to reboot.
- When you use the Policy Manager > File > Backup or Restore features, the process can take a long time but does complete successfully. [35450]
- Amazon Web Services (AWS) requires the use of BGP over an IPSec tunnel. The operations outlined by Amazon.com to support Amazon Web Services are not currently supported by WatchGuard products. [41534]
WatchGuard System Manager
- There can be problems when you add, update, or delete a server installation from WatchGuard Server Center if WatchGuard System Manager is installed on a Windows 7 computer that has XP Compatibility Mode enabled. [56355]
Workaround
Make sure that Windows XP compatibility mode is not enabled on the WSM v11.x executable file. To verify, locate the wsm.exe file in Windows Explorer. Right-click on the executable file, select Properties, and click the Compatibility tab.
- Remotely managed Firebox devices configured in Drop-in Mode may not be able to connect to a Management Server that is behind a gateway Firebox also configured in Drop-in Mode. [33056]
- If you restore a backup image to a client device managed by a Management Server, the shared secret can become out of sync.
Workaround
Connect to the Management Server from WSM. Select the managed device and select Update Device. Select the radio button Reset server configuration (IP address/ Hostname, shared secret).
- You cannot uninstall WatchGuard System Manager successfully when the WatchGuard Server Center is running on a computer using 64-bit Windows Vista. [39078]
Workaround
Exit the WatchGuard Server Center before you start to uninstall WSM. You can then uninstall WatchGuard System Manager successfully.
- When you run the WSM v11.3.x or v11.4.x installer (either the WSM client component only or any selected WSM server components) on Microsoft SBS (Small Business Server) 2008 or 2011 on a 64-bit operating system, you see a Microsoft Windows error "IssProc.x64 has stopped working". When you close the error dialog box, the installation completes. [57133]
Web UI
- The Fireware XTM Web UI does not support the configuration of some features. These features include:
  - FireCluster
  - Certificate export
  - You cannot turn on or off notification of BOVPN events
  - You cannot add or remove static ARP entries to the device ARP table
  - You cannot get the encrypted Mobile VPN with IPSec end-user configuration profile, known as the .wgx file. The Web UI generates only a plain-text version of the end-user configuration profile, with file extension .ini.
  - You cannot edit the name of a policy, use a custom address in a policy, or use Host Name (DNS lookup) to add an IP address to a policy.
- If you configure a policy in the Web UI with a status of Disabled, then open Policy Manager and make a change to the same policy, the action assigned to the policy when it denies packets is changed to Send TCP RST. [34118]
- If you use the Web UI to edit an existing proxy policy that has alarm settings enabled, the alarm settings may be disabled when you save your configuration. [38585]
- You cannot create read-only Mobile VPN with IPSec configuration files with the Web UI. [39176]
WatchGuard Server Center
- If the WatchGuard Server Center is open when you uninstall WSM, you see multiple warning messages to close the application, instead of just a single warning. [36901]
Command Line Interface (CLI)
- The CLI does not support the configuration of some features:
  - You cannot add or edit a proxy action.
  - You cannot get the encrypted Mobile VPN with IPSec end-user configuration profile, known as the .wgx file. The CLI generates only a plain-text version of the end-user configuration profile, with file extension .ini.
  - The CLI performs minimal input validation for many commands.
Proxies
- The ability to use an HTTP caching proxy server is not available in conjunction with the TCP-UDP Proxy. [44260]
- You cannot make a SIP-based call from Polycom PVX softphone behind a Firebox to a Polycom PVX on the external network. [38567]
Workaround
You can use the H.323 protocol instead of SIP.
- When you try to stream YouTube videos from an Apple device running iOS, you may see this error message: "The server is not correctly configured."
Workaround
1. Edit your HTTP proxy policy.
2. Click View/Edit proxy.
3. Select the Allow range requests through unmodified check box.
4. Save this change to your XTM device.
- The SIP-ALG does not send the Contact header correctly when the Contact header contains a domain name. It only sends an empty string of: Contact: < >. If the Contact header contains an IP address, the SIP-ALG sends the Contact header correctly: Contact: <sip:10.1.1.2:5060>. [59622]
Workaround
Configure the PBX to send the Contact header with an IP address, not a domain name.
Security Subscriptions
- Some IPS signature information, such as the CVE number, is not available in Firebox System Manager. We provide search capabilities and CVE information for IPS signatures on a web security portal for IPS on the WatchGuard web site, which you can access at http://www.watchguard.com/SecurityPortal/ThreatDB.aspx
- The Application Blocker feature has been removed from the product and has been replaced with the much more robust Application Control service. If you had Application Blocker enabled in a previous Fireware XTM v11.x build, no configuration settings are carried forward to Fireware XTM v11.4.
- No notification is given to a user who tries to access an application or application feature that is blocked by Application Control. For example, if a user tries to use a blocked web application, the application does not load and the user sees only a message that the web page could not load. [59305]
- The number of applications supported by Application Control on a WatchGuard XTM 2 Series device is approximately 300, which is smaller than the full set of applications supported by other XTM devices.
- The number of IPS signatures included on the XTM 2 Series is smaller than on the 5 and 8 Series devices or the XTM 1050. Only signatures classified at the critical and high levels are available on the XTM 2 Series.
- Skype detection blocks only new Skype sessions. If a user is already logged in to Skype and a Skype session is already started when Application Control is enabled, Application Control may not detect the activity.
- For XTM 2 Series devices only, Application Control is temporarily disabled during an upgrade, backup, or restore. When the operation is complete, Application Control starts to work again.
- It is not possible to assign a role for Application Control management from the WatchGuard System Manager role-based administration feature. [59204]
- You cannot use a WebBlocker Server through a branch office VPN tunnel. [56319]
Networking
- You cannot configure traffic management actions or use QoS marking on VLANs. [56971, 42093]
- You cannot bridge a wireless interface to a VLAN interface. [41977]
- The Web Setup Wizard can fail if your computer is directly connected to an XTM 2 Series device as a DHCP client when you start the Web Setup Wizard. This can occur because the computer cannot get an IP address quickly enough after the device reboots during the wizard. [42550]
Workaround
Use one of these options:
1. If your computer is directly connected to the XTM 2 Series device during the Web Setup Wizard, use a static IP address on your computer.
2. Use a switch or hub between your computer and the XTM 2 Series device when you run the Web Setup Wizard.
- When a secondary network is configured for an XTM 2 Series device configured in Drop-In Mode, it can sometimes take a few minutes for computers that connect to the secondary network to appear in the ARP list of the XTM 2 Series. [42731]
- After you enable the MAC access control list or add a new MAC address, you must reboot your XTM device before the change takes effect. [39987]
- You must make sure that no disabled network interface has the same IP address as an active network interface; otherwise, routing problems can occur. [37807]
- If you enable the MAC/IP binding with the Only allow traffic sent from or to these MAC/IP addresses check box, but do not add any entries to the table, the MAC/IP binding feature does not become active. This is to help make sure administrators do not accidentally block themselves from their own XTM device. [36934]
- Any network interfaces that are part of a bridge configuration disconnect and re-connect automatically when you save a configuration from a computer on the bridge network that includes configuration changes to a network interface. [39474]
- When you change the IP address of a VLAN configured on an external interface from static to PPPoE and the Firebox cannot get a PPPoE address, Firebox System Manager and the Web UI may continue to show the previously used static IP address. [39374]
- When you configure your XTM device with a Mixed Routing Mode configuration, any bridged interfaces show their interface and default gateway IP address as 0.0.0.0 in the Web UI. [39389]
- When you configure your XTM device in Bridge Mode, the LCD display on your XTM device shows the IP address of the bridged interfaces as 0.0.0.0. [39324]
- When you configure your XTM device in Bridge Mode, the HTTP redirect feature is configurable from the user interface but does not work in this release. [38870]
- Static MAC/IP address binding does not work when your XTM device is configured in Bridge mode. [36900]
- When your XTM device is configured to use Bridge mode, the physical interface of the XTM device does not appear correctly in log messages. Instead, the interface is represented as tbrX. [36783]
- When you change your configuration mode from Mixed Routing to Bridge or from Bridge to Mixed Routing, the CLI and Web UI may continue to show the previous configuration mode. [38896]
- The dynamic routing of RIPv1 does not work. [40880]
- When an administrator adds an IP address to the Temporary Blocked Site list through the Firebox System Manager > Blocked Sites tab, the expiration time is reset each time traffic is received from that IP address. [42089]
Multi-WAN
- When you enable the Multi-WAN Immediate failback option for WAN failover, some traffic may fail over gradually. [42363]
- When you enable Multi-WAN in round-robin mode, you cannot use the HTTP Proxy Caching Server option. [57561]
Authentication
- If you use Terminal Service authentication, you must reboot your server after you install the TO_AGENT software.
- If you use Terminal Services authentication, no authentication verification is done against traffic of any protocol that is not TCP or UDP. This includes DNS, NetBIOS, and ICMP traffic.
- Terminal Services authentication support does not work with single sign-on.
- It is not possible to use the Auto redirect users to authentication page for authentication option together with Terminal Services authentication.
- To enable your XTM device to correctly process system-related traffic from your Terminal or Citrix server, the Terminal Services Agent uses a special user account named Backend-Service. Because of this, you may need to add policies to allow traffic from this user account through your XTM device. You can learn more about how Backend-Service operates in the product help system.
- For the Authentication Redirect feature to operate correctly, HTTP or HTTPS traffic cannot be allowed through an outgoing policy based on IP addresses or aliases that contain IP addresses. The Authentication Redirect feature operates only when policies for port 80 and 443 are configured for user or user group authentication. [37241]
Centralized Management
- If you used Centralized Management with devices subscribed to templates in earlier versions of WSM, when you upgrade from WSM 11.x to v11.4, these templates are updated and the devices are no longer subscribed. Each device retains its template configuration. Existing templates are updated to use "T_" in their object names (to match the object names in the devices that used to subscribe to them). After you upgrade, the template upgrade that occurred during the upgrade appears in your revision history.
- When an XTM template is applied to a managed device, the Management Server creates a new configuration revision for the device only if the new revision is going to be different from the current revision. No feedback is given about why a new configuration revision was not created. [57934]
FireCluster
- If the monitored link fails on both FireCluster members, the non-master member is switched into passive mode and consequently does not process any traffic. A multi-WAN failover caused by a failed connection to a link monitor host does not trigger FireCluster failover. FireCluster failover occurs only when the physical interface is down or does not respond.
- Each XTM device has a set of default IP addresses assigned to the device interfaces in the range 10.0.0.1 to 10.0.11.1. The highest default IP address depends on the number of interfaces. If you set the IP address of the Primary or Backup cluster interface to one of the default IP addresses, both devices restart, and the backup master becomes inactive. [57663]
Workaround
Do not use any of the default IP addresses as the Primary or Backup cluster interface IP address.
- When you have an active/active FireCluster and use the WebBlocker Override feature, you may be prompted to enter your override password twice. [39263]
- Every network interface enabled in a FireCluster is automatically monitored by FireCluster. You must make sure that all enabled interfaces are physically connected to a network device.
- If you use HP ProCurve switches, you may not be able to configure your FireCluster in active/active mode because these switches may not support the addition of static ARP entries. [41396]
- If you use the Mobile VPN with IPSec client from the same network as the external network address configured on your FireCluster, some traffic may not go through the VPN tunnel. [38672]
- Mobile VPN with PPTP users do not appear in Firebox System Manager when you are connected to a passive FireCluster member. PPTP is only connected to the active Firebox when using an active/passive FireCluster. [36467]
- FireCluster does not support dynamic routing. [39442]
Logging and Reporting
- The new flexible report scheduling options change the way groups are represented in the Reporting user interface. If you have groups configured on your Report Server in WSM v11.0 - 11.3, when you upgrade to WSM v11.4, each existing group is converted and appears as a Scheduled Task in your Report Server user interface. No information is lost in this conversion.
- Any configured daily or weekly “Archived Reports” you have in your v11.3 configuration are automatically converted to scheduled reports after you upgrade to WSM v11.4.
- When you uninstall an existing WatchGuard Log Server and then install WatchGuard System Manager v11.4 software and also install the Log Server, you may see an error: "Error: C:\Program Files\Common Files\WatchGuard\wsm11\lib\nls\en_US\logging_res.logAn error occurred while trying to replace the existing file: DeleteFile failed; code 5. Access is denied."
Workaround
Open Windows Task Manager and kill the process. From the WatchGuard System Manager installation dialog, click Retry. The installation should continue successfully. You may need to manually start the C:\WINDOWS\system32\wbem\wmiprvse.exe later.
- LogViewer may respond very slowly when you use the search functionality against a very large log database.
- You cannot use a v11.x Report Server with a v10.x Log Server. You must upgrade both servers for reporting to work correctly. You can, however, use v11.x Report Manager with a v10.x Report Server.
- LogViewer always generates PDFs in English, regardless of the language you view LogViewer in. Also, Unicode characters that cannot be displayed in the default font may not appear correctly in the PDF. [41244]
Mobile VPN
- You cannot ping the IP address of the XTM device interface to which a Shrew Soft VPN client established a VPN tunnel. You can ping computers on that network, but not the interface IP address itself. [60988]
- Shrew Soft VPN client connections can drop if multiple clients are connected to an XTM device at the same time and are issuing Phase 2 rekeys. [60261]
- Phase 1 rekeys initiated by the Shrew Soft VPN client cause the client to be disconnected if it has been connected for more than 24 hours. In this case, we recommend that you set the rekey on your XTM device to 23 hours, one hour shorter than the rekey interval hard-coded in the Shrew Soft client configuration. This forces the XTM device to initiate the rekey, and gives the client a notification that the tunnel must be re-established. [60260, 60259]
- A continuous FTP session over a Mobile VPN with IPSec connection could get terminated if an IPSec rekey occurs during the FTP transfer. [32769]
Workaround
Increase the rekey byte count.
- When you use the Web UI or CLI to configure Mobile VPN with IPSec user profiles, user groups with extended authentication may show incorrectly as Firebox Local Authentication groups. [39695]
- Attempts to upgrade the Mobile VPN with SSL client from Fireware XTM v11.2.1 to a later version of Fireware XTM fail. The failure does not damage the v11.2.1 client installation. [43970]
Workaround
To upgrade your Mobile VPN with SSL client from v11.2.1 to v11.3, use your web browser to connect to https://<IP address of a Firebox or XTM device>/sslvpn.html. You can then download and install the new client software. Or, you can download the client software from the Software Downloads page and email it to your users to install on their computers.
- The Macintosh SSL VPN client may not be able to connect to a Firebox when the authentication algorithm is set to SHA 256. [35724]
- When the Macintosh SSL VPN client disconnects or is stopped manually, the client disables the AirPort wireless adapter on the Mac. [39914]
Branch Office VPN
- When you configure your XTM device in multi-WAN mode, you must select which interfaces to include in your multi-WAN configuration. If there are any interfaces that you choose not to include in your multi-WAN configuration (i.e. you clear the check box for that interface), the system does not create a route for that network. This can cause a problem if you have a branch office VPN configured to include that same interface. In this case, the VPN tunnel can fail to negotiate with its remote peer. [57153]
Workaround
If you use multi-WAN and have problems with your branch office VPN tunnels failing to negotiate with their remote peers, you must open your multi-WAN configuration and select Configure adjacent to your chosen multi-WAN configuration mode. Make sure that the appropriate interfaces are included in your multi-WAN configuration.
- A branch office VPN tunnel does not pass traffic if an inbound static NAT policy that includes IP 50 and IP 51 protocols exists for the external IP address of the XTM device. [41822]
- Managed branch office VPN tunnels cannot be established if the CRL distribution point (for example, the WatchGuard Management Server or a third-party CRL distribution site you use) is offline. [55946]
- The use of Any in a BOVPN tunnel route is changed in Fireware XTM. If a branch office VPN tunnel uses Any for the Local part of a tunnel route, Fireware XTM interprets this to mean network 0.0.0.0 and subnet mask 0.0.0.0 (in slash notation, 0.0.0.0/0). If the remote IPSec peer does not send 0.0.0.0/0 as its Phase 2 ID, Phase 2 negotiations fail. [40098]
Workaround
Do not use Any for the Local or the Remote part of the tunnel route. Change the Local part of your tunnel route. Type the IP addresses of computers behind the Firebox that actually participate in the tunnel routing. Contact the administrator of the remote IPSec peer to determine what that device uses for the Remote part of its tunnel route (or the Remote part of its Phase 2 ID).
- If you have a large number of branch office VPN tunnels in your configuration, the tunnels may take a long time to appear in Policy Manager. [35919]
- When you set the Phase 2 SA expiration to zero by setting both the Life-time and Life-size values to 0, the XTM device changes the rekey life-time to 8 hours. [37209]