Fireware XTM v11.4.1 Release Notes
Introduction
WatchGuard is excited to release Fireware XTM v11.4.1. Fireware XTM v11.4.1 demonstrates a continuing commitment to quality to WatchGuard customers, with a significant number of bug fixes and enhancements.
Application Control
- You can now configure an action for an application category. Actions set by category are automatically updated to include any new applications that are added to a category as part of regular signature updates.
- You can now apply an Application Control action to several policies at one time.
VPN Enhancements
- Mobile VPN with IPSec — New support for the Shrew Soft VPN IPSec client. See the Mobile VPN with IPSec section below for more information.
- Mobile VPN with SSL — support for multiple authentication users and groups.
- New branch office VPN gateway settings to specify whether the device tries to resolve the domain name in the remote gateway ID.
Other Enhancements
- Safe Search Enforcement — The HTTP-Client proxy action now has an option to enforce the safe search filtering included in major search engines to make sure that users, especially children, do not see adult content in their search results. All major search engines are covered, including Google, Bing, Yahoo, and Ask.com. The safe search feature also enforces safety mode on YouTube to filter out and remove any objectionable content or comments. By setting this option at the gateway, administrators override whatever preference their users set in their browsers.
- Numerous SNMP MIBs have been added to Fireware XTM with this release.
- New option in Policy Manager to automatically save a time-stamped backup copy of the configuration file each time you save to a file.
- You can now enable or disable IPS for several policies at one time.
- New pre-defined packet filter policy to open the correct ports for LogViewer and Report Manager.
- You can now edit SNAT objects from the Policy Properties dialog box in Policy Manager.
- If LDAPS is enabled for your Active Directory or LDAP server, and the default port for LDAPS is not selected, you are prompted to change the port to the default LDAPS port.
- WSM Filtered View now includes Management Groups for templates and devices.
- You can now specify which authentication server appears first in the authentication portal Authentication Server list.
- You can now release or renew a DHCP lease for an external VLAN in the Web UI.
- Firebox System Manager now includes an option to hide warnings for expired trial periods when a valid license for the feature exists.
- You can now specify the IP address of devices that can connect to the SSO Agent.
- When the SSO Client is installed, port 4116 is automatically enabled on Windows firewall.
You can install Fireware XTM OS v11.4 software on any WatchGuard XTM device, including 2 Series, 5 Series, 8 Series, and the XTM 1050. Although WatchGuard System Manager/Policy Manager v11.4.1 has been designed to manage Fireware XTM v11.3 and Fireware XTM v11.4 devices seamlessly, it is not possible to install Fireware XTM OS v11.4.x on WatchGuard e-Series appliances.
For more information about the feature enhancements included in Fireware XTM v11.4.1, see What's New in Fireware XTM v11.4.1.
Before You Begin
Before you install Fireware XTM v11.4.1, make sure that you have:
- A WatchGuard XTM 2 Series, 5 Series, 8 Series, or XTM 1050 device.
- The required hardware and software components as shown below.
- Feature key for your XTM device — If you upgrade your XTM device from an earlier version of Fireware XTM OS, you can use your existing feature key.
- Application Control is included in the UTM Security Subscription bundles for XTM appliances. There is no new charge for existing XTM appliance customers with security subscription bundles, but you must download an updated feature key to be able to use the new Application Control service when you first upgrade to Fireware XTM v11.4.x. You can do this using the Synchronize Feature Key option available in FSM or the Get Feature Key option in the Web UI.
The user interfaces (WSM and Web UI) are not localized for the Fireware XTM v11.4.1 release. The user interfaces are available in English only.
Note that you can install and use WatchGuard System Manager v11.4.1 and all WSM server components with devices running earlier versions of Fireware XTM v11. In this case, we recommend that you use the product documentation that matches your Fireware XTM OS version.
Documentation for this product is available on the WatchGuard web site at www.watchguard.com/help/documentation.
Fireware XTM and WSM v11.4 Operating System Compatibility
* Microsoft Windows Server 2008 32-bit and 64-bit support; Windows Server 2008 R2 64-bit support.
** Mac OS X support for the SSL VPN client is for 32-bit mode only.
System Requirements
Downloading Software
- Go to the LiveSecurity web site Software Downloads page at http://www.watchguard.com/archive/softwarecenter.asp.
- Log in to the LiveSecurity web site. Then, select the product line you use and look for the Fireware XTM software download section.
There are several software files available for download. See the descriptions below so you know what software packages you will need for your upgrade.
WatchGuard System Manager
All users can now download the WatchGuard System Manager software. With this software package you can install WSM and the WatchGuard Server Center software:
WSM11_4_1s.exe — Use this file to upgrade WatchGuard System Manager from v10.2.x or v11.x to WSM v11.4.1.
Fireware XTM OS
Select the correct Fireware XTM OS image for your hardware. Download the .exe file if you will install the OS from a computer running a Microsoft Windows OS. Use the .zip file if you will install the OS from a computer that runs a non-Windows OS.
Single Sign-On Software
There are two files available for download if you use Single Sign-On:
- WG-Authentication-Gateway_11_4_1.exe (SSO Agent software — Required for Single Sign-On)
- WG-Authentication-Client_11_4_1.msi (SSO Client software — Optional)
For information about how to install and set up Single Sign-On, see the product documentation.
Terminal Services Authentication Software
- TO_AGENT_32_11_4_1.exe (32-bit support)
- TO_AGENT_64_11_4_1.exe (64-bit support)
Mobile VPN with SSL Client for Windows and Mac
There are two files available for download if you use Mobile VPN with SSL:
- WG-MVPN-SSL_11_4_1.exe (Client software for Windows)
- WG-MVPN-SSL_11_4_1.dmg (Client software for Mac)
Mobile VPN with IPSec client for Windows
You can download the new Shrew Soft VPN client for Windows from our web site. For more information about the Shrew Soft VPN client, see the help or visit the Shrew Soft, Inc. web site.
Upgrade from Fireware XTM v11.x to v11.4.1
Before you upgrade from Fireware XTM v11.x to Fireware XTM v11.4.1, go to the Software Downloads page. Download and save the file that matches the WatchGuard device you want to upgrade. You can use Policy Manager or the Web UI to complete the upgrade procedure. We strongly recommend that you back up your device configuration AND your WatchGuard Management Server configuration before you upgrade. It is not possible to downgrade without these two backup files.
Back up your WatchGuard Management Server Configuration
From the computer where you installed the Management Server:
- From WatchGuard Server Center, select File > Backup/Restore.
The WatchGuard Server Center Backup/Restore Wizard starts.
- Click Next.
The Select an action screen appears.
- Select Back up settings.
- Click Next.
The Specify a backup file screen appears.
- Click Browse to select a location for the backup file. Make sure you save the configuration file to a location you can access later to restore the configuration.
- Click Next.
The WatchGuard Server Center Backup/Restore Wizard is complete screen appears.
- Click Finish to exit the wizard.
Back Up your Log Server, Report Server, Quarantine Server
When you upgrade from WSM v11.3.x or earlier to v11.4.1, it is important to back up your v11.3.x Log and Report Server data in case you want to go back to WSM v11.3.2. You may also want to back up your Quarantine Server, if you use one. These steps are not necessary when you upgrade from Fireware XTM v11.4 to v11.4.1.
- From WatchGuard Server Center, note the directory path in which your Log and Report Server database is installed. Then, stop all servers.
- From Control Panel > Administrative Tools > Services, stop the PostgreSQL-8.2 Server.
- Back up or make a copy of the contents of the directory containing your Log Server and Report Server configuration.
On Windows XP SP2 or Windows Server 2003, if you accepted the default installation, the Log and Report Server database will be in this location:
%SYSTEMDRIVE%\Documents and Settings\WatchGuard
On Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2, if you accepted the default installation, the Log Server and Report Server database will be in this location:
%SYSTEMDRIVE%\ProgramData\WatchGuard
- Back up the Log Server and Report Server database directory, if they were changed from the default. You can find the database locations in WatchGuard Server Center on the Log Server and Report Server Database Maintenance tabs. By default, the database is located in the directory listed in Step 3 and this step is not necessary.
- Back up the Log Server directory where the database backup files are stored, if it was changed from the default. The Log Server Database Maintenance tab shows this directory path.
- Back up the Report Server directory where the XML files for the Available Reports are stored, if it was changed from the default. The Report Server Server Settings tab shows this directory path.
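The steps above can be scripted so that the copy is taken only after the database is stopped and the services always come back up afterwards. The following PowerShell script is an added example and is not part of the WatchGuard release notes or tools. It assumes the default Vista/7/Server 2008 data location from Step 3, the "PostgreSQL-8.2 Server" service display name from Step 2, that the WatchGuard server services carry display names beginning with "WatchGuard" (an assumption; stop them from WatchGuard Server Center as in Step 1 if the names differ), and a hypothetical backup root of D:\WSM-backup. Pass -SourceDirs with the paths shown on the Database Maintenance and Server Settings tabs if they were changed from the defaults (Steps 4 through 6).

```powershell
<#
  Added example (not WatchGuard code): back up the WSM v11.3.x Log Server /
  Report Server data before upgrading, following the release-note steps.
  Assumptions: service display name "PostgreSQL-8.2 Server" (from the notes),
  WatchGuard server services whose display names start with "WatchGuard"
  (assumption), default data directory, and a hypothetical backup root.
  Run from an elevated PowerShell prompt on the server.
#>
param(
    # Backup root (hypothetical); a time-stamped subfolder is created under it
    [string]$BackupRoot = 'D:\WSM-backup',
    # Default from Step 3 for Vista/7/2008; on XP/2003 pass
    # "$env:SystemDrive\Documents and Settings\WatchGuard". Add the non-default
    # database, backup-file and XML report directories here if Server Center shows them.
    [string[]]$SourceDirs = @("$env:SystemDrive\ProgramData\WatchGuard")
)

$ErrorActionPreference = 'Stop'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $BackupRoot "wsm-11.3-$stamp"
New-Item -ItemType Directory -Path $dest | Out-Null

# Services to quiesce: WatchGuard servers first (assumed display-name prefix),
# then the database, so nothing writes to PostgreSQL while the copy runs.
$svcToStop = @(Get-Service | Where-Object { $_.DisplayName -like 'WatchGuard*' -and $_.Status -eq 'Running' })
$pg = Get-Service -DisplayName 'PostgreSQL-8.2 Server' -ErrorAction SilentlyContinue
if ($pg -and $pg.Status -eq 'Running') { $svcToStop += $pg }

try {
    foreach ($s in $svcToStop) {
        Write-Host "Stopping $($s.DisplayName)"
        Stop-Service -Name $s.Name -Force
        $s.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }

    foreach ($src in $SourceDirs) {
        if (-not (Test-Path $src)) { Write-Warning "Skipping missing path $src"; continue }
        $target = Join-Path $dest (Split-Path $src -Leaf)
        # /E copies all subfolders, /COPY:DAT keeps data, attributes and timestamps,
        # /R:2 /W:5 retries briefly on locked files, /NP drops progress output
        & robocopy.exe $src $target /E /COPY:DAT /R:2 /W:5 /NP /LOG+:"$dest\robocopy.log" | Out-Null
        # robocopy exit codes 0-7 are success variants; 8 and above are failures
        if ($LASTEXITCODE -ge 8) {
            throw "robocopy failed for $src (exit $LASTEXITCODE); see $dest\robocopy.log"
        }
    }

    # Record what was copied and which services were stopped, so the restore
    # after a downgrade to WSM v11.3.2 is unambiguous
    @(
        "Created: $stamp",
        "Sources: $($SourceDirs -join '; ')",
        "ServicesStopped: $(($svcToStop | ForEach-Object { $_.Name }) -join ', ')"
    ) | Set-Content (Join-Path $dest 'manifest.txt')
    Write-Host "Backup written to $dest"
}
finally {
    # Always bring the services back: database first, then the WatchGuard servers
    [array]::Reverse($svcToStop)
    foreach ($s in $svcToStop) { Start-Service -Name $s.Name }
}
```

Keep the resulting folder on storage that survives the uninstall of WSM v11.4.1, because the downgrade procedure later in these notes deletes the server configuration and data files before you restore them.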
Upgrade to Fireware XTM v11.4.1 from Web UI
- Go to System > Backup Image or use the USB Backup feature to back up your current configuration file.
- On your management computer, launch the OS software file you downloaded from the WatchGuard Software Downloads Center.
If you use the Windows-based installer, this installation extracts an upgrade file called xtm_[model].sysa-dl to the default location of C:\Program Files\Common files\WatchGuard\resources\FirewareXTM\11.4.1\[model].
- Connect to your XTM device with the Web UI and select System > Upgrade OS.
- Browse to the location of the xtm_[model].sysa-dl file from Step 2 and click Upgrade.
Upgrade to Fireware XTM v11.4.1 from WSM/Policy Manager v11.4.1
- Select File > Backup or use the USB Backup feature to back up your current configuration file.
- On your management computer, launch the OS executable file you downloaded from the WatchGuard Software Downloads Center. This installation extracts an upgrade file called xtm_[model].sysa-dl to the default location of C:\Program Files\Common files\WatchGuard\resources\FirewareXTM\11.4.1\[model].
- Install and open WatchGuard System Manager v11.4.1. Connect to your XTM device and launch Policy Manager.
- From Policy Manager, select File > Upgrade. When prompted, browse to and select the xtm_[model].sysa-dl file from Step 2.
Upgrade WatchGuard Server Software
It is not necessary to uninstall your v11.0.x server or client software when you update from v11.0.1 or higher to WSM v11.4.1. You can install the v11.4.1 server and client software on top of your existing installation to upgrade your WatchGuard software components.
Upgrade FireCluster from Fireware XTM v11.x to v11.4.x
To upgrade your FireCluster from Fireware XTM v11.3.x, or from an earlier v11.4 release, you must perform a manual upgrade.
- From WatchGuard System Manager, select File > Connect to device and connect to the management IP address of the master device in your FireCluster.
- From WatchGuard System Manager, select File > Connect to device and connect to the management IP address of the backup master device in your FireCluster.
- From WatchGuard System Manager, select the backup master device on the Device Status tab and launch Firebox System Manager.
- From Firebox System Manager, select Tools > Cluster > Leave. Type your admin password.
The device reboots into standby state. The master shows the device as inactive, but the standby device shows its status as standby.
- From WatchGuard System Manager, select the backup master device that you just removed from the cluster, and launch Policy Manager.
- From Policy Manager, select File > Upgrade. Use the management IP address of the backup master device currently in standby state.
The device upgrades and reboots. When this is complete, the device remains in standby state.
- From WatchGuard System Manager, select the master device and launch Policy Manager.
- From Policy Manager, select File > Upgrade. Use the management IP address of the master device. When Policy Manager prompts you to select the devices you want to upgrade, select only the master device.
The master device upgrades and reboots. Policy Manager shows you a message when the upgrade is complete.
- From Firebox System Manager, connected to the device currently in the standby state, select Tools > Cluster > Join.
The standby device reboots. The cluster builds again, running Fireware XTM v11.4.1.
Downgrade Instructions
Downgrade from WSM v11.4.x to WSM v11.x
If you want to revert from v11.4.1 to an earlier version of WSM, you must uninstall WSM v11.4.1. When you uninstall, choose Yes when the uninstaller asks if you want to delete server configuration and data files. After the server configuration and data files are deleted, you must restore the data and server configuration files you backed up before you upgraded to WSM v11.4.1.
Next, install the same version of WSM that you used before you upgraded to WSM v11.4.1. The installer should detect your existing server configuration and try to restart your servers from the Finish dialog box. If you use a WatchGuard Management Server, use WatchGuard Server Center to restore the backup Management Server configuration you created before you first upgraded to WSM v11.4.1. Verify that all WatchGuard servers are running.
Downgrade from Fireware XTM v11.4.x to Fireware XTM v11.3 or earlier
If you want to downgrade from Fireware XTM v11.4.1 to an earlier version of Fireware XTM, you either:
- Restore the full backup image you created when you upgraded to Fireware XTM v11.4.1 to complete the downgrade; or
- Use the USB backup file you created before the upgrade as your auto-restore image, and then boot into recovery mode with the USB drive plugged in to your device.
To start a WatchGuard XTM 5 Series, 8 Series, or XTM 1050 device in recovery mode:
- Power off the XTM device.
- Press the up arrow on the device front panel while you turn the power on.
- Keep the button depressed until "Recovery Mode starting" appears on the LCD display.
To start a WatchGuard XTM 2 Series device in recovery mode:
- Disconnect the power.
- Press and hold the Reset button on the back while you connect the power to the device.
- Keep the button depressed until the Attn light on the front turns solid orange.
Mobile VPN with IPSec
As of April 20, 2011, WatchGuard will no longer distribute the WatchGuard Mobile VPN with IPSec client. WatchGuard Technical Support will continue to support any customers that currently have the client, and these customers can continue to install and use the client software. With Fireware XTM v11.4.1, we have added support for a new IPSec VPN client from Shrew Soft, Inc. You can configure your XTM device to use the Shrew Soft VPN client much the same way you did for the WatchGuard Mobile VPN client and you'll find complete documentation for both clients in the product documentation.
You can download the Shrew Soft VPN Client for Windows v2.1.7 directly from the WatchGuard Software Downloads Center, or from the Shrew Soft web site. Also available on the Shrew Soft web site are a user forum and list of known issues associated with the client. For your convenience, we include here several Shrew Soft bugs that could affect WatchGuard users:
- IPSec tunnels do not support re-key based on byte limits.
- The Shrew Soft VPN client allows you to import more than one profile of the same name, but when a duplicate profile is imported, the first profile is corrupted.
- The Shrew Soft VPN client does not operate correctly when you import more than one certificate with the same file name.
- If the Shrew Soft trace utility is open and you select "Stop," the negotiated connection is dropped.
Application Control
With the new Application Control security service (introduced with Fireware XTM v11.4), you can exercise fine-grained control over more than 1,800 applications, organized by category. Application Control uses a frequently-updated set of signatures to stay current with the latest applications and application versions. We recommend that you enable the automatic signature update feature or, to manually update the signatures on your XTM device, connect to your device with Firebox System Manager and select the Security Subscriptions tab. When you update signatures, both your IPS and Application Control signatures are updated.
When you configure Application Control, or when you look at Application Control reports, you might see application names you are not familiar with. To get information about any application that Application Control can identify, you can look up the application at http://www.watchguard.com/SecurityPortal/AppDB.aspx. We recommend that you review the online help and refer to the Getting Started with Application Control guide to learn more about the features of Application Control.
Manage applications through SSL
Many web-based applications are accessible through SSL (HTTPS), as well as HTTP. Organizations offer SSL connections to provide more security to users by encrypting communications. SSL encryption can also make applications more difficult to detect for Application Control. When you block applications, you may also need to specifically block the SSL login for that application to make sure that you block all access to that application.
For example, when you choose to block the application Google Finance, this blocks users from using Google’s financial applications. It does not, however, block them from using Google Finance over SSL. To block that, you must also select the option for Google Authentication over SSL. It is important to understand that, once you block Google Authentication over SSL, all Google applications over SSL are blocked. For example, access to Google Docs and Gmail over SSL is also blocked.
Similar behavior may occur for some Microsoft and Yahoo applications when they are accessed over SSL. There are corresponding signatures for Authentication over SSL for Microsoft and Yahoo and many other applications in the Application Control application list. Companies may want to block SSL access to applications and then configure granular controls over the HTTP access that is allowed.
For a complete list of Known Issues related to Application Control, see the Known Issues/Security Subscriptions section below.
IPS
Our implementation of IPS improved significantly in the Fireware XTM v11.4 release. We have implemented a new signature set with greater performance and efficiency. IPS is no longer restricted to only those ports and protocols used with proxies. It can now also be applied to packet filter policies. Signatures have been broken into 5 threat levels that are simpler to understand. You can find more information about each signature directly from the UI, and you can right click to simply add a signature to an exception list.
With Fireware XTM v11.4.x, you now create a global IPS action, which applies to traffic on all ports. You have the ability to enable or disable IPS at a per-policy level to meet your organizational needs. All policies for which IPS is enabled use the same IPS action. It is not possible to use more than one IPS action in your configuration at the same time.
This table is a useful summary of the differences between IPS in Fireware XTM v11.4.x and IPS in earlier Fireware XTM releases.
* For those customers that use HTTPS with DPI, it is important to note that IPS scanning occurs before decryption of the HTTPS stream so IPS is not an effective tool for blocking possible intrusion attempts that pass through your XTM device as part of an encrypted HTTPS stream.
When you upgrade to Fireware XTM v11.4 or v11.4.1, your IPS configuration is upgraded to match the v11.4 configuration options. During the upgrade:
- If IPS is not enabled in the pre-v11.4 configuration, Global IPS is not enabled in the converted v11.4 configuration. If IPS is enabled in a policy in the pre-v11.4 configuration, Global IPS is enabled in the v11.4 configuration.
- If a proxy policy from the pre-v11.4 configuration has IPS enabled, that policy will have IPS enabled in the converted configuration.
- All other policies have IPS disabled in the v11.4 configuration.
- When IPS is enabled for a policy, during the upgrade the threat levels are set to default levels:
- Allow for Information (lowest threat) level (do not log)
- Drop for all higher threat levels (and log)
- Since this is a new signature set, previously configured exceptions do not apply.
Centralized Management
WSM v11.4 introduced a new workflow related to the use of templates. While the new workflow gives you an unprecedented level of control and flexibility over the Firebox and XTM devices you manage, it is important that you understand this new workflow before you upgrade.
With WSM v11.4 and higher, devices no longer subscribe to configuration templates. Instead, you can create and apply multiple templates to your devices. When you apply a template to a device, the template content is merged with the most recent configuration file stored for the device on the Management Server and saved as a configuration file revision. The device always checks for and downloads its latest configuration file when it contacts the Management Server.
You can create multiple templates and apply them to a device or a group of devices in a set order, one at a time. To apply a template to a group of devices, you simply create a folder of devices and drag and drop your template into that folder.
Another powerful template feature new to WSM v11.4 is template inheritance. With this feature, you can determine whether the value of a configuration setting in the template overrides the value of the same setting in the device configuration file when the template is applied. If two templates have no configuration settings in common, you can apply them in any order. If two templates contain common configuration settings, you must apply them carefully in the desired order to make sure that any updates do not inadvertently override the settings already applied to the device, or use the new inheritance settings to control which policies are updated on your devices.
It is important to understand that changes to a template are no longer automatically applied to managed devices. You must now manually select which devices to apply a template change to. This gives you increased control over configuration updates for your managed devices.
If you used Centralized Management with devices subscribed to templates in earlier versions of WSM, when you upgrade from WSM 11.x to v11.4.x, these templates are updated and the devices are no longer subscribed (though you can continue to update the devices using the same template, subject to the workflow changes identified above). Each device retains its template configuration. Existing templates are updated to use “T_” in their object names (to match the object names in the devices that used to subscribe to them). After you upgrade, you’ll see the template upgrade that occurs during upgrade in your revision history.
Resolved Issues
The Fireware XTM v11.4.1 release resolves a number of problems found in earlier Fireware XTM v11.x releases.
General
- The OpenSSL version used on XTM devices has been upgraded to 0.9.8o to resolve several reported vulnerabilities in the previous OpenSSL version used by WatchGuard. [41353, 58447]
- This release resolves an issue that caused policy-based routing to fail when the LiveSecurity license expires. [43515, 55695]
- It no longer takes 15 to 20 minutes for PPPoE to reconnect after you reboot your XTM device or your WAN link is disconnected. [56351,58900,44781]
- Excessive log messages with the message "sessiond Management user status from xxx.xxx.xxx. logged in " are no longer sent to the log file. [56161]
- WebBlocker override now works with PPTP and SSLVPN mobile users. [56467]
- The addition or removal of a VLAN from an external interface configured to use PPPoE no longer causes a reboot. [56918]
- A problem that caused the certd process to leak memory has been resolved. [57673]
- Debug or Information level diagnostics logging now works correctly for PPTP with RADIUS authentication. [58864]
- The Arm/Disarm LED now shows solid green on both devices in a FireCluster configuration. [59406]
- This release resolves an issue that caused the oss daemon to crash. [59582]
- A problem that caused the loggerd process to use excessive CPU has been resolved. [59762]
- Several problems that caused kernel crashes have been resolved. [60065, 60090]
Networking
- DNS forwarding, enabled with the CLI configuration command “ip dns forwarding enable”, now operates correctly. [59664]
- The XTM device no longer forwards DHCP requests to the external interface when the device is configured as a DHCP client and a DHCP relay server is configured on the trusted or optional network. [56624]
- In mixed routing mode, file transfers between computers connected to bridged interfaces no longer cause high CPU load. [44024]
- DHCP relay no longer listens on all active interfaces when it is configured for only one interface. [59121]
- The XTM device now correctly creates log messages for Multi-WAN events. [59148]
- For XTM 5 Series devices, the default ARP table sizes have been increased. This resolves an issue that appeared as a “Neighbor table overflow” log message. [60027]
FireCluster
- A problem that caused interface link status to be reported incorrectly for a XTM 1050 active/passive FireCluster has been corrected. [59812]
- After an active/passive FireCluster OS upgrade, the cluster master is no longer incorrectly shown as idle in Policy Manager, WSM, and the CLI. [56507]
- After a FireCluster failover, Mobile VPN with SSL users no longer see a certificate warning message when they reconnect. [60038]
- FireCluster active/passive failover now works correctly when you have more than 8 VLANs configured on an interface. [58612]
- A problem that caused an active/passive FireCluster to unexpectedly fail over and lock up has been fixed. [60339]
- An issue that caused a FireCluster to fail to form if one of the cluster devices was set in a standby state has been resolved. [59524]
Mobile VPN with SSL
- You can now configure multiple users and groups for Mobile VPN with SSL authentication. [59313, 35669]
- The Mobile VPN with SSL client now releases its IP address after it disconnects on Windows 2003. [59158]
- Proxy ARP now works correctly for Mobile VPN with SSL when the SSL virtual IP address is from a virtual IP address pool on a trusted VLAN network. [59071]
- A Mobile VPN with SSL virtual IP address configured on a subnet of the trusted network can now get access to devices on the trusted network. [59200]
- The Mobile VPN with SSL client for the Mac can now connect to an XTM device that uses Fireware XTM v11.4.1. [60218]
Mobile VPN with IPSec
- The log message for Mobile VPN with IPSec user authentication now includes the virtual IP address. [57130]
- The Mobile VPN with IPSec profile can now be generated successfully on all Windows 7 and Windows Server 2008 computers. [57262]
Mobile VPN with PPTP
- Proxy ARP now works correctly for Mobile VPN with PPTP when the PPTP virtual IP address is from a virtual IP address pool on a trusted VLAN network. [59070]
Branch Office VPN
- The XTM device now automatically rebuilds VPN tunnels between two dynamic peers after a public IP address change, if the new Attempt to Resolve option is selected in the gateway endpoint settings. [56125]
- Dynamic routing OSPF failover to a branch office VPN tunnel on the same physical interface now operates correctly. [58255]
Proxies and Subscription Services
- You can now configure an Application Control action to block applications by category. [59039]
- SSL compatibility has been improved when you use the HTTPS proxy with deep inspection. [58833]
- An issue has been resolved that caused some web sites to not load on first request. [59793]
- When you configure your XTM device in Bridge mode, MSS adjustment now works correctly with proxy policies. [58837]
- A problem that caused the DNS proxy to crash has been resolved. [58073]
- A problem has been resolved that caused some file downloads through the HTTP proxy to fail when Gateway AV is enabled. [58212]
- A snom320 hold no longer breaks the call session when you use the SIP ALG. [59369]
- A hairpin call between dual-login clients no longer causes session instability. [59371]
- OPTIONS before 200 no longer prevents VoIP registrations. [59472]
Authentication
- You can no longer connect to the SSO Agent with Telnet without a login. The login is set in the SSO Configuration Tool. [31137]
- A computer on which the SSO client is used together with certain third party software no longer causes a high CPU spike. [59672]
- The SSO Client installer now automatically enables port 4116 on the Windows firewall. [59627]
- An issue has been resolved that caused the SSO Client to not retrieve all of the groups for an authenticated user. [59949]
- An issue has been resolved that caused authentication to fail when using the SSO Agent if a user was a member of a large number of groups. [60298]
- Single Sign-On authentication has been improved to allow faster recognition of initial traffic from a user. [58497]
- When the Authentication auto-redirect feature is enabled together with Terminal Services, traffic from the Terminal Server IP address is not automatically redirected to the authentication portal. [59542]
- Single Sign-On no longer fails when the Active Directory domain name contains a dash or underscore character (- or _). [59644]
Management
- A new pre-defined packet filter policy WG-LogViewer-ReportMgr allows you to use LogViewer and Report Manager from a computer that is external to your XTM device when your Report Server and Log Server are behind the XTM device. [45554]
- You can now configure Policy Manager to automatically save a backup copy of the configuration file each time you save changes to a file. The backup copy includes a timestamp in the file name. In Policy Manager, select File > Save > Always create a backup to enable this option. [57490]
- If you configure an external VLAN interface to get an IP address through DHCP, you can now release or renew the VLAN interface IP address in the Fireware XTM Web UI on the System Status > Interfaces page. [58042]
- You can now edit an SNAT action from the Policy Properties dialog box in Policy Manager. [58627]
- Fully managed XTM 11.4.1 devices now send information about the current Application Control and IPS signature version to the Management Server when a signature update occurs. [58734]
- When you disable broadcast routing in a branch office VPN tunnel configuration, the helper addresses are now correctly removed from the configuration. [58841]
- If you disable LDAPS in the LDAP authentication server settings, the LDAP server port is automatically reset to port 389. [59228]
- Role-based administration users can no longer see information in the Management Server about managed VPN tunnels between devices that the user role does not have rights to see. [59556]
- Policy Manager v11.3.x can no longer save a configuration to a device that uses Fireware XTM v11.4.x. [59693]
- Policy Manager can now successfully create a backup image of a Firebox X Edge device. [59944]
- When you delete the Outgoing policy from a configuration template, devices that use that template now correctly deny outgoing traffic not allowed by another policy. [59984]
- WatchGuard System Manager no longer runs low on memory after you monitor several devices in the Device Management tab for many hours. [60124]
- The WatchGuard System Manager Device Management page no longer shows the Configuration History section for a device that is configured in Basic Managed Mode. [60271]
- WatchGuard System Manager now correctly applies aliases in a configuration template to a device when the template is applied to the device. [60318]
WatchGuard Report Server
- The intervals displayed on the X/Y axis of a generated report now adjust depending on the timespan the report data includes. [39231]
- Weekly scheduled reports for the Management Server now generate correctly. [58413]
- Reports generated from the Reporting Web UI now use the correct “From” and “To” times. [59190]
- Reports no longer fail to generate with a stack trace memory error. [59320]
- The WebBlocker and Web Audit reports now generate more quickly. [59391]
- The Top Clients by Application Usage report now shows data in the Authenticated User column. [59448]
- The User Authentication report for PPTP and Firebox DB users no longer fails after you upgrade to WSM v11.4.x. [59735]
WatchGuard Log Server
- A problem that caused the Log Server to fail with “ap_collector” error messages has been resolved. [57615]
- The Log Server no longer tries to resolve domain names for all log messages. With this release, the Log Server tries to resolve domain names only for HTTP proxy log messages. This improves performance of the Log Server. [60215]
Firebox System Manager
- The Status Report now shows negotiated link speed and duplex settings for interfaces set to auto negotiate link speed. [42625]
- The Authentication List tab now shows a summary of the number of authenticated users, by authentication type. [59037]
- The Status Report tab now consistently shows both members of a FireCluster. [58809]
WebUI
- The Status user can no longer delete a firewall policy from the Web UI. [59789]
- Users in a Mobile VPN with IPSec authentication group are no longer removed when the Mobile VPN with IPSec configuration is edited in the Web UI. [59842]
Known Issues
These are known issues for Fireware XTM v11.4.1 and all management applications. Where available, we include a way to work around the issue.
General
- To power off an XTM 5 Series device, you must press and hold the rear power switch for 4–5 seconds. [42459]
- On an XTM 5 Series device, the link light for network interface 0 remains lit when the device is powered off using the rear power switch. [42388]
- For XTM 5 Series devices, Interface 0 does not support Auto-MDIX and does not automatically sense cable polarity.
- An XTM 2 Series device can take up to 5 minutes to reboot.
- When you use the Policy Manager > File > Backup or Restore features, the process can take a long time but does complete successfully. [35450]
- Amazon Web Services (AWS) requires the use of BGP over an IPSec tunnel. The operations outlined by Amazon.com to support Amazon Web Services are not currently supported by WatchGuard products. [41534]
WatchGuard System Manager
- There can be problems when you add, update, or delete a server installation from WatchGuard Server Center if WatchGuard System Manager is installed on a Windows 7 computer that has XP Compatibility Mode enabled. [56355]
Workaround
Make sure that Windows XP compatibility mode is not enabled on the WSM v11.x executable file. To verify, locate the wsm.exe file in Windows Explorer. Right-click on the executable file, select Properties, and click the Compatibility tab.
- Remote managed Firebox devices configured in Drop-in Mode may not be able to connect to a Management Server that is behind a gateway Firebox also configured in Drop-in Mode. [33056]
- If you restore a backup image to a managed client device managed by a Management Server, it is possible that the shared secret becomes out of sync.
Workaround
Connect to the Management Server from WSM. Select the managed device and select Update Device. Select the radio button Reset server configuration (IP address/ Hostname, shared secret).
- You cannot uninstall WatchGuard System Manager successfully when the WatchGuard Server Center is running on a computer using 64-bit Windows Vista. [39078]
Workaround
Exit the WatchGuard Server Center before you start to uninstall WSM. You can then uninstall WatchGuard System Manager successfully.
- When you run the WSM v11.3.x or v11.4.x installer (either the WSM client component only or any selected WSM server components) on Microsoft SBS (Small Business Server) 2008 and 2011 on a computer installed with a 64-bit operating system, you see a Microsoft Windows error "IssProc.x64 has stopped working". When you close the error dialog box, the installation completes. [57133]
Web UI
- The Fireware XTM Web UI does not support the configuration of some features. These features include:
- FireCluster
- Certificate export
- You cannot turn on or off notification of BOVPN events
- You cannot add or remove static ARP entries to the device ARP table
- You cannot get the encrypted Mobile VPN with IPSec end-user configuration profile, known as the .wgx file. The Web UI generates only a plain-text version of the end-user configuration profile, with file extension .ini.
- You cannot edit the name of a policy, use a custom address in a policy, or use Host Name (DNS lookup) to add an IP address to a policy.
- If you configure a policy in the Web UI with a status of Disabled, then open Policy Manager and make a change to the same policy, the action assigned to the policy when it denies packets is changed to Send TCP RST. [34118]
- If you use the Web UI to edit an existing proxy policy that has alarm settings enabled, the alarm settings may be disabled when you save your configuration. [38585]
- You cannot create read-only Mobile VPN with IPSec configuration files with the Web UI. [39176]
WatchGuard Server Center
- If the WatchGuard Server Center is open when you uninstall WSM, you see multiple warning messages to close the application, instead of just a single warning. [36901]
Command Line Interface (CLI)
- The CLI does not support the configuration of some features:
- You cannot add or edit a proxy action.
- You cannot get the encrypted Mobile VPN with IPSec end-user configuration profile, known as the .wgx file. The CLI generates only a plain-text version of the end-user configuration profile, with file extension .ini.
- The CLI performs minimal input validation for many commands.
Proxies
- The ability to use an HTTP caching proxy server is not available in conjunction with the TCP-UDP Proxy. [44260]
- You cannot make a SIP-based call from Polycom PVX softphone behind a Firebox to a Polycom PVX on the external network. [38567]
Workaround
You can use the H.323 protocol instead of SIP.
- When you try to stream YouTube videos from an Apple device running iOS, you may see this error message: "The server is not correctly configured."
Workaround
1. Edit your HTTP proxy policy.
2. Click View/Edit proxy.
3. Select the Allow range requests through unmodified check box.
4. Save this change to your XTM device.
- The SIP-ALG does not send the Contact header correctly when the Contact header contains a domain name. In that case it sends only an empty Contact header: Contact: < >. If the Contact header contains an IP address, the SIP-ALG sends the Contact header correctly, for example: Contact: <sip:10.1.1.2:5060>. [59622]
Workaround
Configure the PBX to send the Contact header with an IP address, not a domain name.
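The following Python script is an added example, not WatchGuard code, that shows how to check SIP signaling for the condition described above before it reaches the XTM device: it pulls the host out of each request's Contact header and reports the ones that carry a domain name instead of an IP address, because those are the headers the SIP-ALG replaces with an empty Contact: < >. The SIP requests in the script are constructed samples, not captures from a real PBX.

```python
import ipaddress
import re

# Constructed sample SIP requests (not captured from a real PBX).
SIP_WITH_IP = (
    "INVITE sip:bob@10.1.1.20 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.2:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@10.1.1.2>;tag=1928301774\r\n"
    "To: <sip:bob@10.1.1.20>\r\n"
    "Contact: <sip:10.1.1.2:5060>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "\r\n"
)
SIP_WITH_HOSTNAME = (
    "INVITE sip:bob@10.1.1.20 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP pbx.example.com:5060;branch=z9hG4bK776asdhdt\r\n"
    "From: <sip:alice@pbx.example.com>;tag=1928301775\r\n"
    "To: <sip:bob@10.1.1.20>\r\n"
    "Contact: \"Alice\" <sip:alice@pbx.example.com:5060>;expires=3600\r\n"
    "Call-ID: a84b4c76e66711\r\n"
    "\r\n"
)

# Host part of a sip:/sips: URI: optional user@, then a bracketed IPv6
# literal or anything up to the port, parameter or closing bracket.
_CONTACT_URI = re.compile(r"sips?:(?:[^@\s>]*@)?(\[[0-9a-fA-F:.]+\]|[^:;>\s]+)")


def contact_host(sip_message):
    """Return the host in the Contact header (compact form 'm' included), or None."""
    for line in sip_message.split("\r\n"):
        if line == "":  # blank line ends the header section
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("contact", "m"):
            match = _CONTACT_URI.search(value)
            if match:
                return match.group(1).strip("[]")
    return None


def is_ip_literal(host):
    """True for IPv4/IPv6 literals, False for domain names."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_contact_headers(messages):
    """Return the Contact hosts that are domain names, i.e. the headers
    the SIP-ALG in this release would send as an empty 'Contact: < >'."""
    findings = []
    for message in messages:
        host = contact_host(message)
        if host is not None and not is_ip_literal(host):
            findings.append(host)
    return findings


if __name__ == "__main__":
    for host in audit_contact_headers([SIP_WITH_IP, SIP_WITH_HOSTNAME]):
        print("Contact header uses a domain name; configure the PBX to send an IP address:", host)
```

Run it against a few INVITE or REGISTER requests exported from the PBX; any host it prints is one to change to an IP address in the PBX configuration, as the workaround above describes.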
Security Subscriptions
- Some IPS signature information, such as the CVE number, is not available in Firebox System Manager. We provide search capabilities and CVE information for IPS signatures on a web security portal for IPS on the WatchGuard web site, which you can access at http://www.watchguard.com/SecurityPortal/ThreatDB.aspx
- The Application Blocker feature has been removed from the product and has been replaced with the much more robust Application Control service. If you had Application Blocker enabled in a previous Fireware XTM v11.x build, no configuration settings are carried forward to Fireware XTM v11.4.
- There is no notification given to a user who tries to get access to an application or application feature and is blocked by Application Control. For example, if a user tries to use a blocked web application, the application does not load and the user sees only a message that the web page could not load. [59305]
- The number of applications supported by Application Control on a WatchGuard XTM 2 Series device is approximately 300, which is smaller than the full set of applications supported by other XTM devices.
- The number of IPS signatures included on the XTM 2 Series is less than on the 5 and 8 Series devices, or the XTM 1050. Only signatures classified at the critical and high levels are available on the XTM 2 Series.
- Skype detection blocks only new Skype sessions. If a user is already logged in to Skype and a Skype session is already started when Application Control is enabled, Application Control may not detect the activity.
- For XTM 2 Series devices only, Application Control is temporarily disabled during an upgrade, back up, or restore. When the operation is complete, Application Control starts to work again.
- It is not possible to assign a role for Application Control management from the WatchGuard System Manager role-based administration feature. [59204]
- You cannot use a WebBlocker Server through a branch office VPN tunnel. [56319]
Networking
- You cannot configure traffic management actions or use QoS marking on VLANs. [56971, 42093]
- You cannot bridge a wireless interface to a VLAN interface. [41977]
- The Web Setup Wizard can fail if your computer is directly connected to an XTM 2 Series device as a DHCP client when you start the Web Setup Wizard. This can occur because the computer cannot get an IP address quickly enough after the device reboots during the wizard. [42550]
Workaround
1. If your computer is directly connected to the XTM 2 Series device during the Web Setup Wizard, use a static IP address on your computer.
2. Use a switch or hub between your computer and the XTM 2 Series device when you run the Web Setup Wizard.
- When a secondary network is configured for an XTM 2 Series device configured in Drop-In Mode, it can sometimes take a few minutes for computers that connect to the secondary network to appear in the ARP list of the XTM 2 Series. [42731]
- After you enable the MAC access control list or add a new MAC address, you must reboot your XTM device before the change takes effect. [39987]
- You must make sure that any disabled network interfaces do not have the same IP address as any active network interface or routing problems can occur. [37807]
- If you enable the MAC/IP binding with the Only allow traffic sent from or to these MAC/IP addresses check box, but do not add any entries to the table, the MAC/IP binding feature does not become active. This is to help make sure administrators do not accidentally block themselves from their own XTM device. [36934]
- Any network interfaces that are part of a bridge configuration disconnect and re-connect automatically when you save a configuration from a computer on the bridge network that includes configuration changes to a network interface. [39474]
- When you change the IP address of a VLAN configured on an external interface from static to PPPoE and the Firebox cannot get a PPPoE address, Firebox System Manager and the Web UI may continue to show the previously used static IP address. [39374]
- When you configure your XTM device with a Mixed Routing Mode configuration, any bridged interfaces show their interface and default gateway IP address as 0.0.0.0 in the Web UI. [39389]
- When you configure your XTM device in Bridge Mode, the LCD display on your XTM device shows the IP address of the bridged interfaces as 0.0.0.0. [39324]
- When you configure your XTM device in Bridge Mode, the HTTP redirect feature is configurable from the user interface but does not work in this release. [38870]
- Static MAC/IP address binding does not work when your XTM device is configured in Bridge mode. [36900]
- When your XTM device is configured to use Bridge mode, the physical interface of the XTM device does not appear correctly in log messages. Instead, the interface is represented as tbrX. [36783]
- When you change your configuration mode from Mixed Routing to Bridge or from Bridge to Mixed Routing, the CLI and Web UI may continue to show the previous configuration mode. [38896]
- The dynamic routing of RIPv1 does not work. [40880]
- When an IP address is added to the Temporary Blocked Site list by the administrator through the Firebox System Manager > Blocked Sites tab, the expiration time is constantly reset when traffic is received from the IP address. [42089]
Multi-WAN
- When you enable the Multi-WAN Immediate failback option for WAN failover, some traffic may fail over gradually. [42363]
- When you enable Multi-WAN in round-robin mode, you cannot use the HTTP Proxy Caching Server option. [57561]
Authentication
- If you use Terminal Service authentication, you must reboot your server after you install the TO_AGENT software.
- If you use Terminal Services authentication, no authentication verification is done against traffic of any protocol that is not TCP or UDP. This includes DNS, NetBIOS, and ICMP traffic.
- Terminal Services authentication support does not work with single sign-on.
- It is not possible to use the Auto redirect users to authentication page for authentication option together with Terminal Services authentication.
- To enable your XTM device to correctly process system-related traffic from your Terminal or Citrix server, the Terminal Services Agent uses a special user account named Backend-Service. Because of this, you may need to add policies to allow traffic from this user account through your XTM device. You can learn more about how Backend-Service operates in the product help system.
- For the Authentication Redirect feature to operate correctly, HTTP or HTTPS traffic cannot be allowed through an outgoing policy based on IP addresses or aliases that contain IP addresses. The Authentication Redirect feature operates only when policies for port 80 and 443 are configured for user or user group authentication. [37241]
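The following Python script is an added example, not WatchGuard code, that applies the rule in the last item above to a configuration export: it expands aliases, then flags every policy for port 80 or 443 whose From list resolves to an IP address or network rather than to a user or group, because those are the policies that prevent Authentication Redirect from operating. The alias table and policy list are constructed samples, and the "group:" and "user:" prefixes are an assumption used only to mark authentication members in this example.

```python
import ipaddress

# Constructed alias table. Aliases can nest; leaves are either IP networks
# or authentication members written here as "group:<name>" / "user:<name>".
ALIASES = {
    "Any-Trusted": ["10.0.1.0/24"],
    "Any-Optional": ["10.0.2.0/24"],
    "Any-Internal": ["Any-Trusted", "Any-Optional"],
    "Staff": ["group:staff"],
}

# Constructed policy list. Only name, ports and the From members matter here.
POLICIES = [
    {"name": "HTTP-proxy", "ports": [80], "from": ["Any-Internal"]},
    {"name": "HTTPS-proxy", "ports": [443], "from": ["Staff"]},
    {"name": "Web-by-IP", "ports": [80, 443], "from": ["10.0.1.50"]},
    {"name": "Outgoing-DNS", "ports": [53], "from": ["Any-Trusted"]},
]

REDIRECT_PORTS = {80, 443}


def is_ip_member(member):
    """True when a member is an IP address or network, False for users/groups."""
    try:
        ipaddress.ip_network(member, strict=False)
        return True
    except ValueError:
        return False


def resolve(member, aliases, seen=None):
    """Expand an alias name (recursively) into its leaf members."""
    if seen is None:
        seen = set()
    if member in aliases and member not in seen:
        seen.add(member)
        leaves = []
        for inner in aliases[member]:
            leaves.extend(resolve(inner, aliases, seen))
        return leaves
    return [member]


def redirect_conflicts(policies, aliases):
    """Names of policies on port 80/443 whose From list contains IP-based
    members; Authentication Redirect does not operate while these exist."""
    conflicts = []
    for policy in policies:
        if not REDIRECT_PORTS & set(policy["ports"]):
            continue
        leaves = [leaf for member in policy["from"] for leaf in resolve(member, aliases)]
        if any(is_ip_member(leaf) for leaf in leaves):
            conflicts.append(policy["name"])
    return conflicts


if __name__ == "__main__":
    for name in redirect_conflicts(POLICIES, ALIASES):
        print("Policy allows HTTP/HTTPS by IP address; change From to users or groups:", name)
```

Policies on other ports, such as Outgoing-DNS above, are ignored because the redirect only applies to port 80 and 443 traffic.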
Centralized Management
- If you used Centralized Management with devices subscribed to templates in earlier versions of WSM, when you upgrade from WSM 11.x to v11.4, these templates are updated and the devices are no longer subscribed. Each device retains its template configuration. Existing templates are updated to use “T_” in their object names (to match the object names in the devices that used to subscribe to them). After you upgrade, the template update appears in your revision history.
- When an XTM template is applied to a managed device, the Management Server creates a new configuration revision for the device only if the new revision is going to be different from the current revision. No feedback is given about why a new configuration revision was not created. [57934]
FireCluster
- If the monitored link fails on both FireCluster members, the non-master member is switched into passive mode and consequently does not process any traffic. A multi-WAN failover caused by a failed connection to a link monitor host does not trigger FireCluster failover. FireCluster failover occurs only when the physical interface is down or does not respond.
- Each XTM device has a set of default IP addresses assigned to the device interfaces in the range 10.0.0.1–10.0.11.1. The highest default IP address depends on the number of interfaces. If you set the IP address of the Primary or Backup cluster interface to one of the default IP addresses, both devices restart, and the backup master becomes inactive. [57663]
Workaround
Do not use any of the default IP addresses as the Primary or Backup cluster interface IP address.
- When you have an active/active FireCluster and use the WebBlocker Override feature, you may be prompted to enter your override password twice. [39263]
- Every network interface enabled in a FireCluster is automatically monitored by FireCluster. You must make sure that all enabled interfaces are physically connected to a network device.
- If you use HP ProCurve switches, you may not be able to configure your FireCluster in active/active mode because these switches may not support the addition of static ARP entries. [41396]
- If you use the Mobile VPN with IPSec client from the same network as the external network address configured on your FireCluster, some traffic may not go through the VPN tunnel. [38672]
- Mobile VPN with PPTP users do not appear in Firebox System Manager when you are connected to a passive FireCluster member. PPTP is only connected to the active Firebox when using an active/passive FireCluster. [36467]
- FireCluster does not support dynamic routing. [39442]
Logging and Reporting
- The new flexible report scheduling options change the way groups are represented in the Reporting user interface. If you have groups configured on your Report Server in WSM v11.0 - 11.3, when you upgrade to WSM v11.4, each existing group is converted and appears as a Scheduled Task in your Report Server user interface. No information is lost in this conversion.
- Any configured daily or weekly “Archived Reports” you have in your v11.3 configuration are automatically converted to scheduled reports after you upgrade to WSM v11.4.
- When you uninstall an existing WatchGuard Log Server and then install WatchGuard System Manager v11.4 software and also install the Log Server, you may see an error: "Error: C:\Program Files\Common Files\WatchGuard\wsm11\lib\nls\en_US\logging_res.logAn error occurred while trying to replace the existing file: DeleteFile failed; code 5. Access is denied."
Workaround
Open Windows Task Manager and kill the process. From the WatchGuard System Manager installation dialog, click Retry. The installation should continue successfully. You may need to manually start the C:\WINDOWS\system32\wbem\wmiprvse.exe later.
- LogViewer may respond very slowly when you use the search functionality against a very large log database.
- You cannot use a v11.x Report Server with a v10.x Log Server. You must upgrade both servers for reporting to work correctly. You can, however, use v11.x Report Manager with a v10.x Report Server.
- LogViewer always generates PDFs in English, regardless of the language you view LogViewer in. Also, Unicode characters that cannot be displayed in the default font may not appear correctly in the PDF. [41244]
Mobile VPN
- You cannot ping the IP address of the XTM device interface to which a Shrew Soft VPN client established a VPN tunnel. You can ping computers on that network, but not the interface IP address itself. [60988]
- Shrew Soft VPN client connections can drop if there are multiple clients connected to an XTM device at the same time issuing Phase 2 rekeys. [60261]
- Phase 1 rekeys initiated by the Shrew Soft VPN client cause the client to be disconnected, if connected more than 24 hours. In this case, we recommend that you set the rekey on your XTM device to 23 hours, one hour shorter than the rekey hard-coded in the Shrew Soft client configuration. This forces the XTM device to initiate the rekey, and gives the client a notification that the tunnel must be re-established. [60260, 60259]
- A continuous FTP session over a Mobile VPN with IPSec connection could get terminated if an IPSec rekey occurs during the FTP transfer. [32769]
Workaround
Increase the rekey byte count.
- When you use the Web UI or CLI to configure Mobile VPN with IPSec user profiles, user groups with extended authentication may show incorrectly as Firebox Local Authentication groups. [39695]
- Users who try to upgrade their Mobile VPN with SSL client from Fireware XTM v11.2.1 to a later version of Fireware XTM will fail. The failure does not damage the v11.2.1 client installation. [43970]
Workaround
To upgrade your Mobile VPN with SSL client from v11.2.1 to v11.3, use your web browser to connect to https://<IP address of a Firebox or XTM device>/sslvpn.html. You can then download and install the new client software. Or, you can download the client software from the Software Downloads page and email it to your users to install on their computers.
- The Macintosh SSL VPN client may not be able to connect to a Firebox when the authentication algorithm is set to SHA 256. [35724]
- When the Macintosh SSL VPN client disconnects or is stopped manually, the client disables the AirPort wireless adapter on the Mac. [39914]
Branch Office VPN
- When you configure your XTM device in multi-WAN mode, you must select which interfaces to include in your multi-WAN configuration. If there are any interfaces that you choose not to include in your multi-WAN configuration (i.e. you clear the check box for that interface), the system does not create a route for that network. This can cause a problem if you have a branch office VPN configured to include that same interface. In this case, the VPN tunnel can fail to negotiate with its remote peer. [57153]
Workaround
If you use multi-WAN and have problems with your branch office VPN tunnels failing to negotiate with their remote peers, you must open your multi-WAN configuration and select Configure adjacent to your chosen multi-WAN configuration mode. Make sure that the appropriate interfaces are included in your multi-WAN configuration.
- A branch office VPN tunnel does not pass traffic if an inbound static NAT policy that includes IP 50 and IP 51 protocols exists for the external IP address of the XTM device. [41822]
- Managed branch office VPN tunnels cannot be established if the CRL distribution point (for example, the WatchGuard Management Server or a third-party CRL distribution site you use) is offline. [55946]
- The use of Any in a BOVPN tunnel route is changed in Fireware XTM. If a branch office VPN tunnel uses Any for the Local part of a tunnel route, Fireware XTM interprets this to mean network 0.0.0.0 and subnet mask 0.0.0.0 (in slash notation, 0.0.0.0/0). If the remote IPSec peer does not send 0.0.0.0/0 as its Phase 2 ID, Phase 2 negotiations fail. [40098]
Workaround
Do not use Any for the Local or the Remote part of the tunnel route. Change the Local part of your tunnel route. Type the IP addresses of computers behind the Firebox that actually participate in the tunnel routing. Contact the administrator of the remote IPSec peer to determine what that device uses for the Remote part of its tunnel route (or the Remote part of its Phase 2 ID).
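The following Python script is an added example, not WatchGuard code, that shows the Phase 2 ID comparison the issue above describes: it converts each tunnel route's Local part into the selector the XTM device sends (Any becomes 0.0.0.0/0, a bare host becomes a /32) and compares it with the network the remote administrator reports as the Remote part of the peer's tunnel route. The tunnel route list is a constructed sample, and the peer's Remote part is assumed to be supplied as an explicit address or CIDR network.

```python
import ipaddress

# Constructed tunnel routes: (tunnel name, Local part as typed in Policy
# Manager, Remote part of the peer's tunnel route as reported by its admin).
TUNNEL_ROUTES = [
    ("hq-branch", "Any", "10.0.1.0/24"),
    ("hq-datacenter", "10.0.5.0/24", "10.0.5.0/24"),
    ("hq-server", "10.0.5.7", "10.0.5.7/32"),
]


def tunnel_route_selector(spec):
    """Phase 2 ID selector that Fireware XTM derives from a tunnel route endpoint.
    'Any' is interpreted as network 0.0.0.0 with mask 0.0.0.0, i.e. 0.0.0.0/0;
    a host address without a prefix length is a single-host network."""
    if spec.strip().lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec.strip(), strict=False)


def check_tunnel_routes(routes):
    """Return (name, local Phase 2 ID, peer Phase 2 ID) for every route whose
    selectors differ; these are the tunnels whose Phase 2 negotiation fails."""
    mismatches = []
    for name, local_spec, peer_remote_spec in routes:
        local_id = tunnel_route_selector(local_spec)
        peer_id = ipaddress.ip_network(peer_remote_spec.strip(), strict=False)
        if local_id != peer_id:
            mismatches.append((name, str(local_id), str(peer_id)))
    return mismatches


if __name__ == "__main__":
    for name, local_id, peer_id in check_tunnel_routes(TUNNEL_ROUTES):
        print(f"{name}: local Phase 2 ID {local_id} does not match peer {peer_id}; "
              "replace Any with the actual local networks")
```

In the sample, only hq-branch is reported, because its Local part of Any expands to 0.0.0.0/0 while the peer expects 10.0.1.0/24; replacing Any with 10.0.1.0/24 on the XTM side makes the selectors agree.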
- If you have a large number of branch office VPN tunnels in your configuration, the tunnels may take a long time to appear in Policy Manager. [35919]
- When you set the Phase 2 SA expiration to zero by setting both the Life-time and Life-size values to 0, the XTM device changes the rekey life-time to 8 hours. [37209]
Updates to the Web Services API
If you use the Web Services API for logging and reporting, you must update the schema version to be able to use the new report types available with WSM v11.4 and supported by the Web Services API. Note that there are no additional changes to the schema for XTM v11.4.1; if you have already updated the schema for XTM v11.4, there is no additional work required.
The new reports in WSM v11.4 include:
- Application Usage Summary
- Blocked Application Summary
- Top Clients by Application Usage
- Top Clients by Blocked Application
- Top Clients by Blocked Category
- DHCP Lease Activity
- WIDS Summary
- HTTP Most Popular by Bytes
- HTTP Most Active Client by Bytes
To be compatible with Fireware XTM v11.4, Web Service clients must re-generate the stub code from the LogsService.wsdl file and update any references to the schema version in their user code. For example, in the code below, you must update "2010/04" to "2010/11".
Example WSM v11.3 Java code use
javax.xml.namespace.QName qName = new javax.xml.namespace.QName(
"http://www.watchguard.com/schema/xsd/LogsService/2010/04",
"AuthCredentials"
);
Updated for WSM v11.4 Java code use
javax.xml.namespace.QName qName = new javax.xml.namespace.QName(
"http://www.watchguard.com/schema/xsd/LogsService/2010/11",
"AuthCredentials"
);
Using the CLI
The Fireware XTM CLI (Command Line Interface) is fully supported for v11.x releases. For information on how to start and use the CLI, see the CLI Command Reference Guide, which has been updated for this release. You can download the CLI guide from the documentation web site at http://www.watchguard.com/help/documentation/xtm.asp.
Technical Assistance
For technical assistance, contact WatchGuard Technical Support by telephone or on the Web at http://www.watchguard.com/support. When you contact Technical Support, you must supply your registered Product Serial Number, LiveSecurity key or Partner ID.