What’s New in Fireware XTM v11.5.1

What's new in Fireware XTM 11 - Comunicaciones - 3digits s New in Fireware XTM v11.5.1 . New Features in Fireware XTM v11.5.1 Major Changes ... WatchGuard Training 2 . New Features


New Features in Fireware XTM v11.5.1

Major Changes
• IPv6 – Network Configuration and Routing
• FIPS 140-2
• Dynamic Routing Enhancements
• Clientless SSO
• Log and Report Manager
• Log Server UTC Timestamp Conversion
• ConnectWise Integration
• SMTP-Proxy TLS Encryption

2 WatchGuard Training

Minor Changes
• Debug Logging Per Proxy Action (60099)
• WSM Management Server Search (62143)
• iOS Mobile VPN with IPSec (41602)
• Export Auto-Blocked Sites (62511)
• Negotiate PPPoE Client IP Address (61930)

New Platforms

• XTM 330
• XTM 2050

IPv6

IPv6 Refresher

WatchGuard IPv6 resources — http://www.watchguard.com/ipv6/index.asp
• Hype or Reality — Video and PPT
• Security Implications — Video and PPT
• What to Expect — Video and PPT

IPv6 is manageable: if you treat a /64 as the smallest usable IPv6 subnet, the way many networks impose a /24 as a practical minimum in IPv4, then carving an IPv6 /48 into /64s is the same exercise as carving an IPv4 /8 into /24s (65,536 subnets either way).

Address structure diagram: an IPv4 address such as 10.0.0.254 shown beside the IPv6 address 2561:1900:4545:0003:0200:F8FF:FE21:67CF, written as eight 16-bit groups; the leading groups form the Network Prefix and the trailing groups form the Interface ID.
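A worked example, added here and not part of the WatchGuard deck: it splits the slide's sample address into network prefix and interface ID, recovers the MAC address embedded in an EUI-64 interface ID, and checks the /8-to-/24 versus /48-to-/64 subnetting analogy. The /64 split, the helper names and the `__main__` usage are assumptions made for the example.

```python
# Added example (not from the WatchGuard deck): IPv6 address structure.
import ipaddress

# Address shown on the slide's diagram
SAMPLE = "2561:1900:4545:0003:0200:F8FF:FE21:67CF"


def split_address(addr, prefix_len=64):
    """Return (network_prefix, interface_id) as lists of 16-bit hextets.

    The slide labels the leading hextets 'Network Prefix' and the trailing
    ones 'Interface ID'. A /64 boundary is assumed here because that is the
    prefix length stateless autoconfiguration (Router Advertisements) uses.
    """
    hextets = ipaddress.IPv6Address(addr).exploded.split(":")  # 8 x 16 bits
    boundary = prefix_len // 16
    return hextets[:boundary], hextets[boundary:]


def eui64_to_mac(interface_id):
    """Recover the MAC address from a modified EUI-64 interface ID.

    EUI-64 interface IDs are built by splitting the 48-bit MAC, inserting
    FF:FE in the middle and flipping the universal/local bit of the first
    byte. Returns None when the FF:FE marker is absent (for example a
    privacy-extension or manually assigned interface ID).
    """
    raw = bytes.fromhex("".join(interface_id))  # 8 bytes
    if raw[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(raw[:3] + raw[5:])
    mac[0] ^= 0x02  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)


def subnet_count(parent_len, child_len):
    """Number of child_len subnets inside one parent_len block."""
    return 2 ** (child_len - parent_len)


if __name__ == "__main__":
    prefix, iid = split_address(SAMPLE)
    print("network prefix :", ":".join(prefix))
    print("interface ID   :", ":".join(iid))
    print("embedded MAC   :", eui64_to_mac(iid))
    # The slide's analogy: an IPv4 /8 holds as many /24s as an IPv6 /48 holds /64s
    print(subnet_count(8, 24), subnet_count(48, 64))
```

The sample address carries the FF:FE marker, so its interface ID exposes the host's hardware address to every peer it talks to; that is one reason random (privacy) interface IDs exist.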

IPv6 in 11.5.1

Stage 1 is routing only: if the XTM device has a route for it, IPv6 traffic passes. No security policies, features, or configuration settings are applied to IPv6 traffic in this release.

• Static configuration of IPv6 addresses and DNS
• Router Advertisement for stateless address auto-configuration
• Static routes

IPv6 Certifications

IPv6 Ready Logo
• Phase 1 (Silver Logo) was achieved in v11.4.2
• Phase 2 (Gold Logo) Core is achieved in this release

Phase 2 Core is a prerequisite for the extended test categories, including:
• IPsec
• IKEv2
• MIPv6
• NEMO
• DHCPv6
• SIP
• SNMP MIBs
• MLDv2

IPv6 Roadmap

IPv6 Planned Features

IPv6 Stage 1 (v11.5.1)
• Static configuration of IPv6 addresses
• Router Advertisement for stateless address auto-configuration
• Static routes and DNS servers

IPv6 Stage 2
• DHCPv6 client for the external interface
• IPv6 policies
• Blocked sites/ports, and auto-block
• Default threat protection
• BOVPN 6-in-6, 6-in-4, 4-in-6
• 6-to-4 transition tunnel

IPv6 Stage 3 (future features)
• Authentication, SSO, Terminal Service
• DHCP server/relay for trusted/optional interfaces
• Transparent bridge and drop-in mode
• Traffic management and QoS
• 4-to-6 transition tunnel
• Proxies and security services (WebBlocker, GAV, …)
• Application Control and IPS
• Mobile User VPN
• Cluster

FIPS 140-2

FIPS Support in Fireware XTM

FIPS 140-2
• Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules
• Describes the NIST requirements and standards for cryptographic modules used by federal government departments and agencies
• Defines four security levels (Level 1 through Level 4)

WatchGuard XTM
• XTM devices and Fireware XTM are designed to meet the overall requirements for FIPS 140-2 Level 2 security, when configured in a FIPS-compliant manner

FIPS Support in Fireware XTM

FIPS Mode
• You must use the CLI to enable FIPS mode on an XTM device
• When the XTM device operates in FIPS mode, each time the device is powered on it runs the set of self-tests required by the FIPS 140-2 specification
• If any of the tests fail, the XTM device writes a message to the log file and shuts down
• If you start the device in safe mode or recovery mode, the device is not in FIPS mode
• Use the CLI command fips enable to enable FIPS mode operation
• Use the CLI command show fips to determine whether the XTM device is configured in FIPS mode

FIPS Mode Constraints

FIPS mode does not enforce a FIPS-compliant configuration. Enabling it runs the self-tests described on the previous slide, but it does not validate what you have configured; the administrator must ensure the following:
• Configure the Admin and Status administrative accounts to use passwords with a minimum of 8 characters
• When you configure VPN tunnels, choose only FIPS-approved authentication and encryption algorithms: SHA-1, SHA-256, SHA-512, 3DES, AES-128, AES-192, and AES-256
• When you configure VPN tunnels, choose Diffie-Hellman Group 2 or Group 5 for IKE Phase 1 negotiation
• Use a minimum of 1024 bits for all RSA keys
• Do not configure FireCluster for high availability
• Do not use Mobile VPN with PPTP
• Do not use PPPoE
• Do not use WatchGuard System Manager to manage the device
• For access to the Fireware XTM Web UI, the web browser must be configured to use only TLS 1.0 and FIPS-approved cipher suites
• For network access to the CLI, clients must use the SSH v2.0 protocol
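Because these constraints are the administrator's responsibility rather than something the device enforces, a configuration check is worth automating. The following is an added example, not WatchGuard code: it applies the slide's rules to a hypothetical dictionary representation of a device configuration and returns every violation. The dictionary layout, key names, the `fips_violations` function and the two sample configurations are assumptions for illustration; Fireware's real configuration format is different.

```python
# Added example (not WatchGuard code): check a configuration against the
# FIPS-mode constraints listed on the slide. The dictionary layout below is a
# hypothetical representation chosen for illustration; Fireware's real
# configuration format differs.

FIPS_AUTH = {"SHA-1", "SHA-256", "SHA-512"}
FIPS_ENC = {"3DES", "AES-128", "AES-192", "AES-256"}
FIPS_DH_GROUPS = {2, 5}
MIN_RSA_BITS = 1024
MIN_PASSWORD_LEN = 8
FORBIDDEN_FEATURES = ("firecluster", "mobile_vpn_pptp", "pppoe")


def fips_violations(config):
    """Return a list of violations (an empty list means the slide's rules hold)."""
    problems = []

    for account in ("admin", "status"):
        pw = config.get("passwords", {}).get(account, "")
        if len(pw) < MIN_PASSWORD_LEN:
            problems.append(f"{account} password shorter than {MIN_PASSWORD_LEN} characters")

    for tunnel in config.get("vpn_tunnels", []):
        name = tunnel["name"]
        for phase in ("phase1", "phase2"):
            auth, enc = tunnel[phase]["auth"], tunnel[phase]["enc"]
            if auth not in FIPS_AUTH:
                problems.append(f"{name} {phase}: authentication {auth} is not FIPS-approved")
            if enc not in FIPS_ENC:
                problems.append(f"{name} {phase}: encryption {enc} is not FIPS-approved")
        dh = tunnel["phase1"]["dh_group"]
        if dh not in FIPS_DH_GROUPS:
            problems.append(f"{name} phase1: DH group {dh} not allowed (use group 2 or 5)")

    for key in config.get("rsa_keys", []):
        if key["bits"] < MIN_RSA_BITS:
            problems.append(f"RSA key {key['name']} is {key['bits']} bits (minimum {MIN_RSA_BITS})")

    for feature in FORBIDDEN_FEATURES:
        if config.get("features", {}).get(feature):
            problems.append(f"{feature} must not be used in FIPS mode")

    return problems


# Constructed sample configurations (not exported from a real device)
NONCOMPLIANT = {
    "passwords": {"admin": "correct-horse", "status": "short1"},
    "vpn_tunnels": [{
        "name": "branch",
        "phase1": {"auth": "MD5", "enc": "DES", "dh_group": 1},
        "phase2": {"auth": "SHA-1", "enc": "AES-256"},
    }],
    "rsa_keys": [{"name": "webui", "bits": 512}],
    "features": {"firecluster": False, "mobile_vpn_pptp": True, "pppoe": False},
}

COMPLIANT = {
    "passwords": {"admin": "correct-horse", "status": "battery-staple"},
    "vpn_tunnels": [{
        "name": "branch",
        "phase1": {"auth": "SHA-256", "enc": "AES-256", "dh_group": 5},
        "phase2": {"auth": "SHA-256", "enc": "AES-256"},
    }],
    "rsa_keys": [{"name": "webui", "bits": 2048}],
    "features": {"firecluster": False, "mobile_vpn_pptp": False, "pppoe": False},
}

if __name__ == "__main__":
    for label, cfg in (("noncompliant", NONCOMPLIANT), ("compliant", COMPLIANT)):
        print(label, fips_violations(cfg) or "OK")
```

The check reports every problem rather than stopping at the first one, so a single pass over an exported configuration gives the full remediation list.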

Dynamic Routing Enhancements

• FireCluster is now supported with dynamic routing
• Configuration validation ensures a working configuration
• Enhanced troubleshooting capabilities
  – Enable debugging at runtime
  – Obtain more logs from Quagga
• Enhanced output in the Firebox System Manager Status Report

Dynamic Routing – Diagnostic Logging

Change the Diagnostic Log Level setting for Dynamic Routing to the Debug level to see detailed log messages from all log levels.

Clientless Single Sign-On (SSO)

Clientless SSO

Use the SSO Agent and the Event Log Monitor for SSO, without the SSO Client.
• Supports both single-domain and multiple-domain environments
• Provides the same accuracy as the SSO Client solution

Group lookup methods:
• Token Groups: used by the SSO Client, the SSO Event Log Monitor (ELM), and Manual Authentication with samAccountName; returns nested group memberships
• Group Attribute: used by Manual Authentication and non-Active Directory servers; does not return nested groups

Presenter notes: Clientless SSO is not supported in a TLS-enabled Active Directory environment.
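To see what "does not return nested groups" means for a policy decision, the following added example (not WatchGuard code) models both lookup methods over a constructed directory: a memberOf-style lookup returns only direct memberships, while a tokenGroups-style lookup follows the nesting chain. The directory contents, user and group names and function names are constructed for the example.

```python
# Added example (not WatchGuard code): why the Group Attribute lookup misses
# nested groups while Token Groups does not. The directory is constructed.

# Constructed directory: group name -> direct members (users or groups)
DIRECTORY = {
    "VPN-Users": {"Engineering", "jdoe"},
    "Engineering": {"Platform-Team"},
    "Platform-Team": {"asmith"},
    "Finance": {"bjones"},
}


def direct_groups(name):
    """Model of the memberOf ('Group Attribute') lookup: only the groups that
    list this user or group as a direct member."""
    return {g for g, members in DIRECTORY.items() if name in members}


def token_groups(user):
    """Model of the tokenGroups ('Token Groups') lookup: direct groups plus
    every group they are nested in, following the chain until it stops."""
    result = set()
    frontier = list(direct_groups(user))
    while frontier:
        group = frontier.pop()
        if group in result:
            continue  # already expanded (also guards against group cycles)
        result.add(group)
        frontier.extend(direct_groups(group))
    return result


def policy_allows(user, required_group, lookup):
    """Authorization decision for a policy bound to required_group, using the
    given group lookup method."""
    return required_group in lookup(user)


if __name__ == "__main__":
    for method in (direct_groups, token_groups):
        print(method.__name__, sorted(method("asmith")),
              "VPN-Users policy:", policy_allows("asmith", "VPN-Users", method))
```

In the constructed directory, asmith is in VPN-Users only through Engineering and Platform-Team. A policy bound to VPN-Users matches that user under the Token Groups method and silently fails under the Group Attribute method, which is why the lookup method matters when policies are written against parent groups.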
Clientless SSO Process

• Install the SSO Agent on your network.
• Install the Event Log Monitor on each domain controller in your network.
• The Event Log Monitor collects user credentials when users log on to the domain.
• The SSO Agent queries the Event Log Monitor for user credentials.

Clientless SSO Work Flow

Clientless SSO Contact Priority

Select whether the SSO Agent first contacts the Event Log Monitor or the SSO Client for user credentials.

Clientless SSO Supported OS

Use clientless SSO with these operating systems (the original table lists support for the SSO Agent and the Event Log Monitor in separate columns):
• Windows XP SP2/SP3 (32-bit)
• Windows Vista (32-bit)
• Windows 7 (32-bit)
• Windows Server 2003 (32-bit)
• Windows Server 2003 (64-bit)
• Windows Server 2008 (32-bit)
• Windows Server 2008 and 2008 R2 (64-bit)

Log and Report Manager

Log Viewer and Report Manager are replaced in v11.5.1 with the new Log and Report Manager web UI.

Select either the Log Viewer or Report Manager icon in WatchGuard System Manager to launch the default web browser. The user is prompted to connect to the WatchGuard Log Server or Report Server with administrative credentials.

Log and Report Manager — View Logs

Select the Actions drop-down list at the right to choose a time filter for the log display, or select a Timeslice Analysis to show a summary of log types recorded over time.

Log and Report Manager — View Reports

Select REPORTS > Devices to see a list of devices with reports on the Report Server.

Select a device to see the report options.

View available reports:
• Select Daily or Weekly time filters, and specify a date range.
• Select the tab for a report type: Dashboard, Traffic, Web, Mail, Services, Device, or Detail.
• To generate Per Client and On-Demand reports for a device, click a link at the right side of the page.

Log and Report Manager — On-Demand Reports

Select the Start and End date and time, the type of report to generate, and click Run Report to generate an On-Demand report.

Reports include graphical and textual summary information

Log Server and Report Server UTC Time Conversion

Log and Report Server Upgrade

When the Log Server or Report Server is upgraded to v11.5.1, the server database is upgraded to PostgreSQL 8.2.21.

If an external Log Server or Report Server database is used instead of the built-in database, the user must manually upgrade the server to PostgreSQL 8.2.21 before the Log Server or Report Server is upgraded.

Log and Report Server UTC Conversion

Previously, the Log and Report Server database used the timestamp of the host server. In v11.5.1, the UTC time stamp is used for log messages.

When an existing server is upgraded to v11.5.1, the log message time stamps are converted from the old format to UTC format. This can take some time depending on the size of the log database.

An audit log entry is written when the conversion process starts and when it finishes. If email notification is enabled, notifications are sent at both points.

ConnectWise Integration

Your v11.5.1 Report Server can send specific reports it generates to the third-party ConnectWise service to be included in the reports ConnectWise produces.

The Report Server must be configured with the information for a ConnectWise server and ConnectWise account.

In the Report Server Server Settings, enable ConnectWise integration and add the information for the ConnectWise server and ConnectWise account.

Make sure to import the CA certificate for your ConnectWise server to your Report Server.

Create a Report Schedule and specify the reports to generate and send to ConnectWise.

Reports available for ConnectWise integration:
• Firebox Statistics
• Intrusion Prevention Service Summary
• WebBlocker Summary
• Most Popular Domains

To send reports to ConnectWise, you must select at least one of these reports, and the schedule must run daily.

SMTP-Proxy TLS Encryption

SMTP-Proxy TLS Encryption Settings

v11.5.1 includes new options for TLS encryption settings in the ESMTP category of the SMTP proxy action.

If an SMTP-proxy is used for mail traffic sent through an XTM device, TLS encryption can be applied to the traffic.

Certificates used by the HTTPS-proxy are also used by the SMTP-proxy for TLS encryption. The FSM certificate import feature is also used to import TLS encryption certificates to the XTM device.

Configure rules to determine which recipient domains receive TLS-encrypted email:
• If Recipient Encryption is Required, the XTM device does not send the email if TLS negotiation fails.
• If Recipient Encryption is Preferred, the XTM device tries to negotiate a TLS connection, but if negotiation fails the email is sent unencrypted.
• If Recipient Encryption is Allowed, the email client can choose whether or not to encrypt, and the XTM device sends the email whether it is encrypted or unencrypted.

If Sender Encryption is Required, an option can be enabled to encrypt not only the email data but also the sender, recipient, and body information in the message.

The Authentication category of the ESMTP settings includes an option to require encryption of plain-text ESMTP authentication information.
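The three recipient settings and the authentication option above amount to a small decision procedure. The following added example (not WatchGuard code) models it: it parses a constructed EHLO reply, decides per recipient domain whether a message goes out encrypted, goes out in clear text or is not sent, and refuses AUTH PLAIN/LOGIN on an unencrypted session when the option is on. The rule table, domain names, function names and EHLO replies are assumptions for illustration.

```python
# Added example (not WatchGuard code): a model of the Recipient Encryption
# rules (Required / Preferred / Allowed) and of the "require encryption of
# plain-text ESMTP authentication" option, run against constructed EHLO
# replies. Rule table, function names and sample replies are assumptions.

REQUIRED, PREFERRED, ALLOWED = "required", "preferred", "allowed"

# Constructed rule table: recipient domain -> encryption setting
RULES = {"partner.example": REQUIRED, "vendor.example": PREFERRED}
DEFAULT_RULE = ALLOWED


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} for the extensions advertised in an EHLO reply.

    The first 250 line is the server greeting, not an extension."""
    caps = {}
    for line in reply.splitlines()[1:]:
        if not line.startswith("250"):
            continue
        fields = line[4:].split()  # strip "250-" or "250 "
        if fields:
            caps[fields[0].upper()] = fields[1:]
    return caps


def decide_delivery(recipient_domain, caps, tls_handshake_ok):
    """Outcome for one message: 'encrypted', 'plaintext' or 'rejected'.

    tls_handshake_ok models whether STARTTLS, if offered, completed."""
    rule = RULES.get(recipient_domain, DEFAULT_RULE)
    if "STARTTLS" in caps and tls_handshake_ok:
        return "encrypted"
    if rule == REQUIRED:
        return "rejected"  # the device does not send the email
    # PREFERRED falls back to clear text after a failed negotiation; under
    # ALLOWED the client decides and the device sends either way.
    return "plaintext"


def auth_permitted(caps, session_encrypted, require_encrypted_auth=True):
    """AUTH PLAIN and AUTH LOGIN carry the password base64-encoded, i.e. in
    the clear; with the option on they are refused on an unencrypted session."""
    plaintext_mechs = set(caps.get("AUTH", [])) & {"PLAIN", "LOGIN"}
    if plaintext_mechs and require_encrypted_auth and not session_encrypted:
        return False
    return True


# Constructed EHLO replies: one that offers STARTTLS and one that does not
# (a server without TLS, or a path on which the STARTTLS keyword was removed)
EHLO_TLS = (
    "250-mail.partner.example Hello\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 8BITMIME"
)
EHLO_NO_TLS = EHLO_TLS.replace("250-STARTTLS\r\n", "")

if __name__ == "__main__":
    for domain in ("partner.example", "vendor.example", "other.example"):
        print(domain, decide_delivery(domain, parse_ehlo(EHLO_NO_TLS), False))
    print("AUTH on clear session:", auth_permitted(parse_ehlo(EHLO_TLS), session_encrypted=False))
```

The practical difference between Required and Preferred shows up on the second EHLO reply: a peer that does not advertise STARTTLS, whether because it has no TLS or because something on the path removed the keyword, receives clear text under Preferred and nothing under Required.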

Minor Changes

Diagnostic Log Level For Proxy Actions

Set the Diagnostic Log Level for each proxy action in the General Settings category.

Diagnostic Log Levels:
• Error
• Warning
• Information
• Debug

Use this to reduce log messages from high-traffic proxy actions. To disable logging for a single proxy action, you must disable logging for that proxy type globally, then enable logging for all other proxy actions.

WSM Management Server Search

New Search folder for the Management Server on the Device Management tab.

Search supports:
• Device display name
• Device IP addresses
• Device host names
• Polled device name
• Polled IP address
• Polled serial number
• Polled software version

Search does not support:
• Serial number of the backup master
• Secondary addresses
• Polled multi-WAN IP addresses

iOS Mobile VPN with IPSec

No configuration profile is used; the iOS device is configured by hand (iOS: Setting up VPN) and Fireware XTM must be configured to match:
• Shared key only (no certificates)
• Force all traffic through the tunnel
• Phase 1: Authentication MD5 or SHA-1; Encryption DES, 3DES, AES-128, or AES-256 (no AES-192); SA Life 1 hour; Key Group DH Group 2
• Phase 2: Authentication MD5 or SHA-1; Encryption 3DES, AES-128, or AES-256; Key Expiration 1 hour and 0 KB
• Disable PFS

Of the options listed, MD5 and DES are not on the FIPS-approved algorithm list from the FIPS Mode Constraints slide; where a FIPS-compliant configuration is required, choose SHA-1 with 3DES or AES.

Export Auto-Blocked Sites

To export the list of blocked sites, right-click the Blocked Sites list in Firebox System Manager and save the list as the file blocked_sites.txt.

Negotiate PPPoE Client IP Address and DNS

Configure an external interface, select the IPv4 tab, select Use PPPoE, select Use IP address, and click Advanced Properties.

Send the PPPoE client static IP address during PPPoE negotiation
• When selected, the configured address is requested, but other addresses offered by the server are also accepted
• When not selected, the IP address is not negotiated in PPPoE

Negotiate DNS with PPPoE Server

New Platforms

                     XTM 330                          XTM 2050
Form Factor:         Rackmount (1U)                   Rackmount (2U)
Network Interfaces:  7x GbE (RJ45)                    16x GbE (RJ45), 2x 10G SFP+ fiber
Other Interfaces:    2x USB, 1x RJ45 serial           1x GbE RJ45 management, 2x USB, 1x RJ45 serial
Weight:              7.55 lbs                         48.5 lbs
Power Supply:        100-240 VAC autosensing          Dual 100-240 VAC autosensing

THANK YOU!