2. What’s New in v11.10What’s New in v11.10
New Feature
• Bandwidth and time user quotas
Monitoring Enhancements
• Review and reset user quota data
• VPN diagnostic messages and report enhancements
• Gateway Wireless Controller shows and filters on rogue AP devices, and shows
client signal strength
• Full Screen mode in FireWatch in Fireware XTM Web UI
Subscription Services Enhancement
• Setup wizards for services now available in the Web UI
VPN Enhancements
• Mobile VPN with SSL v10.11 clients for Windows and Mac OS X
Certificate Management Enhancements
• Manage certificates from the Web UI
• Automatic CA certificate updates
WatchGuard Training 22
3. What’s New in v11.10What’s New in v11.10
Wireless Access Point Enhancements
• Wireless traffic shaping
• Time-based SSID Activation
• Scheduled restarts of AP devices
• Multiple AP device selection for AP actions
• Enable rogue access point detection
SSO Enhancements
• Exchange Monitor (EM) Exchange Server 2013 support
• Clientless SSO for RDP logins
• Traffic through BOVPN tunnels can use SSO
• Support for switching between multiple users of the SSO Client
RapidDeploy Enhancements
• Improvements for CSV files on a USB drive
System Enhancements
• NTP server
WatchGuard Training 33
4. What’s New in v11.10What’s New in v11.10
Networking Enhancements
• Improved routing tables
• Multiple servers for DHCP relay
• DHCPv6 prefix delegation
• ARP limit updates
• XTM Configuration Report updates
Logging & Reporting Enhancements
• Simultaneously send log messages to two Log Servers
• Expanded information included in Device Feedback
Management Tunnel Enhancement
• Managed devices use the first distribution IP address for the Management Server
What Else is New?
• The first iteration of a comprehensive Help system for Fireware with integrated
instructions for all Fireware management UIs.
WatchGuard Training 44
5. New Feature — QuotasNew Feature — Quotas
WatchGuard Training 55
6. Bandwidth and Time QuotasBandwidth and Time Quotas
WatchGuard Training 66
You can enable bandwidth and time usage quotas for users on your
network for access to external sites.
Apply a daily limit to user Internet usage to enforce corporate acceptable
use policies.
When users exceed the quota limit, a notification message appears in
their web browsers and further access attempts are denied.
7. Bandwidth and Time QuotasBandwidth and Time Quotas
You can set these types of quotas:
• Bandwidth — The bandwidth quota
is set in MB per day, and is
enforced for all TCP and UDP
traffic in both directions.
• Time — The time quota is set in
minutes per day.
Both bandwidth and time quotas
can be enabled at the same time,
and the limit that is reached first is
enforced.
WatchGuard Training 77
8. Bandwidth and Time QuotasBandwidth and Time Quotas
Quota limits are applied to users
and groups based on
authentication to the Firebox.
For a quota to take effect, a user
must be authenticated and match a
configured policy defined with
Firebox users and groups.
WatchGuard Training 88
9. Bandwidth and Time QuotasBandwidth and Time Quotas
WatchGuard Training 99
To enable bandwidth and time quotas, you must:
• Enable quotas and create quota rules
• Apply a quota action to a rule
• Enable the quota rule in a policy
10. Enable time and bandwidth quotas
Add a quota rule that defines applicable users and groups, and the quota
action to apply.
Bandwidth and Time QuotasBandwidth and Time Quotas
WatchGuard Training 1010
11. A quota action defines the bandwidth and time restrictions to apply to a
quota rule.
Bandwidth and Time QuotasBandwidth and Time Quotas
WatchGuard Training 1111
12. Bandwidth and Time QuotasBandwidth and Time Quotas
To enforce a quota, a quota rule
must be enabled for a specific
policy.
The policy must be defined with
users or groups to be able to apply
a quota rule.
WatchGuard Training 1212
13. You can create exceptions to quotas so that any traffic to a specific
destination address is not counted towards the usage quota.
Create exemptions for your company's own domains, or software and
antivirus signature update sites.
Bandwidth and Time QuotasBandwidth and Time Quotas
WatchGuard Training 1313
14. Bandwidth and Time QuotasBandwidth and Time Quotas
Options to reset user quota data include:
• Quota daily limits are automatically reset the next day (starting at 00:00)
• Configuration changes automatically reset quotas for users and groups that use
the updated quota action
• Reboot the Firebox
• Manually reset quota data for specific users from the Web UI and FSM
WatchGuard Training 1414
16. Review & Reset Bandwidth and Time QuotasReview & Reset Bandwidth and Time Quotas
WatchGuard Training 1616
Monitor user quota usage data in Fireware XTM Web UI and Firebox
System Manager.
• Fireware XTM Web UI — System Status > Quotas page
• Firebox System Manager — Quotas tab
Quota data includes these details for each connected user:
Quotas Page (Web UI) User Quotas Tab (FSM) Description
User User The user name of the connected user.
Auth Domain N/A
The authentication domain through which the user is
authenticated.
Quota Action Quota Action
The quota action defined on your Firebox that
applies to the user.
Used/Configured
Bandwidth (per day)
Bandwidth Usage
(per day)
The amount of bandwidth the user has already used
and is allowed to use (used/allowed), for each day.
Used/Configured Time
(per day)
Time Usage (per day)
The amount of time the user has already used and is
allowed to use (used/allowed), for each day.
17. Review & Reset Bandwidth and Time QuotasReview & Reset Bandwidth and Time Quotas
WatchGuard Training 1717
Manually reset user quota data for specific users:
1. Select one or more users.
2. Click Reset Quota.
18. Gateway Wireless Controller — See Rogue Access PointsGateway Wireless Controller — See Rogue Access Points
Use the Gateway Wireless
Controller Wireless Deployment
Maps to scan for foreign wireless
access points
See a list of rogue access points
on the Foreign BSSIDs page
A rogue access point is any
wireless access point within range
of your network that is not
recognized as an authorized
access point.
Rogue access point can be
installed by a malicious user, but
could also be a device installed by
someone inside your organization
without consent.
WatchGuard Training 1818
19. Gateway Wireless Controller — Client Signal StrengthGateway Wireless Controller — Client Signal Strength
The Gateway Wireless Controller in Fireware XTM Web UI and Firebox
System Manager now includes an indicator to show the wireless client signal
strength.
WatchGuard Training 1919
20. Enhanced VPN Diagnostic ToolsEnhanced VPN Diagnostic Tools
VPN diagnostic messages
• New VPN messages now indicate why a branch office VPN gateway or tunnel
failed, and can include information about what action to take to resolve the error.
• VPN diagnostic messages appear in three places in the UI:
Firebox System Manager — Front Panel tab
WatchGuard System Manager — Device Status tab
Fireware XTM Web UI — System Status > VPN Statistics page
Enhanced VPN Diagnostic Report
• Performs more checks to identify many of the most common VPN issues
• Provides more actionable information
WatchGuard Training 2020
21. VPN Diagnostic MessagesVPN Diagnostic Messages
VPN diagnostic
messages appear
below the gateway in
the Web UI and FSM.
• Messages can be for a
specific tunnel or
gateway endpoint.
Errors
• Error status — Web UI
• Red text — FSM and
WSM.
Warnings
• Warning status —
Web UI.
• Orange text — FSM
and WSM.
WatchGuard Training 2121
22. VPN Diagnostic Report EnhancementsVPN Diagnostic Report Enhancements
Improved VPN Diagnostic Report
• The VPN Diagnostic Report now does more extensive diagnostics checks, and
provides more information.
• The report includes three new sections:
[Conclusion] — This section at the top summarizes what was observed, lists any
detected errors, and includes suggestions of next steps to troubleshoot the VPN.
[Address Pairs in Firewalld] — This section shows the address pairs and the traffic
direction (IN, OUT, or BOTH).
[Policy checker result] — This section shows policy checker results for policies that
manage traffic for each tunnel route.
The VPN Diagnostic Report is now available in the Fireware XTM Web UI
on the System Status > VPN Statistics page, as well as on the System
Status > Diagnostics page.
WatchGuard Training 2222
23. Branch Office VPN Troubleshooting TipsBranch Office VPN Troubleshooting Tips
For any branch office VPN, you can run reports and monitor error messages
on both endpoint devices—the initiator and the responder.
• The initiator is the endpoint that starts the tunnel negotiation
• The responder receives the proposal and accepts or rejects the proposed tunnel
settings from the initiator
For troubleshooting VPN negotiation, run the VPN Diagnostic Report or look
at the VPN diagnostic messages on the responder.
• The responder has more information about settings that do not match.
On the responder, VPN diagnostic errors include more detailed information about what
setting the initiator proposed, and what setting was expected.
• The initiator does not know what settings were expected.
WatchGuard Training 2323
24. VPN Troubleshooting in Firebox System ManagerVPN Troubleshooting in Firebox System Manager
Example — VPN diagnostic message for a mismatched Phase 2 proposal
• VPN diagnostic message on
the initiator:
“Received ‘No Proposal Chosen’
message. Check VPN IKE diagnostic
log messages on the remote gateway
endpoint for more information.”
• The VPN diagnostic message
on the responder is more
informative:
“Received ESP encryption 3DES,
expecting AES”
The same messages appear
in the VPN Diagnostic Report.
• To run the report, right-click
the gateway and select
VPN Diagnostic Report.
WatchGuard Training 2424
Initiator
Responder
25. VPN Diagnostic Messages in the Web UIVPN Diagnostic Messages in the Web UI
VPN diagnostic messages appear in the System Status > VPN
Statistics page.
WatchGuard Training 2525
26. VPN Diagnostic Report in the Web UIVPN Diagnostic Report in the Web UI
To run the VPN
Diagnostic Report from
the System Status >
VPN Statistics page:
• On the Branch Office
VPN tab, click Debug
for a Gateway.
• Or, select the Debug
tab, select the
gateway, and click
Start Report.
WatchGuard Training 2626
27. Routes Table UpdatesRoutes Table Updates
In Fireware XTM Web UI, the Routes table in System Status > Routes
includes these updates:
• Filter routes by:
IP address type (IPv4, IPv6, or both — IPv6 is new)
Route Type (Connected, Static, Dynamic, VPN)
Interface (Select the interface)
Destination (Type a valid IPv4 network address)
The Routes table shows the first 100 routes that match the filter criteria.
WatchGuard Training 2727
28. Routes Table UpdatesRoutes Table Updates
The Firebox System Manager Status Report tab now includes two route
tables.
• IPv4 Routes — Shows the first 100 IPv4 routes (all routes, including static,
dynamic, and VPN routes).
• IPv6 Routes — Shows the first 100 IPv6 routes (all routes, including static,
dynamic, and VPN routes).
Route table includes the same
information as the output of the
CLI “show ip route” and
“show v6 ip route” commands.
These two route tables replace
the four route tables that previously
appeared in the Status Report
(main, ethx.out, any.out, and zebra).
WatchGuard Training 2828
29. FireWatch EnhancementsFireWatch Enhancements
FireWatch can now be viewed in Full Screen mode in Fireware XTM Web UI
Full Screen mode options include:
• Select to include one or more groups in the display
• Specify the information refresh rate
• The settings controls are hidden after a period of time
• Select all standard filters
• See information in bytes for all groups except WebBlocker, which appears in
number of connections
WatchGuard Training 2929
31. FireWatch EnhancementsFireWatch Enhancements
Select which group information appears:
• Source
• Destination
• Applications
• Policies
• Interface (In)
• Interface (Out)
Select the type of data that appears:
• Rate
• Bytes
• Connection
• Duration
WatchGuard Training 3131
33. Subscription Services Setup WizardsSubscription Services Setup Wizards
New Web UI activation wizards that guide you through the steps to enable
these Subscription Services and create a basic configuration:
• spamBlocker
• WebBlocker
• Gateway AntiVirus
• Intrusion Prevention
WatchGuard Training 3333
34. Signature Update WarningsSignature Update Warnings
New warnings displayed for
services when automatic signature
updates are disabled.
• IPS
• Gateway AntiVirus
• Application Control
• DLP
WatchGuard Training 3434
36. Updates to Mobile VPN with SSL ClientsUpdates to Mobile VPN with SSL Clients
Updated WatchGuard Mobile VPN with SSL clients for Windows and Mac
OS X
• Both clients now use OpenVPN 2.3.6
• Both clients now support more than 24 routes
• The Windows client now includes the TAP driver for Windows 8.1
WatchGuard Training 3636
38. Manage Certificates from the Web UIManage Certificates from the Web UI
You can now perform all
the same certificate
management tasks from
the Web UI that are
available in Firebox
System Manager.
• Delete, Install, and
export certificates
• View certificate details
• Import CRLs
• Create CSRs
(certificate signing
requests)
WatchGuard Training 3838
39. Automatic CA Certificate UpdatesAutomatic CA Certificate Updates
Automatically get new
versions of the trusted
CA certificates stored on the
device and automatically
install the new certificates.
Ensures all trusted CA
certificates on your device
are the latest version.
Expired certificates are
updated, and new trusted
CA certificates are added to
your device.
Updated certificates are
downloaded from a secure
WatchGuard server.
WatchGuard Training 3939
40. Wireless Access Point EnhancementsWireless Access Point Enhancements
WatchGuard Training 4040
41. Wireless AP EnhancementsWireless AP Enhancements
WatchGuard Training 4141
Wireless traffic shaping
Time-based SSID Activation
Scheduled restarts of AP devices
Multiple AP device selection for AP actions
Enable rogue access point detection
42. Wireless Traffic ShapingWireless Traffic Shaping
Configure traffic rate shaping for
each wireless SSID.
Traffic shaping is for wireless
download traffic only.
• Base rate — The base throughput
rate for the SSID. Not allowed to
exceed this limit except for burst
activity.
• Ceiling rate — The hard limit
throughput rate for the SSID.
This limit includes burst activity.
• Burst — The maximum number of
kilobytes allowed beyond the base
rate.
WatchGuard Training 4242
43. Time-based SSID ActivationTime-based SSID Activation
Enable SSIDs for specific time
periods.
Limits access to the SSID based
on the start and end times you
configure.
WatchGuard Training 4343
44. Scheduled Restarts of AP DevicesScheduled Restarts of AP Devices
Restart wireless services or reboot
all of your AP devices at scheduled
times on a daily or weekly basis.
Refreshes the AP device and
makes sure the device
configuration and all access control
lists are up to date.
Automatically updates wireless
channel selection.
AP devices are restarted in 90
second intervals to make sure they
are not all restarted at the same
time.
WatchGuard Training 4444
45. Multiple AP Device Selection for AP ActionsMultiple AP Device Selection for AP Actions
You can select multiple
AP devices to complete
reboot, upgrade, and
restart wireless actions.
WatchGuard Training 4545
46. Enable Rogue Access Point DetectionEnable Rogue Access Point Detection
Enable rogue access
point detection for each
SSID.
Add known device MAC
addresses to the
exceptions list so they
are not considered a
rogue access point.
WatchGuard Training 4646
48. Single Sign-On EnhancementsSingle Sign-On Enhancements
Single Sign-On Enhancements include:
• Support for Microsoft Exchange Server 2013 for the SSO Exchange Monitor
.NET Framework v3.5 required on Exchange Server 2013 server
• Clientless SSO for RDP logins
Event Log Monitor now recognizes both logon and logoff events for RDP connections
and reports this information to the SSO Agent, which sends the events to the Firebox.
The Firebox opens and closes user sessions based on the logon and logoff event
reports from the Event Log Monitor.
• Traffic through BOVPN tunnels can now use Single Sign-On
• Support for switching between multiple users of the SSO Client on Windows
2008, 7, and Vista
WatchGuard Training 4848
49. Single Sign-On EnhancementsSingle Sign-On Enhancements
New Enable SSO through BOVPN tunnels option allows users of BOVPN
tunnels to use SSO for network connections
WatchGuard Training 4949
51. RapidDeploy CSV File — Change External InterfaceRapidDeploy CSV File — Change External Interface
You can now use a CSV file to change the external interface number.
A device that starts with factory-default settings can automatically configure
the external interface from settings in a CSV file on a connected USB drive.
• Previously, the only valid interface you could specify in the CSV file was 0.
• A device that uses Fireware v11.10 now supports interface numbers other than 0.
• The format of the CSV file did not change.
• This is most often used for RapidDeploy.
Example line in a CSV file to configure interface 2 as the external interface:
70XX00777X777,2,ext,Static,203.0.113.20/24,203.0.113.1,198.51.100.20
WatchGuard Training 5151
53. NTP ServerNTP Server
After you enable a Firebox to use
NTP, you can enable the device as
an NTP server.
• When you enable the device as an
NTP server, the NTP Server policy
is automatically created.
• The NTP Server policy allows
connections to the NTP server from
clients on the trusted and optional
networks.
Configure NTP clients to get the
date and time from the interface IP
address or domain name of the
Firebox.
WatchGuard Training 5353
55. Multiple Servers for DHCP RelayMultiple Servers for DHCP Relay
In the DHCP Relay settings, you
can now add the IP addresses of
up to three DHCP servers.
• Previously you could configure only
one IP address for DHCP Relay.
The Firebox relays DHCP requests
to the IP addresses of all DHCP
servers.
WatchGuard Training 5555
56. DHCPv6 Prefix DelegationDHCPv6 Prefix Delegation
You can enable DHCPv6 Client Prefix Delegation on an external interface.
• The device requests an IPv6
prefix from a DHCPv6 server.
• You can use the delegated
prefix when you configure
IPv6 addresses on trusted,
optional, and custom
interfaces.
DHCP prefix delegation is
described in RFC 3633.
WatchGuard Training 5656
57. DHCPv6 Prefix DelegationDHCPv6 Prefix Delegation
The delegated prefix appears on the Front Panel tab of Firebox System
Manager.
WatchGuard Training 5757
58. DHCPv6 Prefix DelegationDHCPv6 Prefix Delegation
You can use the delegated prefix for a trusted, optional or custom interface.
• Static IPv6 interface IP address
• IPv6 prefix advertisement
• DHCPv6 address pool
• DHCPv6 reserved addresses
Select Use delegated prefix.
• The delegated prefix name appears
as the first part of the IPv6 address.
• The prefix name includes the external
interface device name, followed by
“_prefix”. For example “eth0_prefix”.
• Type the subnet in the adjacent text box.
WatchGuard Training 5858
Delegated prefix in the DHCPv6 address pool
Delegated prefix in a static IPv6 address
59. DHCPv6 Prefix DelegationDHCPv6 Prefix Delegation
WatchGuard Training 5959
You can also enable the DHCPv6
server on an interface to delegate
prefixes to DHCPv6 clients.
• Add prefixes to the Prefix Pool.
• To reserve a specific prefix for a
client, add the prefix to the
Reserved Addresses and
Prefixes list.
60. Improved Route Tables — Command Line InterfaceImproved Route Tables — Command Line Interface
To see the first 100 IPv4 routes, use the “show ip route” command
• Replaces the “show route” command
• Output is easier to read than the output of the old show route command
WG>show ip route
Kernel IP routing table
Destination Gateway Genmask Interface Flags Metric
0.0.0.0 203.0.113.1 0.0.0.0 eth0 UG 5
10.0.70.0 0.0.0.0 255.255.255.0 eth1 U 0
10.0.71.0 0.0.0.0 255.255.255.0 eth1 U 0
10.0.78.0 0.0.0.0 255.255.255.0 vlan10 U 0
10.0.79.0 0.0.0.0 255.255.255.0 br0 U 0
10.10.10.0 0.0.0.0 255.255.255.0 ath1 U 0
127.0.0.0 0.0.0.0 255.0.0.0 lo U 0
192.168.113.0 0.0.0.0 255.255.255.0 tun0 U 0
203.0.113.0 0.0.0.0 255.255.255.0 eth0 U 0
• Use command options to filter the route table (same filters as in the Web UI)
WG>show ip route ?
<cr> Carriage return
<net> IP subnet for the destination <A.B.C.D/(1-32)>
connected Connected routes
dynamic Dynamic routes
ifname Interface device name
static Static routes
vpn VPN routes
WatchGuard Training 6060
61. Improved Route Tables — Command Line InterfaceImproved Route Tables — Command Line Interface
To see the first 100 IPv6 routes use “show v6 ip route”
• Output — no change from 11.9.x
WG>show v6 ip route
Kernel IPv6 routing table
Destination Next Hop Interface Flags Metric
2001::/64 :: vlan10 U 256
fe80::/64 :: vlan10 U 256
• New command options to filter the route table (same filters as in the Web UI)
WG>show v6 ip route ?
<cr> Carriage return
<netipv6> IPv6 subnet for the destination <A:B:C:D:E:F:G:H/I>
<A::G:H/I>
<::H/I>
connected Connected routes
dynamic Dynamic routes
ifname Interface device name
static Static routes
vpn VPN routes
WatchGuard Training 6161
62. Route Diagnostics — Command Line InterfaceRoute Diagnostics — Command Line Interface
For Support Only (RFE65096)
CLI “diagnose” command has a new “ip” option
• Supports the same arguments as the linux ip-route command
WG#diagnose ip help
Usage: ip [ OPTIONS ] OBJECT { COMMAND | help }
ip [ -force ] -batch filename
where OBJECT := { link | addr | addrlabel | route | rule | neigh | ntable |
tunnel | tuntap | maddr | mroute | mrule | monitor | xfrm }
OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] |
-f[amily] { inet | inet6 | ipx | dnet | link } |
-o[neline] | -t[imestamp] | -b[atch] [filename] |
-rc[vbuf] [size]}
• Syntax: diagnose ip ‘<arguments>’ — arguments must be in quotes
diagnose ip 'route list'
diagnose ip 'route list dev eth1'
diagnose ip 'route get 1.2.3.4'
Primarily intended for use by WatchGuard for troubleshooting
• Caution: Do not use this command to add or remove routes.
WatchGuard Training 6262
63. Updated ARP Limits Per ModelUpdated ARP Limits Per Model
For Support Only (RFE83400)
New ARP limits per model based on system memory size
ARP limits have three threshold values:
• The lowest threshold is when garbage collection starts.
• The middle value is when garbage collection becomes more aggressive.
• The top value is the maximum number of ARP entries.
Previously, ARP limits were set based on the model, and had a maximum of
either 4096 or 8192
WatchGuard Training 6363
System Memory Size GC threshold values
Less than or equal to 128M 128 512 1024
Between 128MB and 1G (including 1G) 512 2048 4096
Between 1G and 4G (including 4G) 1024 4096 8192
More than 4G 1536 6144 12288
64. Updated XTM Configuration ReportUpdated XTM Configuration Report
The XTM Configuration Report available from the Fireware Web UI now
includes information about Default Packet Handling and FireCluster
configuration settings.
WatchGuard Training 6464
66. Logging EnhancementsLogging Enhancements
Simultaneously send Log Messages to two WatchGuard Log Servers
• Two different WatchGuard Log Servers — Dimension or WSM Log Servers
• Configure two sets of Log Servers
• Add primary and backup servers for each Log Server set
WatchGuard Training 6666
69. Device Feedback Report EnhancementsDevice Feedback Report Enhancements
New information in the Device Feedback sent to WatchGuard includes:
• Start and end time stamps for the feedback data sent to WatchGuard
• Peak proxy connection limit usage
• Number of proxy actions with Subscription Services enabled in the configuration
• Subscription Services details include:
Whether the service is enabled
Counts of the number of events for each service enabled on the Firebox
A list of the events triggered on the Firebox for each service (includes the source
IP address, protocol, and threat level of the event).
WatchGuard Training 6969
71. Management Tunnel EnhancementsManagement Tunnel Enhancements
For a Management Tunnel over SSL, if the tunnel goes down, the Firebox
can now reconnect to the first IP address in the list specified for the
Management Server and rebuild the tunnel.
In the Firebox Managed Device settings:
• Specify the private IP address for the Management Server as the first IP address
in the list.
• Specify the public IP address for the Management Server as the second IP
address in the list.
WatchGuard Training 7171
72. What Else is New?What Else is New?
WatchGuard Training 7272
73. Integrated Fireware HelpIntegrated Fireware Help
The v11.10 release includes the first iteration of a comprehensive Help
system for Fireware with integrated instructions for all Fireware
management UIs.
Includes context-sensitive help topics for these management and monitoring
tools:
• Fireware XTM Web UI
• WatchGuard System Manager & all WSM tools
• WatchGuard Dimension
• WatchGuard WebCenter
• WatchGuard Server Center & WatchGuard servers
• WatchGuard Deployment Center (RapidDeploy)
WatchGuard Training 7373
75. Additional ResourcesAdditional Resources
Information about the new and enhanced features included in this release is
available from these resources on the Product Documentation pages of
the WatchGuard website:
• From the Help systems:
Fireware Help — What’s New in This Release
• From the What’s New presentation:
What’s New in Fireware v11.10
WatchGuard Training 7575