Presentation on theme: "Whats New in Fireware XTM v11.3.4. 2WatchGuard Training Whats New in Fireware XTM v11.3.4 Mobile VPN with IPSec Support for the Shrew Soft VPN client."— Presentation transcript:
2WatchGuard Training Whats New in Fireware XTM v11.3.4 Mobile VPN with IPSec Support for the Shrew Soft VPN client Branch Office VPN New gateway endpoint setting to specify whether the device attempts to resolve the domain name in the remote gateway ID Fireware XTM Web UI Release or renew a DHCP lease for an external VLAN in the Web UI Proxies Global setting for TCP connection idle timeout Option to enable SSLv2 for the HTTPS-proxy
4WatchGuard Training Changes to Mobile VPN with IPSec As of April 20 th, WatchGuard no longer distributes the WatchGuard Mobile VPN with IPSec client on the Software Downloads Center. Technical Support will continue to support the WatchGuard Mobile VPN with IPSec client With Fireware XTM v11.3.4, we have added support for the Shrew Soft VPN Client Supported on Windows only Download the Shrew Soft VPN Client from the Shrew Soft web site See the product documentation for a list of differences between the WatchGuard IPSec client and the Shrew Soft VPN client
5WatchGuard Training Mobile VPN with IPSec Shrew Soft VPN Client WatchGuard supports the use of the Shrew Soft VPN client for Windows as a Mobile VPN with IPSec client. Profile for the Shrew Soft VPN client has a.vpn extension..vpn file is not encrypted and cannot be set to read-only Policy Manager v11.4.1 generates the.vpn file when it generates the.wgx and.ini files In the Web UI you can choose to generate a Shrew Soft VPN (.vpn) or WatchGuard Mobile VPN (.ini) configuration file. In the CLI, use the new export muvpn client-type option to export a.vpn file.
Mobile VPN with IPSec Shrew Soft VPN Client Download the Shrew Soft VPN client from http://www.shrew.net/download or the WatchGuard Software Downloads web sitehttp://www.shrew.net/download Use Shrew Soft VPN Access Manager to configure and connect. Select File > Import to import the generated.vpn profile. Select the imported profile, and click Connect. Use Shrew Soft VPN Trace to troubleshoot your connection. 6WatchGuard Training
7 Shrew Soft VPN Client Limitations The Shrew Soft VPN client does not support some Mobile VPN with IPSec configuration settings and features: IKE keep-alive is not supported. Configuration of multiple VPN gateways for multi-WAN failover is not supported. Line management configuration settings Connection mode and Inactivity timeout are not supported. The Dead Peer Detection (DPD) Traffic idle timeout and Max retries configuration settings do not apply to the Shrew Soft VPN client. If DPD is enabled, Shrew Soft VPN supports DPD with a traffic idle timeout value of 15 seconds. RADIUS 2-factor authentication is not supported. The Shrew Soft VPN client does not support a read-only profile. The Shrew Soft VPN client does not store the user name and password. Users must type the user name and password each time they connect.
9WatchGuard Training Branch Office VPN Enhancements New gateway endpoint setting specifies whether the device attempts to resolve the domain name in the Remote Gateway ID. Select this if the remote gateway uses dynamic DNS to maintain a mapping between a dynamic IP address and a domain name.
Renew or Release a DHCP Lease Fireware XTM Web UI includes a new option to release or renew a DHCP lease for an external VLAN. Select System Status > Interfaces. Select an external interface with DHCP enabled and click DHCP Release or DHCP Renew. 11WatchGuard Training
Global TCP Connection Idle Timeout New global setting in Fireware XTM Web UI in System > Global Settings. This setting specifies the amount of time a TCP session can remain idle. Policy-based override is available on the Properties tab of a policy. Select the Specify Custom Idle Timeout check box to override the global timeout setting and select another time. The new default setting is 3600 seconds (1 hour). Pre-v11.3.4 global TCP timeout default is 43205 seconds (12 hours 5 seconds). Previously, this setting could not be modified globally, except by editing the raw XML file. It was also necessary to use a policy-based override. The shorter default timeout value frees up resources faster. 13WatchGuard Training
Set globally in Fireware XTM Web UI: System > Global Settings Global TCP Connection Idle Timeout 14WatchGuard Training Override the global timeout setting on the Properties tab
Enable SSLv2 in the HTTPS-Proxy New check box in the HTTPS- Client and HTTPS-Server proxy actions to allow connections that negotiate the SSLv2 protocol. Enables users to connect to client or server applications that only support SSLv2. 16WatchGuard Training
Summary Fireware XTM v11.3.4 is a release of the Fireware XTM OS only To connect to and manage a v11.3.4 device, you can use: Fireware XTM Web UI v11.3.4 WatchGuard System Manager v11.4.1 or v11.3.2 Fireware XTM v11.3.4 includes these new features: Support for Shrew Soft VPN client New BOVPN gateway endpoint setting to specify whether the device attempts to resolve the domain name in the remote gateway ID Release or renew a DHCP lease for an external VLAN in the Web UI Configure a global setting for TCP connection idle timeouts Allow SSLv2 connections through the HTTPS-proxy WatchGuard Training 18