What’s New in v
- Web UI Feature Key Alert and Feature Key Wizard [80913, 80914]
- Improved XTM Configuration Report
- Mobile VPN with SSL Mac client Remember password option
- Additional supported 3G/4G USB modem — Sprint u301
- Support for default gateway on different subnet
- IPSec VPN License Limit Warnings
- Fireware XTM OS version includes the build number (WSM & FSM)
- SSO Agent and Event Log Monitor run as a domain user
- Branch Office VPN enhancement
- Bug fixes
- New RapidDeploy Methods (does not require Fireware XTM v11.9.1)
WatchGuard Training

Feature Key Alert and Feature Key Wizard
Fireware XTM Web UI now shows a warning if the device does not have a feature key. Click Add a feature key now to start the Feature Key Wizard.

Feature Key Wizard
The Feature Key Wizard has three options.

Feature Key Wizard
Select one of these options to install your feature key:
- Yes, download and install the feature key now
  Select this option if the device has already been activated. If the device has Internet access, the wizard downloads and installs the feature key.
- Yes, I have a local copy of the feature key
  Select this option if the device has already been activated, and you have a copy of the feature key in a text file. Paste the feature key text into the wizard. The wizard validates the feature key and installs it on the device.
- No, I have not activated the device yet
  Select this option if your device has not yet been activated. If the device has Internet access, the wizard helps you activate it and downloads the feature key. The online activation steps are the same as in the Web Setup Wizard. To activate your device, you must type the credentials you use to log in to the WatchGuard web site. If you do not already have an account, the wizard helps you create one.

Improved XTM Configuration Report
The XTM Configuration Report, available in the Web UI, now contains more complete information about the device configuration, including:
- QoS and Traffic Management actions
- Multi-WAN
- Global settings — TCP SYN checking
- Bridge interface settings
- VLAN interface settings
- Dynamic routing
- Policy details
- Secondary interface IP addresses
- IPv6 interface settings
- MAC access control
To run the XTM Configuration Report in the Fireware XTM Web UI:
1. Select System > Configuration File.
2. Click XTM Configuration Report.

Mobile VPN with SSL Client Password Option
- The Mobile VPN with SSL client for Mac now has the Remember password option. Previously this option was available only in the Windows client.
- When Remember password is selected, the client remembers the password used for the previous connection.
- This option is available in the client only if the Allow the Mobile SSL with VPN client to remember the password option is selected in the Mobile VPN with SSL settings on the Firebox or XTM device.

3G/4G USB Modem Support
- Sprint u301 3G/4G USB modem is now supported.
- For a full list of supported 3G/4G modems, see the Knowledge Base.

Configure the Default Gateway on a Different Subnet
- On an external interface, you can now specify the default gateway on a different subnet than the interface IP address.
- This applies only to physical external interfaces. It is not allowed on VLAN or other external interfaces.
- In most networks, the default gateway is on the same subnet as the external interface. If the default gateway is on a different subnet than the interface IP address, you must confirm that this is what you want to do. When you click Yes, the default route is added.

IPSec VPN License Limit Warnings
Firebox System Manager and Fireware XTM Web UI now display warning messages when the active Branch Office VPN tunnel count or current Mobile VPN with IPSec user count reaches the licensed maximum.
- In Firebox System Manager, the warnings appear on the Front Panel.
- In the Web UI, the warnings appear on the VPN Statistics System Status page.
License limit warning text *
- The maximum allowed number of active BOVPN tunnels has been reached (Maximum: nn)
- The maximum allowed number of active MUVPN user connections has been reached (Maximum: nn)
* Default VPN tunnel license maximums vary by Firebox or XTM device model
You can also select VPN > VPN Settings > BOVPN Notifications to get notifications about BOVPN license limit events. (This is not new.)

Fireware XTM OS Version with Build Number
In WSM and FSM, when you connect to a device, the build number is appended to the Fireware XTM OS version.
- In WSM, select the Device Status tab.
- In FSM, select the Front Panel tab.

SSO Agent and Event Log Monitor Run as Domain User
You can now run the SSO Agent and Event Log Monitor as a user account that is a member of either the Domain Users or Domain Admin group.

Branch Office VPN Enhancement
- A branch office VPN tunnel no longer appears to be down after a Phase 1 rekey until traffic is sent through the tunnel.
- After a Phase 1 security association (SA) rekey, the device now automatically triggers a Phase 2 SA rekey instead of deleting the Phase 2 SA.
- Tunnel status now remains active after a rekey, even if there is no traffic through the tunnel since the rekey.

Resolved Issues
This release resolves a number of issues reported in previous releases. See the Fireware XTM v Release Notes for details.

RapidDeploy

New RapidDeploy Methods
- RapidDeploy was updated on 8 July 2014, shortly after the release of v
- This is a change to the Product Details page on the WatchGuard website. It does not involve any change to Fireware XTM OS or the management software.
- You do not need Fireware XTM v to use RapidDeploy.
RapidDeploy enables you to configure a remote Firebox or XTM device. When a device that supports RapidDeploy starts with factory-default settings, it automatically contacts the WatchGuard website to download a configuration file, if one is available.
Summary of changes:
- A new RapidDeploy QuickStart method is available for Firebox T10 devices.
- The deployment method previously called RemoteConfig is being rebranded as a RapidDeploy method.
- The existing RapidDeploy from the Management Server is unchanged.

New RapidDeploy Methods
With this change, there are three RapidDeploy methods:
RapidDeploy QuickStart
- For Firebox T10 devices only.
- Uses a configuration file created by WatchGuard.
  - Enables the HTTP and HTTPS proxies with recommended settings.
  - Enables WebBlocker, Gateway AV, and RED, if services are licensed to the device.
- Enable it when you activate the device, or on the Product Details page.
Upload a configuration file to the website for RapidDeploy
- For Firebox and XTM devices manufactured with Fireware XTM v or higher.
- Upload the configuration file for RapidDeploy to the Product Details page.
- This method was previously called RemoteConfig.
- Any configuration file previously uploaded for RemoteConfig is now used for RapidDeploy.
Configure RapidDeploy on your Management Server
- For Firebox and XTM devices manufactured with Fireware XTM v or higher.
- Enable this RapidDeploy method on your Management Server.

RapidDeploy QuickStart in the Activation Wizard
Firebox T10 Activation Wizard steps:
1. Type the device serial number.
2. Assign a device friendly name.
3. Select free trials (if the device does not already have services as part of a UTM bundle).
4. Accept the End-User License Agreement.
5. Select the RapidDeploy configuration option.

RapidDeploy QuickStart in the Activation Wizard
RapidDeploy QuickStart
- This option is selected by default.
- Set the Device Management passphrases for this device.
- WatchGuard creates a configuration file with recommended settings.
- If the device has licensed services or trials, the RapidDeploy configuration enables some services. If the device does not have licensed services, services are not enabled.
Classic Activation
- Select this option if you want to use the Web Setup Wizard to create the initial device configuration.

After Activation
After the Firebox T10 activation is complete, the Product Details page shows that RapidDeploy QuickStart is enabled. It also shows whether the device has contacted WatchGuard to request the configuration file.
The Product Details page includes a link to online Help for the products portion of the website.

RapidDeploy Status
The RapidDeploy section of the Product Details page shows the status.
- Line 1 shows whether RapidDeploy is configured.
- Line 2 shows which RapidDeploy option is configured.
  - RapidDeploy QuickStart enabled on — for RapidDeploy QuickStart on a T10
  - Configuration uploaded on — for a configuration file uploaded to the website
  - RapidDeploy from the Management Server enabled on
- Line 3 shows whether the device contacted the server to request the configuration file, when the device requested the file, and the device IP address.

RapidDeploy — Change Configuration
Click Change Configuration on the Product Details page to select a RapidDeploy option:
- Do not use RapidDeploy
  Disable all RapidDeploy methods, including RapidDeploy from the Management Server.
- RapidDeploy QuickStart (for T10 only)
  Use a configuration file created by WatchGuard with recommended settings.
- Upload a configuration file to the website for RapidDeploy
  Upload a configuration file that you created.
If you select Do not use RapidDeploy on the Product Details page, and later enable RapidDeploy on the Management Server, RapidDeploy is enabled again.