Presentation on theme: "What’s New in WSM 10 and Fireware 10"— Presentation transcript:
1What’s New in WSM 10 and Fireware 10 PresenterDate
2What’s New in WSM/Fireware 10 WSM 10 Overview New SQL-based logging and reporting architectureWatchGuard Management Server enhancementsFirebox System Manager enhancementsNew help system with search and Table of Contents
3What’s New in WSM/Fireware 10 Fireware 10 Overview New in Fireware 10Mobile VPN with SSLNew proxies for VoIP supportNew TCP/UDP proxy for multiple protocol detectionEnhancements to security subscriptionsSingle Sign-OnMore integration with LiveSecurityBOVPN and Mobile VPN with IPSec enhancementsNew notificationsNetworking enhancements
6New Logging and Reporting Architecture Overview The new logging and reporting architecture includes:New SQL-based Log ServerTotally redesigned LogViewer applicationNew Report ServerNew Report Manager (replaces Historical Reports)One change to the WatchGuard Toolbar:The red dot on the icon means that the service is not running. Either the service is stopped, or the server is not yet configured.New Report Server icon
7New Logging and Reporting Architecture About the SQL Database Uses PostgreSQLPostgres is installed during either:Log Server Setup WizardReport Server Setup WizardThe server you set up first (Report Server or Log Server) installs PostgresBecause Postgres does not install over an RDP session, do not run the Log Server or Report Server Setup Wizard over RDPPostgreSQL installation creates the data directory and its structureThere is no UI option to change the location of the data directory after Postgres is installedInstalls a non-admin user account watchguard_pg_userDo not alter this account; it is for the Postgres serviceIn this release, you must use command line for:Importing old XML log files into the databaseRestoring a backup of the databaseDo not run Postgres install over an RDP connection unless it is a console-based RDP connection:Start Run mstsc –v:Servername[:Port] /console
8New Log Server SQL-based Advantages to using SQL database for logsMuch more scalableLogs from multiple appliances now stored in one databaseNo more discrete XML log filesFaster and more powerful log file searchFaster report generationReport can be run on data stored in different Log ServersAutomatic maintenance jobs are user-configurable:Automatic daily deletion of old logsAutomatic daily backupIf a Firebox has two Log Servers configured and one goes down, the Firebox could send log messages to two different servers. One Report Server can pull data from the two different Log Servers to make reports on the one Firebox.
9New Log Server Log Server Setup Wizard Click once on the Log Server icon to start the Log Server Setup WizardThe red dot on these icons means that either the service is stopped, or the server is not yet configured.If the server is not yet configured, left-click once on the icon to start the setup wizard.If the server is configured but the service is stopped, left-click once on the icon to start the service.
10New Log Server Setup Wizard PostgreSQL is installed and the database directory is created when you run either:The Log Server Setup WizardorThe Report Server Setup WizardThe PostgreSQL install creates a new user for Postgres to use for connections to the database.The name of the account is watchguard_pg_user; it is a non-administrator account.Do not change the password for this user or delete the user; the postgres process runs under this account’s credentials.Do not run the Log Server Setup Wizard over a Terminal Server or RDP connection to the log server computer; PostgreSQL does not install correctly over a terminal session.
11New Log Server Setup Wizard Pay close attention to this screen of the Setup WizardTo change the log data directory after PostgreSQL is installed, you must run the Setup Wizard again.To change the data directory after the server is configured:Stop the Log Server service and the Report Server service. (Right-click the appropriate icon in the WatchGuard Toolbar and select Stop Service.)Uninstall PostgreSQL from the Windows Add/Remove Programs applet. The log database is not deleted.Copy the original \data directory, for example C:\Documents and Settings\WatchGuard\logs\data (and all files and folders within), to the new location.Run the Log Server Setup Wizard again.Select the new directory, without the \data part of the path, as the data directory, on this screen of the wizard.Specify the location for the database on the first screen of the wizard. The setup wizard reinstalls PostgreSQL using the new location for the database directory.
12New Log Server - Admin User Interface Configure the Log Server To configure the Log Server, left-click once on the Log Server icon in the WatchGuard toolbar.Or, right-click and select Configure
13New Log Server - Log Server Configuration Server Settings Tab The Log Server can send notifications about itself to this address.Firebox Event Notifications also go to this address
14New Log Server - Log Server Configuration Expiration Settings Tab Automatically purge old logsAutomatically back up logsAll notifications are sent by the Log Server, not by the appliance.The backup directory must be on the same PC as the Log Server.The format of the backup is a comma-separated vale (CSV) file with .txt file extension.To restore the backup:Use the wlconvert command-line utility in \Program Files\WatchGuard\WSM10.0\wlcollector\bin to convert to XML format.Use the wlimport utility (in the same directory) to import the XML files into the database.Send appliance notifications
15All Firebox appliances that send logs show here New Log Server - Log Server Configuration Logging/Monitoring Settings tabAll Firebox appliances that send logs show hereSend log messages about the Log Server itself to:The Windows Event ViewerA text file
16New LogViewer Total Redesign for Maximum Usability All-new enhanced LogViewer gives powerful new featuresThe LogViewer connects to the Log Server over TCP port 4121
17New LogViewer Launch and Connect to a Log Server Start LogViewer from the WatchGuard System Manager.Then, connect to a Log Server.The Log Viewer connects to the Log Server over TCP port 4121.You can create a rule in Policy Manager to allow connections to your Log Server from specified locations.
18New Log Viewer Select the appliance or server to view logs Select one or more devices to see their logsAll devices logging to this Log Server (including other servers) show hereReport Server and Management Server can also send logs to Log Server!
19New LogViewer Arrange the windows for the different devices’ logs Cascade the windowsOr tile them
20New Log Viewer Category View All logsOnly traffic logsOnly alarmsOnly eventsOnly debug logsOnly bandwidth statistics messagesFireware sends bandwidth statistics messages only when you turn it on in Policy Manager at Setup > Logging > Performance Statistic. Devices running WFS and Edge devices cannot send these messages.
21New LogViewer Date Range View Select a preconfigured rangeOr make a custom time filter
22New LogViewer – Search String Search Simple string search is very usefulSearch for:An IP addressBlocked sites / blocked portsAll messages with a key word, for example:IKEType of or HTTP headerA username
23New Log Viewer – Search Put context to the message When Search finds an interesting log message, you can show the log messages before and after it.Right-click the message and select Show Log ExcerptOr press F5You see 50 messages before and after the target log message
24New LogViewer Preferences Store general preferencesYour primary Log ServerHow many messages before and after the target in Log ExcerptHow many searches to remember
25New LogViewer Preferences Store viewing preferencesDefault log typeFont sizeWhich columns to display for the different log types
26New LogViewer Search Manager Tools Search ManagerCreate powerful searches and save them for later useAdvanced Search shows why a SQL database is better
27New LogViewer Multiple export options Export logs as:CSV (comma-separated value) fileHTML pagePDFXML fileInstantly logs as:CSV fileSelect and copy as plain text
28New Report Server - Overview What it does Collects and presents log dataPeriodic collection from Log ServerPeriodic generation of reportsProvides reports to Report Manager via XMLRPCReports are immediately viewable and automatically refreshIf you run the Report Server Setup Wizard before you run the Log Server Setup Wizard, the Report Server installs PostgreSQL.Whichever one you run first (Report Server Setup Wizard or Log Server Setup Wizard) installs postgres.
29New Report Server - Overview What It Does Log DataConsolidated Log DataLog ServerReports
30New Report Server – Configuration Expiration Settings tab Server Settings tab is identical to same tab in Log ServerExpiration Settings tab:Automatically delete old reportsTurn on notification of events about the Report Server itself
31New Report Server – Configuration Report Generation tab Tell the Report Server where to get dataThis is the server management passphrase, not the log encryption key!
32New Report Manager Overview Report Manager is the client application that connects to the Report ServerReplaces old Historical ReportsThe left-hand pane shows the available reportsThe right-hand pane is a browser (based on Internet Explorer) showing the selected reportThe Report Manager connects to the Report Server over TCP port 4122.You can create a rule in Policy Manager to allow connections to your Report Server from specified locations.You must have Internet Explorer installed on the Windows PC to run Report Manager.
33New Report Manager Launch and Connect to a Report Server Start Report Manager from WSM.Then, connect to a Report Server.Getting Reports for a managed Firebox:If you:Use WSM to connect to a Management Server managing WatchGuard appliancesSelect a managed device before launching Report ManagerThen Report Manager should automatically connect to the Report Server that generates reports for that device, and automatically show Reports for that device.This works best when the Report Server and the Management Server are on the same computer, and that will be the case for most customers.If the Report Server making reports for the device and the Management Server managing the device are on different computers, then in order for this to work (Report Manager automatically connects to Report Server and shows logs for the selected managed device) you must use the “Monitored Report Servers” option in WSM to add the Report Server information. If you do not do that, you can still use Report Manager to connect to a Report Server and see reports; the difference is that Report Manager will not automatically launch “in the context of” the managed device – you must use the “Connect to Report Server” dialog box to connect to the correct Report Server.
34Report Server Available Reports Reports carried forward from earlier Historical Reports:Denied Packet SummaryDenied Packet DetailIncomingOutgoingSMTP SummarySMTP Server SummarySMTP DetailSPAM SummaryFirebox StatisticsPOP3 SummaryPOP3 DetailAlarmsPacket Filter Host SummaryProxy Host SummaryHTTP Most Popular DomainHTTP SummaryHTTP URL DetailIPS PacketIPS Summary and its detail subreports:ProtocolSeveritySourceSignatureAV Summary and its detail subreports:HostVirusSenderWebBlocker DetailReports Carried Forward From Earlier Reporting:HTTP Most Popular DomainHTTP SummaryHTTP URL DetailIPS PacketIPS Summary and its detail subreports:ProtocolSeveritySourceSignatureAV Summary and its detail subreports:HostVirusSenderWeb Blocker DetailDenied Packet SummaryDenied Packet DetailIncomingOutgoingSMTP SummarySMTP Server SummarySMTP DetailSPAM SummaryFirebox StatisticsPOP3 SummaryPOP3 DetailAlarmsPacket Filter Host SummaryProxy Host SummaryBUM ß “Boxes Under Management” for those of you who didn’t work with our legacy MSS product JNew Reports:HTTP Most Active ClientWeb SurfingExternal Interface Bandwidth ReportManagement Server Audit TrailManagement Server Audit Trail DetailManagement Server Authentication
35Report Server Available Reports New Reports in 10:HTTP Most Active ClientWeb SurfingExternal Interface Bandwidth ReportManagement Server Audit TrailManagement Server Audit Trail DetailManagement Server AuthenticationBUM “Boxes Under Management”External interface bandwidth report can work only if you turn on “Performance Statistics” in Policy Manager at Setup > Logging > Performance Statistics.
37What’s New in WSM/Fireware 10 Management Server Enhancements - Overview Multi-user supportRecord lockingConfiguration passphrase cachingForce comments on Config ChangeFolders with lockoutNotification enhancementsLiveSecurity Alerts
38Management Server Enhancements Multi-user support Add users on new Users tab of Management Server Configuration
39Management Server Enhancements Multi-user support Management Server user accounts:Admin privilegesCan create new user accounts on the Management ServerCan administer all devices under management with WSM connection to Management ServerRead-Write privilegesRead-Only privilegesCan view all devices under managementThis user connects to the Management Server in Monitoring Mode
40Management Server Enhancements Multi-user support Users must now provide username and passphrase when connectingProvides audit trail in Management Server reportDefault account is adminThis account uses the server management passphraseThis is the same password you used before to connect to your Management Server from WSM
41Management Server Enhancements Record locking and caching passphrases When you bring up Policy Manager for a managed device:WSM prevents others from using Policy Manager for that device when they connect to the Management ServerReduces the chance that conflicting edits are made at the same time by different usersPolicy Manager automatically enters the device’s configuration passphrase when you save the configuration back to the FireboxNo need to remember the configuration passphrases for all your managed devicesNo need to share managed devices’ configuration passphrases with othersThere is no way to prevent others from using Policy Manager to edit a device’s configuration by connecting directly to the device.Do not share the configuration passphrases of your managed devices if you want to prevent this. When users have accounts on the management server, there is no need for them to know configuration passphrases for the managed devices.For this to work:Firebox you manage must be running Fireware 10You must launch Policy Manager via a connection to the Management Server (not a connection to the device itself)
42Management Server Enhancements Record locking Connect to Management Server using WSM Launch Policy Manager for an applianceThe device record is lockedWhen a different user connects to the Management Server at the same time:A “Maintenance Alert” shows for that devicePolicy Manager is not available for that device
43Management Server Enhancements Configuration passphrase caching When you use that instance of Policy Manager to save the configuration, Policy Manager automatically puts the appliance’s configuration passphrase into the entry fieldWhen you close Policy Manager (or use it to File > Open a different Firebox) the lock is released
44Management Server Enhancements Force comments Force comments on config changeTurn this on in Management Server ConfigurationUsers must add comment when saving config via a connection to Management ServerThese comments will show in the Management Server Report you can run from Report Manager.
45Management Server Enhancements Folders with lockout Right-click Management Server and select Add New Folder
46Management Server Enhancements Folders with lockout You can make a VPN between two devices inside the same locked folderYou cannot make a VPN tunnel between a device in a locked folder and a device not in the same locked folderPrevent “mistake” VPNsThose can cost the managed security provider $$ and reputationLocks can also apply to nested folders (folders within folders). The same rules apply:You can make a VPN between two devices inside the same locked folderYou cannot make a VPN tunnel between a device in a locked folder and a device not in the same locked folderLocked folder has a padlock on the folder’s icon
47Management Server Enhancements Notification enhancements Get notified if a managed device does not contact the Management Server when its DVCP lease expiresFrom:Subject: Notice from Management ServerHost: dc01Time: Fri Feb 08 09:15:Process: 3848:3900Message:Information (8249), no contact from device with name Miami_X6500e, id , and IP address
48Management Server Enhancements LiveSecurity Alerts WSM displays LiveSecurity broadcasts when you select the Management ServerAlerts that will appear:New software updates availableWatchGuard vulnerabilities
53What’s New in WSM/Fireware 10 Firebox System Manager Enhancements - Overview Front Panel tab updated for Mobile VPN with SSLSearch Traffic MonitorDisplay logs by type of messageMultiple-line select (ctrl-click or shift-click) and copySelect notifications from entire event catalogService Watch graph by bandwidth
54Firebox System Manager Enhancements Front Panel Tab Mobile VPN with SSL sessions displayed on Front Panel tab
55Firebox System Manager Enhancements Front Panel Tab Log off remote users from Front Panel tab
56Firebox System Manager Enhancements Traffic Monitor Tab Search Traffic Monitor
58Firebox System Manager Enhancements Traffic Monitor Tab Multiple-line select (ctrl-click or shift-click) and copy
59Firebox System Manager Enhancements Traffic Monitor Tab Select Notifications from Event CatalogRight-click an event in Traffic MonitorInstantly set up notification for the next time that event happens
60Firebox System Manager Enhancements Service Watch Tab Use Service Watch to:Graph the traffic going through each policy by bandwidthSee the number of sessions going through each policy
65Mobile VPN with SSL Overview PC and Mac compatible – one download page for both
66Mobile VPN with SSL URL for users to get the software URL to authenticate and get the client software:https://[firebox.ip.address]:4100/sslvpn.htmlNote the /sslvpn.html at the endURL to authenticate only remains the samehttps://[firebox.ip.address]:4100
67Mobile VPN with SSL Configuration in Policy Manager Simple straightforward configurationPolicy Manager: VPN Mobile VPN SSLUse any authentication serverSpecify which WAN users connect to first and second (failover)Allow granular access or access to all connected networks
69New Proxies for VoIP H.323 and SIP These proxies work to allow some VoIP/Videoconferencing through the Firebox:SIP ProxyH.323 ProxyH.323 proxy supports NAT-traversal for voice and video trafficH.323 Gatekeeper (“PBX” hosting/trunking) and T.120 multimedia support not in this release.H.323 support is limited to point-to-point connectionsSIP proxy supports NAT-traversal for voice and video trafficDoes not provide the PBX registration capabilities of a typical standalone SIP Registrar-ProxyMust have your own Registrar-Proxy server to route these connectionsSIP proxy has only been tested with PBX’s located on the external segment of the Firebox (hosted scenario, no trunking).
70New Proxies for VoIP H.323 and SIP Simple to configureH323SIP
71New Proxies for VoIP TFTP Typically for:Sending updates to VoIP devices under managementSending configuration filesSending ROM images or firmware updatesTrivial File Transfer ProtocolFor more than just VoIPTFTP Proxy lets you allow or deny content by matching file name patterns for:DownloadsUploads
72New TCP-UDP Proxy Multiple Protocol Detection TCP-UDP Proxy detects what protocol the traffic is:HTTPHTTPSSIPFTP
73New HTTPS Proxy What it can do Block objectionable HTTPS sites using WebBlockerAllow or deny access to web sites based on Domain NamesFireware matches Domain Name patterns against the Subject field in the web site’s SSL certificateEvery HTTPS connection to a web site involves an exchange of certificates. The HTTPS proxy reads the certificate that the web site sends and finds the certificate’s Subject field.Fireware matches the value of the Subject field against the Domain Name area of the HTTPS proxy to allow or deny access.
75What’s New in WSM/Fireware 10 Enhancements to Security Subscriptions Intrusion Prevention (IPS) EnhancementsNew signature setBroader range of signaturesBotnet protection for serversUpdated signature scanning engineApproximately 40% increase in IPS performanceSimpler IPS ConfigurationP2P and IM now integral part of Fireware (no IPS license required)WebBlocker EnhancementsExpanded Category ListWebBlocker for HTTPSspamBlocker EnhancementsVirus Outbreak Detection
78Single Sign-On Requirements Only for Active Directory domainsInstall WatchGuard Authentication Gateway software on a domain computerThis computer called the SSO AgentThe domain account under which the agent software runs must:Have “Log on as a service” permission granted (for the service to run automatically)Be a member of Domain Admins group (to query PCs running Vista)All domain PCs must allow connections over 139 and 445Add exceptions to Windows Firewall for File and Printer Sharing, or turn off Windows Firewall
79Single Sign-On Settings Policy Manager:Setup Authentication Authentication SettingsIP address of the PC running WatchGuard Authentication Gateway software (the SSO agent)How long the SSO agent should cache responses it gets from PCs it queriesIP addresses that the Firebox will not ask about
80Single Sign-On How it works 1 Firebox sees traffic come from a trusted or optional or VLAN interfaceSSO does not work for traffic coming from an external interfaceFirebox sends query to SSO agent (PC running WatchGuard Authentication Gateway software)This is a port 4114 connection. Command is get user <ip.address>SSO agent checks its cache.If it has an entry for this IP address, it returns an answer to the FireboxIf not in cache, SSO agent queries that IP addressUses Windows NetWkstaUserEnum() callWindows Networking connection over port 139 and/or 445Computers can still authenticate by bringing up a browser and making an HTTPS connection to the Firebox over port 4100, just as in previous Fireware versions.If SSO agent PC gets no reply, send error message to FireboxThe IP address is not added to authentication list
81Single Sign-On How it works 2 PC returns answer to SSO agent. There can be more than one answerSSO agent uses only the first answer it gets from the PCSSO agent sends query to Active Directory server to find what groups the user is a member ofActive Directory returns all values of memberOf attribute tied to that user objectSSO agent PC returns answer to FireboxUser name logged in to that PC and groups of which the user is a memberFirebox puts <IP address>, <user name>, and <groups of which the user is a member> in its internal list of authenticated usersAuthentication List tab of Firebox System Manager displays the IP address and user name of authenticated users
82Single Sign-On How it works 3 Use user names and Active Directory groups in your policies to restrict access
84What’s New in WSM/Fireware 10 VPN Enhancements Selective Auto-start of BOVPN TunnelsDead Peer DetectionMobile VPN with IPSec Policies More ConfigurableNotification of BOVPN Events
85VPN Enhancements Selective auto-start of BOVPN tunnels At the bottom of the General Settings tab of the Gateway
86VPN Enhancements Mobile VPN with IPSec more configurable You can now edit the Mobile VPN/IPSec policy to change the allowed access.The policy is no longer tied to the “allowed resources” assigned to the Mobile VPN/IPSec Group
87VPN Enhancements Dead Peer Detection On the Phase 1 Settings tab of the Gateway
90New Logging and Reporting Architecture Notification enhancements SNMPv3 SupportNew WebBlocker Alarm OptionsThe Firebox can now send notifications for:Multi-WAN EventsBOVPN DownLost contact with WebBlocker ServerSNMP v3 provides message integrity, authentication, and encryption.Fireware 10 supports single user authentication only.The SNMP v3 server that receives traps must know the Engine ID. Engine ID is the serial number of the Firebox appliance.
92What’s New in WSM/Fireware 10 Networking Enhancements Static MAC/IP Address BindingEdit an interface Advanced tabSelect Only allow traffic sent from or to these MAC/IP Addresses to lock out all other traffic on this interfaceKeep the box cleared to add only Static ARP entriesIf you turn on “Only allow traffic sent from or to these MAC/IP addresses”, then the Firebox does not learn new ARP entries.If you do not turn on this option, then the Firebox ARP function continues to learn new addresses, including entries that may not be valid (spoofed ARP).
94What’s New in WSM/Fireware 10 LiveSecurity Integration Quick Setup Wizard pulls feature key from LiveSecurityAppliance must be registered before you can use the QSW to get the Feature KeyIf the appliance is not registered, you can get to the Internet during the Quick Setup Wizard to register itYou can skip this step of the Wizard if you have not registered the device yetIf there is no Feature Key, one user can get to the Internet after it is configured
95What’s New in WSM/Fireware 10 LiveSecurity Integration Updated feature key displayEasier to understandEasier to see when features expireOld