Presentation is loading. Please wait.

Presentation is loading. Please wait.

What’s New in WSM 10 and Fireware 10

Similar presentations


Presentation on theme: "What’s New in WSM 10 and Fireware 10"— Presentation transcript:

1 What’s New in WSM 10 and Fireware 10
Presenter Date

2 What’s New in WSM/Fireware 10 WSM 10 Overview
New SQL-based logging and reporting architecture WatchGuard Management Server enhancements Firebox System Manager enhancements New help system with search and Table of Contents

3 What’s New in WSM/Fireware 10 Fireware 10 Overview
New in Fireware 10 Mobile VPN with SSL New proxies for VoIP support New TCP/UDP proxy for multiple protocol detection Enhancements to security subscriptions Single Sign-On More integration with LiveSecurity BOVPN and Mobile VPN with IPSec enhancements New notifications Networking enhancements

4 New in WSM 10

5 New Logging and Reporting Architecture

6 New Logging and Reporting Architecture Overview
The new logging and reporting architecture includes: New SQL-based Log Server Totally redesigned LogViewer application New Report Server New Report Manager (replaces Historical Reports) One change to the WatchGuard Toolbar: The red dot on the icon means that the service is not running. Either the service is stopped, or the server is not yet configured. New Report Server icon

7 New Logging and Reporting Architecture About the SQL Database
Uses PostgreSQL Postgres is installed during either: Log Server Setup Wizard Report Server Setup Wizard The server you set up first (Report Server or Log Server) installs Postgres Because Postgres does not install over an RDP session, do not run the Log Server or Report Server Setup Wizard over RDP PostgreSQL installation creates the data directory and its structure There is no UI option to change the location of the data directory after Postgres is installed Installs a non-admin user account watchguard_pg_user Do not alter this account; it is for the Postgres service In this release, you must use command line for: Importing old XML log files into the database Restoring a backup of the database Do not run Postgres install over an RDP connection unless it is a console-based RDP connection: Start  Run  mstsc –v:Servername[:Port] /console

8 New Log Server SQL-based
Advantages to using SQL database for logs Much more scalable Logs from multiple appliances now stored in one database No more discrete XML log files Faster and more powerful log file search Faster report generation Report can be run on data stored in different Log Servers Automatic maintenance jobs are user-configurable: Automatic daily deletion of old logs Automatic daily backup If a Firebox has two Log Servers configured and one goes down, the Firebox could send log messages to two different servers. One Report Server can pull data from the two different Log Servers to make reports on the one Firebox.

9 New Log Server Log Server Setup Wizard
Click once on the Log Server icon to start the Log Server Setup Wizard The red dot on these icons means that either the service is stopped, or the server is not yet configured. If the server is not yet configured, left-click once on the icon to start the setup wizard. If the server is configured but the service is stopped, left-click once on the icon to start the service.

10 New Log Server Setup Wizard
PostgreSQL is installed and the database directory is created when you run either: The Log Server Setup Wizard or The Report Server Setup Wizard The PostgreSQL install creates a new user for Postgres to use for connections to the database. The name of the account is watchguard_pg_user; it is a non-administrator account. Do not change the password for this user or delete the user; the postgres process runs under this account’s credentials. Do not run the Log Server Setup Wizard over a Terminal Server or RDP connection to the log server computer; PostgreSQL does not install correctly over a terminal session.

11 New Log Server Setup Wizard
Pay close attention to this screen of the Setup Wizard To change the log data directory after PostgreSQL is installed, you must run the Setup Wizard again. To change the data directory after the server is configured: Stop the Log Server service and the Report Server service. (Right-click the appropriate icon in the WatchGuard Toolbar and select Stop Service.) Uninstall PostgreSQL from the Windows Add/Remove Programs applet. The log database is not deleted. Copy the original \data directory, for example C:\Documents and Settings\WatchGuard\logs\data (and all files and folders within), to the new location. Run the Log Server Setup Wizard again. Select the new directory, without the \data part of the path, as the data directory, on this screen of the wizard. Specify the location for the database on the first screen of the wizard. The setup wizard reinstalls PostgreSQL using the new location for the database directory.

12 New Log Server - Admin User Interface Configure the Log Server
To configure the Log Server, left-click once on the Log Server icon in the WatchGuard toolbar. Or, right-click and select Configure

13 New Log Server - Log Server Configuration Server Settings Tab
The Log Server can send notifications about itself to this address. Firebox Event Notifications also go to this address

14 New Log Server - Log Server Configuration Expiration Settings Tab
Automatically purge old logs Automatically back up logs All notifications are sent by the Log Server, not by the appliance. The backup directory must be on the same PC as the Log Server. The format of the backup is a comma-separated vale (CSV) file with .txt file extension. To restore the backup: Use the wlconvert command-line utility in \Program Files\WatchGuard\WSM10.0\wlcollector\bin to convert to XML format. Use the wlimport utility (in the same directory) to import the XML files into the database. Send appliance notifications

15 All Firebox appliances that send logs show here
New Log Server - Log Server Configuration Logging/Monitoring Settings tab All Firebox appliances that send logs show here Send log messages about the Log Server itself to: The Windows Event Viewer A text file

16 New LogViewer Total Redesign for Maximum Usability
All-new enhanced LogViewer gives powerful new features The LogViewer connects to the Log Server over TCP port 4121

17 New LogViewer Launch and Connect to a Log Server
Start LogViewer from the WatchGuard System Manager. Then, connect to a Log Server. The Log Viewer connects to the Log Server over TCP port 4121. You can create a rule in Policy Manager to allow connections to your Log Server from specified locations.

18 New Log Viewer Select the appliance or server to view logs
Select one or more devices to see their logs All devices logging to this Log Server (including other servers) show here Report Server and Management Server can also send logs to Log Server!

19 New LogViewer Arrange the windows for the different devices’ logs
Cascade the windows Or tile them

20 New Log Viewer Category View
All logs Only traffic logs Only alarms Only events Only debug logs Only bandwidth statistics messages Fireware sends bandwidth statistics messages only when you turn it on in Policy Manager at Setup > Logging > Performance Statistic. Devices running WFS and Edge devices cannot send these messages.

21 New LogViewer Date Range View
Select a preconfigured range Or make a custom time filter

22 New LogViewer – Search String Search
Simple string search is very useful Search for: An IP address Blocked sites / blocked ports All messages with a key word, for example: IKE Type of or HTTP header A username

23 New Log Viewer – Search Put context to the message
When Search finds an interesting log message, you can show the log messages before and after it. Right-click the message and select Show Log Excerpt Or press F5 You see 50 messages before and after the target log message

24 New LogViewer Preferences
Store general preferences Your primary Log Server How many messages before and after the target in Log Excerpt How many searches to remember

25 New LogViewer Preferences
Store viewing preferences Default log type Font size Which columns to display for the different log types

26 New LogViewer Search Manager
Tools  Search Manager Create powerful searches and save them for later use Advanced Search shows why a SQL database is better

27 New LogViewer Multiple export options
Export logs as: CSV (comma-separated value) file HTML page PDF XML file Instantly logs as: CSV file Select and copy as plain text

28 New Report Server - Overview What it does
Collects and presents log data Periodic collection from Log Server Periodic generation of reports Provides reports to Report Manager via XMLRPC Reports are immediately viewable and automatically refresh If you run the Report Server Setup Wizard before you run the Log Server Setup Wizard, the Report Server installs PostgreSQL. Whichever one you run first (Report Server Setup Wizard or Log Server Setup Wizard) installs postgres.

29 New Report Server - Overview What It Does
Log Data Consolidated Log Data Log Server Reports

30 New Report Server – Configuration Expiration Settings tab
Server Settings tab is identical to same tab in Log Server Expiration Settings tab: Automatically delete old reports Turn on notification of events about the Report Server itself

31 New Report Server – Configuration Report Generation tab
Tell the Report Server where to get data This is the server management passphrase, not the log encryption key!

32 New Report Manager Overview
Report Manager is the client application that connects to the Report Server Replaces old Historical Reports The left-hand pane shows the available reports The right-hand pane is a browser (based on Internet Explorer) showing the selected report The Report Manager connects to the Report Server over TCP port 4122. You can create a rule in Policy Manager to allow connections to your Report Server from specified locations. You must have Internet Explorer installed on the Windows PC to run Report Manager.

33 New Report Manager Launch and Connect to a Report Server
Start Report Manager from WSM. Then, connect to a Report Server. Getting Reports for a managed Firebox: If you: Use WSM to connect to a Management Server managing WatchGuard appliances Select a managed device before launching Report Manager Then Report Manager should automatically connect to the Report Server that generates reports for that device, and automatically show Reports for that device. This works best when the Report Server and the Management Server are on the same computer, and that will be the case for most customers. If the Report Server making reports for the device and the Management Server managing the device are on different computers, then in order for this to work (Report Manager automatically connects to Report Server and shows logs for the selected managed device) you must use the “Monitored Report Servers” option in WSM to add the Report Server information. If you do not do that, you can still use Report Manager to connect to a Report Server and see reports; the difference is that Report Manager will not automatically launch “in the context of” the managed device – you must use the “Connect to Report Server” dialog box to connect to the correct Report Server.

34 Report Server Available Reports
Reports carried forward from earlier Historical Reports: Denied Packet Summary Denied Packet Detail Incoming Outgoing SMTP Summary SMTP Server Summary SMTP Detail SPAM Summary Firebox Statistics POP3 Summary POP3 Detail Alarms Packet Filter Host Summary Proxy Host Summary HTTP Most Popular Domain HTTP Summary HTTP URL Detail IPS Packet IPS Summary and its detail subreports: Protocol Severity Source Signature AV Summary and its detail subreports: Host Virus Sender WebBlocker Detail Reports Carried Forward From Earlier Reporting: HTTP Most Popular Domain HTTP Summary HTTP URL Detail IPS Packet IPS Summary and its detail subreports: Protocol Severity Source Signature AV Summary and its detail subreports: Host Virus Sender Web Blocker Detail Denied Packet Summary Denied Packet Detail Incoming Outgoing SMTP Summary SMTP Server Summary SMTP Detail SPAM Summary Firebox Statistics POP3 Summary POP3 Detail Alarms Packet Filter Host Summary Proxy Host Summary BUM ß “Boxes Under Management” for those of you who didn’t work with our legacy MSS product J New Reports: HTTP Most Active Client Web Surfing External Interface Bandwidth Report Management Server Audit Trail Management Server Audit Trail Detail Management Server Authentication

35 Report Server Available Reports
New Reports in 10: HTTP Most Active Client Web Surfing External Interface Bandwidth Report Management Server Audit Trail Management Server Audit Trail Detail Management Server Authentication BUM “Boxes Under Management” External interface bandwidth report can work only if you turn on “Performance Statistics” in Policy Manager at Setup > Logging > Performance Statistics.

36 Management Server Enhancements

37 What’s New in WSM/Fireware 10 Management Server Enhancements - Overview
Multi-user support Record locking Configuration passphrase caching Force comments on Config Change Folders with lockout Notification enhancements LiveSecurity Alerts

38 Management Server Enhancements Multi-user support
Add users on new Users tab of Management Server Configuration

39 Management Server Enhancements Multi-user support
Management Server user accounts: Admin privileges Can create new user accounts on the Management Server Can administer all devices under management with WSM connection to Management Server Read-Write privileges Read-Only privileges Can view all devices under management This user connects to the Management Server in Monitoring Mode

40 Management Server Enhancements Multi-user support
Users must now provide username and passphrase when connecting Provides audit trail in Management Server report Default account is admin This account uses the server management passphrase This is the same password you used before to connect to your Management Server from WSM

41 Management Server Enhancements Record locking and caching passphrases
When you bring up Policy Manager for a managed device: WSM prevents others from using Policy Manager for that device when they connect to the Management Server Reduces the chance that conflicting edits are made at the same time by different users Policy Manager automatically enters the device’s configuration passphrase when you save the configuration back to the Firebox No need to remember the configuration passphrases for all your managed devices No need to share managed devices’ configuration passphrases with others There is no way to prevent others from using Policy Manager to edit a device’s configuration by connecting directly to the device. Do not share the configuration passphrases of your managed devices if you want to prevent this. When users have accounts on the management server, there is no need for them to know configuration passphrases for the managed devices. For this to work: Firebox you manage must be running Fireware 10 You must launch Policy Manager via a connection to the Management Server (not a connection to the device itself)

42 Management Server Enhancements Record locking
Connect to Management Server using WSM  Launch Policy Manager for an appliance The device record is locked When a different user connects to the Management Server at the same time: A “Maintenance Alert” shows for that device Policy Manager is not available for that device

43 Management Server Enhancements Configuration passphrase caching
When you use that instance of Policy Manager to save the configuration, Policy Manager automatically puts the appliance’s configuration passphrase into the entry field When you close Policy Manager (or use it to File > Open a different Firebox) the lock is released

44 Management Server Enhancements Force comments
Force comments on config change Turn this on in Management Server Configuration Users must add comment when saving config via a connection to Management Server These comments will show in the Management Server Report you can run from Report Manager.

45 Management Server Enhancements Folders with lockout
Right-click Management Server and select Add New Folder

46 Management Server Enhancements Folders with lockout
You can make a VPN between two devices inside the same locked folder You cannot make a VPN tunnel between a device in a locked folder and a device not in the same locked folder Prevent “mistake” VPNs Those can cost the managed security provider $$ and reputation Locks can also apply to nested folders (folders within folders). The same rules apply: You can make a VPN between two devices inside the same locked folder You cannot make a VPN tunnel between a device in a locked folder and a device not in the same locked folder Locked folder has a padlock on the folder’s icon

47 Management Server Enhancements Notification enhancements
Get notified if a managed device does not contact the Management Server when its DVCP lease expires From: Subject: Notice from Management Server Host: dc01 Time: Fri Feb 08 09:15: Process: 3848:3900 Message: Information (8249), no contact from device with name Miami_X6500e, id , and IP address

48 Management Server Enhancements LiveSecurity Alerts
WSM displays LiveSecurity broadcasts when you select the Management Server Alerts that will appear: New software updates available WatchGuard vulnerabilities

49 Quarantine Server Enhancements

50 Quarantine Server Enhancements Quarantine email based on virus classification
You can now send SMTP mail to the Quarantine Server based on whether Gateway AntiVirus detected a virus

51 Quarantine Server Enhancements Quarantine mail based on virus classification
You can send SMTP mail to the Quarantine Server based on whether spamBlocker’s Virus Outbreak Detection detected a virus

52 Firebox System Manager Enhancements

53 What’s New in WSM/Fireware 10 Firebox System Manager Enhancements - Overview
Front Panel tab updated for Mobile VPN with SSL Search Traffic Monitor Display logs by type of message Multiple-line select (ctrl-click or shift-click) and copy Select notifications from entire event catalog Service Watch graph by bandwidth

54 Firebox System Manager Enhancements Front Panel Tab
Mobile VPN with SSL sessions displayed on Front Panel tab

55 Firebox System Manager Enhancements Front Panel Tab
Log off remote users from Front Panel tab

56 Firebox System Manager Enhancements Traffic Monitor Tab
Search Traffic Monitor

57 Firebox System Manager Enhancements Traffic Monitor Tab
View: All logs Only traffic logs Only alarms Only events Only debug logs Only bandwidth statistics messages

58 Firebox System Manager Enhancements Traffic Monitor Tab
Multiple-line select (ctrl-click or shift-click) and copy

59 Firebox System Manager Enhancements Traffic Monitor Tab
Select Notifications from Event Catalog Right-click an event in Traffic Monitor Instantly set up notification for the next time that event happens

60 Firebox System Manager Enhancements Service Watch Tab
Use Service Watch to: Graph the traffic going through each policy by bandwidth See the number of sessions going through each policy

61 New Help System

62 New Help System Searchable, with Table of Contents

63 New in Fireware 10

64 Mobile VPN with SSL

65 Mobile VPN with SSL Overview
PC and Mac compatible – one download page for both

66 Mobile VPN with SSL URL for users to get the software
URL to authenticate and get the client software: https://[firebox.ip.address]:4100/sslvpn.html Note the /sslvpn.html at the end URL to authenticate only remains the same https://[firebox.ip.address]:4100

67 Mobile VPN with SSL Configuration in Policy Manager
Simple straightforward configuration Policy Manager: VPN  Mobile VPN  SSL Use any authentication server Specify which WAN users connect to first and second (failover) Allow granular access or access to all connected networks

68 New Proxies for VoIP Support

69 New Proxies for VoIP H.323 and SIP
These proxies work to allow some VoIP/Videoconferencing through the Firebox: SIP Proxy H.323 Proxy H.323 proxy supports NAT-traversal for voice and video traffic H.323 Gatekeeper (“PBX” hosting/trunking) and T.120 multimedia support not in this release. H.323 support is limited to point-to-point connections SIP proxy supports NAT-traversal for voice and video traffic Does not provide the PBX registration capabilities of a typical standalone SIP Registrar-Proxy Must have your own Registrar-Proxy server to route these connections SIP proxy has only been tested with PBX’s located on the external segment of the Firebox (hosted scenario, no trunking).

70 New Proxies for VoIP H.323 and SIP
Simple to configure H323 SIP

71 New Proxies for VoIP TFTP
Typically for: Sending updates to VoIP devices under management Sending configuration files Sending ROM images or firmware updates Trivial File Transfer Protocol For more than just VoIP TFTP Proxy lets you allow or deny content by matching file name patterns for: Downloads Uploads

72 New TCP-UDP Proxy Multiple Protocol Detection
TCP-UDP Proxy detects what protocol the traffic is: HTTP HTTPS SIP FTP

73 New HTTPS Proxy What it can do
Block objectionable HTTPS sites using WebBlocker Allow or deny access to web sites based on Domain Names Fireware matches Domain Name patterns against the Subject field in the web site’s SSL certificate Every HTTPS connection to a web site involves an exchange of certificates. The HTTPS proxy reads the certificate that the web site sends and finds the certificate’s Subject field. Fireware matches the value of the Subject field against the Domain Name area of the HTTPS proxy to allow or deny access.

74 Enhancements to Security Subscriptions

75 What’s New in WSM/Fireware 10 Enhancements to Security Subscriptions
Intrusion Prevention (IPS) Enhancements New signature set Broader range of signatures Botnet protection for servers Updated signature scanning engine Approximately 40% increase in IPS performance Simpler IPS Configuration P2P and IM now integral part of Fireware (no IPS license required) WebBlocker Enhancements Expanded Category List WebBlocker for HTTPS spamBlocker Enhancements Virus Outbreak Detection

76 WebBlocker Enhancements 40 Category to 54 Category Mapping
40-Category List name 54-Category List name Arts & Entertainment Arts Entertainment Drugs, Alcohol, Tobacco Illegal Drugs Alcohol & Tobacco Violence Tasteless & Offensive Hacking Spyware Computing & Internet Downloads Ringtones / Mobile Phone Downloads Criminal Skills Criminal Activity Phishing & Fraud Glamour & Intimate Apparel Intimate Apparel & Swimwear Fashion & Beauty Government & Politics Government Politics Lifestyle & Culture Society & Culture Philanthropic & Professional Organizations Remote Proxies Proxies & Translators Peer-to-Peer NOT REPRESENTED Spam URLs Infrastructure Business

77 Single Sign-On

78 Single Sign-On Requirements
Only for Active Directory domains Install WatchGuard Authentication Gateway software on a domain computer This computer called the SSO Agent The domain account under which the agent software runs must: Have “Log on as a service” permission granted (for the service to run automatically) Be a member of Domain Admins group (to query PCs running Vista) All domain PCs must allow connections over 139 and 445 Add exceptions to Windows Firewall for File and Printer Sharing, or turn off Windows Firewall

79 Single Sign-On Settings
Policy Manager: Setup  Authentication  Authentication Settings IP address of the PC running WatchGuard Authentication Gateway software (the SSO agent) How long the SSO agent should cache responses it gets from PCs it queries IP addresses that the Firebox will not ask about

80 Single Sign-On How it works 1
Firebox sees traffic come from a trusted or optional or VLAN interface SSO does not work for traffic coming from an external interface Firebox sends query to SSO agent (PC running WatchGuard Authentication Gateway software) This is a port 4114 connection. Command is get user <ip.address> SSO agent checks its cache. If it has an entry for this IP address, it returns an answer to the Firebox If not in cache, SSO agent queries that IP address Uses Windows NetWkstaUserEnum() call Windows Networking connection over port 139 and/or 445 Computers can still authenticate by bringing up a browser and making an HTTPS connection to the Firebox over port 4100, just as in previous Fireware versions. If SSO agent PC gets no reply, send error message to Firebox The IP address is not added to authentication list

81 Single Sign-On How it works 2
PC returns answer to SSO agent. There can be more than one answer SSO agent uses only the first answer it gets from the PC SSO agent sends query to Active Directory server to find what groups the user is a member of Active Directory returns all values of memberOf attribute tied to that user object SSO agent PC returns answer to Firebox User name logged in to that PC and groups of which the user is a member Firebox puts <IP address>, <user name>, and <groups of which the user is a member> in its internal list of authenticated users Authentication List tab of Firebox System Manager displays the IP address and user name of authenticated users

82 Single Sign-On How it works 3
Use user names and Active Directory groups in your policies to restrict access

83 BOVPN and Mobile VPN with IPSec Enhancements

84 What’s New in WSM/Fireware 10 VPN Enhancements
Selective Auto-start of BOVPN Tunnels Dead Peer Detection Mobile VPN with IPSec Policies More Configurable Notification of BOVPN Events

85 VPN Enhancements Selective auto-start of BOVPN tunnels
At the bottom of the General Settings tab of the Gateway

86 VPN Enhancements Mobile VPN with IPSec more configurable
You can now edit the Mobile VPN/IPSec policy to change the allowed access. The policy is no longer tied to the “allowed resources” assigned to the Mobile VPN/IPSec Group

87 VPN Enhancements Dead Peer Detection
On the Phase 1 Settings tab of the Gateway

88 VPN Enhancements Notification of BOVPN events
VPN > VPN Settings > BOVPN Notification button

89 New Notification Options

90 New Logging and Reporting Architecture Notification enhancements
SNMPv3 Support New WebBlocker Alarm Options The Firebox can now send notifications for: Multi-WAN Events BOVPN Down Lost contact with WebBlocker Server SNMP v3 provides message integrity, authentication, and encryption. Fireware 10 supports single user authentication only. The SNMP v3 server that receives traps must know the Engine ID. Engine ID is the serial number of the Firebox appliance.

91 Networking Enhancements

92 What’s New in WSM/Fireware 10 Networking Enhancements
Static MAC/IP Address Binding Edit an interface  Advanced tab Select Only allow traffic sent from or to these MAC/IP Addresses to lock out all other traffic on this interface Keep the box cleared to add only Static ARP entries If you turn on “Only allow traffic sent from or to these MAC/IP addresses”, then the Firebox does not learn new ARP entries. If you do not turn on this option, then the Firebox ARP function continues to learn new addresses, including entries that may not be valid (spoofed ARP).

93 More Integration with LiveSecurity®

94 What’s New in WSM/Fireware 10 LiveSecurity Integration
Quick Setup Wizard pulls feature key from LiveSecurity Appliance must be registered before you can use the QSW to get the Feature Key If the appliance is not registered, you can get to the Internet during the Quick Setup Wizard to register it You can skip this step of the Wizard if you have not registered the device yet If there is no Feature Key, one user can get to the Internet after it is configured

95 What’s New in WSM/Fireware 10 LiveSecurity Integration
Updated feature key display Easier to understand Easier to see when features expire Old

96 Thank You!


Download ppt "What’s New in WSM 10 and Fireware 10"

Similar presentations


Ads by Google