1 Fireware Pro 9.1 What’s New

2 What’s New in Fireware 9.1: Overview
This presentation has three categories:
- New Features in 9.1
- Enhancements to existing features
- Miscellaneous changes

3 Fireware 9.1 New Features
- Factory Shipped User Area
- New power-on mode
- New steps for Quick Setup Wizard
- Quarantine Server
- HTTP proxy exceptions
- POP3 proxy
- Automatic redirect after firewall authentication
- New authentication web server certificate
- Server load balancing
- Import/export proxy actions and rulesets
- Support for jumbo frames
- Support for Windows Vista
- Find Policy feature

4 Factory Shipped User Area: Fireware pre-loaded from factory
Benefits:
- Improved out-of-box experience
- Faster, easier deployment
- One computer can get to the Internet during QSW
- Register box with LSS and get feature key during QSW
  - No need to disconnect from Firebox, connect to live Internet connection, get feature key, reconnect to Firebox, continue Wizard
- User can still finish QSW if user forgot to (or did not know to) install Fireware on the management station
- Not sure yet when manufacturing cutover happens

5 Power-on options: Safe Mode & Recovery Mode
Safe Mode (New boot method)
- Power-on + down arrow button
  - Hold button until LCD shows WatchGuard Technologies
- Available only if 9.1 image is installed on box
- Allows one computer out to the Internet
- Saves time: Loads new Fireware image only if image on computer is newer
Recovery Mode (Same as current method)
- Power-on + up arrow button
- Used to be called Safe Mode
- No Internet access until QSW is done
- Must have feature key to finish
- New Fireware image is always loaded

6 Quick Setup Wizard: New and different steps
- Skip instructional steps if user knows that the box is in a discoverable state
- Next step, discovery
- At least four more steps until discovery

7 Quick Setup Wizard: New and changed steps
- Set external IP address information during QSW
  - External interface settings are saved to Firebox immediately
  - Lets user out to Internet before or during feature key step
- DNS information
  - The Firebox must have DNS information for spamBlocker to work, and to get Gateway AV/IPS updates
- Feature key step of QSW: “Click to go to LiveSecurity site”
  - Works only if 9.1 installed
  - Works only if booted using down arrow
  - Detects and displays current license if user ran the QSW previously
- Remote management step
  - Adds an external IP address to the From: field of WatchGuard policy

8 Quarantine Server
- Quarantine spam
  - Works with spamBlocker only
  - Does not quarantine based on virus signature or content types
  - SMTP proxy yes; quarantine spam, bulk, or suspect email
  - POP3 proxy no; cannot quarantine POP3 email
- New icon in WatchGuard toolbar
- Install with server components during WSM install

9 Quarantine Server
- New “Quarantine” action in spamBlocker
- Quarantine based on spam classification
- Quarantine based on Exception

10 Quarantine Server: Server Settings
- Set maximum database size
- Admin notification when database gets close to capacity
- SMTP server settings

11 Quarantine Server: Expiration Settings
- How long to keep messages
- For which domains the Quarantine Server will keep email

12 Quarantine Server: User notification
- Customize body text for notification emails sent to users

13 Quarantine Server: Rules
Automatically remove messages based on:
- From specific domains
- From specific senders
- With specific text in the Subject

14 Quarantine Server: Statistics
- Export data to: Excel, CSV
- Filter report by: Date, Spam classification
- View data by: Month, Week, Day

15 Quarantine Server: User notification

16 Quarantine Server
- Simple for user to delete or release emails

17 HTTP Proxy Exceptions: Bypass rule checking
- An easy way to allow content from:
  - Windows Updates
  - Symantec Updates
  - Other friendly sites
- Proxy sets all rules to Allow for these sites
- Allows all content from hosts that match this list

18 POP3 Proxy: Server and Client POP3 proxies

19 POP3 Proxy: Benefits
- Content Type filtering
  - Strip or lock attachments based on declared MIME type
- Filename filtering
  - Strip or lock attachments based on filename pattern
- AV scanning
  - Strip or lock attachments if virus found
- IPS scanning
  - Strip or lock attachments if signature matches
- spamBlocker
  - Allow or tag based on categorization
  - No quarantine for spam with POP3 email (only SMTP email can be quarantined)

20 POP3 Proxy: Benefits
- Simpler, easier-to-understand defaults

21 POP3 Proxy: Limitations
- POP3 proxy cannot block POP3 emails:
  - In POP3 transaction, client gets message count first
  - Client keeps trying until number of messages received matches count
  - We must deliver the correct number of messages
- Attachment scanning
  - Inline engine – not store-and-forward
  - Client may get truncated attachment along with the deny message
- spamBlocker cannot quarantine POP3 messages
  - For the same reasons we cannot block POP3 mail
  - spamBlocker can [Allow] or [Add Subject Tag] only

22 Firewall Authentication: Automatic redirect after authentication
- Setup > Authentication > Authentication Settings
- Authentication settings moved here from Setup > Global settings
- New Redirect option: User’s browser is redirected to this URL five seconds after successful authentication

23 Firewall Authentication: Customizable Web Server Certificate
No more security warnings! Why does the user get warnings from the browser?
1. The name on the certificate does not match the URL in the browser
  - Fixed with new Fireware web server certificate
  - Uses subject alternative names to match several possible URLs
  - Three different options for Fireware’s web server certificate
2. Certificate is not trusted
  - User still must import the CA cert from the issuing authority (or the web server certificate itself)
  - Import to trusted root store

24 Firewall Authentication: Customizable web server certificate
Three options:
- Default certificate
  - Uses each trusted interface IP address as subject alt names
- Third party certificate
  - Must import using FSM
  - Mark purpose as “web server” when generating Certificate Signing Request (CSR)
- Custom Certificate Signed by Firebox
  - Option to add more subject alt name fields: IP addresses or domain names
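The name-mismatch warning from slides 23 and 24, as an added example that is not part of the original presentation or any WatchGuard code: a simplified model of how a browser compares the host in the URL with a certificate's subject alt names. The addresses and domain names are constructed, and the (type, value) pairs follow the shape Python's ssl.getpeercert() uses for 'subjectAltName'.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def san_matches(san, host):
    """san: list of (type, value) subject alt name entries.
    host: what the user typed in the browser URL."""
    if _is_ip(host):
        want = ipaddress.ip_address(host)
        return any(t == "IP Address" and _is_ip(v) and ipaddress.ip_address(v) == want
                   for t, v in san)
    # A hostname is never compared against IP entries, even if it resolves to one.
    return any(t == "DNS" and _dns_match(v, host) for t, v in san)

# Constructed sample certificates (addresses and names are made up).
# Default certificate: only the trusted interface IP addresses.
DEFAULT_CERT_SAN = [("IP Address", "10.0.1.1"), ("IP Address", "10.0.2.1")]
# Custom certificate: the same IPs plus extra domain-name entries.
CUSTOM_CERT_SAN = DEFAULT_CERT_SAN + [("DNS", "firebox.example.com"),
                                      ("DNS", "*.auth.example.com")]

def warnings_for(san, hosts):
    """Return the hosts for which the browser would raise a name-mismatch warning."""
    return [h for h in hosts if not san_matches(san, h)]

if __name__ == "__main__":
    hosts = ["10.0.1.1", "firebox.example.com", "gw.auth.example.com", "10.0.3.1"]
    print("default cert mismatches:", warnings_for(DEFAULT_CERT_SAN, hosts))
    print("custom cert mismatches: ", warnings_for(CUSTOM_CERT_SAN, hosts))
```

A matching name removes only the first warning; the second (untrusted issuer) still depends on the CA certificate being in the client's trusted root store.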

25 Server Load Balancing
- Balances incoming traffic to server clusters
- Add it in a familiar, intuitive way.
  - In the To: field, select Add > Add NAT
  - New drop-down list to select Server Load Sharing instead of Static NAT
- Sticky Connections makes sure new connections from the same client use the same server for the specified time.

26 Server Load Balancing: Algorithms
- Supports up to 10 servers per object
- Algorithms:
  - Weighted Round-robin
  - Weighted Least Connections

27 Policy Manager Enhancements: Import and Export from Policy Manager
- Useful for managing many boxes
- Copy back and forth between XML configurations
- Must be from the same version of WSM/Policy Manager
  - Cannot import 9.0 object into 9.1 Policy Manager, for example
  - Convert older configuration before exporting for use in newer version
- Objects you can import/export:
  - Proxy actions
  - Individual rulesets within proxy actions
  - Custom policies
  - WebBlocker exceptions
  - spamBlocker exceptions
  - Schedules

28 Import/export: Objects you can import/export
- Proxy actions

29 Import/export: Objects you can import/export
- Individual rulesets within proxy actions
  - SMTP: greeting rules; authentication schemes, content types, filenames, mail from, mail to, headers
  - HTTP: request methods, URL paths, headers, authentication schemes, content types, cookies, body content types
  - DNS: OPCodes, query types, query names
  - FTP: commands, downloads, uploads
  - POP3: authentication schemes, content types, filenames, headers
- Must be in Advanced View to see Import/Export buttons

30 Import/export: Objects you can import/export
- Custom policies

31 Import/export: Objects you can import/export
- WebBlocker Exceptions

32 Import/export: Objects you can import/export
- spamBlocker Exceptions

33 Import/export: Objects you can import/export
- Schedules

34 Ethernet Driver Updates: Support for Jumbo Frames
- You can now set MTU on Firebox interfaces up to 9000
- Previous limit was 1500
- 1500 is normal maximum MTU for Ethernet

35 WSM Enhancement: Support for Windows Vista
- All variants of Windows Vista are supported in WSM v9.1 for Firebox configuration, monitoring, and management
- Windows Vista not supported yet for MUVPN
- Vista-compatible MUVPN client scheduled for Fall

36 Policy Manager Enhancements: Find Policy (Edit > Find)
- Finds policies that match the search criteria

37 Policy Manager Enhancement: Policy-Based Routing (PBR) Column
If a policy uses PBR:
- Interface number used for PBR listed in new column
- Multiple interface numbers indicate that the PBR uses failover

38 Fireware 9.1 Feature Enhancements
- Management Server
- HTTP proxy
- SMTP proxy
- FTP proxy
- GatewayAV/IPS
- spamBlocker
- WebBlocker
- Branch Office VPN
- IPSec Pass-through
- Firebox certificates
- DHCP
- HostWatch
- PMTU

39 Management Server Enhancements
- Better efficiency
- Compiling and deploying policies is faster
- Better scalability
- New “Hub” VPN resource
- For default-route VPNs (send all traffic through VPN)
- Turn off logging of DVCP-generated VPN policies
- Custom VPN policies only
- Phase 1 now configurable
- Still uses Aggressive Mode; no Main Mode tunnels
- Several defects fixed

40 Management Server Enhancements: New Hub Network VPN Resource
- VPN sends all traffic through the Firebox that has “Hub Network” as the local resource.
- Warning tells you that a dynamic NAT rule may be necessary to let traffic from branch office out to Internet.

41 HTTP Proxy Enhancements: WebDAV Support
- All WebDAV methods now supported
- What is WebDAV?
  - Stands for Web-based Distributed Authoring and Versioning
  - A set of extensions to the HTTP 1.1 specifications
  - Adds new HTTP request methods to the familiar GET, HEAD, POST, etc.
  - Used for collaborative authoring of documents and versioning control:
    - Outlook Web Access
    - SubVersion (popular open-source version control system)
    - Wherever you see team authoring and version control

42 HTTP Proxy Enhancements: WebDAV Support

43 SMTP Proxy Enhancements: Benefits and limitations
- Turn off ESMTP altogether with one box
- Turn off logging of denied ESMTP verbs
- Auto-detect MIME types

44 FTP Proxy Enhancements: Benefits and limitations
- Full data channel inspection
  - Gateway AntiVirus
  - Intrusion Prevention
- New option for maximum number of failed logins
  - Auto-block the source if number is exceeded
  - Protects against dictionary attacks on your FTP server

45 AV/IPS Enhancements: Benefits and limitations
- All inline scanning engine now
  - Same inline scanning engine that has always been used in the HTTP proxy
  - This means we no longer use the Clam AV scanning engine for the SMTP proxy
  - No limit to the size of attachments we can scan
  - We do, however, still use Clam AV signatures

46 spamBlocker Enhancements: Benefits and limitations
- Proactive Patterns
  - spamBlocker downloads small (no more than 20MB) database of patterns
  - For quicker detection of patterns no longer in the wild
  - Works only on legacy Peak, any e-Series
- Trusted email forwarders
- Bulk import/export spamBlocker exceptions (white/blacklists)
- Set Allow or Deny when spamBlocker server is unavailable

47 WebBlocker Enhancements: Benefits and limitations
- New organization for categories in UI
- New UI option to change listening port of WebBlocker Server
  - Right-click WebBlocker Server icon in Windows taskbar
  - Stop service, then right-click again:

48 Branch Office VPN Enhancements: Better explanation of SA creation
- Phase 2 SA creation options expanded, more user-friendly
[Screenshots: Old, New]

49 Branch Office VPN Enhancements: Rekey BOVPNs
- Rekey All
  - Tools menu in FSM
- Rekey Selected
  - Right-click the active tunnel in the Front Panel tab

50 IPSec Pass-through Enhancements: Code Overhauled
- IPSec pass-through code totally overhauled
- Multiple IPSec clients behind Firebox can make outbound VPN sessions to concentrators on the external network at the same time, with fewer problems
- Enable IPSec Pass-through at VPN > VPN Settings

51 IPSec Pass-through Enhancements: IPSec policy automatically added
IPSec policy automatically added when IPSec pass-through enabled
1. Enable IPSec Pass-through at VPN > VPN Settings
2. Policy Manager automatically adds WatchGuard IPSec policy

52 Firebox Certificates: UI Enhancements
- Updated wizard for Certificate Signing Request (CSR)
- Same information; clearer presentation

53 DHCP Server Enhancements: New DNS Settings
On each Firebox interface, you can specify new information to give DHCP clients:
- DNS server IP addresses
- Domain name (connection-specific DNS suffix)

54 HostWatch Enhancements
- External PPPoE interfaces now show properly
- You can now monitor VLANs, but you must manually type the name
  - VLANs do not show in the list (right-click, select Other)
- Create any combination of interfaces to monitor using a regular expression
- Type the interface name without the (ethx) part. Examples:
  - VLAN10                   VLAN called “VLAN10”
  - [RegEx] ^Optional-       All interfaces that start with name “Optional-”
  - [RegEx] Optional-[12]    First two optional interfaces

55 PMTU Enhancement: Tune PMTU for IPSec
- Some Path MTU Discovery Parameters now configurable
- Minimum PMTU is to guard against Denial of Service attacks caused by ICMP “request to fragment” messages with trivially low MTU
- Aging time is to return the interface MTU value to the MTU set at top of this tab after specified number of [seconds/minutes/hours/days]
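How the two PMTU settings on slide 55 interact, as an added example that is not part of the original presentation and is not Fireware code: a simplified path-MTU cache that refuses to go below a configured floor and ages learned values back to the interface MTU. The class, the 512-byte floor, the 600-second aging time and the addresses are all assumptions chosen for illustration, not product defaults.

```python
class PmtuCache:
    """Per-destination path MTU learned from ICMP 'fragmentation needed' messages."""

    def __init__(self, interface_mtu=1500, min_pmtu=512, aging_seconds=600):
        self.interface_mtu = interface_mtu   # MTU configured on the interface
        self.min_pmtu = min_pmtu             # floor: never fragment below this
        self.aging_seconds = aging_seconds   # how long a learned value is kept
        self._entries = {}                   # dest -> (mtu, learned_at)
        self.clamped = []                    # (dest, advertised) that hit the floor

    def get(self, dest, now):
        """Current MTU for dest; expired entries fall back to the interface MTU."""
        entry = self._entries.get(dest)
        if entry is None:
            return self.interface_mtu
        mtu, learned_at = entry
        if now - learned_at >= self.aging_seconds:
            del self._entries[dest]
            return self.interface_mtu
        return mtu

    def on_frag_needed(self, dest, advertised_mtu, now):
        """Handle an ICMP message asking us to send smaller packets to dest."""
        current = self.get(dest, now)
        if advertised_mtu >= current:
            return current                   # discovery only ever lowers the value
        mtu = advertised_mtu
        if mtu < self.min_pmtu:
            # A trivially low value would force heavy fragmentation: record it
            # for the log and apply the floor instead.
            self.clamped.append((dest, advertised_mtu))
            mtu = self.min_pmtu
        self._entries[dest] = (mtu, now)
        return mtu

def replay(cache, events):
    """Feed (dest, advertised_mtu, time) events; return the MTU after each one."""
    return [cache.on_frag_needed(d, m, t) for d, m, t in events]

# Constructed events: a plausible 1400, a suspicious 68, then a larger value.
EVENTS = [("198.51.100.7", 1400, 0), ("198.51.100.7", 68, 10), ("198.51.100.7", 1450, 20)]

if __name__ == "__main__":
    cache = PmtuCache()
    print(replay(cache, EVENTS), cache.clamped)
    print(cache.get("198.51.100.7", 610))    # aged out: back to interface MTU
```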

56 Fireware 9.1 Miscellaneous Changes
- Remember my password
- SNMP MIBs no longer use RapidStream number
- VLANs show in Bandwidth Meter
- Terminology change: Licensed Features to Feature Key
- Syslog – more facilities available
- Space allowed in interface names

57 Firebox System Manager UI Enhancements: Remember my passphrase
- For actions that require the configuration passphrase
- No need to enter read/write passphrase every time

58 SNMP Enhancements: New arc for MIBs
- Fireware MIBs now use WatchGuard private enterprise arc
- Old MIBs used RapidStream arc
- New MIBs use WatchGuard arc

59 Policy Manager: Miscellaneous Changes
- Setup > Licensed Features changed to Setup > Feature Keys

60 Thank You
