1. What’s New in Fireware v11.9.5
WatchGuard Training
©2015 WatchGuard Technologies, Inc.

2. What’s New in v11.9.5
Fireware now supports a maximum of 255 Active Directory user groups for authentication. [82846]
AP device firmware update — AP firmware v B [84203]
Gateway Wireless Controller shows the AP firmware build number on the AP device [83289]
Global setting to enable support for TCP MTU probing. [77129]
For Management Tunnels over SSL, managed Firebox devices can reconnect to the first Distribution IP Address for the Management Server [81377]
IPSec VPN Client Updates
WatchGuard Training

3. Increased Maximum Number of AD User Groups
Fireware now supports a maximum of 255 Active Directory user groups for authentication.
Supported for Firebox-DB authentication, Single Sign-On, and Terminal Services authentication.
Previously, the maximum number of supported Active Directory user groups was 64.
WatchGuard Training

4. AP Firmware & Gateway Wireless Controller Updates
A new version of AP firmware is now available for WatchGuard AP devices: version B
The AP firmware version and build number that runs on each AP device now appears in the Gateway Wireless Controller.
WatchGuard Training

5. TCP MTU Probing
In the Global Settings for your Firebox, there is a new Networking setting to enable support for TCP MTU probing.
You can now enable TCP MTU Probing to allow VPN traffic to pass through proxy policies on a central site when traffic was generated from a remote site through a zero route VPN tunnel, even when your Firebox has received an ICMP unreachable packet for the traffic sent through the BOVPN tunnel.
From Fireware XTM Web UI and Policy Manager, you can configure this feature to always be enabled or to be enabled automatically when ICMP fails.
WatchGuard Training

6. TCP MTU Probing
WatchGuard Training

7. TCP MTU Probing
From the Fireware Command Line Interface, you can configure this feature to always be enabled or to be enabled automatically.
global-setting tcp-mtu-probing (dynamic-enable | enable)
You cannot disable this feature from the CLI.
WatchGuard Training

8. Management Tunnel Enhancements
If more than one IP address is specified for the Management Server for a Firebox at the end of a Management Tunnel over SSL, and the Firebox has connected to an IP address other than the first IP address in the Distribution IP Address list, the Firebox can now reconnect to the Management Server with the first IP address in the list.
The Firebox reconnection occurs when the Lease Time on the Firebox expires.
This restores full management capabilities through a Management Tunnel over SSL when communication to the private IP address (first address in the list) in the tunnel is lost.
WatchGuard Training

9. IPSec VPN Client Updates
Shrew Soft VPN Client 2.2.2
WatchGuard IPSec VPN Client v12.00
Windows XP is not supported.
The new client has separate installers for Windows 32-bit and 64-bit platforms.
You must uninstall the older client, before you install the new one.
When you uninstall, do not select the option to remove personal data. This preserves the existing client profile so the new client can use it.
There is no update to the WatchGuard IPSec VPN Client for Mac OS X.
WatchGuard Training

10. WatchGuard IPSec VPN Client Updates
WatchGuard IPSec VPN Client v12.00 has these updates:
The updated client uses OpenSSL 1.0.1j, which resolves security deficiencies in prior versions of OpenSSL.
The client firewall settings include a new option: “Reject Outgoing Traffic”. When you select this check box, the client rejects outgoing traffic and returns an acknowledgement message to the sending application.
WatchGuard Training

11. Thank You!
WatchGuard Training