Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training What’s New in Fireware v

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training What’s New in Fireware v  All HTTP Request and Response header rules now allowed in predefined HTTP and Explicit Proxy actions  SSLv2 support removed from HTTPS/SMTP proxies and other proxy enhancements  See passphrases set for managed devices from the Management Server  New ciphers for managed security templates  Dashboard > Interfaces Enhancements 2

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training What’s New in Fireware v  See Application Control statistics in Fireware Web UI and Firebox System Manager  See status of rogue AP detection in Policy Manager 3

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training HTTP Request & Response Rules Allowed  In previous versions of Fireware OS, the default HTTP proxy action would only allow a limited list of HTTP headers in HTTP Request and HTTP Response messages  Any header not present in this list would be stripped by the HTTP proxy  Stripping unknown headers was designed to limit the amount of information leaked by a client or a server protected by the HTTP proxy, such as the operating system or software versions  Many modern websites use custom HTTP “X-” headers, and the default action stripped these custom headers from an HTTP Request or Response message affecting the usability of these websites 4

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training HTTP Request & Response Rules Allowed  All HTTP Request and Response header rules in the predefined HTTP-Client.Standard and Explicit-Web.Standard proxy actions are now disabled and the If matched and None matched actions are both set to Allow  This configuration enables you to choose what headers you want to block or allow and prevents the default configuration from blocking legitimate traffic 5

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training HTTP Request & Response Rules Allowed 6

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training SSLv2 Removed from HTTPS/SMTP Proxies  In previous versions of Fireware OS, to maintain compatibility with legacy systems, you could enable SSLv2 support when you configured an HTTPS or SMTP proxy action with content inspection enabled  SSLv2 is an older protocol that contains several known security vulnerabilities  To maintain the best security standards, as of Fireware OS v , you can no longer select SSLv2 in the HTTPS and SMTP proxies when you enable content inspection  If you still need to enable SSLv2 support in the HTTPS proxy for legacy systems, you must use Polices by Domain Name (FQDN) to bypass the HTTPS Proxy with a separate HTTPS policy 7

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training Other Proxy Enhancements  The FTP Proxy now sends an error response to the client when the action is Block, Drop, or Deny In previous versions, a response was only sent for a Deny action  In Policy Manager, the If Matched action menu now appears in the Simple View of the Mail From and Rcpt To sections of the SMTP Proxy Action settings 8

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training See Passphrases for Managed Devices  Users with Device Administrator credentials can select to see the passphrases configured for managed devices, when they log in to the WSM Management Server  Connect to the Management Server, view the properties for a managed device, and select the Show Passphrase check box 9

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training See Passphrases for Managed Devices  The Status Passphrase, Configuration Passphrase, and Shared Secret are unmasked 10

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training New Managed Security Template Ciphers  In previous versions of WSM, the Management Server included three pre-defined Security Templates for Managed VPN tunnels  WSM v adds two new default Security Templates to provide stronger security options for Managed VPN tunnels  Both new templates provide stronger encryption and authentication, with these ciphers: Encryption — AES-256 Authentication — SHA-1 or SHA-256 Perfect Forward Secrecy (PFS) — Diffie-Hellman group 5 11

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training New Managed Security Template Ciphers  The Phase 1 & Phase 2 Ciphers for managed Security Templates have been updated to use the SHA1-AES256-DH5 and SHA2-AES256-DH5 encryption algorithms  New installations of the WSM Management Server include these encryption algorithms in these new Security Templates: SHA1-AES256-DH5 (Predefined) SHA2-AES256-DH5 (Predefined) The Medium, Medium with Authentication, Strong with Authentication templates are not included in new installations  Upgraded installations of the Management Server keep all existing Security Templates and include the new templates after the upgrade process completes 12

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training New Managed Security Template Ciphers  New Management Server installations include only the new Security Templates, which have a red key icon in the Security Templates tree 13

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training New Managed Security Template Ciphers  Upgraded Management Server installations include both the new and old Security Templates New templates have a red key icon in the Security Templates tree Previous version templates have a gold key icon in the Security Templates tree 14

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training New Managed Security Template Ciphers 15

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training Dashboard > Interfaces Enhancements  The Fireware Web UI System Status > Interfaces > Detail page includes these changes: New Link Speed column The IPv4 Address column now includes both the IPv4 address and the network mask in this format: For example, /20 The order of the columns on the Interfaces page has been changed to: Link Status, Enabled, Multi-Wan, Alias, Name, Zone, IPv4 Address, Gateway, MAC Address, Link Speed 16

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training Dashboard > Interfaces Enhancements 17

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training Dashboard > Interfaces Enhancements The details dialog box for each interface now includes the Link Speed information, as well as the IPv4 address in this format: 18

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training Dashboard > Interfaces Enhancements  The Multi-WAN status appears on the Interfaces > Detail page when more than one External interface is configured on your Firebox 19

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training See Application Control Statistics  You can now see these statistics for Application Control in Fireware Web UI and Firebox System Manager: Installed version of Application Control signatures Date that Application Control signatures were last updated Latest available version of Application Control signatures Number of scans performed Number of applications detected by Application Control scans Number of applications blocked by Application Control scans  Statistics are reset when the Firebox restarts 20

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training See Application Control Statistics  Fireware Web UI Application Control statistics appear in the Application Control widget on the Dashboard > Subscription Services page Application Control signatures can be updated from the widget 21

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training See Application Control Statistics  Firebox System Manager Application Control statistics appear in the Application Control Service section of the Subscription Services tab Application Control signatures can be updated from the section 22

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training See Application Control Statistics You can also see the Application Control and IPS signature update history and the list of signatures on your Firebox 23

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training See Status of Rogue AP Detection in PM  In Policy Manager, you can now see the status of rogue AP device detection on the Gateway Wireless Controller SSIDs tab 24

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training Thank You! 25

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training