1. What’s New in WSM 10 and Fireware 10
Presenter
Date

2. What’s New in WSM/Fireware 10 WSM 10 Overview
New SQL-based logging and reporting architecture
WatchGuard Management Server enhancements
Firebox System Manager enhancements
New help system with search and Table of Contents

3. What’s New in WSM/Fireware 10 Fireware 10 Overview
New in Fireware 10
Mobile VPN with SSL
New proxies for VoIP support
New TCP/UDP proxy for multiple protocol detection
Enhancements to security subscriptions
Single Sign-On
More integration with LiveSecurity
BOVPN and Mobile VPN with IPSec enhancements
New notifications
Networking enhancements

4. New in WSM 10

5. New Logging and Reporting Architecture

6. New Logging and Reporting Architecture Overview
The new logging and reporting architecture includes:
New SQL-based Log Server
Totally redesigned LogViewer application
New Report Server
New Report Manager (replaces Historical Reports)
One change to the WatchGuard Toolbar:
The red dot on the icon means that the service is not running. Either the service is stopped, or the server is not yet configured.
New Report Server icon

7. New Logging and Reporting Architecture About the SQL Database
Uses PostgreSQL
Postgres is installed during either:
Log Server Setup Wizard
Report Server Setup Wizard
The server you set up first (Report Server or Log Server) installs Postgres
Because Postgres does not install over an RDP session, do not run the Log Server or Report Server Setup Wizard over RDP
PostgreSQL installation creates the data directory and its structure
There is no UI option to change the location of the data directory after Postgres is installed
Installs a non-admin user account watchguard_pg_user
Do not alter this account; it is for the Postgres service
In this release, you must use command line for:
Importing old XML log files into the database
Restoring a backup of the database
Do not run Postgres install over an RDP connection unless it is a console-based RDP connection:
Start  Run  mstsc –v:Servername[:Port] /console

8. New Log Server SQL-based
Advantages to using SQL database for logs
Much more scalable
Logs from multiple appliances now stored in one database
No more discrete XML log files
Faster and more powerful log file search
Faster report generation
Report can be run on data stored in different Log Servers
Automatic maintenance jobs are user-configurable:
Automatic daily deletion of old logs
Automatic daily backup
If a Firebox has two Log Servers configured and one goes down, the Firebox could send log messages to two different servers. One Report Server can pull data from the two different Log Servers to make reports on the one Firebox.

9. New Log Server Log Server Setup Wizard
Click once on the Log Server icon to start the Log Server Setup Wizard
The red dot on these icons means that either the service is stopped, or the server is not yet configured.
If the server is not yet configured, left-click once on the icon to start the setup wizard.
If the server is configured but the service is stopped, left-click once on the icon to start the service.

10. New Log Server Setup Wizard
PostgreSQL is installed and the database directory is created when you run either:
The Log Server Setup Wizard or
The Report Server Setup Wizard
The PostgreSQL install creates a new user for Postgres to use for connections to the database.
The name of the account is watchguard_pg_user; it is a non-administrator account.
Do not change the password for this user or delete the user; the postgres process runs under this account’s credentials.
Do not run the Log Server Setup Wizard over a Terminal Server or RDP connection to the log server computer; PostgreSQL does not install correctly over a terminal session.

11. New Log Server Setup Wizard
Pay close attention to this screen of the Setup Wizard
To change the log data directory after PostgreSQL is installed, you must run the Setup Wizard again.
To change the data directory after the server is configured:
Stop the Log Server service and the Report Server service. (Right-click the appropriate icon in the WatchGuard Toolbar and select Stop Service.)
Uninstall PostgreSQL from the Windows Add/Remove Programs applet. The log database is not deleted.
Copy the original \data directory, for example C:\Documents and Settings\WatchGuard\logs\data (and all files and folders within), to the new location.
Run the Log Server Setup Wizard again.
Select the new directory, without the \data part of the path, as the data directory, on this screen of the wizard.
Specify the location for the database on the first screen of the wizard. The setup wizard reinstalls PostgreSQL using the new location for the database directory.

12. New Log Server - Admin User Interface Configure the Log Server
To configure the Log Server, left-click once on the Log Server icon in the WatchGuard toolbar.
Or, right-click and select Configure

13. New Log Server - Log Server Configuration Server Settings Tab
The Log Server can send notifications about itself to this address.
Firebox Event Notifications also go to this address

14. New Log Server - Log Server Configuration Expiration Settings Tab
Automatically purge old logs
Automatically back up logs
All notifications are sent by the Log Server, not by the appliance.
The backup directory must be on the same PC as the Log Server.
The format of the backup is a comma-separated vale (CSV) file with .txt file extension.
To restore the backup:
Use the wlconvert command-line utility in \Program Files\WatchGuard\WSM10.0\wlcollector\bin to convert to XML format.
Use the wlimport utility (in the same directory) to import the XML files into the database.
Send appliance notifications

15. All Firebox appliances that send logs show here
New Log Server - Log Server Configuration Logging/Monitoring Settings tab
All Firebox appliances that send logs show here
Send log messages about the Log Server itself to:
The Windows Event Viewer
A text file

16. New LogViewer Total Redesign for Maximum Usability
All-new enhanced LogViewer gives powerful new features
The LogViewer connects to the Log Server over TCP port 4121

17. New LogViewer Launch and Connect to a Log Server
Start LogViewer from the WatchGuard System Manager.
Then, connect to a Log Server.
The Log Viewer connects to the Log Server over TCP port 4121.
You can create a rule in Policy Manager to allow connections to your Log Server from specified locations.

18. New Log Viewer Select the appliance or server to view logs
Select one or more devices to see their logs
All devices logging to this Log Server (including other servers) show here
Report Server and Management Server can also send logs to Log Server!

19. New LogViewer Arrange the windows for the different devices’ logs
Cascade the windows
Or tile them

20. New Log Viewer Category View
All logs
Only traffic logs
Only alarms
Only events
Only debug logs
Only bandwidth statistics messages
Fireware sends bandwidth statistics messages only when you turn it on in Policy Manager at Setup > Logging > Performance Statistic. Devices running WFS and Edge devices cannot send these messages.

21. New LogViewer Date Range View
Select a preconfigured range
Or make a custom time filter

22. New LogViewer – Search String Search
Simple string search is very useful
Search for:
An IP address
Blocked sites / blocked ports
All messages with a key word, for example:
IKE
Type of or HTTP header
A username

23. New Log Viewer – Search Put context to the message
When Search finds an interesting log message, you can show the log messages before and after it.
Right-click the message and select Show Log Excerpt
Or press F5
You see 50 messages before and after the target log message

24. New LogViewer Preferences
Store general preferences
Your primary Log Server
How many messages before and after the target in Log Excerpt
How many searches to remember

25. New LogViewer Preferences
Store viewing preferences
Default log type
Font size
Which columns to display for the different log types

26. New LogViewer Search Manager
Tools  Search Manager
Create powerful searches and save them for later use
Advanced Search shows why a SQL database is better

27. New LogViewer Multiple export options
Export logs as:
CSV (comma-separated value) file
HTML page
PDF
XML file
Instantly logs as:
CSV file
Select and copy as plain text

28. New Report Server - Overview What it does
Collects and presents log data
Periodic collection from Log Server
Periodic generation of reports
Provides reports to Report Manager via XMLRPC
Reports are immediately viewable and automatically refresh
If you run the Report Server Setup Wizard before you run the Log Server Setup Wizard, the Report Server installs PostgreSQL.
Whichever one you run first (Report Server Setup Wizard or Log Server Setup Wizard) installs postgres.

29. New Report Server - Overview What It Does
Log Data
Consolidated Log Data
Log Server
Reports

30. New Report Server – Configuration Expiration Settings tab
Server Settings tab is identical to same tab in Log Server
Expiration Settings tab:
Automatically delete old reports
Turn on notification of events about the Report Server itself

31. New Report Server – Configuration Report Generation tab
Tell the Report Server where to get data
This is the server management passphrase, not the log encryption key!

32. New Report Manager Overview
Report Manager is the client application that connects to the Report Server
Replaces old Historical Reports
The left-hand pane shows the available reports
The right-hand pane is a browser (based on Internet Explorer) showing the selected report
The Report Manager connects to the Report Server over TCP port 4122.
You can create a rule in Policy Manager to allow connections to your Report Server from specified locations.
You must have Internet Explorer installed on the Windows PC to run Report Manager.

33. New Report Manager Launch and Connect to a Report Server
Start Report Manager from WSM.
Then, connect to a Report Server.
Getting Reports for a managed Firebox:
If you:
Use WSM to connect to a Management Server managing WatchGuard appliances
Select a managed device before launching Report Manager
Then Report Manager should automatically connect to the Report Server that generates reports for that device, and automatically show Reports for that device.
This works best when the Report Server and the Management Server are on the same computer, and that will be the case for most customers.
If the Report Server making reports for the device and the Management Server managing the device are on different computers, then in order for this to work (Report Manager automatically connects to Report Server and shows logs for the selected managed device) you must use the “Monitored Report Servers” option in WSM to add the Report Server information. If you do not do that, you can still use Report Manager to connect to a Report Server and see reports; the difference is that Report Manager will not automatically launch “in the context of” the managed device – you must use the “Connect to Report Server” dialog box to connect to the correct Report Server.

34. Report Server Available Reports
Reports carried forward from earlier Historical Reports:
Denied Packet Summary
Denied Packet Detail
Incoming
Outgoing
SMTP Summary
SMTP Server Summary
SMTP Detail
SPAM Summary
Firebox Statistics
POP3 Summary
POP3 Detail
Alarms
Packet Filter Host Summary
Proxy Host Summary
HTTP Most Popular Domain
HTTP Summary
HTTP URL Detail
IPS Packet
IPS Summary and its detail subreports:
Protocol
Severity
Source
Signature
AV Summary and its detail subreports:
Host
Virus
Sender
WebBlocker Detail
Reports Carried Forward From Earlier Reporting:
HTTP Most Popular Domain
HTTP Summary
HTTP URL Detail
IPS Packet
IPS Summary and its detail subreports:
Protocol
Severity
Source
Signature
AV Summary and its detail subreports:
Host
Virus
Sender
Web Blocker Detail
Denied Packet Summary
Denied Packet Detail
Incoming
Outgoing
SMTP Summary
SMTP Server Summary
SMTP Detail
SPAM Summary
Firebox Statistics
POP3 Summary
POP3 Detail
Alarms
Packet Filter Host Summary
Proxy Host Summary
BUM ß “Boxes Under Management” for those of you who didn’t work with our legacy MSS product J
New Reports:
HTTP Most Active Client
Web Surfing
External Interface Bandwidth Report
Management Server Audit Trail
Management Server Audit Trail Detail
Management Server Authentication

35. Report Server Available Reports
New Reports in 10:
HTTP Most Active Client
Web Surfing
External Interface Bandwidth Report
Management Server Audit Trail
Management Server Audit Trail Detail
Management Server Authentication
BUM “Boxes Under Management”
External interface bandwidth report can work only if you turn on “Performance Statistics” in Policy Manager at Setup > Logging > Performance Statistics.

36. Management Server Enhancements

37. What’s New in WSM/Fireware 10 Management Server Enhancements - Overview
Multi-user support
Record locking
Configuration passphrase caching
Force comments on Config Change
Folders with lockout
Notification enhancements
LiveSecurity Alerts

38. Management Server Enhancements Multi-user support
Add users on new Users tab of Management Server Configuration

39. Management Server Enhancements Multi-user support
Management Server user accounts:
Admin privileges
Can create new user accounts on the Management Server
Can administer all devices under management with WSM connection to Management Server
Read-Write privileges
Read-Only privileges
Can view all devices under management
This user connects to the Management Server in Monitoring Mode

40. Management Server Enhancements Multi-user support
Users must now provide username and passphrase when connecting
Provides audit trail in Management Server report
Default account is admin
This account uses the server management passphrase
This is the same password you used before to connect to your Management Server from WSM

41. Management Server Enhancements Record locking and caching passphrases
When you bring up Policy Manager for a managed device:
WSM prevents others from using Policy Manager for that device when they connect to the Management Server
Reduces the chance that conflicting edits are made at the same time by different users
Policy Manager automatically enters the device’s configuration passphrase when you save the configuration back to the Firebox
No need to remember the configuration passphrases for all your managed devices
No need to share managed devices’ configuration passphrases with others
There is no way to prevent others from using Policy Manager to edit a device’s configuration by connecting directly to the device.
Do not share the configuration passphrases of your managed devices if you want to prevent this. When users have accounts on the management server, there is no need for them to know configuration passphrases for the managed devices.
For this to work:
Firebox you manage must be running Fireware 10
You must launch Policy Manager via a connection to the Management Server (not a connection to the device itself)

42. Management Server Enhancements Record locking
Connect to Management Server using WSM  Launch Policy Manager for an appliance
The device record is locked
When a different user connects to the Management Server at the same time:
A “Maintenance Alert” shows for that device
Policy Manager is not available for that device

43. Management Server Enhancements Configuration passphrase caching
When you use that instance of Policy Manager to save the configuration, Policy Manager automatically puts the appliance’s configuration passphrase into the entry field
When you close Policy Manager (or use it to File > Open a different Firebox) the lock is released

44. Management Server Enhancements Force comments
Force comments on config change
Turn this on in Management Server Configuration
Users must add comment when saving config via a connection to Management Server
These comments will show in the Management Server Report you can run from Report Manager.

45. Management Server Enhancements Folders with lockout
Right-click Management Server and select Add New Folder

46. Management Server Enhancements Folders with lockout
You can make a VPN between two devices inside the same locked folder
You cannot make a VPN tunnel between a device in a locked folder and a device not in the same locked folder
Prevent “mistake” VPNs
Those can cost the managed security provider $$ and reputation
Locks can also apply to nested folders (folders within folders). The same rules apply:
You can make a VPN between two devices inside the same locked folder
You cannot make a VPN tunnel between a device in a locked folder and a device not in the same locked folder
Locked folder has a padlock on the folder’s icon

47. Management Server Enhancements Notification enhancements
Get notified if a managed device does not contact the Management Server when its DVCP lease expires
From:
Subject: Notice from Management Server
Host: dc01
Time: Fri Feb 08 09:15:
Process: 3848:3900
Message:
Information (8249), no contact from device with name Miami_X6500e, id , and IP address

48. Management Server Enhancements LiveSecurity Alerts
WSM displays LiveSecurity broadcasts when you select the Management Server
Alerts that will appear:
New software updates available
WatchGuard vulnerabilities

49. Quarantine Server Enhancements

50. Quarantine Server Enhancements Quarantine email based on virus classification
You can now send SMTP mail to the Quarantine Server based on whether Gateway AntiVirus detected a virus

51. Quarantine Server Enhancements Quarantine mail based on virus classification
You can send SMTP mail to the Quarantine Server based on whether spamBlocker’s Virus Outbreak Detection detected a virus

52. Firebox System Manager Enhancements

53. What’s New in WSM/Fireware 10 Firebox System Manager Enhancements - Overview
Front Panel tab updated for Mobile VPN with SSL
Search Traffic Monitor
Display logs by type of message
Multiple-line select (ctrl-click or shift-click) and copy
Select notifications from entire event catalog
Service Watch graph by bandwidth

54. Firebox System Manager Enhancements Front Panel Tab
Mobile VPN with SSL sessions displayed on Front Panel tab

55. Firebox System Manager Enhancements Front Panel Tab
Log off remote users from Front Panel tab

56. Firebox System Manager Enhancements Traffic Monitor Tab
Search Traffic Monitor

57. Firebox System Manager Enhancements Traffic Monitor Tab
View:
All logs
Only traffic logs
Only alarms
Only events
Only debug logs
Only bandwidth statistics messages

58. Firebox System Manager Enhancements Traffic Monitor Tab
Multiple-line select (ctrl-click or shift-click) and copy

59. Firebox System Manager Enhancements Traffic Monitor Tab
Select Notifications from Event Catalog
Right-click an event in Traffic Monitor
Instantly set up notification for the next time that event happens

60. Firebox System Manager Enhancements Service Watch Tab
Use Service Watch to:
Graph the traffic going through each policy by bandwidth
See the number of sessions going through each policy

61. New Help System

62. New Help System Searchable, with Table of Contents

63. New in Fireware 10

64. Mobile VPN with SSL

65. Mobile VPN with SSL Overview
PC and Mac compatible – one download page for both

66. Mobile VPN with SSL URL for users to get the software
URL to authenticate and get the client software:
Note the /sslvpn.html at the end
URL to authenticate only remains the same

67. Mobile VPN with SSL Configuration in Policy Manager
Simple straightforward configuration
Policy Manager: VPN  Mobile VPN  SSL
Use any authentication server
Specify which WAN users connect to first and second (failover)
Allow granular access or access to all connected networks

68. New Proxies for VoIP Support

69. New Proxies for VoIP H.323 and SIP
These proxies work to allow some VoIP/Videoconferencing through the Firebox:
SIP Proxy
H.323 Proxy
H.323 proxy supports NAT-traversal for voice and video traffic
H.323 Gatekeeper (“PBX” hosting/trunking) and T.120 multimedia support not in this release.
H.323 support is limited to point-to-point connections
SIP proxy supports NAT-traversal for voice and video traffic
Does not provide the PBX registration capabilities of a typical standalone SIP Registrar-Proxy
Must have your own Registrar-Proxy server to route these connections
SIP proxy has only been tested with PBX’s located on the external segment of the Firebox (hosted scenario, no trunking).

70. New Proxies for VoIP H.323 and SIP
Simple to configure
H323
SIP

71. New Proxies for VoIP TFTP
Typically for:
Sending updates to VoIP devices under management
Sending configuration files
Sending ROM images or firmware updates
Trivial File Transfer Protocol
For more than just VoIP
TFTP Proxy lets you allow or deny content by matching file name patterns for:
Downloads
Uploads

72. New TCP-UDP Proxy Multiple Protocol Detection
TCP-UDP Proxy detects what protocol the traffic is:
HTTP
HTTPS
SIP
FTP

73. New HTTPS Proxy What it can do
Block objectionable HTTPS sites using WebBlocker
Allow or deny access to web sites based on Domain Names
Fireware matches Domain Name patterns against the Subject field in the web site’s SSL certificate
Every HTTPS connection to a web site involves an exchange of certificates. The HTTPS proxy reads the certificate that the web site sends and finds the certificate’s Subject field.
Fireware matches the value of the Subject field against the Domain Name area of the HTTPS proxy to allow or deny access.

74. Enhancements to Security Subscriptions

75. What’s New in WSM/Fireware 10 Enhancements to Security Subscriptions
Intrusion Prevention (IPS) Enhancements
New signature set
Broader range of signatures
Botnet protection for servers
Updated signature scanning engine
Approximately 40% increase in IPS performance
Simpler IPS Configuration
P2P and IM now integral part of Fireware (no IPS license required)
WebBlocker Enhancements
Expanded Category List
WebBlocker for HTTPS
spamBlocker Enhancements
Virus Outbreak Detection

76. WebBlocker Enhancements 40 Category to 54 Category Mapping
40-Category List name
54-Category List name
Arts & Entertainment
Arts
Entertainment
Drugs, Alcohol, Tobacco
Illegal Drugs
Alcohol & Tobacco
Violence
Tasteless & Offensive
Hacking
Spyware
Computing & Internet
Downloads
Ringtones / Mobile Phone Downloads
Criminal Skills
Criminal Activity
Phishing & Fraud
Glamour & Intimate Apparel
Intimate Apparel & Swimwear
Fashion & Beauty
Government & Politics
Government
Politics
Lifestyle & Culture
Society & Culture
Philanthropic & Professional Organizations
Remote Proxies
Proxies & Translators
Peer-to-Peer
NOT REPRESENTED
Spam URLs
Infrastructure
Business

77. Single Sign-On

78. Single Sign-On Requirements
Only for Active Directory domains
Install WatchGuard Authentication Gateway software on a domain computer
This computer called the SSO Agent
The domain account under which the agent software runs must:
Have “Log on as a service” permission granted (for the service to run automatically)
Be a member of Domain Admins group (to query PCs running Vista)
All domain PCs must allow connections over 139 and 445
Add exceptions to Windows Firewall for File and Printer Sharing, or turn off Windows Firewall

79. Single Sign-On Settings
Policy Manager:
Setup  Authentication  Authentication Settings
IP address of the PC running WatchGuard Authentication Gateway software (the SSO agent)
How long the SSO agent should cache responses it gets from PCs it queries
IP addresses that the Firebox will not ask about

80. Single Sign-On How it works 1
Firebox sees traffic come from a trusted or optional or VLAN interface
SSO does not work for traffic coming from an external interface
Firebox sends query to SSO agent (PC running WatchGuard Authentication Gateway software)
This is a port 4114 connection. Command is get user <ip.address>
SSO agent checks its cache.
If it has an entry for this IP address, it returns an answer to the Firebox
If not in cache, SSO agent queries that IP address
Uses Windows NetWkstaUserEnum() call
Windows Networking connection over port 139 and/or 445
Computers can still authenticate by bringing up a browser and making an HTTPS connection to the Firebox over port 4100, just as in previous Fireware versions.
If SSO agent PC gets no reply, send error message to Firebox
The IP address is not added to authentication list

81. Single Sign-On How it works 2
PC returns answer to SSO agent. There can be more than one answer
SSO agent uses only the first answer it gets from the PC
SSO agent sends query to Active Directory server to find what groups the user is a member of
Active Directory returns all values of memberOf attribute tied to that user object
SSO agent PC returns answer to Firebox
User name logged in to that PC and groups of which the user is a member
Firebox puts <IP address>, <user name>, and <groups of which the user is a member> in its internal list of authenticated users
Authentication List tab of Firebox System Manager displays the IP address and user name of authenticated users

82. Single Sign-On How it works 3
Use user names and Active Directory groups in your policies to restrict access

83. BOVPN and Mobile VPN with IPSec Enhancements

84. What’s New in WSM/Fireware 10 VPN Enhancements
Selective Auto-start of BOVPN Tunnels
Dead Peer Detection
Mobile VPN with IPSec Policies More Configurable
Notification of BOVPN Events

85. VPN Enhancements Selective auto-start of BOVPN tunnels
At the bottom of the General Settings tab of the Gateway

86. VPN Enhancements Mobile VPN with IPSec more configurable
You can now edit the Mobile VPN/IPSec policy to change the allowed access.
The policy is no longer tied to the “allowed resources” assigned to the Mobile VPN/IPSec Group

87. VPN Enhancements Dead Peer Detection
On the Phase 1 Settings tab of the Gateway

88. VPN Enhancements Notification of BOVPN events
VPN > VPN Settings > BOVPN Notification button

89. New Notification Options

90. New Logging and Reporting Architecture Notification enhancements
SNMPv3 Support
New WebBlocker Alarm Options
The Firebox can now send notifications for:
Multi-WAN Events
BOVPN Down
Lost contact with WebBlocker Server
SNMP v3 provides message integrity, authentication, and encryption.
Fireware 10 supports single user authentication only.
The SNMP v3 server that receives traps must know the Engine ID. Engine ID is the serial number of the Firebox appliance.

91. Networking Enhancements

92. What’s New in WSM/Fireware 10 Networking Enhancements
Static MAC/IP Address Binding
Edit an interface  Advanced tab
Select Only allow traffic sent from or to these MAC/IP Addresses to lock out all other traffic on this interface
Keep the box cleared to add only Static ARP entries
If you turn on “Only allow traffic sent from or to these MAC/IP addresses”, then the Firebox does not learn new ARP entries.
If you do not turn on this option, then the Firebox ARP function continues to learn new addresses, including entries that may not be valid (spoofed ARP).

93. More Integration with LiveSecurity®

94. What’s New in WSM/Fireware 10 LiveSecurity Integration
Quick Setup Wizard pulls feature key from LiveSecurity
Appliance must be registered before you can use the QSW to get the Feature Key
If the appliance is not registered, you can get to the Internet during the Quick Setup Wizard to register it
You can skip this step of the Wizard if you have not registered the device yet
If there is no Feature Key, one user can get to the Internet after it is configured

95. What’s New in WSM/Fireware 10 LiveSecurity Integration
Updated feature key display
Easier to understand
Easier to see when features expire
Old

96. Thank You!