
What’s New in Fireware XTM v11.8.1 WatchGuard Training.


1 What’s New in Fireware XTM v11.8.1 WatchGuard Training

2 What’s New in XTM 11.8.1
- Networking Enhancements
  - Secondary networks for VLANs [40123]
  - Support for static NAT and server load balancing for traffic through an Optional interface [39793]
  - PPPoE client IP address enforcement [73382]
  - DHCP Force Renew support on external interfaces [61383]
  - Sierra Wireless 320U 3G/4G modem support [74572]
  - Bridge XTM wireless Access Points to the same network [76381]
- XTMv Enhancements
  - XTMv on ESXi now supports active/passive FireCluster [72105]
- WatchGuard AP Device Management Enhancements
  - New AP status of Discovered in the Gateway Wireless Controller [77081]
  - Ability to upgrade an AP device from the Gateway Wireless Controller [73497]
  - Automatic AP device firmware upgrades are now staggered [77738]

3 What’s New in XTM 11.8.1
- Authentication Enhancements
  - Customize the Authentication Portal page [42587]
  - Case-sensitivity disabled for Firebox-DB user names [61132]
- HTTPS-Proxy Enhancements
  - Allow only SSL compliant traffic through the HTTPS-proxy [76197]
- WebBlocker Enhancements
  - Improved WebBlocker local override page [66930]
- Management Server Enhancements
  - Management Server Clustering [41220]
  - Compare versions of configuration files & force users to comment on changes to configuration files and templates [77204]
- Monitoring & Reporting Enhancements
  - Download a diagnostic log file from the Web UI [77638]
  - New Web Traffic Summary report [76985]

4 Networking Enhancements

5 Secondary Networks for VLANs
- You can now configure a secondary network for a VLAN interface.
  - Configure these settings on the Secondary tab in the VLAN configuration.
  - Supported for Trusted, Optional, and External VLAN interfaces.
  - Secondary IP addresses are often used for Static NAT on external interfaces or network migration and router consolidation on trusted or optional interfaces.

6 SNAT from Optional to Trusted
- In a Static NAT action or Server Load Balancing NAT action, you can now select an External or Optional interface.
- This enables you to do static NAT or server load balancing for traffic from the optional network to the trusted network.

7 PPPoE Client IP Address Enforcement
- PPPoE advanced settings include an option to enforce the client static IP address.
- When this option is selected:
  - The XTM device sends the configured PPPoE client IP address to the PPPoE server.
  - The XTM device uses the configured client IP address, even if another IP address is obtained from the server.
- PPPoE client address enforcement is useful for clients of ISPs that provide multiple static IP addresses.
  - This new option is useful if the ISP does not respond with the address included in the client request.

8 DHCP Force Renew
- When you configure the external interface as a DHCP client, you can optionally enable the XTM device to respond to DHCP Force Renew messages.
  - The FORCERENEW message requests the DHCP client to renew its leased IP address sooner than it ordinarily would.
  - You can optionally specify a shared key that must match the key in the FORCERENEW request.

9 Additional 3G/4G Modem Support
- Sierra Wireless 320U 3G/4G USB modem is now supported for modem failover.
- To see a complete list of supported modems, see this Knowledge Base article: http://customers.watchguard.com/articles/Article/Supported-3G-4G-USB-devices

10 Bridge XTM Wireless Access Points to the Same Interface
- On an XTM wireless device, you can now bridge Wireless Access Point 1 and Wireless Access Point 2 to the same XTM device interface.

11 XTMv Enhancements

12 FireCluster on XTMv
- You can configure two XTMv devices as an active/passive FireCluster on VMware vSphere ESXi.
- vSwitch configuration requirements:
  - The vSwitch connected to an external interface must accept MAC address changes.
  - The vSwitch connected to the FireCluster management interface must have promiscuous mode enabled.

13 AP Device Management Enhancements

14 Staggered AP Device Firmware Automatic Upgrades
- Automatic upgrades of AP device firmware are now staggered.
  - If automatic upgrade is enabled in the Gateway Wireless Controller settings, the automatic upgrade of AP devices does not occur simultaneously.
  - If there are multiple paired AP devices, the AP device firmware upgrades occur one at a time for each AP device, five minutes apart.

15 Update AP Device Firmware for a Single AP Device
- You can now upgrade the firmware on a single AP device from the Gateway Wireless Controller tab in Firebox System Manager.
  - You can see the version of AP firmware available on the XTM device.
  - You can see the version of AP firmware currently installed on each AP device.
  - Click Upgrade to upgrade the AP firmware to the available version.
- In Fireware XTM Web UI, this option is available in the Gateway Wireless Controller Dashboard.

16 New AP Device Status — Discovered
- The Gateway Wireless Controller now shows a status of Discovered for a paired AP device that is connected, but is not yet Online.
  - After an AP device restarts, the status is Discovered when the XTM device has successfully communicated with the AP device, but the AP device is not yet online.

17 Authentication Enhancements

18 Customize the Authentication Portal
- You can now configure the look and feel of the Authentication Portal page from Fireware XTM Web UI and Policy Manager.
  - Add custom logo
  - Add custom welcome message or disclaimer
  - Specify the page title
  - Select custom colors
  - Select custom fonts

19 Disable Case-Sensitivity for Firebox-DB User Names
- For users created for Firebox Authentication (to the Firebox-DB Authentication Server), you can now disable case-sensitivity for user names.
- Users can type their user names with any capitalization and still authenticate.

20 HTTPS-Proxy Enhancements

21 HTTPS-Proxy — Allow only SSL Compliant Traffic
- By default, when you enable the HTTPS proxy, it allows SSL traffic matching any SSL version.
- When this new option is selected, the HTTPS proxy allows only traffic that matches one of these SSL versions:
  - SSL_V2=0x200
  - SSL_V3=0x300
  - TLS_V1=0x301
  - TLS_V11=0x302
  - TLS_V12=0x303
- This new option can be useful if you want to deny traffic that is not HTTP over SSL.
- This option is not necessary or available when deep packet inspection is enabled in your HTTPS proxy configuration.
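The kind of version check slide 21 describes, as an added example (not WatchGuard code): a Python function that decides from a client's first bytes whether the connection opens with an SSL/TLS ClientHello carrying one of the listed versions. The slide does not say how the proxy performs the check, so the function name, the framing rules, the mapping of SSLv2's wire value to the slide's SSL_V2 label, and the sample bytes are all assumptions of this example.

```python
# Version constants as listed on the slide; everything else here is assumed.
ALLOWED_VERSIONS = {
    0x200: "SSL_V2", 0x300: "SSL_V3", 0x301: "TLS_V1",
    0x302: "TLS_V11", 0x303: "TLS_V12",
}
HANDSHAKE = 0x16      # SSLv3/TLS record content type for handshake messages
CLIENT_HELLO = 0x01   # first handshake message a client sends


def classify_first_bytes(data):
    """Return (allowed, reason) for the opening bytes of a client connection."""
    if len(data) < 6:
        return False, "too short to be a ClientHello"
    # SSLv3/TLS framing: type(1) | version(2) | length(2) | handshake type(1)
    if data[0] == HANDSHAKE:
        version = int.from_bytes(data[1:3], "big")
        length = int.from_bytes(data[3:5], "big")
        if version not in ALLOWED_VERSIONS:
            return False, f"unlisted record version 0x{version:04x}"
        if length == 0 or length > 2**14 or data[5] != CLIENT_HELLO:
            return False, "malformed handshake record"
        return True, ALLOWED_VERSIONS[version]
    # SSLv2 framing: 2-byte length with high bit set | msg type(1) | version(2)
    if data[0] & 0x80 and data[2] == CLIENT_HELLO:
        wire = int.from_bytes(data[3:5], "big")
        # SSLv2 sends 0x0002 on the wire; mapping it to the slide's
        # SSL_V2=0x200 label is an assumption of this example.
        version = 0x200 if wire == 0x0002 else wire
        if version in ALLOWED_VERSIONS:
            return True, ALLOWED_VERSIONS[version]
        return False, f"unlisted SSLv2-hello version 0x{wire:04x}"
    return False, "not an SSL/TLS handshake"


# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "tls12_hello": b"\x16\x03\x03\x00\x31\x01\x00\x00\x2d\x03\x03",
    "sslv2_hello": b"\x80\x2e\x01\x00\x02\x00\x15",
    "bad_version": b"\x16\x03\x09\x00\x31\x01",
    "ssh_banner": b"SSH-2.0-OpenSSH_8.9\r\n",
    "plain_http": b"GET / HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, classify_first_bytes(payload))
```

The SSH banner and plain HTTP request stand in for the "not HTTP over SSL" traffic the slide says the option can deny.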

22 WebBlocker Enhancements

23 WebBlocker Local Override Page
- The Local Override authentication form that users see in the web browser when access to a web page is denied by WebBlocker has been formatted to match the deny message.

24 Management Server Enhancements

25 Management Server Clustering
- Create clusters of WatchGuard Management Servers for failover and redundancy.
- Uses the native Microsoft Failover Cluster service support for high availability.
- Configure each WatchGuard Management Server independently and then use the command line to complete the setup of the servers in a failover cluster.

26 New Configuration Management Settings
- In WatchGuard Server Center > Management Server, the setting to force users to make a comment before saving changes to a device or configuration template has been moved to a new Configuration Management tab.
- In the Comment Template list, optionally type the instructions to appear in the Comments dialog box, which users see when they save the configuration file or a configuration template to the Management Server.

27 Compare Configuration File Versions
- In WSM, for a device configuration file, run a Difference Report to see the changes between versions of the configuration in the Configuration History.
- The Difference Report includes all changes made to the configuration.

28 Monitoring & Reporting Enhancements

29 Download Diagnostic Log File from the Web UI
- Fireware XTM Web UI now supports download of a diagnostic log file (support.tgz).
- Enable diagnostic logging and download the support.tgz file:
  1. Select System > Configuration File.
  2. Click Download the Support Logs.
- Review the file for diagnostic and packet trace information about your XTM device.

30 Web Traffic Summary Report
- The Web Traffic Summary report has been added to WatchGuard System Manager Log and Report Manager.
- This report (already available with Dimension) offers a high-level view of:
  - Top web sites visited by clients, in a bar chart
  - Top web categories visited by clients, in a pie chart

31 Thank You!

