Watchguard XTM 1050, XTM 2050, XTM 2 Series, XTM 3 Series, XTM 5 Series, XTM 8 Series – Fireware XTM OS 11.7 Build # 359571

New features in Fireware XTM v11.7 Build # 359571

Policy Grouping

  •  With Policy Grouping, you can create tags, apply them to policies, and then filter the policy list by tag so that only the policies you are working on are shown at one time. This is particularly helpful for complicated device configuration files with many policies to manage. Policy tags are not available for devices running older versions of Fireware XTM OS (pre-v11.7) or for configuration files created for pre-v11.7 devices.

Link Aggregation

  •  You can now group your XTM device physical interfaces together to work as a single logical interface. With link aggregation, you can increase the cumulative throughput of your XTM device beyond the capacity of a single physical interface, and provide redundancy if there is a physical link failure.

WebBlocker Cloud Option with Websense

  •  New support for the Websense URL database in the cloud. Now, you can use the Websense cloud, with over 100 content categories and many new categories, as your WebBlocker Server. Or, if you prefer, you can continue to use a WebBlocker Server with the SurfControl database and 54 content categories. For new WebBlocker activations, the Websense cloud configuration is the default setting. When you upgrade to Fireware XTM v11.7, WebBlocker continues to use the previously configured WebBlocker server. After you upgrade, you can update the WebBlocker configuration to use the Websense cloud for WebBlocker lookups. When you switch between WebBlocker server options, the management software can automatically convert the currently blocked categories to similar categories in the other database.

WatchGuard Mobile VPN App for iOS and Android

  •  New apps make it easy for end users to build a VPN connection from iOS and Android devices. The administrator of the XTM appliance can securely email a file with the required configuration details, which the user can simply click to install the VPN profile after the app is installed. For Android, we now provide a WatchGuard client for Mobile VPN with IPSec. The WatchGuard VPN app for iOS operates with both Mobile VPN with IPSec and Mobile VPN with L2TP connections. The iOS app will be available in the Apple store later this month. The Android app will be available in the Google Play app store later this month as well.

Mobile VPN with L2TP

  •  Support for a new type of Mobile VPN connection – L2TP (Layer 2 Tunneling Protocol) v2, as described in RFC 2661.

IPS and Application Control Support in the HTTPS Proxy

  •  IPS and Application Control security subscriptions are now fully supported by the HTTPS proxy to allow the XTM device to scan for IPS and Application Control signatures on the decrypted HTTPS content stream.

Other new features include:

  •  New web interface for CA Manager – The CA Manager Web UI has moved to the Log and Report Manager Web UI. The combined web interface has been renamed to WebCenter.
  • New web UI to manage quarantined email messages – New look and feel for the Web UI that email recipients use to see and manage their quarantined email messages.
  • Support for more than four external interfaces on your XTM device
  • Hardware Health Monitoring – Your XTM device now self-monitors the health of specific hardware areas and sends an email notification if it detects a problem in those areas.
  • FireCluster support with wireless devices – You can now configure FireCluster for XTM 2 Series Models 25 and 26 Wireless and XTM 33 Wireless. Only active/passive mode is supported for wireless devices.
  • New DHCP options for VoIP support – You can now configure your XTM device to support DHCP options 66, 67 and 150.
  • Per user/group and concurrent login support – You can now set the number of concurrent, authenticated sessions you want to allow, and you can control this on a per user or per group basis.
  • Wireless Hotspot external authentication support – You can optionally configure the wireless hotspot on the XTM device to redirect hotspot users to an external web server before they connect to the wireless network.
  • IPv6 enhancements – Adds IPv6 stateful firewalling support for these networking and security features:
      • IPv6 hosts, networks, and address ranges in the From and To lists of policies
      • IPv6 addresses in Blocked Sites and Blocked Site Exceptions
      • Blocked Ports now applies to both IPv6 and IPv4 traffic
      • TCP SYN checking now applies to both IPv6 and IPv4 traffic

  • Branch office VPN failover to modem – If you have enabled serial modem failover on your XTM 25, 26, 3 Series, or 5 Series device, you can configure the branch office VPN to fail over to a modem if all external interfaces cannot connect.
  • Stream packet capture data to a file – A new advanced option to stream packet capture data to a file.
  • Global Dynamic NAT enhancements – When you configure a global dynamic NAT rule, you can now set the source IP address to use.
  • IPS Scan mode – You can now select between two scan modes, Fast Scan and Full Scan. The default setting is Full Scan, which directs IPS to scan all packets. To improve performance, you can select Fast Scan, which directs IPS to scan fewer packets. Fast Scan mode greatly improves throughput for scanned traffic, with a slight drop in IPS effectiveness.
  • New Management Tunnels – New support for remote XTM devices behind a NAT gateway

Resolved Issues in Fireware XTM v11.7 Build # 359571

General

  • WFS firmware component files and management applications are no longer bundled with WatchGuard System Manager [67508]
  • A problem that caused the XTM 1050 10 Gigabit Fiber ports to fail has been resolved [70118]
  • This release resolves a problem that caused a kernel crash when a reset packet is sent out through the 10 Gigabit Fiber ports on the XTM 1050 and XTM 2050 [70384, 70296]
  • When an IP address is added to the Temporary Blocked Site list by the administrator through the Firebox System Manager > Blocked Sites tab, the expiration time is no longer reset when traffic is received from the IP address [42089]
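The distinction behind fix 42089 is whether a temporary block has a fixed expiry or a sliding one that is refreshed each time the blocked host sends traffic. With a sliding expiry, a host the administrator blocked "for ten minutes" stays blocked for as long as it keeps probing, which is not what the administrator asked for. The following Python model is an added example, not WatchGuard code; the class, method and field names and the injected `now` clock (seconds, monotonic) are all assumptions made for the demo, and the addresses are constructed documentation-range values.

```python
"""Temporary blocked-site list with fixed versus sliding expiry.

Added example, not WatchGuard code. An entry added by the administrator
expires at its configured time even if the blocked host keeps sending
traffic (fixed). An entry with sliding=True is refreshed on every hit,
which is the behaviour an automatic block may want but a manual one does
not. The clock is passed in as `now` so the behaviour is deterministic.
"""
from dataclasses import dataclass
from ipaddress import ip_address, IPv4Address, IPv6Address
from typing import Dict, List, Optional, Tuple, Union

Addr = Union[IPv4Address, IPv6Address]


@dataclass
class BlockEntry:
    expires_at: float
    duration: float
    sliding: bool      # True: refresh expiry on each hit; False: fixed expiry
    hits: int = 0


class TempBlockList:
    def __init__(self) -> None:
        self._entries: Dict[Addr, BlockEntry] = {}

    def add(self, ip: str, duration: float, now: float, sliding: bool = False) -> None:
        """Block `ip` (IPv4 or IPv6) for `duration` seconds starting at `now`."""
        self._entries[ip_address(ip)] = BlockEntry(now + duration, duration, sliding)

    def check(self, ip: str, now: float) -> bool:
        """Return True if traffic from `ip` must be denied at time `now`.

        An expired entry is purged on the way. A hit on a sliding entry
        pushes its expiry out; a hit on a fixed entry leaves it untouched.
        """
        addr = ip_address(ip)
        entry = self._entries.get(addr)
        if entry is None:
            return False
        if now >= entry.expires_at:
            del self._entries[addr]
            return False
        entry.hits += 1
        if entry.sliding:
            entry.expires_at = now + entry.duration
        return True

    def expires_at(self, ip: str) -> Optional[float]:
        entry = self._entries.get(ip_address(ip))
        return None if entry is None else entry.expires_at


def demo() -> Tuple[List[bool], List[bool]]:
    """Constructed scenario: both hosts keep sending traffic every ~30 s."""
    bl = TempBlockList()
    bl.add("203.0.113.7", duration=60, now=0)                   # admin-added, fixed
    bl.add("2001:db8::bad", duration=60, now=0, sliding=True)   # auto-block style
    fixed = [bl.check("203.0.113.7", t) for t in (30, 59, 61)]
    sliding = [bl.check("2001:db8::bad", t) for t in (30, 59, 61, 200)]
    return fixed, sliding


if __name__ == "__main__":
    print(demo())   # fixed entry lapses at t=61; sliding entry survives until traffic stops
```

The fixed entry is denied at t=30 and t=59 and allowed again at t=61, regardless of the traffic it sent in between; the sliding entry is still denied at t=61 because each hit moved its expiry out, and only lapses once the host has been silent for the full duration.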

Proxies and Subscription Services

  •  File downloads no longer stall when you use an HTTP packet filter policy with IPS [67659]
  • The SIP ALG now supports REFER method for call transfers [59635]
  • The IPS deny message contents have been improved [66839]
  • We have improved the scand daemon so that it restarts faster in the event of a crash

Logging and Reporting

  •  You can now show more than 5000 lines of log messages in Firebox System Manager [66518]
  • The contents of the XTM Configuration Report have been localized for both viewing and printing into all languages supported by the Fireware XTM Web UI [66546]
  • The behavior of the Report Server Maximum Database Size setting now matches that of the Log Server, and prevents the Report Server database from filling the disk partition [67245]
  • Log collector no longer crashes when it reaches the 2GB virtual size limit on 32-bit Windows systems [64249]

Networking

  •  If you manually created dynamic routing policies in Fireware XTM v11.5.x or earlier, the To and From lists in these policies are no longer cleared when you upgrade to v11.6 or v11.7 [67721]
  • The SNMP process is now automatically restarted if it becomes stuck in a dormant state [66491]
  • The IGMP_Max_Membership setting for OSPF has been increased to support a large number of VLANs with dynamic routing [69979]

FireCluster

  •  This release resolves a problem that caused the master in an XTM 2050 FireCluster to go into an idle state when you added a new interface [70392]
  • The Terminal Services TO Agent now works correctly when used in an active/passive FireCluster [70098, 69944]

Wireless

  •  The 5GHz Wireless band now works correctly with channels 36, 40, 149 or 165 [65559]

Branch Office VPN

  •  Managed BOVPN tunnels now include support for optional 1-to-1 NAT [68244]
  • The amount of time it takes to fail over from a leased line to a branch office VPN with OSPF or BGP has been reduced [70460]

Mobile VPN

  •  Frequent mobile VPN client log in/log out events no longer cause a low memory condition on the XTM device [67538]
  • When you use a native Cisco IPsec iOS client for Mobile VPN with IPSec, the client no longer disconnects after three minutes of idle time [69430]
  • If you set the diagnostic log level for Mobile VPN with SSL traffic to “debug” level, log messages now correctly display in Firebox System Manager > Traffic Manager [65165]
  • You can now correctly establish a Mobile VPN with SSL connection from a Windows-based computer when the Windows system account is Chinese [58208]
  • A continuous FTP session over a Mobile VPN with IPSec connection is no longer terminated if an IPSec rekey occurs during the FTP transfer [32769]

You can download 11.7 Build # 359571 from the Watchguard Support Portal by logging in to your account.

Watchguard System Manager – 11.6.1 – CSP1 Build # 348296

Watchguard System Manager – 11.6.1 – CSP1 Build # 348296 resolves the following issue:

BUG68447: 11.6.1 management server fails to apply 11.3.x template to fully managed 11.3.x device

You can request Watchguard System Manager 11.6.1 – CSP1 Build # 348296 from Watchguard Support by logging a support case online; they should then be able to provide an FTP download link and the appropriate credentials.

Please note that Watchguard CSP releases are cumulative, so you should only need to apply the latest one to ensure that you also have all previous fixes.

Watchguard XTM 1050, XTM 2050, XTM 2 Series, XTM 3 Series, XTM 5 Series, XTM 8 Series – Fireware XTM OS 11.6.1 – Build # 346666

11.6.1 – Build # 346666 provides some new features and resolves the following issues:

• This release introduces support for the new high-performance XTM 5 Series models 515, 525, 535, and 545

• Provides an update to our localized user interfaces and documentation

• An XTM device configured in bridge mode can now pass VLAN traffic between 802.1Q switches or bridges

• FireCluster support for XTM 25, 26, and 33 wired models

• Several issues have been resolved in this release that caused XTM devices to crash when configured to use Application Control or IPS [66937, 65426, 65636, 67312, 66135, 67159, 67399, 67310]

• An issue was resolved that caused some XTM device processes to crash when running Mu Dynamics default published vulnerability test [66490]

• An issue was resolved that caused a kernel crash and device reboot [67329]

• The XTM 2 Series device can now handle a large file transfer without interface instability [67367]

• A problem that caused incorrect data to display on the XTM 5 Series LCD screen has been resolved [67197]

• Policy Manager now displays the correct VLAN limits for XTM 5 Series models 505, 510, 520, and 530 with a standard Fireware XTM feature key (not Pro) [67780]

• You can now successfully configure and apply Traffic Management actions for XTM 2 and 3 Series devices from the Web UI [67221, 66645]

• Firebox X Edge e-Series devices can now be successfully managed with templates [67658]

• The notification message sent when a local Log or Report database is down now correctly shows the host IP address instead of “???” [41731]

• The Log Server can now handle backup files greater than 2GB in size without generating the error message “Error (8199), Exception during backup of oldest log data: File is not a zip file” [66811]

• The DHCP lease activity report now works correctly [66062]

• Log Collector now handles XTM device log data that spans multiple SSL/TLS records without crashing [66347]
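Fix 66347 is an instance of a general parsing failure: TLS delivers application data to the receiver in records of at most 16384 bytes whose boundaries have nothing to do with message boundaries, so a collector that treats "one record" as "one message" mis-parses, or crashes on, any message that straddles two records. The Python below is an added example, not WatchGuard's log collector; it assumes newline-framed UTF-8 log messages (the real Firebox log transport format is not described on this page), simulates the record split with a plain slicer, and uses constructed sample lines. It shows the naive reader beside a buffering reader that only emits a message once its delimiter has arrived.

```python
"""Reassembling newline-framed log messages that arrive in TLS-sized records.

Added example, not WatchGuard code. The message framing (one UTF-8 message
per '\n') is an assumption; the log lines are constructed for the demo.
tls_records() stands in for a TLS layer handing plaintext to the
application one record at a time.
"""
from typing import Iterable, Iterator, List

TLS_MAX_PLAINTEXT = 16384   # TLS record plaintext limit (2^14 bytes)


def tls_records(stream: bytes, size: int = TLS_MAX_PLAINTEXT) -> Iterator[bytes]:
    """Cut an application-data stream into record-sized fragments."""
    for off in range(0, len(stream), size):
        yield stream[off:off + size]


def naive_parse(records: Iterable[bytes]) -> List[str]:
    """The failure mode: assumes every record holds only whole messages.

    A message split across two records comes out as two fragments, and a
    split inside a multi-byte UTF-8 character raises UnicodeDecodeError.
    """
    out: List[str] = []
    for rec in records:
        for line in rec.split(b"\n"):
            if line:
                out.append(line.decode("utf-8"))
    return out


def naive_fails(records: Iterable[bytes]) -> bool:
    """True if naive_parse() crashes on this record sequence."""
    try:
        naive_parse(records)
    except UnicodeDecodeError:
        return True
    return False


class FrameReader:
    """Buffer bytes across records; emit a message only once its '\n' is in."""

    def __init__(self, max_message: int = 65536) -> None:
        self._buf = bytearray()
        self.max_message = max_message   # bound on unterminated data (assumed limit)

    def feed(self, data: bytes) -> List[str]:
        self._buf += data
        msgs: List[str] = []
        while True:
            i = self._buf.find(b"\n")
            if i < 0:
                break
            msgs.append(bytes(self._buf[:i]).decode("utf-8"))
            del self._buf[:i + 1]
        if len(self._buf) > self.max_message:
            # A peer that never sends a delimiter must not grow the buffer forever.
            raise ValueError("message exceeds max_message without a delimiter")
        return msgs

    def pending(self) -> int:
        return len(self._buf)


def robust_parse(records: Iterable[bytes]) -> List[str]:
    reader = FrameReader()
    out: List[str] = []
    for rec in records:
        out.extend(reader.feed(rec))
    return out


def sample_stream() -> bytes:
    """Constructed sample; the non-ASCII 'é' lets a record split land inside a character."""
    lines = [
        "2012-10-01T12:00:00 member1 Allow 10.0.1.5 198.51.100.8 tcp 443 HTTPS-proxy",
        "2012-10-01T12:00:01 member1 Deny 203.0.113.7 10.0.1.5 tcp 22 Blocked Sites café",
        "2012-10-01T12:00:02 member1 Allow 10.0.1.9 198.51.100.8 udp 53 DNS-proxy",
    ]
    return ("\n".join(lines) + "\n").encode("utf-8")


if __name__ == "__main__":
    stream = sample_stream()
    print(len(naive_parse(tls_records(stream, 50))), "fragments from the naive reader")
    print(len(robust_parse(tls_records(stream, 50))), "messages from the buffering reader")
```

With a 50-byte record size the naive reader returns more than three "messages" because every line is cut in half; with the cut placed one byte into the two-byte `é` it raises instead of returning. The buffering reader returns the same three messages whatever the record size, and its `max_message` bound is the check that keeps a peer which never sends a delimiter from growing the buffer without limit.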

• A problem has been resolved that caused poor performance on XTM 2 Series models 25 and 26 because of an incorrect memory allocation for security subscription signatures [67240]

• A deny message is now correctly sent to the web browser in most cases when Application Control blocks content in the Web/Web 2.0 category [66201]

• The WebBlocker automatic database update time is no longer off by one hour when daylight saving time is in effect in the host server’s timezone [67551]

• If you use PPPoE or DHCP for an external interface on an XTM device configured to use multi-WAN, the XTM device no longer loses the default routes for external interfaces after the external interface reconnects [67424, 67520]

• A problem has been resolved that caused a static route to fail after an external interface configured to use PPPoE is disconnected, then reconnected [67520]

• Tagged VLAN traffic is now correctly recognized when an XTM device is configured in Bridge mode [64355]

• The CLI command “restore factory-default all” now successfully restores a device to its factory default settings [66240]

• An issue has been resolved that caused Policy Manager to incorrectly display an interface IP address as 0.0.0.0/24 when you viewed a FireCluster configuration for a cluster in drop-in mode [63551]

• The Mobile VPN with SSL process no longer crashes during a FireCluster failover [66118]

You can download 11.6.1 – Build # 346666 from the Watchguard website

Watchguard XTM 1050, XTM 2050, XTM 2 Series, XTM 3 Series, XTM 5 Series, XTM 8 Series – Fireware XTM OS 11.6 – CSP2 Build # 346090

11.6 – CSP2 Build # 346090 resolves the following issues:

BUG66240: CLI command “restore factory-default all” fails to restore factory default

BUG67367: The state of an XTM23 interface becomes unstable when transferring one big file by FTP

BUG67310: A/P XTM8 fails over WARNING: utm-11_6/src/343405/dev.c:1871 skb_gso_segment 0xce/0x1ca

Potential fix for kernel crashes related to “scheduling while atomic” when using BOVPN:

BUG64611: BUG: scheduling while atomic: ntpd/2446/0x10000200 on 11.5.1 XTM5

BUG67819: XTM2 memory leak causing xfrm_dst_cache value to increase and causing appliance to lockup

Potential fix for kernel crashes matching the following bugs:

BUG65288: kernel crash and reboot

BUG65179: Interface traffic stopped EIP: 0060: e02acf7b EFLAGS: 00010246 CPU: 3

BUG66670: XTM1050 rebooted itself and writing crash log EIP: 0060:[<dff64f7b>] EFLAGS: 00010246 CPU: 1

BUG66809: A/P Cluster Master reboots kernel BUG at /builds/utm-11_5_3_csp/src/341451/ EIP: ec2b9f59

BUG66872: A/P Cluster Member reboots kernel BUG at/builds/utm-11_5_3/src/340457/ip_set.c:507 EIP e033af7b

You can request 11.6 – CSP2 Build # 346090 from Watchguard Support by logging a support case online; they should then be able to provide an FTP download link and the appropriate credentials.

Please note that Watchguard CSP releases are cumulative, so you should only need to apply the latest one to ensure that you also have all previous fixes.