WatchGuard XTM 2 Series, XTM 3 Series, XTM 5 Series, XTM 8 Series – Fireware XTM OS 11.5.2 Build # 337008 has been released and can be downloaded from the WatchGuard website: http://www.watchguard.com/
This major XTM OS Release introduces the following changes/improvements:
Significant enhancements introduced in this release include:
- Application Control now offers a deny message to users whose HTTP requests are blocked
- New Advanced Search for log messages added to Log and Report Manager
- Mobile VPN with SSL now supports multiple authentication servers and Active Directory authentication domains
- Management Server device configuration template improvements
- Ability to create a device configuration template from an existing configuration file
- Inclusion of hosted WebBlocker Server settings in template for XTM 2 Series and XTM 33 devices
- Policy order in a template is preserved when you apply the template to an XTM device
- Support for FireCluster for XTM 330 appliances
Minor enhancements include:
- The ability to select the port used to send email notifications from the Log Server
- An updated list of trusted Certificate Authorities for proxies
- Diagnostic log messages for the Terminal Services Agent and TO Set Tool
- SMTP-proxy TLS encryption rules now limited to a maximum of 200 bytes
The following bugs/issues have also been resolved in this release:
General
- After you reboot your XTM device, you no longer see the warning “Cannot create directory `/etc/wg/tmp’”. [62883]
- A problem that caused some XTM 8 Series devices to reboot because of a kernel crash has been resolved in this release. [64465]
- ICMP redirects are now handled correctly after you upgrade from Fireware XTM v11.4.2 to v11.5.2. [64589]
- Several problems that resulted in device configuration changes requiring a reboot to take effect have been resolved in this release. [64201, 64763]
- A memory leak in the SNMP daemon has been corrected. [63860]
- This release resolves problems that occurred during an upgrade from Fireware XTM OS v11.3.x. [64815]
Networking
- When you configure policy-based Dynamic NAT with the Source IP option, you no longer need to add the Source IP address as a secondary address on the external network. [64292]
- A default route is now correctly added when you enable Eth0 as an external interface. [63588]
- This release resolves a problem with server connection stability when you use an SNAT load balancing action in your configuration. [64280]
- It is no longer necessary to reboot your XTM device after you change the wireless guest network. [64415]
- Dynamic NAT now supports nested aliases. [58991]
- Dynamic NAT now works correctly when configured with an IP address range. [45005]
- Branch office VPN tunnels can now successfully be created to use 1-to-1 NAT configured with an IP address range. [65105, 64480]
- The multi-WAN Link Monitor now works correctly. [62535, 64817, 61487]
- Multi-WAN now works correctly when configured in Routing Table mode, with the Link Monitor configured to use both ping and TCP using domain name. [61564]
- XTM 2 Series Gigabit interfaces are now correctly labeled in the Firebox System Manager Status Report. [60621]
- QoS marking now works correctly in proxy policies. [63518]
- Multicast traffic can now pass through a branch office VPN on an XTM device configured in drop-in mode. [62234]
Proxies
- The default proxy trusted CA list has been updated to match the lists in most major browsers. [64438]
- A problem that caused some HTTP downloads to stall when you use the HTTP proxy with IPS enabled has been resolved. [63136]
- This release includes improvements to the clean-up of stale proxied connections that could prevent new connections from being allowed. [63574, 64519]
FireCluster
- A problem that caused the master XTM 8 Series device in a FireCluster to reboot because of a kernel crash has been resolved. [63683]
- High UDP traffic levels through a branch office VPN tunnel that terminates to a FireCluster no longer cause the FireCluster to reboot. [64251]
- The FireCluster synchronization timeout has been increased to prevent synchronization failures. [63231]
- A problem with the maintenance of the static ARP list for an active/active FireCluster has been resolved to improve FireCluster stability. [64440]
- This release includes improved proxy debug log messages for FireCluster users. [63793]
- A problem that caused a FireCluster to crash and reboot has been resolved. [64669]
- A problem has been resolved that sometimes caused the FireCluster master to reboot when you used the CLI to remove a member. [64518]
- The Status Report cluster load balancing algorithm label has been corrected from “Lease Connections” to “Least-connections”. [64684]
- A problem that caused DHCP leases to fail to synchronize with the backup member has been fixed. [64148]
- The backup member no longer crashes when the FireCluster is under heavy proxy traffic load and a manual failover is initiated. [64226]
- A problem that caused some active/active FireClusters to fail when configured with branch office VPN has been resolved. [64909]
- In a FireCluster environment, log messages are now consistently and correctly sent to the Log Server. [64983]
Mobile VPN with SSL
- The Mobile VPN with SSL Mac client now correctly removes the previously assigned DNS server addresses after it is disconnected. [64418]
Mobile VPN with IPSec
- A problem that resulted in a stack trace with the error message “Iked stack trcace eip=0x080c4013” has been resolved. [65026]
Branch Office VPN
- Packets with a total data size value between 1507 and 1538 now correctly pass through a branch office VPN tunnel. [63764]
- You can now correctly configure 1-to-1 NAT with an IP range for a branch office VPN tunnel. [65105]
Authentication
- A problem that caused the SSO Event Log Monitor to crash has been fixed. [64824]
WSM & Management Server
- The Apache httpd server bundled with WSM has been upgraded to version 2.2.21. [58220, 64556]
- IPS is now correctly shown as enabled/disabled within an XTM template. [64124]
- The “Add Device” wizard now correctly detects and configures the gateway device with the private IP address of the Management Server. [64498]
Policy Manager
- The backup archive password is no longer recorded in the log file. [64088]
- Attempts to save configuration changes for new features to an XTM device running Fireware XTM v11.4 are now detected and handled correctly. [64609]
Web UI
- The WatchGuard Authentication policy is no longer deleted when you disable Mobile VPN with SSL from the Web UI or CLI. [65234]
- Gateway AV can now be enabled in an SMTP proxy action from the Subscription Services > Gateway AV > Configure page. [62464]
Security Services
- A problem that caused Gateway AV to fail when performing archive file scanning has been resolved. [64898, 65114]
Logging & Reporting
- The log level setting now works correctly for DHCP log messages. [57096]
- Corrupt Log or Report Server database tables no longer cause an upgrade to the new v11.5.x database schema to abort. [64726]
- This release corrects multiple issues with restoring log files from backup archives. [64141, 65173]
- You can now export log search results from the Log and Report Manager. [63198, 42489, 62608]
- The Log and Report Manager Logs > Devices list now includes the serial number for each device. [63786]
- WatchGuard Server Center no longer resets the start time to a previous value when a report schedule is edited. [64980]
- Users with permission to view only reports can now see all the reports they have access to. [65127]
- The Alarms Summary report is now available in the Log and Report Manager Dashboard and Devices sections. [64420]
- The default pivot (Users or Hosts) can now be set for the graphs available on the Log and Report Manager Dashboard tab. [65098]
- Percentage and Total count statistics have been added to a number of summary reports in Report Manager. [62981, 63019]