Category Archives: 525

Watchguard Feature Requests and Enhancements

Below is a list of Requests for Engineering and Enhancements that have been submitted to Watchguard for the XTM UTM Appliance Range

If you would also like any of these features then I would suggest that you raise a Technical support case with Watchguard and mention the appropraite RFE within your support ticket. You should also ask the case to be set to Status: Bug/Enhancement Submitted and select “Receive BUG/RFE Updates?” so that you are alerted when the feature is implemented in a new XTM OS release. The more cases that are logged against an RFE the faster Watchguard are likely to get the new feature implemented.

  • RFE61499 – Support for FTP through Explicit TLS/SSL
  • RFE62784: Ability to choose dns server requests on dedicated external interface
  • RFE66209 Protection against Brute Force Attacks on OWA, FTP and SMTP
  • RFE67449 – Support for SMTP PIPELINING
  • RFE67450: support for DSN in SMTP proxy
  • RFE67451: support for ENHANCEDSTATUSCODES in SMTP proxy
  • RFE72251: Local WebBlocker Server with Websense Categorization Engine
  • RFE73433 Ability to block or drop traffic based off of geographic location

Please also feel free to post your comments about these feature requests and any others that you think would be beneficial.  I will update the post with new RFE’s so that we can collectively push Watchguard product development for them to be implemented.

 

Watchguard XTM 1050, XTM 2050, XTM 2 Series, XTM 3 Series, XTM 5 Series, XTM 8 Series – Fireware XTM OS 11.7.2 Build # 365430

Watchguard XTM 1050, XTM 2050, XTM 2 Series, XTM 3 Series, XTM 5 Series, XTM 8 Series – Fireware XTM OS 11.7.2 Build # 365430

Issues resolved in Fireware XTM v11.7.2 Build # 365430

General
•WatchGuard Server Center no longer fails to open if you specify a long path to the log file. [71406]
•You can now upgrade the XTM OS version on your XTM device from Fireware XTM Web UI from a Windows 8 browser. [70997]
•In response to a security advisory issued by OpenSSL, we have upgraded Fireware XTM OS to use OpenSSL 0.9.8y. [71416]
•In response to a security advisory issued by Adobe, we have upgraded the Flex XSS used in the Fireware XTM Web UI. [70444]
•Our thanks to Wayne Murphy and Ben Burns of Sec-1 for reporting some XSS and SQLi web application vulnerabilities in our quarantine portal, which have been resolved in this release. [71188]

Proxies and Subscription Services
•WebBlocker evaluations (with a WebBlocker trial license) now operate correctly. [71507]
•WebBlocker exception rules to deny web site access now work correctly. [71760, 71783]
•An issue that caused web browsing to slow or fail when you use WebBlocker with Websense server has been resolved. [71057, 71557]
•This release resolves a system memory leak that occurred when you used the HTTPS proxy and WebBlocker. [71082]
•You can now set a main Application Category to Drop while you have a subcategory set to Allow. [71018]
•Proxy stability when using IPS or Application Control has been improved. [71024, 71046, 71270, 71495, 71371, 71240, 71733, 70977, 71713]
•TLS encryption is no longer enabled by default in the SMTP proxy configuration, but can be enabled if you want to use it. [71137]

Logging and Reporting
•This release resolves an issue that caused the logging processes on the XTM device to use a high percentage of CPU. [59979, 66060]
•Log data now correctly shows in Log Manager when you sort messages by the “Date-Time” column. [70145]
•Correct log data now shows correctly in Firebox System Manager Traffic Monitor and in the Web UI Syslog option. [71044]
•A problem with log messages generated for Reputation Enabled Defense has been corrected so that the number of sites blocked by RED is now correctly counted. [70920]
•The User Authentication Denied report now generates with correct and complete information. [71359]
•A problem that prevented reports for older data sets from generating with a resulting memory error has been resolved in this release. [70957]
•The Web Audit by Client PDF report generation process has been improved so that the data now matches the data in an HTML formatted report. [63472]

Networking
•The SNMP process on XTM 25/26 and XTM 33 devices is now restarted automatically in the event that it gets stuck in a dormant state. [70975]
•Multi-WAN failover now works correctly with Static NAT configured on the external interface for failover. [71148]
•This release resolves a problem that prevented Policy Based Routing from correctly routing traffic through a second external interface. [71175]

FireCluster
•This release resolves an issue that caused a low memory condition when an active/passive FireCluster was configured. [70204]
•The Virtual MAC address is no longer sent from the backup master when you use an active/passive FireCluster with DHCP relay enabled. [71028]

Authentication
•You can now correctly add and edit Firebox-DB users from the Web UI. [71079]

Branch Office VPN
•An automatically created VPN policy to allow traffic through a managed VPN tunnel now works correctly when its name exceeds 46 characters in length. [70994]
•When you install the Management Server on a non-English Windows OS, you can now correctly add VPN resources. [71180]

Mobile VPN
•The feature key entry previously called “Mobile VPN Users” has been re-labeled “IPSec VPN Users” for clarity. [69581]

You can download 11.7.2 Build # 365430 from Watchguard Support Portal by logging in to your account.

Watchguard XTM 1050, XTM 2050, XTM 2 Series, XTM 3 Series, XTM 5 Series, XTM 8 Series – Fireware XTM OS 11.7 Build # 359571

Watchguard XTM 1050, XTM 2050, XTM 2 Series, XTM 3 Series, XTM 5 Series, XTM 8 Series – Fireware XTM OS 11.7 Build # 359571

New features in Fireware XTM v11.7 Build # 359571

Policy Grouping

  •  With Policy Grouping, you can create and apply tags to policies and then use the tags to easily filter the list of policies and streamline the number of policies in the policy list at one time. This is particularly helpful for users who have complicated device configuration files with many policies to manage. Policy tags are not available for devices running older versions of Fireware XTM OS (pre-v11.7) or for configuration files created for pre-v11.7 devices.

Link Aggregation

  •  You can now group your XTM device physical interfaces together to work as a single logical interface. With link aggregation, you can increase the cumulative throughput of your XTM device beyond the capacity of a single physical interface, and provide redundancy if there is a physical link failure.

WebBlocker Cloud Option with Websense

  •  New support for the Websense URL database in the cloud. Now, you can use the Websense cloud, with over 100 content categories and many new categories, as your WebBlocker Server. Or, if you prefer, you can continue to use a WebBlocker Server with the SurfControl database and 54 content categories. For new WebBlocker activations, the Websense cloud configuration is the default setting. When you upgrade to Fireware XTM v11.7, WebBlocker continues to use the previously configured WebBlocker server. After you upgrade, you can update the WebBlocker configuration to use the Websense cloud for WebBlocker lookups. When you switch between WebBlocker server options, the management software can automatically convert the currently blocked categories to similar categories in the other database.

WatchGuard Mobile VPN App for iOS and Android

  •  New apps make it easy for end users to build a VPN connection from iOS and Android devices. The administrator of the XTM appliance can securely email a file with the required configuration details, which the user can simply click to install the VPN profile after the app is installed. For Android, we now provide a WatchGuard client for Mobile VPN with IPSec. The WatchGuard VPN app for iOS operates with both Mobile VPN with IPSec and Mobile VPN with L2TP connections. The iOS app will be available in the Apple store later this month. The Android app will be available in the Google Play app store later this month as well.

Mobile VPN with L2TP

  •  Support for a new type of Mobile VPN connection – L2TP (Layer 2 Tunneling Protocol) v2, as described in RFC 2661.

IPS and Application Control Support in the HTTPS Proxy

  •  IPS and Application Control security subscriptions are now fully supported by the HTTPS proxy to allow the XTM device to scan for IPS and Application Control signatures on the decrypted HTTPS content stream.

Other new features include:

  •  New web interface for CA Manager – The CA Manager Web UI has moved to the Log and Report Manager Web UI. The combined web interface has been renamed to WebCenter.
  • New web UI to manage quarantined email messages – New look and feel for the Web UI that email recipients use to see and manage their quarantined email messages.
  • Support for more than four external interfaces on your XTM device
  • Hardware Health Monitoring – Your XTM device now self-monitors the health of specific hardware areas and sends an email notification if it detects a problem in those areas.
  • FireCluster support with wireless devices – You can now configure FireCluster for XTM 2 Series Models 25 and 26 Wireless and XTM 33 Wireless. Only active/passive mode is supported for wireless devices.
  • New DHCP options for VoIP support – You can now configure your XTM device to support DHCP options 66, 67 and 150.
  • Per user/group and concurrent login support – You can now set the number of concurrent, authenticated sessions you want to allow, and you can control this on a per user or per group basis.
  • Wireless Hotspot external authentication support – You can optionally configure the wireless hotspot on the XTM device to redirect hotspot users to an external web server before they connect to the wireless network.
  • IPv6 enhancements – We add support for IPv6 stateful firewalling for these networking and security features:

1.1.        IPv6 host/network/address ranges in From and To lists in policies

1.2.        IPv6 addresses in blocked sites and blocked site exceptions

1.3.        Blocked ports applies to both IPv6 and IPv4 traffic

1.4.        TCP SYN checking applies to both IPv6 and IPv4 traffic

  • Branch office VPN failover to modem – If you have enabled serial modem failover on your XTM 25, 26, 3 Series, or 5 Series device, you can configure the branch office VPN to fail over to a modem if all external interfaces cannot connect.
  • Stream packet capture data to a file – A new advanced option to stream packet capture data to a file.
  • Global Dynamic NAT enhancements – When you configure a global dynamic NAT rule, you can now set the source IP address to use
  • IPS Scan mode – You can now select between two scan modes, Fast Scan and Full Scan. The default setting is Full Scan, which directs IPS to scan all packets. To improve performance, you can select Fast Scan, which directs IPS to scan fewer packets. Fast Scan mode greatly improves throughput for scanned traffic, with a slight drop in IPS effectiveness.
  • New Management Tunnels – New support for remote XTM devices behind a NAT gateway

Resolved Issues in Fireware XTM v11.7 Build # 359571

General

  • WFS firmware component files and management applications are no longer bundled with WatchGuard System Manager [67508]
  • A problem that caused the XTM 1050 10 Gigabit Fiber ports to fail has been resolved [70118]
  • This release resolves a problem that caused a kernel crash when a reset packet is sent out through the 10 Gigabit Fiber ports on the XTM 1050 and XTM 2050 [70384, 70296]
  • When an IP address is added to the Temporary Blocked Site list by the administrator through the Firebox System Manager > Blocked Sites tab, the expiration time is no longer reset when traffic is received from the IP address [42089]

Proxies and Subscription Services

  •  File downloads no longer stall when you use an HTTP packet filter policy with IPS [67659]
  • The SIP ALG now supports REFER method for call transfers [59635]
  • The IPS deny message contents have been improved [66839]
  • We have improved the scand daemon so that it restarts faster in the event of a crash

Logging and Reporting

  •  You can now show more than 5000 lines of log messages in Firebox System Manager [66518]
  • The contents of the XTM Configuration Report have been localized for both viewing and printing into all languages supported by the Fireware XTM Web UI [66546]
  • The behavior of the Report Server Maximum Database Size setting now matches that of the Log Server, and prevents the Report Server database from filling the disk partition [67245]
  • Log collector no longer crashes when it reaches the 2GB virtual size limit on 32-bit Windows systems [64249]

Networking

  •  If you manually created dynamic routing policies in Fireware XTM v11.5.x or earlier, the To and From lists in these policies are no longer cleared when you upgrade to v11.6 or v11.7 [67721]
  • The SNMP process is now automatically restarted if it becomes stuck in a dormant state [66491]
  • The IGMP_Max_Membership setting for OSPF has been increased to support a large number of VLANs with dynamic routing [69979]

FireCluster

  •  This release resolves a problem that caused the master in an XTM 2050 FireCluster to go into an idle state when you added a new interface [70392]
  • The Terminal Services TO Agent now works correctly when used in an active/passive FireCluster [70098, 69944]

Wireless

  •  The 5GHz Wireless band now works correctly with channels 36, 40, 149 or 165 [65559]

Branch Office VPN

  •  Managed BOVPN tunnels now include support for optional 1-to-1 NAT [68244]
  • The amount of time it takes to fail over from a leased line to a branch office VPN with OSPF or BGP has been reduced [70460]

Mobile VPN

  •  Frequent mobile VPN client log in/log out events no longer cause a low memory condition on the XTM device [67538]
  • When you use a native Cisco IPsec iOS client for Mobile VPN with IPSec, the client no longer disconnects after three minutes of idle time [69430]
  • If you set the diagnostic log level for Mobile VPN with SSL traffic to “debug” level, log messages now correctly display in Firebox System Manager > Traffic Manager [65165]
  • You can now correctly establish a Mobile VPN with SSL connection from a Windows-based computer when the Windows system account is Chinese [58208]
  • A continuous FTP session over a Mobile VPN with IPSec connection is no longer terminated if an IPSec rekey occurs during the FTP transfer [32769]

You can download 11.7 Build # 359571 from Watchguard Support Portal by logging in to your account.

Watchguard XTM 1050, XTM 2050, XTM 2 Series, XTM 3 Series, XTM 5 Series, XTM 8 Series – Fireware XTM OS 11.6.1 – CSP3 Build # 354688

Watchguard XTM 1050, XTM 2050, XTM 2 Series, XTM 3 Series, XTM 5 Series, XTM 8 Series – Fireware XTM OS 11.6.1 – CSP3 Build # 354688

11.6.1 – CSP3 Build # 354688 Resolves the following issues:

BUG69616: The dynamic IP at peer side is not added into the local cache file at multi-wan

BUG69351: After reboot multiple Phase 1 one time outs occurred. Unable to build VPN tunnels

BUG69624: Limit rate of phase one auto start after reboot

BUG69377  Incorrect model number displayed with MODEL 505 license

BUG69625: iked crash sig 6, sig 11

BUG68554: Interface failing to route and not listing ‘inet addr’ in status report > interfaces

BUG68312: SIP proxy causes CFM restart due to memory cap violation

BUG67656: Process `cfm.5′ with pid: 1515 / tid: 1515 died unexpectedly on signal 6 (SIP)

BUG67479: CFM Stack traces using SIP after upgrading from 11.4.2 to 11.5.3U1 using existing setup

BUG67782: cfm.2 stacktrace, SIP (stack contents @ 0xbe836430), signal 6

BUG67001: BOVPN over 1:1 NAT fails with multiWAN causes one way traffic (inbound fails)

BUG68944: VPN 1:1 nat does not work when we use it on multiwan(3 pppoe and 1 dhcp)xtm box

BUG69090: VPN tunnel fails and stops passing traffic – xfrm_dst_cache value exceeded in slab info

BUG67819: memory leak causing xfrm_dst_cache value to increase and causing appliance to lockup

BUG69351: After reboot multiple Phase 1 one time outs occurred. Unable to build VPN tunnels XTM2050

You can request 11.6.1 – CSP3 Build # 354688 from Watchguard Support by logging a support case online, they should then be able to provide an ftp download link and appropriate credentials.

Please note that Watchguard CSP releases are cumulative so you should only need to apply the latest to ensure that you also have any previous fixes.