Tag Archives: SSL

Watchguard XTM 1050, XTM 2050, XTM 2 Series, XTM 3 Series, XTM 5 Series, XTM 8 Series – Fireware XTM OS 11.6.1 – Build # 346666

Fireware XTM OS 11.6.1 – Build # 346666 provides some new features and resolves the following issues:

• This release introduces support for the new high-performance XTM 5 Series models 515, 525, 535, and 545

• Provides an update to our localized user interfaces and documentation

• An XTM device configured in bridge mode can now pass VLAN traffic between 802.1Q switches or bridges

• FireCluster support for XTM 25, 26, and 33 wired models

• Several issues have been resolved in this release that caused XTM devices to crash when configured to use Application Control or IPS [66937, 65426, 65636, 67312, 66135, 67159, 67399, 67310]

• An issue was resolved that caused some XTM device processes to crash when running Mu Dynamics default published vulnerability test [66490]

• An issue was resolved that caused a kernel crash and device reboot [67329]

• The XTM 2 Series device can now handle a large file transfer without interface instability [67367]

• A problem that caused incorrect data to display on the XTM 5 Series LCD screen has been resolved [67197]

• Policy Manager now displays the correct VLAN limits for XTM 5 Series models 505, 510, 520, and 530 with a standard Fireware XTM feature key (not Pro) [67780]

• You can now successfully configure and apply Traffic Management actions for XTM 2 and 3 Series devices from the Web UI [67221, 66645]

• Firebox X Edge e-Series devices can now be successfully managed with templates [67658]

• The notification message sent when a local Log or Report database is down now correctly shows the host IP address instead of “???” [41731]

• The Log Server can now handle backup files greater than 2GB in size without generating the error “Error (8199), Exception during backup of oldest log data: File is not a zip file” [66811]

• The DHCP lease activity report now works correctly [66062]

• Log Collector now handles XTM device log data that spans multiple SSL/TLS records without crashing [66347]

• A problem has been resolved that caused poor performance on XTM 2 Series models 25 and 26 because of an incorrect memory allocation for security subscription signatures [67240]

• A deny message is now correctly sent to the web browser in most cases when Application Control blocks content in the Web/Web 2.0 category [66201]

• The WebBlocker automatic database update time is no longer off by one hour when daylight saving time is in effect in the host server’s time zone [67551]

• If you use PPPoE or DHCP for an external interface on an XTM device configured to use multi-WAN, the XTM device no longer loses the default routes for external interfaces after the external interface reconnects [67424, 67520]

• A problem has been resolved that caused a static route to fail after an external interface configured to use PPPoE is disconnected, then reconnected [67520]

• Tagged VLAN traffic is now correctly recognized when an XTM device is configured in Bridge mode [64355]

• The CLI command “restore factory default all” now successfully restores a device to its factory default settings [66240]

• An issue has been resolved that caused Policy Manager to incorrectly display an interface IP address as 0.0.0.0/24 when you viewed a FireCluster configuration for a cluster in drop-in mode [63551]

• The Mobile VPN with SSL process no longer crashes during a FireCluster failover [66118]

You can download Fireware XTM OS 11.6.1 – Build # 346666 from the Watchguard website.
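The Log Collector fix above [66347] is a classic stream-framing bug: a TLS record carries at most 16 KiB of plaintext (RFC 5246 section 6.2.1) and `ssl.SSLSocket.recv()` hands back at most one record's worth per call, so a single log message can arrive split across two reads and several messages can arrive in one. The following is an added example, not WatchGuard code: a small framer that reassembles newline-delimited messages regardless of where the record boundaries fall, with a size cap so an unterminated message cannot grow the buffer without bound. The sample log lines are constructed syslog-style text, not real Fireware output.

```python
"""
Reassembling newline-delimited log messages from a TLS stream.

Added example, not WatchGuard code.  A collector that treats every recv()
as exactly one message mis-parses (or crashes) when a message straddles a
TLS record boundary; buffer until the terminator arrives instead.
"""

MAX_TLS_PLAINTEXT = 16384  # 2**14, TLS 1.2 maximum plaintext fragment size

# Constructed syslog-style sample messages (not real Fireware output).
LOG_LINES = [
    "<134>Jan 12 10:01:02 xtm-01 firewall: Allow 10.0.1.25 203.0.113.9 tcp 51822 80\n",
    "<134>Jan 12 10:01:03 xtm-01 firewall: Deny 10.0.1.40 198.51.100.7 tcp 41011 22\n",
    "<131>Jan 12 10:01:04 xtm-01 ips: alarm src=198.51.100.7 dst=10.0.1.40 action=drop\n",
]


class LineFramer:
    """Buffers arbitrary byte chunks and returns complete newline-terminated
    messages.  max_line bounds memory when a peer never sends a terminator."""

    def __init__(self, max_line=64 * 1024):
        self._buf = bytearray()
        self._max_line = max_line

    def feed(self, chunk):
        self._buf += chunk
        lines = []
        while True:
            nl = self._buf.find(b"\n")
            if nl < 0:
                break
            lines.append(bytes(self._buf[:nl]).decode("utf-8", "replace"))
            del self._buf[: nl + 1]
        if len(self._buf) > self._max_line:
            raise ValueError("unterminated message exceeds %d bytes" % self._max_line)
        return lines

    def pending(self):
        """Bytes held back because their terminator has not arrived yet."""
        return len(self._buf)


def split_like_tls_records(data, record_size=MAX_TLS_PLAINTEXT):
    """Cut a byte string the way a peer's TLS records would deliver it."""
    return [data[i:i + record_size] for i in range(0, len(data), record_size)]


def collect(chunks):
    """Feed chunks through one framer; return (messages, bytes still buffered)."""
    framer = LineFramer()
    messages = []
    for chunk in chunks:
        messages.extend(framer.feed(chunk))
    return messages, framer.pending()


def read_log_lines(sock):
    """Production loop: sock is a connected ssl.SSLSocket (or plain socket).
    Yields messages as they complete, independent of record boundaries."""
    framer = LineFramer()
    while True:
        chunk = sock.recv(MAX_TLS_PLAINTEXT)
        if not chunk:  # orderly close; anything still buffered is a truncated message
            return
        for line in framer.feed(chunk):
            yield line
```

`collect(split_like_tls_records(data, n))` returns the same message list for any record size `n`, which is the property the original collector lacked; `read_log_lines` is the same logic wired to a real socket.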

Schannel.dll – Pre Service Pack 2 Revision History for Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Small Business Server 2011 (SBS 2011)

05-May-2015 – 6.1.7601.23045 – Schannel.dll – x86/x64 – https://support.microsoft.com/en-us/kb/3061518 – MS15-055: Vulnerability in Schannel could allow information disclosure: May 12, 2015

05-May-2015 – 6.1.7601.18843 – Schannel.dll – x86/x64 – https://support.microsoft.com/en-us/kb/3061518 – MS15-055: Vulnerability in Schannel could allow information disclosure: May 12, 2015

06-Mar-2015 – 6.1.7601.22983 – Schannel.dll – x86/x64 – https://support.microsoft.com/en-gb/kb/3046049 – MS15-031: Vulnerability in SChannel could allow security feature bypass: March 10, 2015

06-Mar-2015 – 6.1.7601.18779 – Schannel.dll – x86/x64 – https://support.microsoft.com/en-gb/kb/3046049 – MS15-031: Vulnerability in SChannel could allow security feature bypass: March 10, 2015

14-Oct-2014 – 6.1.7601.22843 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/3011780 – MS14-068: Vulnerability in Kerberos could allow elevation of privilege: November 18, 2014

14-Oct-2014 – 6.1.7601.22843 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/3003743 – MS14-074: Vulnerability in Remote Desktop Protocol could allow security feature bypass: November 11, 2014

19-Sep-2014 – 6.1.7601.22814 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/2992611 – MS14-066: Vulnerability in SChannel could allow remote code execution: November 11, 2014

19-Sep-2014 – 6.1.7601.18606 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/3011780 – MS14-068: Vulnerability in Kerberos could allow elevation of privilege: November 18, 2014

19-Sep-2014 – 6.1.7601.18606 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/2992611 – MS14-066: Vulnerability in SChannel could allow remote code execution: November 11, 2014

11-Jul-2014 – 6.1.7601.22741 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/2982706 – You cannot access network shares after the computer restarts in Windows 8.1 or Windows 7

30-May-2014 – 6.1.7601.22705 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/2973337 – SHA512 is disabled in Windows when you use TLS 1.2

30-May-2014 – 6.1.7601.18489 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/3003743 – MS14-074: Vulnerability in Remote Desktop Protocol could allow security feature bypass: November 11, 2014

30-May-2014 – 6.1.7601.18489 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/2973337 – SHA512 is disabled in Windows when you use TLS 1.2

10-Jun-2013 – 6.1.7601.22352 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/2830145 – SID S-1-18-1 and SID S-1-18-2 can’t be mapped on Windows 7 or Windows Server 2008 R2-based computers in a domain environment

08-Mar-2013 – 6.1.7601.22276 – Schannel.dll – x64 – http://support.microsoft.com/kb/2824066 – Hotfix is available that corrects “User’s SID” in event ID 6035 in Windows Server 2008 R2

05-Nov-2012 – 6.1.7601.22153 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/2768492 – User cannot connect to remote desktop server on a Windows 7-based or Windows Server 2008 R2-based client computer

02-Nov-2012 – 6.1.7601.22150 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/2760730 – Description of an update rollup that resolves interoperation issues in Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, and Windows Server 2008 R2 SP1

21-Sep-2012 – 6.1.7601.22116 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/2748437 – User profile folder name is displayed as “user name@domain name” when you use a UPN to log on to a Windows 7-based or Windows Server 2008 R2-based client computer

23-Jul-2012 – 6.1.7601.22068 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/2574819 – An update is available that adds support for DTLS in Windows 7 SP1 and Windows Server 2008 R2 SP1

20-Jul-2012 – 6.1.7601.17911 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/2574819 – An update is available that adds support for DTLS in Windows 7 SP1 and Windows Server 2008 R2 SP1

02-Jun-2012 – 6.1.7601.22010 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/2655992 – MS12-049: Vulnerability in TLS could allow information disclosure: July 10, 2012

02-Jun-2012 – 6.1.7601.17856 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/2655992 – MS12-049: Vulnerability in TLS could allow information disclosure: July 10, 2012

06-Apr-2012 – 6.1.7601.21959 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/2695401 – DPAPI keys are not synchronized when you unlock a Windows 7-based or Windows Server 2008 R2-based computer

10-Feb-2012 – 6.1.7601.21920 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/2675498 – “NetBIOS domain name\username” format cannot be used with the Kerberos referral mechanism to log on to a computer in a cross-forest environment

18-Jan-2012 – 6.1.7601.21901 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/2665790 – Resource-based constrained delegation KDC_ERR_POLICY failure in environments that have Windows Server 2008 R2-based domain controllers

17-Nov-2011 – 6.1.7601.21861 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/2585542 – MS12-006: Description of the security update for Webio, Winhttp, and schannel in Windows: January 10, 2012

17-Nov-2011 – 6.1.7601.17725 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/2585542 – MS12-006: Description of the security update for Webio, Winhttp, and schannel in Windows: January 10, 2012

18-Dec-2010 – 6.1.7601.21624 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/2416849 – SSL authentication fails and X.509 error occurs when a WCF-enabled application performs mutual authentication in Windows 7, in Windows Server 2008 R2, in Windows Vista, or in Windows Server 2008
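The list above mixes two servicing branches: Windows 7 SP1 / 2008 R2 SP1 file versions 6.1.7601.17xxx and .18xxx are the GDR branch that Windows Update installs, while .21xxx, .22xxx and .23xxx are the LDR (hotfix) branch, and a fully patched GDR file will always have a lower number than any LDR build. A naive "is my version at least X" check therefore reports false positives. The following is an added example, not from this page's author or from Microsoft: it parses lines in the page's own format, records the lowest fixed version per bulletin and per branch, and judges an installed version only against its own branch. `HISTORY` is a subset of the entries above; the branch cut-off at revision 20000 is an assumption based on that convention, and the versions passed to `missing_bulletins()` are constructed.

```python
"""
Branch-aware patch-level check for Schannel.dll against a revision history
in the format used above.  Added example; not Microsoft's or this page's code.
"""
import re
from collections import defaultdict

# Subset of the revision history above, in the page's own line format:
# "date – file version – file – arch – KB URL – title".
HISTORY = """\
05-May-2015 – 6.1.7601.23045 – Schannel.dll – x86/x64 – https://support.microsoft.com/en-us/kb/3061518 – MS15-055: Vulnerability in Schannel could allow information disclosure: May 12, 2015
05-May-2015 – 6.1.7601.18843 – Schannel.dll – x86/x64 – https://support.microsoft.com/en-us/kb/3061518 – MS15-055: Vulnerability in Schannel could allow information disclosure: May 12, 2015
06-Mar-2015 – 6.1.7601.22983 – Schannel.dll – x86/x64 – https://support.microsoft.com/en-gb/kb/3046049 – MS15-031: Vulnerability in SChannel could allow security feature bypass: March 10, 2015
06-Mar-2015 – 6.1.7601.18779 – Schannel.dll – x86/x64 – https://support.microsoft.com/en-gb/kb/3046049 – MS15-031: Vulnerability in SChannel could allow security feature bypass: March 10, 2015
19-Sep-2014 – 6.1.7601.22814 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/2992611 – MS14-066: Vulnerability in SChannel could allow remote code execution: November 11, 2014
19-Sep-2014 – 6.1.7601.18606 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/2992611 – MS14-066: Vulnerability in SChannel could allow remote code execution: November 11, 2014
02-Jun-2012 – 6.1.7601.22010 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/2655992 – MS12-049: Vulnerability in TLS could allow information disclosure: July 10, 2012
02-Jun-2012 – 6.1.7601.17856 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/2655992 – MS12-049: Vulnerability in TLS could allow information disclosure: July 10, 2012
30-May-2014 – 6.1.7601.22705 – Schannel.dll – x86/x64 – http://support.microsoft.com/kb/2973337 – SHA512 is disabled in Windows when you use TLS 1.2
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{2}-\w{3}-\d{4}) – (?P<ver>\d+(?:\.\d+){3}) – \S+ – \S+ – (?P<url>\S+) – (?P<title>.*)$"
)
BULLETIN_RE = re.compile(r"\bMS\d{2}-\d{3}\b")


def parse_version(text):
    """'6.1.7601.18843' -> (6, 1, 7601, 18843); tuples compare component-wise."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError("expected a four-part file version, got %r" % text)
    return parts


def branch(ver):
    """Assumption (Windows 7 SP1 / 2008 R2 SP1 convention): revisions below
    20000 (17xxx, 18xxx) are GDR; 20000 and above (21xxx-23xxx) are LDR.
    Versions are only comparable within one branch."""
    return "GDR" if ver[3] < 20000 else "LDR"


def parse_history(text):
    """Return {bulletin: {branch: lowest file version that carries the fix}}.
    Lines without an MSyy-nnn bulletin id (plain hotfixes) are skipped."""
    fixes = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        b = BULLETIN_RE.search(m.group("title"))
        if not b:
            continue
        ver = parse_version(m.group("ver"))
        br = branch(ver)
        current = fixes[b.group()].get(br)
        if current is None or ver < current:
            fixes[b.group()][br] = ver
    return dict(fixes)


def missing_bulletins(installed, fixes):
    """Bulletins whose fixed Schannel.dll on the installed file's own branch is
    newer than what is installed.  Only this one file is judged: a newer
    version shows the fix is present in Schannel.dll, nothing more."""
    ver = parse_version(installed)
    br = branch(ver)
    missing = []
    for bulletin, per_branch in fixes.items():
        need = per_branch.get(br)
        if need is not None and ver < need:
            missing.append(bulletin)
    return sorted(missing)


def naive_missing(installed, fixes):
    """What a branch-blind check reports: comparing against the highest fixed
    version regardless of branch flags fully patched GDR files as missing."""
    ver = parse_version(installed)
    return sorted(b for b, per in fixes.items() if ver < max(per.values()))
```

To get the installed version on a host, `(Get-Item C:\Windows\System32\schannel.dll).VersionInfo.FileVersion` in PowerShell returns a string such as `6.1.7601.18843 (win7sp1_gdr.150421-1610)`; pass only the leading dotted quad to `missing_bulletins()` (the lab string after it also names the branch, which is a useful cross-check of the 20000 cut-off).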

Watchguard XTM 2 Series, XTM 3 Series, XTM 5 Series, XTM 8 Series – Fireware XTM OS 11.5.3 Build # 339420

Fireware XTM OS 11.5.3 Build # 339420 resolves the following issues:

Minor enhancements

• Changes to the routes section of the Firebox System Manager Status Report to improve consistency in the way IPv4 and IPv6 routes are displayed.

• New IP address validity checking in Mobile VPN configurations to help prevent common errors with overlapping IP addresses.

General

• An instability issue found on some XTM 2 devices, where the device could pass traffic normally but could not be managed with WSM or Web UI, has been fixed. [64546]

• A Support Snapshot (a support.tgz file) can now be correctly saved to a USB drive. [64897]

Policy Manager

• You can now use an IP address with a leading zero (10.19.09.0 vs 10.19.9.0) without causing branch office VPN failures. [65189]

• Policy Manager now updates the Mobile VPN with IPSec policies when the configured Virtual IP Address Pool is changed. [65241]
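The leading-zero fix above [65189] deserves a caveat: "10.19.09.0" is not one address, it is whatever the parser on each end decides it is. BSD and glibc `inet_aton(3)` treat a leading 0 as octal and a 0x prefix as hex, so "010" is 8 and "09" is not a number at all, while a lenient decimal parser reads "09" as 9; a tunnel configured on one side and validated on the other can quietly disagree. The following is an added example, not WatchGuard's parser: three small parsers (strict, lenient decimal, and a re-implementation of the `inet_aton` numeric rules restricted to the four-part form, which is a simplification) run over constructed inputs to show where they diverge.

```python
"""
Why a leading zero in a dotted-quad address is hazardous: parsers disagree
on what "10.19.09.0" or "10.19.010.0" mean.  Added example, not WatchGuard's
code; parse_inet_aton() follows the numeric rules of BSD/glibc inet_aton(3)
for the four-part form only.  Sample addresses are constructed.
"""
import re

FOUR_PARTS = re.compile(r"^([^.]+)\.([^.]+)\.([^.]+)\.([^.]+)$")


def _split4(text):
    m = FOUR_PARTS.match(text)
    if not m:
        raise ValueError("not a four-part dotted quad: %r" % text)
    return m.groups()


def _check_octet(value, part):
    if not 0 <= value <= 255:
        raise ValueError("octet %r out of range" % part)
    return value


def parse_strict(text):
    """Strict decimal: four plain decimal octets, no leading zeros.
    This is what an address validator at a security boundary should do."""
    octets = []
    for part in _split4(text):
        if not part.isdigit() or (len(part) > 1 and part[0] == "0"):
            raise ValueError("octet %r is not plain decimal" % part)
        octets.append(_check_octet(int(part, 10), part))
    return tuple(octets)


def parse_lenient(text):
    """Decimal with leading zeros tolerated: '09' -> 9.  What many ad-hoc
    parsers (anything built on int(part, 10)) silently do."""
    return tuple(_check_octet(int(part, 10), part) for part in _split4(text))


def parse_inet_aton(text):
    """inet_aton(3) numeric rules: '0x' prefix is hex, leading '0' is octal,
    otherwise decimal.  So '010' -> 8 and '09' is rejected outright."""
    octets = []
    for part in _split4(text):
        if part[:2].lower() == "0x":
            value = int(part[2:], 16)
        elif len(part) > 1 and part[0] == "0":
            value = int(part, 8)  # raises ValueError on '09'
        else:
            value = int(part, 10)
        octets.append(_check_octet(value, part))
    return tuple(octets)


def interpretations(text):
    """Run all three parsers; None means that parser rejected the input."""
    result = {}
    for name, fn in (("strict", parse_strict), ("lenient", parse_lenient), ("inet_aton", parse_inet_aton)):
        try:
            result[name] = ".".join(str(o) for o in fn(text))
        except ValueError:
            result[name] = None
    return result
```

`interpretations("10.19.010.0")` gives `10.19.10.0` from the lenient parser and `10.19.8.0` from the `inet_aton` rules, which is exactly the kind of mismatch that makes a VPN peer or firewall rule apply to the wrong network; the strict parser rejects both that and "10.19.09.0", which is the safe behaviour for configuration input. Python's own `ipaddress` module has rejected leading zeros since 3.9.5 / 3.8.12 for this reason.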

Authentication

• The Event Log Monitor has been enhanced to more effectively retrieve group information in a clientless SSO environment. [65300]

• The SSO Client now responds appropriately when a client computer resumes from a hibernate or sleep state. [65561]

• In the SSO Setup Wizard, the Event Log Monitor check box is now clear by default. [65825]

• The SSO Agent can now correctly load configuration information when the network interface is unavailable. [65802]

Proxies

• HTTP proxy performance has been improved when downloading very large files. [65967]

• A chunking handling issue in the HTTP proxy has been resolved. [65505]

• The SMTP proxy now correctly detects a multi-line 550 response as a valid response. [64463]

• When you use TLS with the default optional allowed rules in the SMTP proxy, email messages can now be delivered successfully to mail servers that do not support TLS. [64650]

• A SIP ALG memory leak issue has been resolved. [65749]

• The SIP ALG now allows provisional ACKs. [65247]

• A problem that caused the SIP ALG to crash has been resolved. [60222]

Security Services

• Gateway AV now detects password-encrypted virus attachments as scan errors. [65047]

• Gateway AV signature update memory utilization has been optimized in this release. This prevents Gateway AV scanning failures caused by a lack of memory. [64940, 64511, 62222]

• The HTTP response no longer stalls when both Gateway AV and RED are enabled. [65877]

• The UTF8 encoded X-WatchGuard-AntiVirus header no longer breaks attachments with long file names. [64883]

• WebBlocker can now correctly fail over to a configured backup server. [65211]

Centralized Management

• Device configuration templates that contain a TCP-UDP proxy policy and a WebBlocker action now work correctly with WatchGuard devices running Fireware XTM v11.3.x. [65408]

Logging & Reporting

• The frequently seen log message: “failed to get routing rules” has been suppressed. [65463]

• A problem that caused log messages to take up to 15 minutes to fail over to a backup Log Server in some networks has been resolved. [62275]

• The Log Collector can now gracefully recover from errors related to a lack of shared memory. [65101]

• Report Manager no longer shows “500 Internal Server Error” when you try to get access to device reports on February 29th of a calendar leap year. [65735]

• Report Manager can now successfully generate PDF output for reports that contain a bar chart. [65099]

• Report Server no longer stops responding to requests while it generates ConnectWise reports data. [65725]

• The Application Usage and Blocked Applications reports no longer display the incorrect IP address value in the y-axis. [65302]

• You can now specify “https://” as part of the ConnectWise Server address without causing WatchGuard Server Center to fail. [64712]

Networking

• Configuration files that include a large number of 1-to-1 NAT entries no longer cause a traffic interruption when saved. [60037]

• A problem that caused a significant memory spike when you configured the DHCP server lease time to one second has been resolved. [65242]

• A problem that caused XTM device performance degradation to occur on devices configured with at least one VLAN interface and many secondary IP addresses has been resolved. [65591]

FireCluster

• A problem that could cause members in a cluster to lock up until rebooted has been resolved. This problem would only occur on a cluster for which proxies were configured. [61091]

• A crash that could occur when one or more connections spanned multiple failovers (at least two failovers in a row) has been corrected. [66008, 66177]

• A problem that could cause connections to time out prematurely has been corrected. In most cases, the symptom would be the disruption of a service (e.g. an FTP download would fail). The problem could affect connections assigned to the non-master of an Active/Active cluster or connections assigned to the new master of an Active/Passive cluster following a failover. [66110]

• Log messages about a FireCluster reboot have been improved to include the reason for the reboot. [65115]

• A problem that prevented a FireCluster failover from occurring because of an error in interpreting the health of the FireCluster Monitored Port has been resolved. [65441]

• An Application Control bug that caused both members of an active/passive FireCluster to reboot has been resolved. [65770]

Mobile VPN with SSL

• Policy Manager and Web UI now display a warning message if Mobile VPN with SSL is enabled and the external IP address of the XTM device is modified. [65806]

• A problem that caused the Mobile VPN with SSL client to crash when connecting from a computer using the Mac OSX 64-bit operating system has been resolved. [65776]

• The Mobile VPN with SSL client running on a computer using Windows 7 64-bit OS can now operate correctly with a third-party web server certificate. [65535]

Mobile VPN with IPSec

• The Mobile VPN with IPSec Shrew Soft client can now connect to an XTM device configured with a static IP address. [64920]

Branch Office VPN

• The latency of packets that traverse a branch office VPN tunnel has been improved. [65333]

• This release resolves a problem that caused an IKEd stacktrace issue in FireCluster. [63108, 65292]

CLI

• You can now use the CLI vlan-id command with the “external dhcp” option successfully. [65478]

• The CLI show sysinfo command now displays the correct CPU utilization values. [64521]

You can download Fireware XTM OS 11.5.3 Build # 339420 from the Watchguard website.

Please note that Watchguard XTM OS releases are cumulative, so you only need to apply the latest OS to pick up all previous fixes and features.

Watchguard XTM 2 Series, XTM 3 Series, XTM 5 Series, XTM 8 Series – Fireware XTM OS 11.5.2 Build # 337008

Watchguard XTM 2 Series, XTM 3 Series, XTM 5 Series, XTM 8 Series – Fireware XTM OS 11.5.2 Build # 337008 has been released and can be downloaded from the Watchguard website http://www.watchguard.com/

This major XTM OS Release introduces the following changes/improvements:

Significant enhancements introduced in this release include:

  • Application Control now offers a deny message to users whose HTTP requests are blocked
  • New Advanced Search for log messages added to Log and Report Manager
  • Mobile VPN with SSL now supports multiple authentication servers and Active Directory authentication domains
  • Management Server device configuration template improvements
    • Ability to create a device configuration template from an existing configuration file
    • Inclusion of hosted WebBlocker Server settings in template for XTM 2 Series and XTM 33 devices
    • Policy order in a template is preserved when you apply the template to an XTM device
  • Support for FireCluster for XTM 330 appliances

Minor enhancements include:

  • The ability to select the port used to send email notifications from the Log Server
  • An updated list of trusted Certificate Authorities for proxies
  • Diagnostic log messages for the Terminal Services Agent and TO Set Tool
  • SMTP-proxy TLS encryption rules now limited to a maximum of 200 bytes

The following bugs/issues have also been resolved in this release

General

  • After you reboot your XTM device, you no longer see the warning “Cannot create directory ‘/etc/wg/tmp’”. [62883]
  • A problem that caused some XTM 8 Series devices to reboot because of a kernel crash has been resolved in this release. [64465]
  • ICMP redirects are now handled correctly after you upgrade from Fireware XTM v11.4.2 to v11.5.2. [64589]
  • Several problems that resulted in device configuration changes requiring a reboot to take effect have been resolved in this release. [64201, 64763]
  • A memory leak in the SNMP daemon has been corrected. [63860]
  • This release resolves problems that occurred during an upgrade from Fireware XTM OS v11.3.x. [64815]

Networking

  • When you configure policy-based Dynamic NAT with the Source IP option, you no longer need to add the Source IP address as a secondary address on the external network. [64292]
  • A default route is now correctly added when you enable Eth0 as an external interface. [63588]
  • This release resolves a problem with server connection stability when you use an SNAT load balancing action in your configuration. [64280]
  • It is no longer necessary to reboot your XTM device after you change the wireless guest network. [64415]
  • Dynamic NAT now supports nested aliases. [58991]
  • Dynamic NAT now works correctly when configured with an IP address range. [45005]
  • Branch office VPN tunnels can now successfully be created to use 1-to-1 NAT configured with an IP address range. [65105, 64480]
  • The multi-WAN Link Monitor now works correctly. [62535, 64817, 61487]
  • Multi-WAN now works correctly when configured in Routing Table mode, with the Link Monitor configured to use both ping and TCP using domain name. [61564]
  • XTM 2 Series Gigabit interfaces are now correctly labeled in the Firebox System Manager Status Report. [60621]
  • QoS marking now works correctly in proxy policies. [63518]
  • Multicast traffic can now pass through a branch office VPN on an XTM device configured in drop-in mode. [62234]

Proxies

  • The default proxy trusted CA list has been updated to match the ones in most major popular browsers. [64438]
  • A problem that caused some HTTP downloads to stall when you use the HTTP proxy with IPS enabled has been resolved. [63136]
  • This release includes improvements to the clean-up of stale proxied connections that could prevent new connections from being allowed. [63574, 64519]

FireCluster

  • A problem that caused the master XTM 8 Series device in a FireCluster to reboot because of a kernel crash has been resolved. [63683]
  • High UDP traffic levels through a branch office VPN tunnel that terminates to a FireCluster no longer cause the FireCluster to reboot. [64251]
  • The FireCluster synchronization timeout has been increased to prevent synchronization failures. [63231]
  • A problem with the maintenance of the static ARP list for an active/active FireCluster has been resolved to improve FireCluster stability. [64440]
  • This release includes improved proxy debug log messages for FireCluster users. [63793]
  • A problem that caused a FireCluster to crash and reboot has been resolved. [64669]
  • A problem has been resolved that sometimes caused the FireCluster master to reboot when you used the CLI to remove a member. [64518]
  • The Status Report cluster load balancing algorithm label has been corrected from “Lease Connections” to “Least-connections”. [64684]
  • A problem that caused DHCP leases to fail to synchronize with the backup member has been fixed. [64148]
  • The backup member no longer crashes when the FireCluster is under heavy proxy traffic load and a manual failover is initiated. [64226]
  • A problem that caused some active/active FireClusters to fail when configured with branch office VPN has been resolved. [64909]
  • In a FireCluster environment, log messages are now consistently and correctly sent to the Log Server. [64983]

Mobile VPN with SSL

  • The Mobile VPN with SSL Mac client now correctly removes the previously assigned DNS server addresses after it is disconnected. [64418]

Mobile VPN with IPSec

  • A problem that resulted in a stack trace with the error message “Iked stack trcace eip=0x080c4013” has been resolved. [65026]

Branch Office VPN

  • Packets with a total data size value between 1507 and 1538 now correctly pass through a branch office VPN tunnel. [63764]
  • You can now correctly configure 1-to-1 NAT with an IP range for a branch office VPN tunnel. [65105]

Authentication

  • A problem that caused the SSO Event Log Monitor to crash has been fixed. [64824]

WSM & Management Server

  • The Apache httpd server bundled with WSM has been upgraded to version 2.2.21. [58220, 64556]
  • IPS is now correctly shown as enabled/disabled within an XTM template. [64124]
  • The “Add Device” wizard now correctly detects and configures the gateway device with the private IP address of the Management Server. [64498]

Policy Manager

  • The backup archive password is no longer recorded in the log file. [64088]
  • Attempts to save configuration changes for new features to an XTM device running Fireware XTM v11.4 are now detected and handled correctly. [64609]

Web UI

  • The WatchGuard Authentication policy is no longer deleted when you disable Mobile VPN with SSL from the Web UI or CLI. [65234]
  • Gateway AV can now be enabled in an SMTP proxy action from the Subscription Services > Gateway AV > Configure page. [62464]

Security Services

  • A problem that caused Gateway AV to fail when performing archive file scanning has been resolved. [64898, 65114]

Logging & Reporting

  • The log level setting now works correctly for DHCP log messages. [57096]
  • Corrupt Log or Report Server database tables no longer cause an upgrade to the new v11.5.x database schema to abort. [64726]
  • This release corrects multiple issues with restoring log files from backup archives. [64141, 65173]
  • You can now export log search results from the Log and Report Manager. [63198, 42489, 62608]
  • The Log and Report Manager Logs > Devices list now includes the serial number for each device. [63786]
  • WatchGuard Server Center no longer resets the start time to a previous value when a report schedule is edited. [64980]
  • Users with permission to view only reports can now see all the reports they have access to. [65127]
  • The Alarms Summary report is now available in the Log and Report Manager Dashboard and Devices sections. [64420]
  • The default pivot (Users or Hosts) can now be set for the graphs available on the Log and Report Manager Dashboard tab. [65098]
  • Percentage and Total count statistics have been added to a number of summary reports in Report Manager. [62981, 63019]