XTM Data Loss Prevention


What’s New in Fireware XTM v11.8.1
WatchGuard Training
What’s New in XTM 11.8.1
 Networking Enhancements
• Secondary networks for VLANs [40123]
• Support for static NAT and server load balancing for traffic through an Optional interface [39793]
• PPPoE client IP address enforcement [73382]
• DHCP Force Renew support on external interfaces [61383]
• Sierra Wireless 320U 3G/4G modem support [74572]
• Bridge XTM wireless Access Points to the same network [76381]
 XTMv Enhancements
• XTMv on ESXi now supports active/passive FireCluster [72105]
 WatchGuard AP Device Management Enhancements
• New AP status of Discovered in the Gateway Wireless Controller [77081]
• Ability to upgrade an AP device from the Gateway Wireless Controller [73497]
• Automatic AP device firmware upgrades are now staggered [77738]
 Authentication Enhancements
• Customize the Authentication Portal page [42587]
• Case-sensitivity disabled for Firebox-DB user names [61132]
 HTTPS-Proxy Enhancements
• Allow only SSL compliant traffic through the HTTPS-proxy [76197]
 WebBlocker Enhancements
• Improved WebBlocker local override page [66930]
 Management Server Enhancements
• Management Server Clustering [41220]
• Compare versions of configuration files & force users to comment on changes to configuration files and templates [77204]
 Monitoring & Reporting Enhancements
• Download a diagnostic log file from the Web UI [77638]
• New Web Traffic Summary report [76985]
Networking Enhancements
Secondary Networks for VLANs
 You can now configure a secondary network for a VLAN interface.
• Configure these settings on the Secondary tab in the VLAN configuration.
• Supported for Trusted, Optional, and External VLAN interfaces.
• Secondary IP addresses are often used for Static NAT on external interfaces or network migration and router consolidation on trusted or optional interfaces.
SNAT from Optional to Trusted
 In a Static NAT action or Server Load Balancing NAT action, you can now select an External or Optional interface.
 This enables you to do static NAT or server load balancing for traffic from the optional network to the trusted network.
PPPoE Client IP Address Enforcement
 PPPoE advanced settings include an option to enforce the client static IP address.
 When this option is selected:
• The XTM device sends the configured PPPoE client IP address to the PPPoE server.
• The XTM device uses the configured client IP address, even if another IP address is obtained from the server.
 PPPoE client address enforcement is useful for clients of ISPs that provide multiple static IP addresses. This new option is useful if the ISP does not respond with the address included in the client request.
DHCP Force Renew
 When you configure the external interface as a DHCP client, you can optionally enable the XTM device to respond to DHCP Force Renew messages.
• The FORCERENEW message requests the DHCP client to renew its leased IP address sooner than it ordinarily would.
• You can optionally specify a shared key that must match the key in the FORCERENEW request.
Additional 3G/4G Modem Support
 Sierra Wireless 320U 3G/4G USB modem is now supported for modem failover.
 To see a complete list of supported modems, see this Knowledge Base article: http://customers.watchguard.com/articles/Article/Supported-3G4G-USB-devices
Bridge XTM Wireless Access Points to the Same Interface
 On an XTM wireless device, you can now bridge Wireless Access Point 1 and Wireless Access Point 2 to the same XTM device interface.
XTMv Enhancements
FireCluster on XTMv
 You can configure two XTMv devices as an active/passive FireCluster on VMware vSphere ESXi.
 vSwitch configuration requirements:
• The vSwitch connected to an external interface must accept MAC address changes.
• The vSwitch connected to the FireCluster management interface must have promiscuous mode enabled.
AP Device Management Enhancements
Staggered AP Device Firmware Automatic Upgrades
 Automatic upgrades of AP device firmware are now staggered.
• If automatic upgrade is enabled in the Gateway Wireless Controller settings, the automatic upgrade of AP devices does not occur simultaneously.
• If there are multiple paired AP devices, the AP device firmware upgrades occur one at a time for each AP device, five minutes apart.
Update AP Device Firmware for a Single AP Device
 You can now upgrade the firmware on a single AP device from the Gateway Wireless Controller tab in Firebox System Manager.
• You can see the version of AP firmware available on the XTM device.
• You can see the version of AP firmware currently installed on each AP device.
• Click Upgrade to upgrade the AP firmware to the available version.
 In Fireware XTM Web UI, this option is available in the Gateway Wireless Controller Dashboard.
New AP Device Status — Discovered
 The Gateway Wireless Controller now shows a status of Discovered for a paired AP device that is connected, but is not yet Online.
• After an AP device restarts, the status is Discovered when the XTM device has successfully communicated with the AP device, but the AP device is not yet online.
Authentication Enhancements
Customize the Authentication Portal
 You can now configure the look and feel of the Authentication Portal page from Fireware XTM Web UI and Policy Manager.
• Add custom logo
• Add custom welcome message or disclaimer
• Specify the page title
• Select custom colors
• Select custom fonts
Disable Case-Sensitivity for Firebox-DB User Names
 For users created for Firebox Authentication (to the Firebox-DB Authentication Server), you can now disable case-sensitivity for user names.
 Users can type their user names with any capitalization and still authenticate.
HTTPS-Proxy Enhancements
HTTPS-Proxy — Allow only SSL Compliant Traffic
 By default, when you enable the HTTPS proxy, it allows SSL traffic matching any SSL version.
 When this new option is selected, the HTTPS proxy allows only traffic that matches one of these SSL versions:
• SSL_V2=0x200
• SSL_V3=0x300
• TLS_V1=0x301
• TLS_V11=0x302
• TLS_V12=0x303
 This new option can be useful if you want to deny traffic that is not HTTP over SSL.
 This option is not necessary or available when deep packet inspection is enabled in your HTTPS proxy configuration.
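As an added illustration (this is not WatchGuard code and does not describe how Fireware implements the check), the following Python function applies the version list above to the first bytes a client sends on a connection: it accepts an SSL/TLS ClientHello whose version is one of the five listed values and rejects anything else, such as plaintext HTTP or SSH carried over port 443. The mapping of an on-the-wire SSLv2 hello (version 0x0002) onto the slide's SSL_V2=0x200 value is an assumption of this example, and the sample byte strings are constructed, not captured.

```python
import struct

# Version numbers exactly as listed on the slide (16-bit major.minor values).
ALLOWED_VERSIONS = {
    0x0200: "SSL_V2",
    0x0300: "SSL_V3",
    0x0301: "TLS_V1",
    0x0302: "TLS_V11",
    0x0303: "TLS_V12",
}

def classify_first_bytes(data):
    """Return (allowed, reason): allowed is True only for an SSL/TLS ClientHello
    whose version is in ALLOWED_VERSIONS, so anything else on the port is denied."""
    if len(data) < 5:
        return False, "fewer than 5 bytes: not an SSL/TLS record"
    # SSLv2-format ClientHello: 2-byte header with the high bit set, message
    # type 0x01, then a 2-byte version. SSLv2 is 0x0002 on the wire; mapping
    # it onto the slide's 0x0200 is an assumption of this example.
    if data[0] & 0x80 and data[2] == 0x01:
        version = struct.unpack("!H", data[3:5])[0]
        if version == 0x0002:
            version = 0x0200
        name = ALLOWED_VERSIONS.get(version)
        if name is None:
            return False, "SSLv2-format hello with unlisted version 0x%04x" % version
        return True, name
    # SSLv3/TLS record layer: content type (0x16 = handshake), version, length.
    if data[0] != 0x16:
        return False, "first byte 0x%02x is not a handshake record" % data[0]
    record_version = struct.unpack("!H", data[1:3])[0]
    if record_version not in ALLOWED_VERSIONS:
        return False, "record-layer version 0x%04x not listed" % record_version
    # Handshake header is type (1) + length (3); a ClientHello (type 0x01)
    # then carries the client's own version at record offset 9.
    if len(data) >= 11 and data[5] == 0x01:
        client_version = struct.unpack("!H", data[9:11])[0]
        if client_version not in ALLOWED_VERSIONS:
            return False, "ClientHello version 0x%04x not listed" % client_version
        return True, ALLOWED_VERSIONS[client_version]
    return True, ALLOWED_VERSIONS[record_version]

# Constructed samples, not real captures: a truncated TLS 1.2 ClientHello in a
# TLS 1.0 record, an SSLv2-format hello, and two non-SSL protocols on port 443.
SAMPLES = {
    "tls12_hello": bytes.fromhex("160301002c01000028030300"),
    "sslv2_hello": bytes.fromhex("802e0100020018"),
    "plain_http": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "ssh_banner": b"SSH-2.0-OpenSSH_8.9\r\n",
}
```

Both version fields are consulted because TLS 1.2 clients commonly send a 0x0301 record-layer version with 0x0303 inside the ClientHello. The check covers only the opening ClientHello; a proxy enforcing this option would also have to validate every later record on the connection.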
WebBlocker Enhancements
WebBlocker Local Override Page
 The Local Override authentication form that users see in the web browser when access to a web page is denied by WebBlocker has been formatted to match the deny message.
Management Server Enhancements
Management Server Clustering
 Create clusters of WatchGuard Management Servers for failover and redundancy.
 Uses the native Microsoft Failover Cluster service support for high availability.
 Configure each WatchGuard Management Server independently and then use the command line to complete the setup of the servers in a failover cluster.
New Configuration Management Settings
 In WatchGuard Server Center > Management Server, the setting to force users to make a comment before saving changes to a device or configuration template has been moved to a new Configuration Management tab.
 In the Comment Template list, optionally type the instructions to appear in the Comments dialog box, which users see when they save the configuration file or a configuration template to the Management Server.
Compare Configuration File Versions
 In WSM, for a device configuration file, run a Difference Report to see the changes between versions of the configuration in the Configuration History.
 The Difference Report includes all changes made to the configuration.
Monitoring & Reporting Enhancements
Download Diagnostic Log File from the Web UI
 Fireware XTM Web UI now supports download of a diagnostic log file (support.tgz).
 Enable diagnostic logging and download the support.tgz file:
1. Select System > Configuration File.
2. Click Download the Support Logs.
 Review the file for diagnostic and packet trace information about your XTM device.
Web Traffic Summary Report
 The Web Traffic Summary report has been added to WatchGuard System Manager Log and Report Manager. This report (already available with Dimension) offers a high-level view of:
• Top web sites visited by clients, in a bar chart
• Top web categories visited by clients, in a pie chart
Thank You!