Transcript What`s New in Fireware v11.11

What’s New in Fireware v11.11
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
2
What’s New in Fireware v11.11
 New Features and Enhancements
• Network Discovery
• Mobile Security
• Botnet Detection
• Explicit Proxy
• Allowed Google Apps domains
• Multiple Hotspot Portals
• RADIUS Single Sign-On
• BOVPN Virtual Interface Interoperability
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
3
What’s New in Fireware v11.11
 Additional Feature Enhancements
• APT Blocker Clean threat level
• Remove Office documents that contain
macros with the SMTP Proxy
• Self-signed certificate support for SMTP
over TLS deep inspection
• Username in HTTP Proxy Deny Message
• Gateway Wireless Controller
enhancements
• FireCluster upgrade improvements
• Loopback Interface
• 32-bit BGP AS number support
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
4
Network Discovery
View a graphical representation of your
network
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
5
Network Discovery
 Network Discovery is a subscription service that provides the
ability to discover devices on your internal network and
display them on a network map in Fireware Web UI
 Get this information for each device:
• IP Address
• Device Name / Host Name
• MAC address
• Operating System and services
• Open network ports
• Mobile Security devices and compliance status
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
6
Network Discovery
 When you enable Network Discovery, the process load
increases and consumes additional memory
• Can noticeably affect the performance of your Firebox,
particularly if you have a large network
 Only enable Network Discovery if you plan to use it
• To minimize the performance impact, configure the Network
Discovery scan settings to only scan the networks that you must
monitor
 Network Discovery is only supported on M and T Series
Fireboxes, and XTMv devices
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
7
Network Discovery — Network Scan
 To configure network scan
settings, select
Subscription Services >
Network Discovery
 Enable Network Discovery
and select the Firebox
interfaces to scan
 Specify a Network Scan
Schedule
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
8
Network Discovery — Manual Scan
 You can also perform an on-demand, manual scan
 Initial scan is performed quickly to display the map, other
details (ports, services, OS) are added in later scan stages
 Select only the interfaces or networks you want to scan
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
9
Network Discovery — Scan Details
 Several scan stages to
determine host details
• Quick Host Discover
• TCP and OS
• UDP and Service
Version
 UDP and Service
Version scan stage takes
the longest time
 A full scan for a
x.x.x.x/24 network with
100 active hosts can
take several hours
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
10
Network Discovery — Network Map
 Select Dashboard
> Network
Discovery >
Network Map tab
 The Network Map
is organized by
Firebox interfaces
and networks
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
11
Network Discovery — View Devices
 From the Network Map tab, you can:
• Select a device
• View the address in FireWatch or Traffic Monitor
• Remember Device — Add descriptive details for the Firebox
and save the description in the map configuration
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
12
Network Discovery — Device List
 Select Dashboard > Network Discovery > Device List tab
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
13
Network Discovery — Search Filters
 On the Network
Discovery pages, you
can use Search to filter
the scan results
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
14
Network Discovery — Device Details & Ports
 Device Details
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
15
Network Discovery — Remember Device
 Click Remember Device to edit device details and specify a
name and description
• Remembered device details are saved in the map configuration
 Select Approved Device to add to an Approved device group
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
16
Network Discovery — Approved Device
 Approved Device group
• Identify a device as a known approved device on your network
• Helps you differentiate between known and rogue devices
• When an Approved Device is offline, it is displayed in the idle
devices section of the map
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
17
Network Discovery — Device Expiration
 Device expiration from the Network Map
• Previously detected devices expire and are removed from the
map when:
– A new manual or scheduled scan does not discover the device
– After seven days if no manual or scheduled scan is performed
• Mobile devices are considered offline if no traffic is sent for more
than two hours
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
18
Network Discovery — Limitations
 Intermediary firewalls or other NAT devices can affect the
accuracy of the scan path
• Hosts cannot be discovered behind NAT
 Less common OS types and services might not be recognized
 Most Firebox OS versions can be detected, but not hardware
models
 Host name or device type cannot always be correctly detected
 Subnet mask limits for scans:
• /24 — Remote networks
• /16 — Neighbor networks
• /8 — Not scanned
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
19
Mobile Security
Extend firewall security to mobile devices
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
20
Mobile Security Overview
 Mobile Security sets security requirements for iOS and
Android mobile devices to send traffic through your network
 Requires an additional license (number of users with
expiration date)
 On the Firebox, you set device compliance requirements
• Approved OS versions
• Not rooted or jailbroken
• No malware/riskware/adware (Android only)
 To be compliant, mobile users must run the FireClient app
 Compliance status appears in the Mobile Security Dashboard
 The Firebox denies traffic from mobile devices that are not
compliant
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
21
Mobile Security Overview
1. Enable and configure Mobile Security
2. The Android or iOS device
connects to the network
3. The user runs the FireClient app to
check compliance
4. The Firebox allows traffic from compliant devices
FireClient
The Firebox drops traffic from mobile devices that are not
compliant
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
22
Mobile Security Licensing
 Mobile Security license
• Specifies the maximum number of unique concurrent users
• Has an expiration date
• Example: MOBILE_SECURITY_USER#1000@Nov-15-2016
– This license allows 1,000 unique users and expires 15 Nov 2016
 User licensing is per unique user
• Users must authenticate to use Mobile Security
• A user can use FireClient to connect from more than one mobile
device simultaneously, and it counts as only one user
 Mobile Security is supported for Firebox models only
• The Mobile Security license is not available for XTM models
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
23
Mobile Security — Device Type Detection
 The Firebox uses these methods to detect the device type for
all devices that connect:
• Firebox web portals (Hotspot Portal, Authentication Portal)
– Gets device type from User-Agent in the HTTP header
• Single Sign-On with Exchange Monitor
– Gets device type from Exchange Server log messages
• DHCP fingerprinting
– Gets device type based on the pattern of traffic from DHCP clients
through the Firebox
– The DHCP server can be on the Firebox or on another server
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
24
Mobile Security — Device Type Detection
• Mobile VPN (IPSec and SSL VPN only)
– Gets device type from an attribute in the SSL VPN handshake
– Gets device type based on the pattern of IPSec packets
 If the device type is iOS or Android, Mobile Security denies
traffic for devices that are not compliant
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
25
Mobile Security — Configuration
 In Fireware Web UI:
• Select Subscription Services > Mobile Security
• Select Enable Mobile Security
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
26
Mobile Security — Configuration
• Configure settings:
– Enforcement — When to enforce Mobile Security
– Device Compliance — Requirements for Android and iOS devices
– Device Protection — Protect Android devices while connected
– Device Authorization Agreement — An agreement you want
FireClient users to accept
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
27
Mobile Security — Enforcement
 Enforcement settings:
• VPN enforcement
– By default, Mobile Security
drops VPN traffic from mobile
devices that are not compliant
• Interfaces
– Specify which interfaces Mobile
Security enforcement applies to
• Exceptions
– No enforcement for traffic to
these destinations
– Includes Kaspersky by default
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
28
Mobile Security — Device Compliance
 FireClient downloads the device-specific compliance settings
to use as criteria for mobile device compliance
• Android and iOS devices have different available settings
Reconnection
settings
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
29
Mobile Security — Device Compliance
 Android compliance settings
• OS versions to allow
• Do not allow:
– Rooted devices
– USB debugging enabled
– Apps from unknown sources
– Malware/Adware/Riskware
(as detected by Kaspersky)
 iOS compliance settings
• OS versions to allow
• Do not allow jailbroken devices
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
30
Mobile Security — Device Protection
 Settings for FireClient for Android after the initial compliance
check
• Keep-alive — Controls how often FireClient contacts the Firebox
• Device Protection — Monitor new applications and files
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
31
Mobile Security — Authorization Agreement
 Specify an agreement that users must accept in FireClient
• The agreement is versioned and has a time and date stamp
• If you change the agreement, users must agree to it the next
time they use FireClient to connect
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
32
Mobile Security — Monitoring
 Mobile Security Dashboard
• Includes all mobile devices that have connected with FireClient
• View device details to see why the device is not compliant
• Compliance status:
– Passed — Device is compliant
– Failed — Device is not compliant
– Unknown — FireClient is not connected or did not yet report compliance
status
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
33
Mobile Security — Monitoring
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
34
Mobile Security — Monitoring
 Compliance status
appears on the System
Status > Network
Discovery page
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
35
FireClient
 Mobile app for Android and iOS devices
• Requires user to authenticate unless already authenticated
• Downloads a compliance checklist from the Firebox
• Uses Kaspersky service for malware detection (Android only)
• Checks mobile device compliance status and reports to Firebox
• Uses HTTP and HTTPS to communicate to the Firebox
• Sends keep-alive requests to maintain a connection to the
Firebox
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
36
FireClient
 OS Compatibility
• Android 4.1 and higher
• iOS 8 and higher
 Availability
• Free in the Google Play store and the Apple App Store
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
37
Use FireClient
 Install FireClient from Google Play store or Apple App Store
 To install FireClient, connect to a network that does not have
Mobile Security enabled
 Connect to the corporate network with WiFi or a VPN
 Launch FireClient
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
38
Use FireClient
1. Connect to
Firebox
Firebox internal
interface IP address
2. Authenticate to
Firebox
Authentication is not
required if the user is
already authenticated
through SSL VPN or
IPSec VPN.
3. Verify
compliance
4. Resolve any
compliance
issues
Keep FireClient running
to remain compliant
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
39
Scenario — Local Connection
 Employee brings Android tablet to work and wants to use the
company internal wireless network
• User connects the tablet to an AP device on the trusted network
• Without FireClient, the device can only connect to destinations
on the Mobile Security exception list (Kaspersky)
• User connects and authenticates from FireClient
– FireClient downloads the compliance checklist from the Firebox
– FireClient uses Kaspersky cloud service for malware detection
– If malware is found, the user is prompted to remove the app
– If detected malware is not removed, the compliance check fails
• After FireClient reports the device is compliant, the tablet can
access all destinations allowed by other policies
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
40
Scenario — VPN Connection
 Employee uses IPSec or SSL Mobile VPN to connect and
authenticate to the corporate network from an iPad
• VPN component on the Firebox detects the device type is iPad
• Mobile Security drops VPN traffic from mobile devices that are
not compliant (enabled by default)
• Traffic through the VPN is allowed only to sites on the Mobile
Security exception list
• User connects from FireClient
– No authentication is required, because user is already authenticated
– FireClient downloads compliance checklist and checks compliance
• After FireClient reports the device is compliant, the iPad can
access all destinations allowed by other policies
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
41
Botnet Detection
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
42
Botnet Detection
 A botnet comprises a large number of malware-infected client
computers that are controlled by a remote server to perform
malicious acts
• Denial-of-service attacks
• Sending spam and viruses
• Stealing private data from clients
 The Firebox can already block access from infected clients on
your network to botnet sites over HTTP with the WebBlocker
Command and Control and Botnet Activity categories
 Botnets are now finding other paths to control infected botnet
clients using non-traditional network ports, social networks,
and P2P networks
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
43
Botnet Detection
 The new Botnet Detection Subscription Service uses a feed of
known botnet site IP addresses from Reputation Enabled
Defense (RED) and adds these addresses to the Blocked
Sites List
• Note: The Botnet Sites list is too large to display in the Blocked
Sites List
 Enables your Firebox to block botnet activity at the packet
level
 Botnet Detection is enabled with the RED feature key
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
44
Botnet Detection — Configuration
 Botnet Detection is enabled by default
 You can create exceptions to the Botnet Detection Sites list
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
45
Botnet Detection — Statistics
 Botnet Detection statistics:
• Dashboard > Subscription
Services page
• Firebox System Manager >
Subscription Services tab
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
46
Botnet Detection — Botnet List Updates
 Enable automatic
updates of the Botnet
Detection Sites list to
keep the list of botnet
sites up to date
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
47
Botnet Detection — Logs and Notifications
 Botnet Detection log messages indicate the source and
destination if the Firebox detects infected clients on your
network that are in communication with a botnet command
and control server:
Jan 1 10:25:40 2016 WatchGuard-Firebox local0.warn firewall: msg_id="3000-0148"
Deny 4-Optional-3 0-External 84 icmp 20 63 10.0.5.97 42.62.40.103 8 0 id=4124
seq=3 botnet="destination" msg="blocked sites" (Internal Policy)
Jan 1 10:31:45 2016 WatchGuard-Firebox local0.warn firewall: msg_id="3000-0148"
Deny 4-Optional-3 0-External 28 icmp 20 63 85.17.31.111 100.0.0.1 8 0 id=14608
seq=512 botnet="source" msg="blocked sites " (Internal Policy)
 Enable alarm notifications in the Blocked Sites List
configuration
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
48
Explicit Proxy
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
49
Explicit Proxy
 In a typical proxy configuration, the Firebox transparently
proxies and inspects client connections to servers
 Explicit proxy support enables the Firebox to accept direct
requests from clients and then connect to specified servers
and retrieve the information on behalf of the client
 Provides easier drop-in integration for customers that want to
replace an existing proxy server with a Firebox, without
infrastructure and client reconfiguration
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
50
Explicit Proxy — HTTP Explicit Proxy
 HTTP Explicit Proxy
• Web browser clients are configured to send requests directly to
the Firebox IP address and port
• HTTP traffic is proxied and inspected by Firebox security
services, and the configured HTTP Proxy Action rules apply
• Firebox adds a Via Header to the HTTP Request/Response
– This can be the Firebox IP address or a customizable alias
• Explicit Proxy uses TCP port 3128 by default
• Web caching is not performed by the Firebox
• Explicit Proxy is logged and reported in Dimension as HTTP
Proxy traffic
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
51
Explicit Proxy — HTTP CONNECT Tunnel
 HTTP CONNECT tunneling support for HTTPS
• Client sends an HTTP request to the Firebox Explicit Proxy on
port number 3128
• The Explicit Proxy establishes a TCP connection to the specified
destination
• When the connection is established, the Explicit Proxy responds
to the original HTTP request with an HTTP response, and then
the client can send data to the destination server
• Allow, Deny, or Block based on the specified ports, or select an
HTTPS proxy action to use for HTTPS traffic through a tunnel
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
52
Explicit Proxy — FTP over HTTP (Web FTP)
 FTP over HTTP connection support
• The Explicit Proxy can proxy FTP connections sent over HTTP
(also known as Web FTP)
• For example, a web URL specified as
ftp://ftp.example.com/path or
ftp://user:[email protected]/path/
• The Explicit Proxy connects to the destination server with native
FTP commands to retrieve a directory listing or file, and then
sends the data to the client in an HTTP response
– HTTP request is subject to the Explicit Proxy rules
– Firebox uses the FTP protocol through the specified FTP proxy
action, and standard FTP proxy action rules apply
– HTTP response to the client is not passed through the Explicit Proxy
action
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
53
Explicit Proxy — Configuration
 Add and configure the Explicit Proxy policy
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
54
Explicit Proxy — Proxy Action
 Configure the Explicit
Proxy proxy action
• Via Header address
• Web FTP settings —
Select an FTP proxy
action
• Enforce authentication
portal for Explicit Proxy
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
55
Explicit Proxy — CONNECT Tunneling
 CONNECT Tunneling configuration in the Explicit Proxy proxy
action
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
56
Explicit Proxy — PAC Files
 Proxy Auto-Configuration (PAC) File Support
• A PAC file is a simple JavaScript file with the proxy configuration
for a client web browser
• The PAC file configures the web browser with a proxy server
address (the Firebox)
• The PAC file can be hosted on the Firebox and made available
to clients with Web Proxy Auto-Discovery Protocol (WPAD)
• Configure WPAD with a custom DHCP rule on a Firebox
interface – Option 252
– Note: The Firebox does not support WPAD with DNS
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
57
Explicit Proxy — PAC Files
• You can manage multiple PAC files on the Firebox
• PAC files can be synchronized in a cluster
– Note: The Firebox does not validate the contents of PAC files
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
58
Explicit Proxy — Policies
 Policy for PAC file downloads created automatically when
Explicit Proxy policy configured
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
59
Explicit Proxy — PAC File Management
 PAC File Management
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
60
Explicit Proxy — WPAD over DHCP
 Add PAC file to DHCP options on a Firebox interface
 Custom Option — Code 252
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
61
Explicit Proxy — Browser Configuration
 Configure Web Browsers
Edge Browser Settings
• Can be discovered with
WPAD (Automatically
detect settings)
• In most enterprises, the
proxy auto configuration
URL is distributed by
Active Directory policies
• Can also provide
manual configuration of
explicit proxy address
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
62
Allowed Google Apps
Domains
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
63
Allowed Google Apps Domains
 Use the HTTPS Proxy with content inspection enabled to
block users from accessing personal Google services
 Configure specific domains that are allowed access to Google
services
 Allow domains used for Google for Work services and block
users from logging into Google Gmail or other personal
Google service accounts
 Content inspection must be enabled because most Google
services are SSL encrypted
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
64
Allowed Google Apps Domains
 Inserts
X-GoogApps-AllowedDomains HTTP header
followed by a domain
name list into all
requests for
*.google.com
 Google services that do
not require
authentication, such as
Google Search or
YouTube, cannot be
blocked
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
65
RADIUS SSO
Single Sign-On with RADIUS
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
66
RADIUS SSO — Overview
 RADIUS SSO (RSSO) enables single sign-on for users who
have already authenticated to a RADIUS server with 802.1x
authentication
• Targeted primarily at wireless users
– Many universities and large schools have existing wireless networks
that use RADIUS for user authentication
• Can also work for a wired network
– Switch must have 802.1x enabled and must be used for NAC
(network access control) with the RADIUS server
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
67
RADIUS SSO — Overview
• Requirement for RSSO
– The wireless access point (AP), switch, or access controller (AC)
that users connect to must support 802.1x authentication and
RADIUS accounting
– The AP or AC switch must send RADIUS accounting messages that
include the user’s IP address to the RADIUS server
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
68
RSSO — How it Works
1. Client authenticates to the AP with WPA/WPA2 Enterprise
2. AP interacts with RADIUS server to authenticate the user
3. AP sends RADIUS accounting messages with user name
and IP address through RADIUS proxy server to the Firebox
4. Firebox creates a firewall session for the authenticated user
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
69
RSSO — How it Works
3. RADIUS Accounting (Proxy)
RADIUS
Server
2. RADIUS Accounting
Wireless AP
Device
4. Firebox creates a firewall
Firebox
session for the user
It is possible but not recommended, to
send RADIUS accounting messages
directly from AP/AC device to the Firebox.
Switch with
RADIUS accounting
1. 802.1x with EAP
Wireless Client
Other Client
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
70
RSSO — How it Works
 For RSSO to work, the Start, Stop and Interim-Update
RADIUS accounting messages must include these attributes:
• User-Name — Name of the authenticated user
• Framed-IP-Address — Actual IP address of the user
 When mobile devices connect with WPA/WPA2
authentication:
• AP device sends RADIUS accounting messages from the
RADIUS proxy server to Firebox
• Firebox creates a user session when it receives a Start or
Interim-Update message with the user name and IP address
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
71
RSSO — How it Works
 When mobile devices disconnect:
• AP device sends RADIUS accounting message from the
RADIUS proxy server to Firebox
• Firebox removes the user session when it receives the Stop
accounting message with the user name and IP address
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
72
RSSO Support
 RSSO should work for connections to AP and AC devices that
support the User-Name and Framed-IP-Address attributes in
RADIUS accounting messages
 Who supports it:
• WatchGuard AP devices — Supported on all WatchGuard AP
device models in an AP firmware update to be released with
Fireware v11.11
• Aruba IAP — Verified it works well
• Ruckus AC — Not confirmed (Ruckus documentation indicates it
supports Framed-IP-Address)
• Cisco Meraki — Cloud management, not confirmed (Cisco
documentation says it supports Framed-IP-Address)
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
73
Configure RSSO on the Firebox
 Web UI —
Authentication > Single
Sign-On > RADIUS
• You can enable RSSO
for one RADIUS server
IP address
• Group Attribute is for
user-defined groups
• It must match the FilterID attribute for the
group on the RADIUS
server
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
74
RSSO — Groups and Policies
 When you enable RSSO, the group RADIUS-SSO-Users is
automatically created on the Firebox
• RSSO also supports user-defined groups configured on both the
RADIUS server and the Firebox
• Only RSSO users who are not a member of a user-defined group
are considered members of the RADIUS-SSO-Users group
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
75
RSSO — Groups and Policies
 When you enable RSSO, two policies are automatically added
• Allow RADIUS SSO Service
– Allows incoming accounting traffic on port 1813 to the Firebox
– Allows traffic from the RADIUS server IP address to the Firebox
• Allow RADIUS SSO Users
– Allows outgoing traffic from authenticated users
– Allows TCP-UDP traffic from RADIUS-SSO-Users to Any-External
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
76
RADIUS Proxy Server
 You can configure a RADIUS server, such as freeradius, as a
RADIUS accounting proxy
• The RADIUS server receives accounting messages from the AP
device or AC and sends them to the Firebox
– Communication is protected by the shared secret
– The Firebox can only receive accounting communication from the
one IP address configured in the Firebox RADIUS SSO settings
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
77
RADIUS Proxy Server
 One AP device or AC can send RADIUS accounting
messages directly to the Firebox rather than through a proxy
• The IP address of the AP device or AC must match what is
configured in the Firebox RADIUS SSO settings
• For SSO from more than one AP device or AC, accounting
messages must be routed through a RADIUS accounting proxy
server
 RSSO Session Timeout and Idle Timeout are independent of
global Firebox timeouts or timeouts on the RADIUS server
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
78
RSSO — Session Status
 User sessions authenticated through RSSO appear in the
Authentication List
• Type — Firewall User
• Domain — RADIUS
• Client — Single Sign-On
• Login Limit — Based on the user/group login limit
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
79
RSSO and the Authentication Portal
 When RSSO is enabled, users can still use the Authentication
Portal on the Firebox to authenticate with another account in a
different domain or with different group membership
 Authentication Portal sessions override RSSO sessions for
user connections from the same IP address
• A session created by the Authentication Portal replaces any
existing session created by RSSO for the same IP address
• A session created by RSSO does not replace an existing session
created by the Authentication Portal for the same IP address
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
80
RSSO and AD SSO
 You can enable both RSSO and AD SSO at the same time
 RSSO will not replace sessions created by AD SSO
 If possible, to avoid an overlap that can cause authentication
inconsistencies, do not use both RSSO and AD SSO for the
same subnet or IP address range
 If you must use both SSO types for some clients in the same
subnet, use the RSSO or AD SSO Exception list to define the
expected session priority
• The Exception list defines IP addresses for clients that do not
use that SSO type
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
81
Multiple Hotspots
Configure different hotspot portals for different
Firebox interfaces
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
82
Multiple Hotspots Overview
 You can now configure multiple hotspots
 You can enable each hotspot for one or more interfaces
• Interfaces can be physical or virtual (VLAN, bridge, link
aggregation, wireless)
 Each hotspot can use a different authentication type
• Connect without credentials
• Require users to authenticate with generated credentials
(user name and passphrase or passphrase only)
 External Guest Authentication
• There is still only one external guest hotspot
• You can now enable it for multiple interfaces
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
83
Configuration
 Hotspots configuration page now has three tabs
• Hotspots — Add hotspots and enable hotspots for interfaces
• External Guest Authentication — Configure external guest
authentication hotspot (only one)
• Settings — Configure global settings that apply to all hotspots
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
84
Add a Hotspot
 Type a Hotspot Name
 Configure Authentication settings
(No change from Fireware v11.10.x)
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
85
Add a Hotspot
 Customize the hotspot page
• Text, logo, terms, color
• No change from Fireware v11.10.x
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
86
Enable a Hotspot on Interfaces
 After you add a hotspot, enable it for one or more interfaces
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
87
External Guest Authentication
 You can configure one External Guest Authentication hotspot
 If you enable external guest authentication, you must enable
the External Guest Authentication Hotspot for at least one
interface
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
88
Hotspot Settings
 On the Settings tab, configure settings common to all
hotspots
• No change from Fireware v11.10.x.
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
89
Hotspot Guest Administration Portal
 In the Wireless Guest Administration Portal, select the hotspot
 Click Advanced Settings to:
• Manage default guest user account settings
• Customize the printed voucher
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
90
Hotspot Guest Administration Portal
 For each hotspot the guest administrator can:
• Add or delete guest accounts for the selected hotspot
• Print vouchers for guests
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
91
BOVPN Interoperability
Connect a BOVPN virtual interface to a
third-party VPN endpoint that supports GRE
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
92
BOVPN Interoperability
 BOVPN virtual interface routes are now supported between a
Firebox and a third-party device that uses GRE
• Examples:
– Firebox to Cisco
– Firebox to Fortinet
 Both static and dynamic routing through the BOVPN virtual
interface are supported
• For static routing through the VPN, configure BOVPN virtual
interface routes exactly the same as for BOVPN virtual interface
routes between two Fireboxes
• For dynamic routing to a third-party VPN endpoint, the
configuration is different
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
93
BOVPN Virtual Interface Configuration
 For dynamic routing to a
third-party VPN endpoint
the Interface Peer IP
address is a network mask
rather than the IP address
of the peer endpoint
• Local IP address — Must
be on the same subnet as
the local IP address on the
third-party VPN endpoint
• Peer IP address — Must
be the netmask configured
on the third-party VPN
endpoint
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
94
Supported Third-Party VPN Endpoints
 Third-party endpoints that support GRE over IPSec are
supported as a BOVPN virtual interface endpoint
 Supported third-party endpoints include:
• Cisco
• Fortinet
• Juniper
• Checkpoint
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
95
Non-Supported Third-Party VPN Endpoints
 Third-party endpoints that do not support GRE over IPSec are
not supported as a BOVPN virtual interface endpoint
 Non-supported third-party endpoints include:
• Dell SonicWALL
• Palo Alto Networks
• Amazon AWS
• Microsoft Azure
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
96
Other Enhancements
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
97
APT Blocker Enhancements
 New Clean threat level
• Sends a log message for files that were scanned and allowed
with no malware detected
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
98
APT Blocker Enhancements
 Apple Mac application file support
• Mac executable files (.app files) can now be sent to the Lastline
cloud server for analysis
 New compressed file support
• RAR and 7z files can now be decompressed
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
99
Strip Documents with Macros — SMTP Proxy
 With the SMTP Proxy, you can now strip Microsoft Office
document attachments if they contain VBScript macros
 Macros in Office documents have become a popular way for
malicious malware, such as ransomware, to spread into a
network
 This rule type only applies to VBScript type macros in
documents, not for macro-embedded document files
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
100
Strip Documents with Macros — SMTP Proxy
 In an SMTP proxy action, create a Content Type rule for
attachments for “application/x-vbscript” and set the action to
Strip.
• This action removes Office document attachments that contain
VBScript macros before the message is delivered to the recipient
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
101
Self-Signed Certificates — SMTP with TLS
 You can now use third-party self-signed certificates when you
enable deep inspection of SMTP with TLS encryption
 Allows users to import self-signed certificates from other
devices, such as WatchGuard XCS or mail servers
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
102
Username in HTTP Proxy Deny Message
 You can now add a user name variable %(user-name)% in the
HTTP Proxy Deny Message to show the authenticated user
name
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
103
Gateway Wireless Controller Enhancements
 WatchGuard AP Device Automatic Deployment
• Add an unpaired AP device to the network and have it configured
automatically by the Gateway Wireless Controller (GWC)
– Configure specific SSIDs for automatic deployment
– When an unpaired AP device is connected to the network, it is
automatically configured by the GWC with the auto-deployment
SSID settings (security encryption and other SSID settings)
– All other AP device settings such as radio settings are set to the
defaults
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
104
Gateway Wireless Controller Enhancements
 Enable automatic deployment
 Select SSIDs to configure on auto-deployed AP devices
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
105
Gateway Wireless Controller Enhancements
 AP devices are not
paired with the GWC,
but are automatically
deployed with the
configured SSIDs
 Only pair an AP device
if you want to change
the default auto-deploy
SSID configuration
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
106
Gateway Wireless Controller Enhancements
 Enable automatic
deployment on a
specific SSID
 This SSID is configured
on automatically
deployment AP devices
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
107
Gateway Wireless Controller Enhancements
 By default, the Gateway Wireless Controller sends discovery
broadcasts on all networks to discover unpaired AP devices
 In the GWC settings, you can now limit the networks that you
use for AP discovery broadcasts or disable all discovery
broadcasts
 This is useful for the automatic deployment feature, and helps
to enable control over the networks that allow AP devices to
be automatically paired
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
108
Gateway Wireless Controller Enhancements
 Gateway Wireless Controllers scalability improvements
• A single GWC instance can now manage a much larger number
of AP devices
 Gateway Wireless Controller now supported in Firebox
drop-in mode
 AP support for RADIUS SSO accounting
 Wireless client monitoring page includes PHY mode to
indicate specific wireless modes, which includes b, g, a, n,
n40, ac80, etc.
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
109
Improved FireCluster Upgrade Process
 The cluster master manages the upgrade of both members
• The cluster master uploads the Fireware OS upgrade file and
manages the upgrades of both members
 Why this change?
• Enables upgrade of both cluster members from Fireware Web UI
• Improves remote FireCluster upgrade
– Previously, for Policy Manager to remotely upgrade a FireCluster,
each cluster member was required to have a dedicated external IP
address assigned as the management IP address
– When you upgrade a FireCluster from Fireware OS v11.11 or higher,
external cluster management IP addresses are not required
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
110
FireCluster Upgrade from the Web UI
 Select System >
Upgrade OS, select an
upgrade file
 The cluster master
upgrades the backup
master first
 The upgrade status
appears in the Web UI
 After the first member
upgrade is complete,
the second member
upgrade starts
automatically
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
111
FireCluster Upgrade from the Web UI
 After the first member
upgrade is complete, log
in again
 The previous backup
master is now the cluster
master
 When upgrade of both
members is finished, a
message appears at the
top of the page
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
112
FireCluster Upgrade from Policy Manager
 To start a FireCluster upgrade select File > Upgrade
 For upgrades from Fireware OS v11.11 or higher, the upgrade
method Policy Manager uses depends on the IP address you
connect to when you do the upgrade:
• To use the new method, connect to an interface IP address
– Policy Manager uploads the OS upgrade to the cluster master
– The cluster master sends the OS upgrade file to the backup master
and automatically coordinates the upgrade of both cluster members
– Policy Manager does not connect to the Management IP addresses
• To use the old method, connect to a Management IP address
– Policy Manager connects individually to the Management
IP addresses of each member to perform the upgrade
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
113
FireCluster Upgrade from Policy Manager
 Unlike upgrades from the Web UI, in Policy Manager, you can
upgrade one or both cluster members
• WatchGuard recommends that you upgrade both cluster
members
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
114
FireCluster Upgrade from the CLI
 You can also use the upgrade system CLI command to
upgrade both members of a FireCluster
• After the first member upgrade is finished you must log in again
to monitor the cluster upgrade status
• After you log in again, to see the status of the cluster upgrade
use the show upgrade status command
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
115
Loopback Interface
 You can now enable a Loopback interface
• The Loopback interface is a virtual interface for dynamic routing
(RIP, OSPF, BGP) to multiple ISPs
• Supported in Mixed Routing Mode only
• Supported for both active/active or active/passive FireCluster
 Limitations
• You cannot use the Loopback interface IP address or secondary
IP address as a physical/virtual interface, local gateway IP
address of a BOVPN or BOVPN virtual interface, or the route to
IP address of a network route
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
116
Loopback Interface
 The loopback interface name is WG-Loopback
 Use the IPv4 interface IP address rather than the interface
name in the dynamic routing configuration
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
117
Loopback Interface
 You can optionally add IPv4 secondary networks
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
118
Loopback Interface
 In Policy Manager, these settings are in the Network
Configuration dialog box, on the Loopback tab
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
119
32-bit BGP AS Number Support
 Added support for 32-bit BGP Autonomous System numbers
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
Thank You!
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
WatchGuard Training
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved