
Fireware Pro 9.1 What’s New



Presentation Transcript


  1. Fireware Pro 9.1 What’s New

  2. What’s New in Fireware 9.1: Overview
     • This presentation has three categories:
       • New Features in 9.1
       • Enhancements to existing features
       • Miscellaneous changes

  3. Fireware 9.1: New Features
     • Factory Shipped User Area
     • New power-on mode
     • New steps for Quick Setup Wizard
     • Quarantine Server
     • HTTP proxy exceptions
     • POP3 proxy
     • Automatic redirect after firewall authentication
     • New authentication web server certificate
     • Server load balancing
     • Import/export proxy actions and rulesets
     • Support for jumbo frames
     • Support for Windows Vista
     • Find Policy feature

  4. Factory Shipped User Area: Fireware pre-loaded from factory
     • Benefits:
       • Improved out-of-box experience
       • Faster, easier deployment
       • One computer can get to the Internet during QSW
       • Register box with LSS and get feature key during QSW
         • No need to disconnect from Firebox, connect to live Internet connection, get feature key, reconnect to Firebox, continue Wizard
       • User can still finish QSW if user forgot to (or did not know to) install Fireware on the management station
     • Not sure yet when manufacturing cutover happens

  5. Power-on options: Safe Mode & Recovery Mode
     • Safe Mode (new boot method)
       • Power-on + down arrow button
       • Hold button until LCD shows “WatchGuard Technologies”
       • Available only if 9.1 image is installed on box
       • Allows one computer out to the Internet
       • Saves time: loads new Fireware image only if image on computer is newer
     • Recovery Mode (same as current method)
       • Power-on + up arrow button
       • Used to be called Safe Mode
       • No Internet access until QSW is done
       • Must have feature key to finish
       • New Fireware image is always loaded

  6. Quick Setup Wizard: New and different steps
     • Skip instructional steps if user knows that the box is in a discoverable state
     (Screen captions: “Next step, discovery”; “At least four more steps until discovery”)

  7. Quick Setup Wizard: New and changed steps
     • Set external IP address information during QSW
       • External interface settings are saved to Firebox immediately
       • Lets user out to Internet before or during feature key step
     • DNS information
       • The Firebox must have DNS information for spamBlocker to work, and to get Gateway AV/IPS updates
     • Feature key step of QSW: “Click to go to LiveSecurity site”
       • Works only if 9.1 installed
       • Works only if booted using down arrow
       • Detects and displays current license if user ran the QSW previously
     • Remote management step
       • Adds an external IP address to the From: field of WatchGuard policy

  8. Quarantine Server: Quarantine spam
     • Works with spamBlocker only
       • Does not quarantine based on virus signature or content types
     • SMTP proxy: yes; quarantine spam, bulk, or suspect email
     • POP3 proxy: no; cannot quarantine POP3 email
     • New icon in WatchGuard toolbar
     • Install with server components during WSM install

  9. Quarantine Server: New “Quarantine” action in spamBlocker
     • Quarantine based on spam classification
     • Quarantine based on Exception

  10. Quarantine Server: Server Settings
     • Set maximum database size
     • Admin notification when database gets close to capacity
     • SMTP server settings

  11. Quarantine Server: Expiration Settings
     • How long to keep messages
     • For which domains the Quarantine Server will keep email

  12. Quarantine Server: User notification
     • Customize body text for notification emails sent to users

  13. Quarantine Server: Rules
     • Automatically remove messages based on:
       • From specific domains
       • From specific senders
       • With specific text in the Subject

  14. Quarantine Server: Statistics
     • Export data to: Excel, CSV
     • Filter report by: Date, Spam classification
     • View data by: Month, Week, Day

  15. Quarantine Server: User notification

  16. Quarantine Server: Simple for user to delete or release emails

  17. HTTP Proxy Exceptions: Bypass rule checking
     • An easy way to allow content from:
       • Windows Updates
       • Symantec Updates
       • Other friendly sites
     • Proxy sets all rules to Allow for these sites
       • Allows all content from hosts that match this list

  18. POP3 Proxy: Server and Client POP3 proxies

  19. POP3 Proxy: Benefits
     • Content Type filtering
       • Strip or lock attachments based on declared MIME type
     • Filename filtering
       • Strip or lock attachments based on filename pattern
     • AV scanning
       • Strip or lock attachments if virus found
     • IPS scanning
       • Strip or lock attachments if signature matches
     • spamBlocker
       • Allow or tag based on categorization
       • No quarantine for spam with POP3 email (only SMTP email can be quarantined)

  20. POP3 Proxy: Benefits
     • Simpler, easier-to-understand defaults

  21. POP3 Proxy: Limitations
     • POP3 proxy cannot block POP3 emails:
       • In a POP3 transaction, the client gets the message count first
       • Client keeps trying until the number of messages received matches the count
       • We must deliver the correct number of messages
     • Attachment scanning
       • Inline engine, not store-and-forward
       • Client may get a truncated attachment along with the deny message
     • spamBlocker cannot quarantine POP3 messages
       • For the same reasons we cannot block POP3 mail
       • spamBlocker can [Allow] or [Add Subject Tag] only

  22. Firewall Authentication: Automatic redirect after authentication
     • Setup > Authentication > Authentication Settings
       • Authentication settings moved here from Setup > Global Settings
     • New Redirect option: user’s browser is redirected to this URL five seconds after successful authentication

  23. Firewall Authentication: Customizable Web Server Certificate
     • No more security warnings!
     • Why does the user get warnings from the browser?
       • The name on the certificate does not match the URL in the browser
         • Fixed with new Fireware web server certificate
         • Uses subject alternative names to match several possible URLs
         • Three different options for Fireware’s web server certificate
       • Certificate is not trusted
         • User still must import the CA cert from the issuing authority (or the web server certificate itself)
         • Import to trusted root store

  24. Firewall Authentication: Customizable web server certificate
     • Three options:
       • Default certificate
         • Uses each trusted interface IP address as subject alt names
       • Third-party certificate
         • Must import using FSM
         • Mark purpose as “web server” when generating Certificate Signing Request (CSR)
       • Custom certificate
         • Signed by Firebox
         • Option to add more subject alt name fields: IP addresses or domain names
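Why subject alternative names remove the name-mismatch warning, as an added example (not Fireware code): this models the check a browser performs on the host part of the URL, following the RFC 2818/6125 rules. A host name must match a dNSName SAN (or, when there are no DNS SANs, the CN); an IP literal matches only an iPAddress SAN, never the CN. The certificate model, the `Firebox` CN placeholder, and the interface addresses and domain names below are constructed for the illustration.

```python
"""Matching a browser's URL host against a web server certificate.

Added example, not Fireware code. Models the browser-side name check so the
effect of iPAddress and dNSName subject alt names can be seen directly.
"""
import ipaddress
from urllib.parse import urlsplit


def build_default_cert(trusted_ips, cn="Firebox"):
    """Certificate model with every trusted interface IP as an iPAddress SAN
    (the slide's 'default certificate'). CN is a constructed placeholder."""
    return {
        "cn": cn,
        "dns_sans": [],
        "ip_sans": [str(ipaddress.ip_address(ip)) for ip in trusted_ips],
    }


def build_custom_cert(trusted_ips, dns_names, cn="Firebox"):
    """The slide's 'custom certificate': extra IP and DNS subject alt names."""
    cert = build_default_cert(trusted_ips, cn)
    cert["dns_sans"] = [name.lower() for name in dns_names]
    return cert


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS match; '*.' covers exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return host.endswith(suffix) and host.count(".") == pattern.count(".")
    return pattern == host


def cert_matches_url(cert, url: str) -> bool:
    """True if the URL's host is covered by the certificate's names."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literal in the URL: only an iPAddress SAN counts. A CN such as
        # 'Firebox' can never match, which is the warning the slide refers to.
        return str(ip) in cert["ip_sans"]
    if cert["dns_sans"]:
        return any(_dns_name_matches(p, host) for p in cert["dns_sans"])
    return _dns_name_matches(cert["cn"], host)  # legacy CN-only fallback


if __name__ == "__main__":
    cn_only = {"cn": "Firebox", "dns_sans": [], "ip_sans": []}
    with_sans = build_default_cert(["10.0.1.1", "192.168.1.1"])
    for cert in (cn_only, with_sans):
        print(cert_matches_url(cert, "https://10.0.1.1/"))
```

A certificate carrying only a CN fails for every trusted-interface IP the user might type, while the default certificate with each interface address as an iPAddress SAN matches all of them; the custom certificate additionally covers the DNS names the administrator adds.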

  25. Server Load Balancing: Balances incoming traffic to server clusters
     • Add it in a familiar, intuitive way.
       • In the To: field, select Add > Add NAT
       • New drop-down list to select Server Load Sharing instead of Static NAT
     • Sticky Connections makes sure new connections from the same client use the same server for the specified time.

  26. Server Load Balancing: Algorithms
     • Supports up to 10 servers per object
     • Algorithms:
       • Weighted Round-robin
       • Weighted Least Connections
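The two algorithms and the sticky-connection rule from slides 25 and 26, as an added example (not Fireware code): weighted round-robin gives a server one slot per unit of weight in each cycle, weighted least connections sends the new connection to the server with the fewest active connections per unit of weight, and a sticky entry pins a client to its previous server until the configured time expires. The 10-server limit is taken from the slide; the scheduling details, server names and addresses are constructed for the illustration.

```python
"""Weighted round-robin, weighted least connections and sticky connections.

Added example, not Fireware code. The slide names the algorithms and the
sticky behaviour; the scheduling details here are one textbook realisation.
"""
import itertools
import time


class Server:
    def __init__(self, name: str, weight: int = 1):
        if weight < 1:
            raise ValueError("weight must be >= 1")
        self.name = name
        self.weight = weight
        self.active = 0              # currently open connections


class LoadBalancer:
    MAX_SERVERS = 10                 # per the slide: up to 10 servers per object

    def __init__(self, servers, algorithm="wrr", sticky_seconds=0, clock=time.monotonic):
        if not 1 <= len(servers) <= self.MAX_SERVERS:
            raise ValueError("1..10 servers required")
        if algorithm not in ("wrr", "wlc"):
            raise ValueError("algorithm must be 'wrr' or 'wlc'")
        self.servers = list(servers)
        self.algorithm = algorithm
        self.sticky_seconds = sticky_seconds
        self.clock = clock           # injectable for deterministic tests
        # Weighted round-robin: a server with weight w gets w slots per cycle.
        slots = [s for s in self.servers for _ in range(s.weight)]
        self._rr = itertools.cycle(slots)
        self._sticky = {}            # client_ip -> (server, expiry time)

    def _weighted_round_robin(self) -> Server:
        return next(self._rr)

    def _weighted_least_connections(self) -> Server:
        # Fewest active connections per unit of weight wins; name breaks ties.
        return min(self.servers, key=lambda s: (s.active / s.weight, s.name))

    def pick(self, client_ip: str) -> str:
        """Choose a server for a new connection from client_ip and account for it."""
        now = self.clock()
        entry = self._sticky.get(client_ip)
        if entry and entry[1] > now:
            server = entry[0]        # sticky: same server within the window
        elif self.algorithm == "wrr":
            server = self._weighted_round_robin()
        else:
            server = self._weighted_least_connections()
        if self.sticky_seconds:
            self._sticky[client_ip] = (server, now + self.sticky_seconds)
        server.active += 1
        return server.name

    def release(self, name: str) -> None:
        """Connection closed; decrement that server's active count."""
        for s in self.servers:
            if s.name == name:
                s.active -= 1
                return
        raise KeyError(name)


if __name__ == "__main__":
    lb = LoadBalancer([Server("A", 2), Server("B", 1)], algorithm="wrr")
    print([lb.pick("198.51.100.%d" % i) for i in range(6)])
```

With weights A=2 and B=1, round-robin yields A, A, B, A, A, B; least connections starts the same way but reacts to connections that stay open, so a long-lived session on A shifts new connections toward B.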

  27. Policy Manager Enhancements: Import and Export from Policy Manager
     • Useful for managing many boxes
     • Copy back and forth between XML configurations
       • Must be from the same version of WSM/Policy Manager
       • Cannot import a 9.0 object into 9.1 Policy Manager, for example
       • Convert older configuration before exporting for use in newer version
     • Objects you can import/export:
       • Proxy actions
       • Individual rulesets within proxy actions
       • Custom policies
       • WebBlocker exceptions
       • spamBlocker exceptions
       • Schedules

  28. Import/export: Objects you can import/export
     • Proxy actions

  29. Import/export: Objects you can import/export
     • Individual rulesets within proxy actions (must be in Advanced View to see the Import/Export buttons)
       • SMTP: greeting rules, authentication schemes, content types, filenames, mail from, mail to, headers
       • HTTP: request methods, URL paths, headers, authentication schemes, content types, cookies, body content types
       • DNS: OPCodes, query types, query names
       • FTP: commands, downloads, uploads
       • POP3: authentication schemes, content types, filenames, headers

  30. Import/export: Objects you can import/export
     • Custom policies

  31. Import/export: Objects you can import/export
     • WebBlocker Exceptions

  32. Import/export: Objects you can import/export
     • spamBlocker Exceptions

  33. Import/export: Objects you can import/export
     • Schedules

  34. Ethernet Driver Updates: Support for Jumbo Frames
     • You can now set MTU on Firebox interfaces up to 9000
       • Previous limit was 1500
       • 1500 is the normal maximum MTU for Ethernet

  35. WSM Enhancement: Support for Windows Vista
     • All variants of Windows Vista are supported in WSM v9.1 for Firebox configuration, monitoring, and management
     • Windows Vista not supported yet for MUVPN
       • Vista-compatible MUVPN client scheduled for Fall

  36. Policy Manager Enhancements: Find Policy (Edit > Find)
     • Finds policies that match the search criteria

  37. Policy Manager Enhancement: Policy-Based Routing (PBR) Column
     • If a policy uses PBR, the interface number used for PBR is listed in the new column
     • Multiple interface numbers indicate that the PBR uses failover

  38. Fireware 9.1: Feature Enhancements
     • Management Server
     • HTTP proxy
     • SMTP proxy
     • FTP proxy
     • GatewayAV/IPS
     • spamBlocker
     • WebBlocker
     • Branch Office VPN
     • IPSec Pass-through
     • Firebox certificates
     • DHCP
     • HostWatch
     • PMTU

  39. Management Server Enhancements
     • Better efficiency
       • Compiling and deploying policies is faster
     • Better scalability
     • New “Hub” VPN resource
       • For default-route VPNs (send all traffic through VPN)
     • Turn off logging of DVCP-generated VPN policies
       • Custom VPN policies only
     • Phase 1 now configurable
       • Still uses Aggressive Mode; no Main Mode tunnels
     • Several defects fixed

  40. Management Server Enhancements: New Hub Network VPN Resource
     • VPN sends all traffic through the Firebox that has “Hub Network” as the local resource.
     • Warning tells you that a dynamic NAT rule may be necessary to let traffic from the branch office out to the Internet.

  41. HTTP Proxy Enhancements: WebDAV Support
     • All WebDAV methods now supported
     • What is WebDAV?
       • Stands for Web-based Distributed Authoring and Versioning
       • A set of extensions to the HTTP 1.1 specification
       • Adds new HTTP request methods to the familiar GET, HEAD, POST, etc.
       • Used for collaborative authoring of documents and version control:
         • Outlook Web Access
         • Subversion (popular open-source version control system)
         • Wherever you see team authoring and version control

  42. HTTP Proxy Enhancements: WebDAV Support

  43. SMTP Proxy Enhancements: Benefits and limitations
     • Turn off ESMTP altogether with a single check box
     • Turn off logging of denied ESMTP verbs
     • Auto-detect MIME types

  44. FTP Proxy Enhancements: Benefits and limitations
     • Full data channel inspection
       • Gateway AntiVirus
       • Intrusion Prevention
     • New option for maximum number of failed logins
       • Auto-block the source if the number is exceeded
       • Protects against dictionary attacks on your FTP server
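The failed-login auto-block, as an added detection example (not Fireware code and not WatchGuard's log format): failed FTP logins are counted per source within a sliding window, a successful login clears the source's count, and once the count exceeds the configured maximum the source is marked blocked and its later attempts are dropped. The log line format, addresses, usernames and threshold below are all constructed for the illustration.

```python
"""Count failed FTP logins per source and auto-block above a threshold.

Added example, not Fireware code. The log format (ftp-proxy src=... user=...
result=OK|FAIL), the addresses and the threshold are constructed here.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format, not WatchGuard's: timestamp, source IP, user, result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ftp-proxy src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$"
)

# Constructed sample log: one source hammering the server, one legitimate retry.
SAMPLE_LOG = """\
2007-05-01 10:00:01 ftp-proxy src=203.0.113.5 user=admin result=FAIL
2007-05-01 10:00:02 ftp-proxy src=203.0.113.5 user=root result=FAIL
2007-05-01 10:00:02 ftp-proxy src=198.51.100.7 user=alice result=FAIL
2007-05-01 10:00:03 ftp-proxy src=203.0.113.5 user=ftp result=FAIL
2007-05-01 10:00:04 ftp-proxy src=203.0.113.5 user=test result=FAIL
2007-05-01 10:00:05 ftp-proxy src=198.51.100.7 user=alice result=OK
2007-05-01 10:00:05 ftp-proxy src=203.0.113.5 user=guest result=FAIL
2007-05-01 10:00:06 ftp-proxy src=203.0.113.5 user=oracle result=FAIL
2007-05-01 10:30:00 ftp-proxy src=192.0.2.9 user=bob result=FAIL
"""


class FailedLoginMonitor:
    def __init__(self, max_failures=5, window=timedelta(minutes=10)):
        self.max_failures = max_failures   # block once failures EXCEED this
        self.window = window               # sliding window for counting
        self.failures = defaultdict(deque) # src -> timestamps of recent failures
        self.blocked = {}                  # src -> time the block was applied

    def observe(self, line: str):
        """Process one log line; returns 'ok', 'fail', 'block', 'blocked' or None."""
        m = LINE_RE.match(line.strip())
        if not m:
            return None                    # not a login record we understand
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        src = m["src"]
        if src in self.blocked:
            return "blocked"               # already blocked: attempt is dropped
        if m["res"] == "OK":
            self.failures[src].clear()     # a successful login resets the count
            return "ok"
        q = self.failures[src]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                    # forget failures outside the window
        if len(q) > self.max_failures:
            self.blocked[src] = ts
            return "block"
        return "fail"


def run(log_text: str, **kwargs):
    """Feed every line to a fresh monitor; return (monitor, per-line events)."""
    mon = FailedLoginMonitor(**kwargs)
    events = [mon.observe(line) for line in log_text.splitlines() if line.strip()]
    return mon, events


if __name__ == "__main__":
    mon, events = run(SAMPLE_LOG)
    print(events)
    print("blocked:", sorted(mon.blocked))
```

With the default of five allowed failures, 203.0.113.5 is blocked on its sixth failure, the legitimate user who succeeds on the second try is never counted further, and the single failure from 192.0.2.9 stays well under the threshold.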

  45. AV/IPS Enhancements: Benefits and limitations
     • All inline scanning engine now
       • Same inline scanning engine that has always been used in the HTTP proxy
       • This means we no longer use the Clam AV scanning engine for SMTP
       • No limit to the size of attachments we can scan
       • We do, however, still use Clam AV signatures

  46. spamBlocker Enhancements: Benefits and limitations
     • Proactive Patterns
       • spamBlocker downloads a small (no more than 20 MB) database of patterns
       • For quicker detection of patterns no longer in the wild
       • Works only on legacy Peak, any e-Series
     • Trusted email forwarders
     • Bulk import/export spamBlocker exceptions (white/blacklists)
     • Set Allow or Deny when spamBlocker server is unavailable

  47. WebBlocker Enhancements: Benefits and limitations
     • New organization for categories in UI
     • New UI option to change listening port of WebBlocker Server
       • Right-click WebBlocker Server icon in Windows taskbar
       • Stop service, then right-click again

  48. Branch Office VPN Enhancements: Better explanation of SA creation
     • Phase 2 SA creation options expanded, more user-friendly
     (Screen captions: “Old”; “New”)

  49. Branch Office VPN Enhancements: Rekey BOVPNs
     • Rekey All
       • Tools menu in FSM
     • Rekey Selected
       • Right-click the active tunnel in the Front Panel tab

  50. IPSec Pass-through Enhancements: Code Overhauled
     • IPSec pass-through code totally overhauled
     • Multiple IPSec clients behind Firebox can make outbound VPN sessions to concentrators on the external network at the same time, with fewer problems
     • Enable IPSec Pass-through at VPN > VPN Settings
