WSM und Fireware XTM 11.4.2

Im Software-Download-Bereich der WatchGuard Website stehen seit gestern die neuesten Verisonen WSM und Fireware XTM 11.4.2 für die Geräteserien XTM2, XTM5, XTM8 und XTM1050 bereit. WatchGuard hat den Download- und andere Customer-Care-Bereiche vor zwei Wochen ausgelagert, daher sieht die User-Anmeldeseite mittlerweile anders aus – und auch die dahinter liegenden Inhalte werden “anders präsentiert”, verstecken sich zum Teil oder sind (noch) gar nicht auffindbar… Das ändert/bessert sich hoffentlich in den nächsten Tagen/Wochen/xxx… 🙂

Die Liste der Resolved Issues der Version 11.4.2 liest sich so:

General

• This release resolves an issue that caused the XTM device to lock up when configured with a combination of proxy policies, subscription services, and FireCluster. [61091]
• A kernel memory leak and subsequent kernel crash that occured when the XTM device received many packets with MSS =0 has been resolved. [59953]
• An issue that caused a kernel crash and complete XTM device lock up has been resolved. [59031]
• This release resolves an issue that caused excessive logging from lighthttpd. [60508]
• The “message” field from a WatchGuard log message now appears in a syslog message for the same traffic. [60045]
• The ip_dst_cache cleanup timer has been improved to make sure that the ip_dst_cache table does not become full and cause packets to be dropped. [61558]
• Dynamic DNS updates now work correctly when the XTM device is configured with a zero route branch office VPN tunnel. [56166]
• A memory leak in the networkd process has been resolved. [61905]

Networking

• Blocked sites that are added by IPS are now correctly removed from the Blocked Sites list when the expiration time configured to block them is reached. [60631]
• An XTM device configured to use the server load balancing feature no longer allows connections to servers that are non-responsive. [60292]
• Firewall policies are now applied to traffic that passs through two interfaces configured for the same VLAN (VLAN Bridge). [61352]
• When you enable IPS on a policy configured for VLAN Bridged interfaces, it no longer causes traffic to fail though the policy. [61585]
• This release resolves an issue that triggered MAC address flapping on Cisco switches when using an active/passive FireCluster. [60619]

Proxies

• An issue that caused some web pages to not load correctly when using Internet Explorer v8.0 has been resolved. [58259]
• Several issues that caused some downloads to fail through the HTTP proxy when using Gateway AV has been resolved. [61291] [60654]
• The XTM device no longer fails to send quarantined emails to the Quarantine Server. [60940]
• A Custom SOAP web application that required 255 or more requests through the HTTP proxy now works correctly. [58097]

FireCluster

• This release resolves an issue that caused the master device in a FireCluster to become idle after a Force Failover command is issued. [60217]
• The Backup Master can now send log messages to a WatchGuard Log Server that is not on the same subnet as the management IP addresses. [61109]
• A rule to always allow management traffic between the FireCluster management interfaces is now added automatically when you configure FireCluster. This new rule makes sure that management functions to both devices in a cluster are not blocked by policy misconfiguration. [56062]
• This release improves the performance of FSM when connected to an active/passive FireCluster. [61886]
• The FSM Status Report tab now correctly displays data for the backup master device in a FireCluster. [60454]

Mobile VPN with SSL

• This release adds support for multiple Mobile VPN with SSL policies for different users/groups from Policy Manager. [60741]
• The Mobile VPN with SSL client for Windows now connects correctly to the IP address specified by the user in the connection settings instead of always using the IP address in the Mobile VPN with SSL configuration created by the XTM device. [60082]

Mobile VPN with IPSec

• The Mobile VPN Shrew Soft client and the Mobile VPN with IPSec client now work with certificates generated by the WatchGuard Management Server. [61380, 61060]

Mobile VPN with PPTP

• PPTP authentication no longer fails when there are a large number of previous PPTP connections that were not terminated correctly. [61117]

Branch Office VPN

• You can now use Branch Office VPN with an External Wireless interface. [36232]
• Ping traffic through a Branch Office VPN tunnel is no longer given low processing priority to improve latency for ping traffic through VPN tunnels. [60427]
• We have increased the default buffer size for the xfrm_dst_cache on the XTM device to prevent a condition where Branch Office VPN traffic stops when there are many TCP connections through the tunnel. [58141]
• Tunnels no longer fail with a “no proposal chosen” error when you use a dynamic external interface for the tunnel Gateway. This problem occurred when the gateway name for each gateway was not unique enough, which caused the wrong gateway to be selected for Phase 2. [60594]
• This release resolved an issue that caused VoIP traffic with the ToS bit set to fail to pass through a Branch Office VPN tunnel. [59479]

Authentication

• The Terminal Services Agent no longer uses 100% of the CPU when the first user starts an RDP session. [60111]
• Terminal Server/Citrix users can now use the Interbase SQL client to get access to a remote server. [60847]
• A Terminal Services Agent installation problem that occurred on some servers has been resolved. [60848]
• Radius Authentication for PPTP users now works correctly on XTM 2 Series devices. [61164, 61151]
• The deny message shown for authentication denies that occur because only one authentication is allowed for the same user account has been improved. [59214]
• We have improved performance when many users authenticate to the XTM device using Firebox-DB authentication. [61760]

Management

• Firewall policies can now be applied to intra-VLAN traffic. [61382]
• The Management Server can now correctly apply updates to remote devices using dynamic external interfaces. [61141]
• When you upgrade from Fireware XTM software v11.3 or earlier to v11.4.x, IPS is no longer disabled for policies that previously had IPS enabled. [61108]
• Configuration saves now take effect without the need to reboot on XTM 5 Series appliances running v11.4 or v11.4.1. [60074]
• This release resolves an issue that caused some Management Server backups created in v11.4 to fail to restore. [61075]

Certificates

• A problem that caused custom web server certificates to not generate correctly has been resolved. [61421]
• Management connections no longer fail because a web server certificate has many DNS names. [56441]

WatchGuard Log Server

• LogViewer searches no longer fail to find a match after a new installation of the WatchGuard Log Server. [60411]
• The WatchGuard Server Center no longer shows an abnormally high maximum database size immediately after a change is made to lower the database size. [61378]

Firebox System Manager (FSM)

• FSM connections no longer fail if there are three or more FSM instances connected to the same XTM device. [61728]
• Traffic Monitor no longer stops displaying log messages after a PPTP connection. [61227]