New Software Release: Fireware 11.12.1 and WSM 11.12.1

The Fireware v11.12.1 release is available as of today.

Further information:

If you use a T50 or smaller with the SSL proxy enabled, please note our article on Fireware v11.12.1 and HTTPS-Proxy with Deep-Inspection.

Enhancements and Resolved Issues in Fireware v11.12.1

General

  • When you enable TDR on a Firebox, a TDR policy is now automatically added to your configuration to allow connections from TDR Host Sensors on your trusted network to TDR FQDNs on TCP port 443.
  • This release resolves a Cross-Site Request Forgery vulnerability on the Fireware Web UI login page. [92304]
  • This release updates the lighttpd component used by Fireware to resolve several HTTP proxy port-related vulnerabilities (CVE-2016-5387, CVE-2016-5388, and CVE-2016-5386). [92514]
  • This release resolves a vulnerability in the Fireware Web UI that could allow an attacker to enumerate management user login IDs. [92884]
  • This release resolves an issue that caused session IDs to be sent in the URL for authenticated Fireware Web UI sessions. [92679]
  • This release resolves kernel crashes on Firebox T70, M200 and M300 devices configured in drop-in mode. [92760, 92677]
  • The Turkish timezone settings have been adjusted to eliminate timezone changes throughout the year. [92464, 92666]
  • You can now successfully create a backup image for a Firebox T10 with multiple security subscriptions configured. [92341]
  • The French localization of hotspot vouchers has been updated. [92716]
  • This release resolves an issue that caused the Front Panel to fail to load from Firebox System Manager. [92771]
  • Policy Manager and Firebox System Manager now negotiate stronger TLS ciphers for management connections. [92530]
  • This release resolves an issue that caused Policy Manager to fail to save configurations to Firebox M400, M500, and M440 devices. [92826]
  • This release resolves an issue that caused Fireware Web UI to fail to display policies after you upgrade your Firebox to Fireware v11.12. [92932]
  • You can now successfully save configurations that contain policies with IPv6 addresses to Fireboxes installed with Fireware v11.11.4 or earlier. [92674]
  • This release has optimized memory usage for Firebox T10 and XTM 25/26 devices. [92647, 92341]

Networking and VPN

  • PPPoE external interfaces no longer need to restart when you change the NTP, Log Server, or multi-WAN settings on your Firebox. [90146]
  • PPPoE Link Monitor now works correctly when you use both Link Monitor Ping and TCP with domain names selected. [92506]
  • The BOVPN New Gateway Endpoint menu now correctly displays the local External interface drop-down list as the first option, and includes a tooltip to indicate that only the primary IP address of the selected External interface will be used for tunnel negotiations. [87940]
  • The BOVPN Gateway Endpoints list now displays columns in the correct order. [92708]
  • NAT rules now work correctly when you configure a BOVPN tunnel host route using a /32 subnet mask and 1-to-1 NAT configured. [92700]
  • This release resolves an issue that caused a Firebox to become unresponsive after a secondary IP address configured as part of a Dynamic NAT rule was removed from the Firebox configuration. [92727]
  • DWM-221 modem interoperability has been improved. [92809]
  • BOVPN IKEv2 tunnels to CheckPoint devices now establish correctly.

FireCluster

  • To prevent FireCluster upgrade issues, you can no longer upgrade a single FireCluster member with Policy Manager. [90999]
  • Hotspot guest administrators can no longer get access to the backup member of a FireCluster. [92462]
  • This release resolves a FireCluster issue that caused a kernel crash and subsequent failover for some customers. [92567]
  • From Front Panel, you can now correctly expand FireCluster member details for a Firebox installed with Fireware v11.11.x or earlier. [92633]
  • FireCluster devices no longer produce XML-RPC error: connection time out messages when Gateway AV signatures are manually updated in Firebox System Manager. [90792]

Proxies and Services

  • The Firebox now includes the host IP address when it sends data to the WebBlocker Websense database for classification. [90264]
  • The IPS signature ID is now included in LEEF syslog messages. [92551]
  • This release resolves an issue that caused the SMTP/POP3 proxies to strip base64 message parts if the message parts contained the exclamation point character (!). [92622]
  • This release improves the detection of macro-enabled Microsoft Office documents. [92408]
  • The spamBlocker Virus Outbreak Control block function now correctly auto-blocks the source when a virus is detected. [92021]
  • The SMTP proxy deny message has been improved to include different admin actions for Gateway AV Scan errors. [92010]
  • The HTTP proxy now supports multiple Transfer-Encoding Methods carried in the same header. [92476]
  • An issue that caused some specific websites to fail to load through the HTTPS Proxy has been fixed. [92363]
  • When you use policy manual-order mode in Fireware Web UI, HTTPS-Proxy rule position no longer changes when Content Inspection is enabled. [92560]
  • An issue has been resolved that caused slow Google website access through links in MS Office products when using the HTTPS Proxy with Content Inspection enabled. [92687]
  • Content filtering within gzip-compressed websites has been improved. [63563]
  • In Fireware v11.11.4, we announced that PFS support was not available on Firebox T10, T30, T50, XTM 25/26, or XTM 33 devices. Because of a bug, support for PFS-capable ciphers in the TLS handshake process was allowed in both Fireware v11.11.4 and v11.12 for this set of devices, but the restriction is now correctly enforced in v11.12.1. See this Knowledge Base article for more information. [92504]

Authentication

  • Active Directory authentication no longer allows concurrent connections from user names that differ only in case. [67433]
  • The session table now correctly displays users that authenticate with SSO. [92759]

Certificates

  • CA Manager now correctly prevents the generation of a certificate with an invalid lifetime setting. [92803]
  • The CLI command Upgrade certificate now regenerates the default self-signed certificates if they have been removed. [92496]
  • This release resolves an issue that prevented the certificate portal from providing the correct Proxy Authority certificate for download. [92802]
  • An issue that caused managed device templates to fail to apply to devices installed with Fireware v11.10.x because of the WG-Cert Portal Policy has been resolved. [92755]
  • You can now connect remotely to manage a Firebox configured with PPPoE that uses a third-party certificate as its Webserver Certificate. [92489]

Logging and Monitoring

  • You can now resize the Traffic Monitor search input field. [88613]
  • You can now configure logging and notification settings for the blocked sites list in Fireware Web UI. [90621]
  • Failed authentication attempts from WatchGuard System Manager for the status user now produce a log message: log in attempt was rejected – invalid credentials. [92445]

Wireless and AP

  • AP 100/102/200 firmware v1.2.9.11 and AP300 firmware v2.0.0.6 resolve several stability issues. [88333, 91689, 91711, 92104, 92128, 92711, 92823]
  • AP 100/102/200 firmware v1.2.9.11 and AP300 firmware v2.0.0.6 resolve issues with Remote VPN deployment. [92454, 92562, 92579, 92580, 92909]
  • This release resolves several issues that caused crashes of the gwcd process. [92840, 92863, 92864]
  • Gateway Wireless Controller now supports wireless country settings of AP devices in New Caledonia. [92851]
  • Clients connected to AP120 and AP320 devices managed by Gateway Wireless Controller now show correct signal strength values. [92805]
  • The Gateway Wireless Controller Wireless Client List now shows a location that matches the location configured for the AP device. [90228]
  • Gateway Wireless Controller can now correctly manage an AP120 or AP320 located behind a routed network. [92972]
  • Gateway Wireless Controller can now discover unpaired AP300 devices installed with AP firmware v2.0.0.6 over-the-air. [91318]
