New Software Release: Fireware 11.12.2 and WSM 11.12.2

Fireware release v11.12.2 has been available for a few days.

Important points to note:

  • PFS for TLS and HTTPS DPI is now also configurable on T10/30/50 and XTM-33.
  • Improved support for VPN to Amazon AWS.
  • A trust store has been introduced for APs: each new AP must be given the “trusted” status individually (Firebox System Manager => Gateway Wireless Controller => under the actions).
  • Longer minimum length for AP passphrases.
  • Changes to the port 4100 authentication policy: after the update, please check that the policy is still set the way you configured it, especially if you use Any-External.

Enhancements and Resolved Issues in Fireware v11.12.2

General

  • Single TCP stream now provides the expected throughput on a Firebox M440. [FBX-380]
  • This release includes improvements to reduce CPU usage when Management Tunnels are established over SSL. [FBX-2087, FBX-2085, 93080]
  • This release resolves an issue that caused IKED to crash after internal hash table corruption. [FBX-1906, 92942]
  • Various process crashes have been fixed in this release. [92706, FBX-2751, 92684]
  • ConnectWise now creates new tickets when a user removes the default “Quick Response” priority type. [FBX-1821]
  • This release resolves a kernel crash that occurred after a FireCluster failover. [92667, 92230]
  • A Certd process crash has been fixed. [FBX-1167, 92526]
  • A problem that caused some websites to fail to load with a “content decoding error” has been resolved in this release. [FBX-2410]
  • Policies that include a VLAN name in the From or To field no longer fail after you change the VLAN name. [92966]
  • The Firebox XML-RPC agent no longer returns different responses to login requests that contain valid and invalid usernames. [FBX-1654]
  • This release resolves an issue that caused wgagent to crash while processing an invalid XML-RPC request. [FBX-1765]

Proxies and Services

  • Perfect Forward Secrecy (PFS) ciphers are now available in HTTPS and SMTP proxies for Firebox T10, T30, T50, XTM 25/26, and XTM 33 models. [FBX-2020, 93045]
  • The Blocked Sites Exceptions list now includes default FQDN exceptions for servers required for WatchGuard products and subscription services. [FBX-1416, 92658]
  • The HTTP proxy process no longer crashes when inflating data from web pages with content-encoding set to gzip or deflate. [93220, FBX-2729]

Authentication and Single Sign-On (SSO)

  • You can now configure lockout settings for all user accounts that use Firebox authentication to protect user accounts from brute force attempts to find the user account login credentials. [FBX-417, 45021, 67544, 45551]
  • You can now limit the number of devices that can connect to a Hotspot at the same time for each guest user account. [FBX-433, 82879]
  • The SSO client for Mac OS now supports nested groups. [FBX-1484, 92726]
  • WatchGuard Single Sign-On and Terminal Services components are now officially supported on Windows Server 2016. [FBX-1153, 92398]
  • The SSO Client installer now creates a Windows firewall exception. [FBX-1763, 91373]
  • Terminal Services support for manual Single Sign-On authentication now includes Citrix XenApp 7.12. [FBX-1628, 90170]
  • When you associate a user with more than 256 authentication groups, the Firewalld process no longer crashes. [93152, FBX-2681]

VPN

  • BOVPN Virtual Interface now supports an IPSec VPN tunnel to an Amazon AWS virtual private cloud (VPC). [FBX-110, 41534]
  • You can now specify a different pre-shared key for each gateway endpoint for the same branch office VPN gateway. [FBX-1290, FBX-1292]
  • In Fireware Web UI, the VPN Statistics System Status page has a new Statistics tab that shows bandwidth and tunnel statistics over time. [FBX-1728]
  • The Global VPN setting Enable TOS for IPSec is now correctly applied to BOVPN traffic configured to use a Virtual Interface (VIF). [FBX-2349]
  • Mobile VPN with IPSec no longer fails to reconnect after a non-graceful disconnection. [92935, FBX-2195]
  • The use of many BOVPN Virtual Interfaces no longer causes a kernel crash. [93193, FBX-2755]
  • This release resolves an issue with Mobile VPN with SSL that caused incorrect DNS resolution on Windows 10 clients. [88918]
  • This release updates the Mobile VPN with IPSec client for Mac OS X to add support for Mac OS Sierra.
  • This release updates the Mobile VPN with IPSec client to resolve an issue related to missing DNS server IP address information. [90324]

Wireless

  • Gateway Wireless Controller now supports management of AP322 outdoor AP devices. [FBX-100, FBX-1270]
  • The default wireless security mode for AP devices locally managed by a Gateway Wireless Controller and wireless-capable Firebox devices is now WPA2-only (PSK) with AES encryption. [FBX-1974, 93047]
  • This release includes several other important security-related enhancements to Gateway Wireless Controller. See the Upgrade Notes topic for important information related to these enhancements. [FBX-111]

Networking and Modem Support

  • In the Dynamic DNS configuration, you can select to have DynDNS use the IP address from your router or NAT device. [FBX-1998, 92780]
  • You can now enable conditional DNS forwarding from Fireware Web UI and Policy Manager. [FBX-559, 58214]
  • In Bridge Mode, you can now configure the Firebox to use DHCP to get an IP address. [FBX-375]
  • This release includes support for two new USB modems:
    • Franklin U772 4G USB modem [FBX-1232]
    • NetGear Beam 3G/4G USB modem [FBX-1676]
  • This release adds Spanning Tree Protocol support for VLAN interfaces. For specific information on supported scenarios, see Fireware Help or What’s New in Fireware v11.12.2. [FBX-753, 61035]
  • This release adds Spanning Tree Protocol support in Bridge mode. [FBX-991, 56764]
  • A dynamic routing daemon crash has been fixed. [92930, FBX-1744]
  • The PPPoE daemon now remains stable when Link Monitor probing cannot resolve a domain name. [92024]
  • The BGP routing process no longer crashes when MD5 encryption is used. [93038, FBX-1886]
  • BGP routes are now added correctly to the routing table after a FireCluster failover. [FBX-2749, 93095]
