Loss of the default route on PPPoE reconnect – Fireware 12.1.1

We recently came across an unpleasant rare case:

Symptom:

  • the external PPPoE interface has an IP address
  • the external PPPoE interface is marked “as available” in Multi-WAN
  • “the Internet doesn't work”: no DNS/ping/whatever is possible from the inside over this interface
  • after physically disconnecting/reconnecting the cable to the modem, a new PPPoE handshake is forced and everything works as it should
  • alternatively: after a reboot (also a new PPPoE handshake) everything is OK again as well.

Cause:

  • on PPPoE reconnect an IP address is assigned
  • in rare cases, however, the default route via this interface can somehow be lost

Remedy:

Fireware 12.2 Beta

Two beta tests are currently under way again.

  • Fireware 12.2
    • with “Intelligent Antivirus”, a further additional AV engine
    • redundant SSO agent connection
    • the central geolocation profile can be enabled/disabled per policy
  • AuthPoint (a cloud-based two-factor authentication with OTP and push notification)

Original text:

New Features now in Beta in Fireware 12.2
Interested in new features? Help us test the next release of Fireware! We have Fireware 12.2 in Beta now, and this new release adds some excellent new capabilities:

  • A second Artificial Intelligence based malware scan on rackmount appliances
  • Redundant SSO agents
  • Geolocation rules by policy

Click Here to sign up for the Beta program now and to learn more about the many new features.

New software release Fireware 12.1.3 and System Manager 12.1.3

Now available:

  • Fireware Release v12.1.3
  • WatchGuard System Manager v12.1.3

Fireware 12.1.3 General Availability
WatchGuard is pleased to announce the General Availability (GA) of Fireware 12.1.3 and WSM 12.1.3. These maintenance releases don’t include new features, but they provide resolution to many issues that have been reported by customers. WatchGuard partners and customers should review the Release Notes to see a full list of fixed issues prior to upgrading.

Does this release pertain to me?
The Fireware 12.1.3 maintenance release applies to all Firebox T, Firebox M, and XTM appliances, except XTM 21/21-W, 22/22-W, or 23/23-W, XTM 505, 510, 520, and 530 which have reached the End of Life. Firebox 12.2 is only available for Firebox appliances.

Reminder: AV Signatures ending for 11.x releases
WatchGuard announced last July that we would end support for AV signatures for the older AVG engine in Fireware 11.x by April 15th 2018. WatchGuard may continue to deliver some signature updates for 11.x firmware versions for a few more weeks, but frequency will decline and security efficacy will not be guaranteed to the same levels as 12.x firmware.  Customers must upgrade to a 12.x version of Fireware to receive the signature updates for protection against the latest threats and to maintain adequate defense against malware using the GAV service.

Software Download Center
Firebox and XTM appliance owners with active support subscriptions can obtain the Fireware 12.1.3 update without additional charge by downloading the applicable packages from the WatchGuard Software Download Center.


Enhancements and Resolved Issues in Fireware 12.1.3

General
  • This release removes weak ciphers that do not support forward secrecy from the Firebox web server. [FBX-10752]
  • Web pages served by the Firebox now include security headers outlined in the OWASP Secure Headers Project in HTTP responses. [FBX-9691]
  • This release resolves a vulnerability that made possible a SAML assertion replay attack against the Access Portal. [FBX-9731]
  • This release corrects the Japanese localization of FireCluster upgrade error messages in Fireware Web UI. [FBX-10941]
  • Firebox System Manager no longer reports an error when you view the Front Panel of a Firebox Cloud instance. [FBX-10910]
  • Firebox System Manager no longer frequently disconnects when you connect to a Firebox with an older version of Fireware. [FBX-11814]
  • This release resolves an issue that prevented certificate sync when the Firebox first joins a FireCluster. [FBX-11449]
  • This release resolves an issue that caused all authenticated sessions to terminate after configuration changes are made to authentication server settings with Fireware Web UI. [FBX-11263]
Integrations
  • This release resolves an issue that resulted in Autotask creating unintended duplicate configurations. [FBX-11533]
  • Fireware Web UI no longer allows invalid configuration options that cause AutoTask to fail. [FBX-11771]
Networking
  • This release resolves an issue that caused the Firebox to stop replying to DHCP requests. [FBX-9213, FBX-10643]
  • This release resolves an issue that caused DHCP relay to stop working after a Firebox reboot. [FBX-11464]
  • This release resolves an issue that caused the removal of the default route after PPPoE interface re-negotiation. [FBX-11668]
  • The Huawei E3372 modem now works correctly. [FBX-10888]
  • This release resolves an issue with the WebUI that prevented changing the Link Monitor settings on T10/T15 when using a Modem as external interface. [FBX-11040, FBX-10535]
  • The Enable Link-Monitor check box no longer re-selects itself after you disable it. [FBX-10214]
  • Policy Manager now correctly allows configuration of Multi-Wan for T15 Fireboxes with Fireware Pro. [FBX-11500]
Centralized Management
  • Management Server now correctly restricts configuration options for Active Directory based on RBAC role. [FBX-9167]
VPN
  • Mobile VPN with SSL download page no longer fails to load for two-factor authentication users. [FBX-10085]
  • This release resolves an issue that caused the Mobile VPN with SSL process to crash when FIPS is enabled on Firebox. [FBX-2558]
  • BOVPN over TLS clients can now connect to a remote VPN server with its primary server configured as a domain name. [FBX-11556]
  • This release resolves a kernel crash that occurs when Mobile VPN with SSL traffic is sent through a Virtual Interface (VIF). [FBX-11800]
  • This release adds enhancements to BOVPN Dead Peer Detection when the Firebox is located behind a NAT device. [FBX-11192]
  • This release adds several IPSec BOVPN stability improvements for Fireboxes in a NAT environment. [FBX-11188]
  • This release resolves an issue that causes Managed Branch Office VPN tunnels to restart when the Management server changes the Firebox configuration. [FBX-11400]
  • SLVPN Management tunnels can now use the # symbol as the first character of the password. [FBX-11271]
  • This release resolves an issue that caused packet loss through Branch Office VPN on M4600 and M5600 with large amounts of traffic. [FBX-11584]
Proxies and Services
  • This release reduces load on the Firebox processor caused by excessive proxy log messages. [FBX-10691]
  • The HTTP proxy no longer fails to get the MD5 hash during a file upload when the file exceeds the Gateway AV scan limit. [FBX-11577]
  • This release improves IPS and Application Control scanning when Content inspection is enabled on T15, T30 and XTM330 platforms. [FBX-11354]
  • IMAP proxy connection count is now correctly reported in Proxy Connection Statistics for connections handled by the TCP-UDP proxy. [FBX-10586]
  • This release resolves an issue that caused some websites to fail to load in the Chrome browser for connections through the HTTPS proxy with TCP MTU probing enabled. [FBX-11280]
  • A FireCluster member without a DNSWatch license will now correctly register to the DNSWatch service when it becomes Master. [FBX-10180]
  • This release resolves an issue that prevented HostWatch from correctly displaying data related to SIP and H323 proxies. [FBX-10238]
  • This release includes several improvements in Proxy memory usage. [FBX-11465, FBX-9256, FBX-10886]
  • This release resolves a memory leak that occurred when the IMAP proxy was enabled. [FBX-11255]
  • This release resolves an issue that prevented mail from downloading through the IMAP proxy with log messages that included: “fail to parse fetch argument list”. [FBX-10782]
  • The status of Content Inspection is now included in IMAP proxy log messages when viewed from the Fireware Web UI. [FBX-10822]
  • Log messages generated by the IMAP Proxy now include the TLS Profile name configured in the proxy. [FBX-10125]
Wireless
  • Gateway Wireless Controller updates of AP420 and AP325 no longer fail because of an AP reboot during the upgrade process. [FBX-11081]
  • This release resolves an issue that caused the Firebox T35-W model to crash when wireless is enabled. [FBX-9760]

Reminder: update to 12.x required by 15 April at the latest

We would like to point out once more, and urgently, that support for the AV signatures for the AVG virus scanner engine expires on 15 April 2018. From that date on there will be no new pattern files for Gateway AntiVirus with the AVG engine (the virus scanner will keep running, but without current pattern files). We therefore recommend updating to a 12.x version by 15 April. With version 12.x, WatchGuard has changed the vendor for Gateway AntiVirus (to Bitdefender).

See also our blog post “Virenscanner gewechselt” (virus scanner changed) and the blog post “AVG Pattern bis April 2018 verfügbar” (AVG patterns available until April 2018).

So far no negative feedback on 12.1.1 has reached us; the version has also run stably on our test device since Beta3 (for about 4-5 weeks).

New software release Fireware 12.1.1 and System Manager 12.1.1, AP Firmware 8.5.0-646, Mobile VPN with IPSec for Windows v12.13

Now available:

  • Fireware Release v12.1.1
  • Mobile VPN with IPSec for Windows v12.13
  • AP Firmware 8.5.0-646

WatchGuard is pleased to announce the release of WSM and Fireware v12.1.1. Fireware v12.1.1 is a planned update to the Firebox operating system that features critical enhancements to network security and resolves a number of longstanding Firebox limitations. At a high level, this release introduces:

DNSWatch

DNSWatch is a new cloud-based service that monitors DNS requests through the Firebox to prevent connections to known malicious domains. It protects against malicious clickjacking and phishing domains regardless of connection type, protocol, or port. DNSWatch is included in the Total Security Suite subscription for Firebox T Series, M Series, XTMv, FireboxV, and Firebox Cloud appliances. Make sure you update your Firebox feature key to get access to this new service.

Support for New Dynamic DNS Providers

You can now configure Dynamic DNS with No-IP, Dynu, DNSdynamic, Afraid.org, Duck DNS, and Dyn.

Firebox Wireless Enhancements

This release includes multiple enhancements to wireless security, including the ability to manually disconnect Firebox wireless clients.

BOVPN over TLS Support in WatchGuard System Manager

You can now configure a Branch Office VPN over TLS in all Firebox user interfaces.

TLS Profiles

We have moved the content inspection settings from HTTPS proxy actions to TLS profiles.

Networking Enhancements

This release introduces many improvements to device networking, including:

  • USB Modem Support for Verizon 620L and 730L
  • Ability to connect USB modems to the Firebox with no reboot
  • Ability to configure a default gateway other than the Firebox IP address in the Firebox DHCP server
  • Per-interface configuration of DHCP relay
  • Apply firewall policies to intra-VLAN traffic setting is now enabled by default for external VLAN interfaces

Mobile VPN with IPSec for Windows v12.13

This release also includes an update to the Mobile VPN with IPSec Windows client from NCP. The v12.13 client includes:

  • Updated look to the Mobile VPN client and connection indicator icon
  • Ability to configure VPN Bypass in the client firewall to allow users to connect directly to specified networks without using the VPN
  • New Home Zone feature to enable connections to the user local network without specific administrator configuration on the client firewall

For more information on the feature updates and available bug fixes in this release, see the Enhancements and Resolved Issues section. For more detailed information about the feature enhancements and functionality changes included in Fireware v12.1.1 see Fireware Help or review What’s New in Fireware v12.1.1.

Hardware problem on some M200 and M300

Some WatchGuard Firebox M200 and M300 units have performance problems when interfaces 3 to 7 (eth3 to eth7) are used. A batch of faulty network chips that was built into some M200 and M300 appliances is responsible for this.
The problem shows up as significant packet loss or throughput problems to and from networks connected via eth3 to eth7. This also impairs correct cluster operation if eth3 to eth7 are used for the HA interface(s), which is likely to be the case in the vast majority of installations!

You can quite easily determine yourself whether your M200 or M300 is affected:

Firebox System Manager > Status Report

Scroll there to the interface statistics for interfaces eth3 to eth7 and look in particular for the value in_bad_octets. (Incidentally, you can press Ctrl+F in the Status Report; a full-text search field opens at the bottom of the screen in which you can search for this term…):

Eth6 NIC statistics
tx_packets: 10861583
tx_bytes: 2283336906
rx_packets: 8992113
rx_bytes: 905807745
in_good_octets: 473664403
in_bad_octets: 0
in_unicast: 4765801
in_broadcasts: 462

If the value for “in_bad_octets” is zero there, or does not change over a period of several minutes, this interface / your device is NOT affected by the problem. Please check all candidate interfaces from eth3 to eth7, though.
If the value for “in_bad_octets” keeps counting up, take several screenshots of it or generate the “support.tgz” file by clicking the “Support” button at the bottom right of the Status Report. Open a support incident in your account on the WatchGuard website and report your findings there, referring to Knowledge Base article 000011245. Then also upload your screenshots or the “support.tgz” file there. You will then most likely receive a replacement device from WatchGuard via RMA.

Once again: models other than M200 and M300 are NOT affected by this problem!
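The check described above (compare in_bad_octets on eth3 to eth7 between two Status Report snapshots taken a few minutes apart) can be automated instead of eyeballed. The following Python script is an added example, not WatchGuard's or this blog's own tooling: it parses the "EthN NIC statistics" blocks in the Status Report text format shown above and flags a port only when the counter has increased between the two snapshots, which is exactly the "keeps counting up" condition from the text; a non-zero but static value is reported as ok. The two snapshots embedded in the script are constructed sample data (the counters and the "faulty" eth5 are invented), and in real use you would paste in two saved Status Report copies.

```python
import re

# Constructed sample data: two Status Report excerpts taken a few minutes apart.
# All counter values are made up for this example; eth5 plays the faulty port.
SNAPSHOT_T0 = """\
Eth3 NIC statistics
tx_packets: 100
in_good_octets: 5000
in_bad_octets: 0
Eth5 NIC statistics
tx_packets: 200
in_good_octets: 9000
in_bad_octets: 17
Eth6 NIC statistics
tx_packets: 10861583
tx_bytes: 2283336906
in_good_octets: 473664403
in_bad_octets: 0
in_unicast: 4765801
"""

SNAPSHOT_T1 = """\
Eth3 NIC statistics
tx_packets: 130
in_good_octets: 5600
in_bad_octets: 0
Eth5 NIC statistics
tx_packets: 260
in_good_octets: 9900
in_bad_octets: 240
Eth6 NIC statistics
tx_packets: 10861900
tx_bytes: 2283400000
in_good_octets: 473700000
in_bad_octets: 0
in_unicast: 4765950
"""

# The ports the blog post names as affected by the faulty chip batch.
SUSPECT_PORTS = frozenset(f"eth{n}" for n in range(3, 8))

HEADER_RE = re.compile(r"^(Eth\d+) NIC statistics$")
COUNTER_RE = re.compile(r"^([A-Za-z_]+):\s*(\d+)$")


def parse_nic_stats(report_text):
    """Return {interface: {counter_name: int}} from Status Report text.

    Lines that are not a block header or a 'name: number' counter are ignored,
    so the whole Status Report can be fed in, not just the NIC section.
    """
    stats = {}
    current = None
    for raw in report_text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1).lower()   # "Eth6" -> "eth6"
            stats.setdefault(current, {})
            continue
        counter = COUNTER_RE.match(line)
        if counter and current is not None:
            stats[current][counter.group(1)] = int(counter.group(2))
    return stats


def bad_octet_verdict(before, after, ports=SUSPECT_PORTS):
    """Classify each port as 'ok', 'suspect' or 'missing'.

    'suspect' means in_bad_octets grew between the snapshots (the RMA case);
    a zero or unchanged value is 'ok'; 'missing' means the port had no stats
    block in one of the snapshots and could not be judged.
    """
    verdict = {}
    for port in sorted(ports):
        if port not in before or port not in after:
            verdict[port] = "missing"
            continue
        b = before[port].get("in_bad_octets", 0)
        a = after[port].get("in_bad_octets", 0)
        verdict[port] = "suspect" if a > b else "ok"
    return verdict


def main():
    verdict = bad_octet_verdict(parse_nic_stats(SNAPSHOT_T0),
                                parse_nic_stats(SNAPSHOT_T1))
    for port, state in verdict.items():
        print(f"{port}: {state}")
    if "suspect" in verdict.values():
        print("in_bad_octets is counting up on at least one port: "
              "collect screenshots / support.tgz and open a support incident.")


if __name__ == "__main__":
    main()
```

Run it with two real snapshots pasted into SNAPSHOT_T0 and SNAPSHOT_T1; the interval between them should be several minutes, as the post says, because a single reading cannot distinguish an old, static error count from an actively failing port.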