Tag Archives: Update

New software release: Fireware 12.1.1 and System Manager 12.1.1, AP Firmware 8.5.0-646, Mobile VPN with IPSec for Windows v12.13

Now available:

  • Fireware Release v12.1.1
  • Mobile VPN with IPSec for Windows v12.13
  • AP Firmware 8.5.0-646

WatchGuard is pleased to announce the release of WSM and Fireware v12.1.1. Fireware v12.1.1 is a planned update to the Firebox operating system that features critical enhancements to network security and resolves a number of longstanding Firebox limitations. At a high level, this release introduces:

DNSWatch

DNSWatch is a new cloud-based service that monitors DNS requests through the Firebox to prevent connections to known malicious domains. It protects against malicious clickjacking and phishing domains regardless of connection type, protocol, or port. DNSWatch is included in the Total Security Suite subscription for Firebox T Series, M Series, XTMv, FireboxV, and Firebox Cloud appliances. Make sure you update your Firebox feature key to get access to this new service.

Support for New Dynamic DNS Providers

You can now configure Dynamic DNS with No-IP, Dynu, DNSdynamic, Afraid.org, Duck DNS, and Dyn.

Firebox Wireless Enhancements

This release includes multiple enhancements to wireless security, including the ability to manually disconnect Firebox wireless clients.

BOVPN over TLS Support in WatchGuard System Manager

You can now configure a Branch Office VPN over TLS in all Firebox user interfaces.

TLS Profiles

We have moved the content inspection settings from HTTPS proxy actions to TLS profiles.

Networking Enhancements

This release introduces many improvements to device networking, including:

  • USB Modem Support for Verizon 620L and 730L
  • Ability to connect USB modems to the Firebox with no reboot
  • Ability to configure a default gateway other than the Firebox IP address in the Firebox DHCP server
  • Per-interface configuration of DHCP relay
  • Apply firewall policies to intra-VLAN traffic setting is now enabled by default for external VLAN interfaces

Mobile VPN with IPSec for Windows v12.13

This release also includes an update to the Mobile VPN with IPSec Windows client from NCP. The v12.13 client includes:

  • Updated look to the Mobile VPN client and connection indicator icon
  • Ability to configure VPN Bypass in the client firewall to allow users to connect directly to specified networks without using the VPN
  • New Home Zone feature to enable connections to the user local network without specific administrator configuration on the client firewall

For more information on the feature updates and available bug fixes in this release, see the Enhancements and Resolved Issues section. For more detailed information about the feature enhancements and functionality changes included in Fireware v12.1.1 see Fireware Help or review What’s New in Fireware v12.1.1.

New software release: Fireware 12.1 and System Manager 12.1

Now available: Fireware Release v12.1.

Fireware 12.1 General Availability

We are pleased to announce the new release of Fireware 12.1 and WSM 12.1! These significant new releases are now available for download from the software download center. The highlight of Fireware 12.1 is the Access Portal, a clientless application portal that is available for SSO integration for cloud assets and internal resources via RDP and SSH. With the rate and notoriety of recent cybersecurity incidents involving compromised personal information, the marketplace for web-based authentication solutions continues to grow at a Compound Annual Growth Rate upwards of 10%.1 The Access Portal is uniquely positioned to integrate into existing authentication markets to provide a clientless experience while encouraging strong authentication with existing SSO vendors or even providing MFA access (i.e. Google Authenticator, etc.) to the portal itself.

The release of Fireware 12.1 adds a bevy of networking, VPN and proxy improvements that allow the network administrator to focus on the network without compromising security:

Enhancements and Resolved Issues
This list may not include all resolved issues and enhancements included in this release. If you have questions about the status of a specific active or resolved issue, contact WatchGuard Technical Support.


  • This release adds new Access Portal functionality. [FBX-98]
  • Web UI users who log in with IE no longer see a 500 internal server error when their management session times out. [FBX-8202]
  • Multi-word Policy Tags are now displayed correctly in Web UI. [FBX-7577]
  • Users are no longer redirected to the Web UI > Front Panel when they select options to add or remove a Policy Tag. [FBX-7576]
  • This release resolves an issue that caused a crash resulting in a “scheduling while atomic: fqdnd” message. [FBX-6664]
  • Hotspot Guest Accounts are now included in Firebox backup files. [FBX-8507]
  • This release resolves an issue in which certain public IP addresses were not correctly identified by the Geolocation service. [FBX-7353]
  • You can now import and export lists of FQDNs, host IP addresses, network IP addresses, and host ranges for aliases. [42310, FBX-5207]
  • Intra-VLAN traffic can now be applied to firewall policies as an option on external interfaces. [FBX-3764]
  • This release improves the performance of the Web UI Front Panel and FireWatch when a Firebox is under heavy load. [FBX-8510]
  • Error messages related to Trusted Platform Module, or TPM, no longer appear for Firebox models that do not have TPM. [FBX-8776]
  • The Firebox log process, loggerd, no longer crashes when the Log Server configuration contains an FQDN. [FBX-8555]
  • You can now configure a wildcard IP address in an alias. [FBX-4280]
  • OID values for a PPPoE interface no longer change when the interface refreshes. [FBX-6109]
  • The Firebox no longer adds the internal IP address in a Static NAT to the blocked sites list when the connection matches a Domain Name block action. [FBX-8802]

Proxies and Services

  • In Web UI, when policies are manually ordered, the Certificate Portal policy no longer moves to the bottom when you modify the HTTPS proxy with content inspection enabled. [FBX-6873]
  • The Quovadis SHA256 Root CA Certificate has been added to the Trusted CA for Proxies store. [FBX-8409]
  • This release adds *.watchguard.com to the default HTTP proxy exceptions. [FBX-7874]
  • When you configure WebBlocker through the Proxy Action in Fireware Web UI, it now displays the Advanced Tab. [90763, FBX-3183]
  • The Explicit proxy now selects the correct redirect IP address for authentication for clients that connect through a BOVPN Tunnel. [FBX-7570]
  • The iTunes application now works better through the HTTPS proxy with Content Inspection. [FBX-7930]
  • The Feature Key Compliance tool now correctly removes all WebBlocker actions from your configuration. [FBX-7494]
  • SMTP proxy log messages now include the TLS version when TLS Encryption is enabled. [FBX-4116]
  • The IMAP proxy now correctly handles ACL extensions. [FBX-7025]
  • The IMAP proxy now supports IMAPS, or IMAP over TLS. [FBX-6941]
  • You can now exempt some or all domains and applications in a predefined list from HTTPS Content Inspection. [FBX-6217]
  • The WebBlocker action configuration now uses the term Deny instead of Block for WebBlocker categories. [FBX-3430]

Networking

  • This release resolves an issue in which 1-to-1 NAT rules ignore multi-WAN failover order. [FBX-5702]
  • The Host Mapping table for Drop-in mode is no longer cleared of data when you edit it. [FBX-6312]
  • When you enable Link Aggregation, it now correctly resets the default LA interface MTU to 1500. [FBX-8435]
  • This release resolves an issue in which the Global DNAT rule fails when the “Set Source IP” matches the Loopback interface and that interface is disabled. [FBX-6401]
  • You can now completely disable Link Monitoring for Multi-Wan. [FBX-4430]
  • The Loopback interface configuration now correctly checks for overlapping IP addresses. [FBX-6400]
  • TCP MSS Control Auto Adjustment no longer unexpectedly reduces the MSS value. [78916, FBX-2431]
  • This release resolves an issue in which Policy Manager removes VLAN, Bridge or LAG interfaces when you make other changes to the Multicast Setup configuration. [FBX-9221]
  • Firebox Cloud for AWS now supports multiple Elastic IPs and secondary IP addresses on external interfaces. [FBX-6906, FBX-6903]
  • Firebox Cloud for AWS now supports manually configured static routes. [FBX-7611]
  • An issue where traffic management did not correctly throttle traffic on XTM 2 and Firebox T series devices has been resolved. [FBX-8885, FBX-8027]
  • This release includes support for the Verizon USB730L and AT&T MF861 USB modems. [FBX-7800, FBX-7801]
  • You can now configure a modem as an interface, rather than as a failover option. [FBX-3667]
  • You can now configure /31 and /32 subnet masks for Secondary IP addresses. [68645, FBX-8464, FBX-8465]
FireCluster

  • MAC override is now automatically disabled on each interface when you enable FireCluster. [FBX-6166]

Centralized Management

  • In Management Server, you can now view historical configurations for a Firebox with a dynamic external IP address. [FBX-7010]

VPN

  • The Firebox now correctly sends an Inform Delete message for a Branch Office VPN when you change the Phase 2 configuration. [FBX-7988]
  • You can now create Branch Office VPNs over TLS instead of IPSec. [FBX-5253]
  • This release introduces Mobile VPN with IKEv2. [FBX-9044]


  • The SSO connection error message Check Firewall has been updated to Check host firewall and connectivity for greater clarity. [92777]
  • The SSO Agent Configuration Tool now provides a connection status for Event Log Monitor and Exchange Monitor. [83378]
  • This release features design enhancements to Event Log Monitor to improve SSO performance in large environments. [FBX-2440]
  • This release resolves an issue in which users from different authentication servers with the same user name could not simultaneously log in because of the configured login limit. [FBX-2626]
  • The Firebox can now correctly retrieve group information for users who authenticate with FireClient. [FBX-8620]


  • The WG-Cloud-Managed-WiFi policy template now includes port 80 for firmware downloads. [FBX-3565]
  • The WG-Cloud-Managed-WiFi policy template now includes port 3852 for CIP functionality. [FBX-9036]
  • GWC timeout values have been adjusted to avoid continuous AP status changes seen when many APs are connected. [FBX-9332]
  • This release introduces Smart Steering and minimum RSSI, which replace the Fast Handover functionality. [AP-48]
  • You can now use Gateway Wireless Controller to manage an AP325 local mode. [FBX-6688]

Does this release pertain to me?

The Fireware release applies to all Firebox T, Firebox M, and XTM appliances, except XTM 21/21-W, 22/22-W, or 23/23-W, XTM 505, 510, 520, and 530, which have reached End of Life.

Software Download Center
Firebox and XTM appliance owners with active support subscriptions can obtain this update without additional charge by downloading the applicable packages from the WatchGuard Software Download Center.


New software release: Fireware 12.0.2 and System Manager 12.0.2

Now available: Fireware Release v12.0.2.


Fireware 12.0.2 General Availability
We are pleased to announce the General Availability (GA) of Fireware 12.0.2 and WSM 12.0.2 today. These releases, which are now available at the software download center, resolve several issues that had been reported from the field. Since these are maintenance releases, there are no new features included. Please review the Release Notes for a comprehensive list of issues that are addressed. Notable highlights include:

  • A fix for an issue that caused some websites to fail to load correctly when using Microsoft Internet Explorer 11 or Edge browser.
  • An option to mitigate the KRACK WPA2 vulnerability for client connections to wireless Fireboxes.

WatchGuard partners and customers should review the Release Notes and What’s New presentations prior to upgrading.

Does this release pertain to me?
The Fireware release applies to all Firebox T, Firebox M, and XTM appliances, except XTM 21/21-W, 22/22-W, or 23/23-W, XTM 505, 510, 520, and 530, which have reached End of Life.

AV Signatures in 11.x releases
WatchGuard will discontinue support for AV signatures for the older AVG engine in Fireware 11.x by April 2018. Customers with active Gateway Antivirus subscriptions should update to a 12.x release before then.

Software Download Center
Firebox and XTM appliance owners with active support subscriptions can obtain this update without additional charge by downloading the applicable packages from the WatchGuard Software Download Center.

For Sales or Support questions, you can find phone numbers for your region online. If you contact WatchGuard Technical Support, please have your registered appliance Serial Number or Partner ID available.

Caution: do not use System Manager 12.1 Beta 2 with Fireware 12.0.1

WARNING: Please do not use the WSM 12.1 Beta with Fireware 12.0.1.
There are still some issues here => see "Known Issues" on the beta platform.

The most important "Known Issues":

  • WSM 12.1 removes any configured BOVPN Virtual Interface tunnels from Fireboxes running Fireware v12.0.1 or earlier. [FBX-9001]
  • WSM12.1 removes any configured Mobile VPN with SSL authentication server settings from Fireboxes running Fireware v12.0.1 or earlier. [FBX-9032]

Please read the rest yourself on the beta platform.

Beta release: Fireware 12.1 and System Manager 12.1

Fireware 12.1 beta 2 has been available for some time on the WatchGuard beta platform https://watchguard.centercode.com/ (as of 08 Nov 2017).

WARNING: Please do not use the WSM 12.1 Beta with Fireware 12.0.1.
There are still some issues here => see "Known Issues" on the beta platform.

New features:

Access Portal
This is an add-on to the Total Security Suite: the Access Portal is an HTML5 application portal. All modern web applications that support the SAML standard will be available for SSO through the new Access Portal. The Access Portal will only be available on these Fireboxes:

  • Firebox M370/M470/M570/M670
  • Firebox M400/M440/M500
  • Firebox M4600/M5600
  • FireboxV
  • Firebox Cloud

A new feature key, which can be requested on the beta platform, is required to beta-test this feature.

HTTPS Predefined Exceptions List
There is a predefined exception list for content inspection filters. These predefined lists make it easier to allow applications such as Skype, Office 365, Dropbox and others.

The IMAP proxy and the TCP-UDP proxy now support secure IMAP (IMAPS). Support for STARTTLS will follow in a later release.

WebBlocker Usability/UI Improvements
The WebBlocker UI has been improved and streamlined.

Mobile VPN with IKEv2
Mobile VPN now supports IKEv2. This should make the native IKEv2 VPN clients on Windows, macOS and iOS devices work. For Android, users are referred to the third-party app "strongSwan".

BOVPN over TLS: between Fireboxes, as an alternative VPN if IPSec does not work (when the provider, router or modem does not support it).

Modem as an Interface
3G and 4G modems, which were previously supported only for failover, are now supported as an external interface and can be used directly in policies.

Wildcard IP Address Support
You can now define IP address wildcards, e.g. for 10.10.*.5 you would write
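As an added illustration (not Fireware's own code, and the exact Firebox syntax is not modelled), the following Python treats each "*" octet as a don't-care octet, filters a constructed list of addresses against a pattern, and shows why a pattern such as 10.10.*.5 is not a plain CIDR subnet:

```python
import ipaddress


def wildcard_to_addr_mask(pattern):
    """Turn a dotted pattern such as '10.10.*.5' into (address, match_mask).

    A '*' octet becomes 0x00 in the mask (don't care); a literal octet becomes 0xFF.
    """
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError("expected four dotted octets: %r" % pattern)
    addr = mask = 0
    for octet in octets:
        addr <<= 8
        mask <<= 8
        if octet == "*":
            continue
        value = int(octet)
        if not 0 <= value <= 255:
            raise ValueError("octet out of range: %r" % octet)
        addr |= value
        mask |= 0xFF
    return addr, mask


def wildcard_matches(pattern, ip):
    """True when every literal octet of the pattern equals the same octet of ip."""
    addr, mask = wildcard_to_addr_mask(pattern)
    return (int(ipaddress.IPv4Address(ip)) & mask) == addr


def is_plain_subnet(pattern):
    """A wildcard collapses to a CIDR subnet only if its mask is a run of leading ones."""
    _, mask = wildcard_to_addr_mask(pattern)
    host_bits = (~mask) & 0xFFFFFFFF
    # a contiguous low run of ones (or zero) satisfies x & (x + 1) == 0
    return (host_bits & (host_bits + 1)) == 0


def matching_hosts(pattern, candidates):
    """Filter a list of addresses (constructed sample input) by the wildcard."""
    return [ip for ip in candidates if wildcard_matches(pattern, ip)]


if __name__ == "__main__":
    # constructed sample addresses, e.g. as exported from a DHCP lease table
    sample = ["10.10.1.5", "10.10.7.9", "10.10.255.5", "10.11.0.5"]
    print(matching_hosts("10.10.*.5", sample))   # ['10.10.1.5', '10.10.255.5']
    print(is_plain_subnet("10.10.*.5"))           # False: mask 255.255.0.255 is not contiguous
    print(is_plain_subnet("10.10.*.*"))           # True: equivalent to 10.10.0.0/16
```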

Gateway Wireless Controller Enhancements

  • "Smart steering" (aka "Fast Roaming") is now supported at SSID level for AP120, AP300, AP320 and AP322.
  • "Band steering" can now be configured at SSID level
  • Further improvements to the Gateway Wireless Controller and to AP password security


Caution with Fireware v12.0.1 and M200/M300 (update)

Today (09.11.) we found the following notice on the WatchGuard software download page for the M200 and M300:

Fireware v12.0.1 Currently Unavailable

We have identified an issue with Fireware v12.0.1 (Build 545166) for Firebox M200/M300 devices that can cause the network interfaces to stop passing traffic after a reboot. We are working on this issue and will provide updated software as soon as possible.

Conclusion: for M200/M300 => please do not update to v12.0.1 for now.
We will post here as soon as we have new information.
Update 13.11.2017:
WatchGuard released the update during the night from Friday to Saturday (CET, 10.11.).
Please check the build number: only build 546110 should be used.

New software release: Fireware 12.0.1 and System Manager 12.0.1

Now available: Fireware Release v12.0.1.

Of particular note: the virus scanner has new settings/options for how it should behave with "encrypted files", "scan size exceeded", etc. It is therefore advisable to review these settings after the update and check whether the automatically set options match your own expectations.


KRACK attack: WPA and WPA2 vulnerabilities, firmware for access points

Today (16.10.2017) a report is going around the world that makes every Wi-Fi user sit up and take notice: the WPA and WPA2 protocols contain several flaws that affect almost all Wi-Fi communication across vendors. The flaws are contained in the standard libraries of the WPA and WPA2 protocols and are therefore found practically everywhere.

Under certain circumstances it may be possible to defeat WPA and WPA2 encryption, since the flaw is already present in the protocols' 4-way handshake, i.e. exactly where the keys for the encryption are generated. It goes as far as the Wi-Fi data stream being intercepted, decrypted and modified without the user's knowledge.

The article describes further details and firmware release dates for the access point firmware.


GAV problems when updating the virus scanner patterns on the XTM2 series

Sometimes it happens that current Gateway Antivirus patterns cannot be downloaded. See also our blog article "Crash Report kann AV-Update verhindern" (Crash report can prevent AV update).

Apart from these "crash reports", problems updating the antivirus patterns can also occur, depending on the size of the flash storage in a WatchGuard XTM/Firebox (fixed by the model), when the firmware images of WatchGuard access points are (or get) stored on the Firebox. With older software versions this is the case by default, even if the customer has no WatchGuard access points in use at all. A case is currently known on the XTM2 series (XTM25, XTM25-W, XTM26, XTM26-W) in which these AP firmware images blocked the required storage space, so that the AV updates could not be downloaded or saved. The remedy is to manually delete the AP firmware images from the XTM/Firebox. As of software version Fireware 11.12.4, the AP firmware images are no longer contained in the Firebox operating system itself and would in any case have to be downloaded individually to the Firebox.

If this scenario applies, the error message during a GAV update looks like this:

2017-04-14 11:04:12 sigd Manual GAV update is currently running Debug 
2017-04-14 11:04:18 sigd Decompression failed for '/sigs//tmp/incavi.avm' Debug 
2017-04-14 11:04:18 sigd Curl returned error: Failed writing body (4294967295 != 16384) Debug 
2017-04-14 11:04:18 sigd unable to download files for GAV Debug
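To spot this failure signature in Firebox logs without reading them by hand, here is an added Python detector (not WatchGuard code) that groups sigd lines into update attempts and flags the write-error pattern shown above; the sample log below is constructed from the four quoted lines plus a second, healthy attempt whose "completed" message is an assumed wording:

```python
import re

# Constructed sample: the four sigd lines quoted above, followed by a second
# attempt whose "GAV update completed" line is an assumed message (not copied
# from a real Firebox) so the detector has a healthy case to compare against.
SAMPLE_LOG = """\
2017-04-14 11:04:12 sigd Manual GAV update is currently running Debug
2017-04-14 11:04:18 sigd Decompression failed for '/sigs//tmp/incavi.avm' Debug
2017-04-14 11:04:18 sigd Curl returned error: Failed writing body (4294967295 != 16384) Debug
2017-04-14 11:04:18 sigd unable to download files for GAV Debug
2017-04-15 03:00:01 sigd Manual GAV update is currently running Debug
2017-04-15 03:00:09 sigd GAV update completed Debug
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proc>\S+) (?P<msg>.*?) (?P<level>\w+)$"
)
# libcurl's wording for a write callback that did not consume the buffer:
# "Failed writing body (<written> != <expected>)".
WRITE_ERR_RE = re.compile(r"Failed writing body \((?P<written>\d+) != (?P<expected>\d+)\)")
# 4294967295 is (size_t)-1 on a 32-bit appliance: the write callback returned -1,
# i.e. the signature file could not be written to flash at all.
WRITE_RETURNED_MINUS_ONE = 4294967295


def parse_sigd(text):
    """Yield (timestamp, message) for each well-formed sigd line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and m.group("proc") == "sigd":
            yield m.group("ts"), m.group("msg")


def classify_gav_updates(text):
    """Group sigd lines into update attempts and tag each as ok/failed with reasons."""
    attempts, current = [], None
    for ts, msg in parse_sigd(text):
        if "GAV update is currently running" in msg:
            current = {"started": ts, "status": "running", "reasons": []}
            attempts.append(current)
            continue
        if current is None:
            continue  # lines before the first attempt are ignored
        if msg.startswith("Decompression failed"):
            current["reasons"].append("decompress_failed")
        w = WRITE_ERR_RE.search(msg)
        if w:
            written = int(w.group("written"))
            current["reasons"].append(
                "write_failed_minus_one" if written == WRITE_RETURNED_MINUS_ONE else "write_short"
            )
        if msg.startswith("unable to download files for GAV"):
            current["status"] = "failed"
        elif "update completed" in msg:
            current["status"] = "ok"
    return attempts


def storage_blocked_suspected(attempts):
    """True if a failed attempt shows the write-error signature from the article,
    which is the cue to check for stale AP firmware images on the Firebox."""
    return any(
        a["status"] == "failed" and "write_failed_minus_one" in a["reasons"]
        for a in attempts
    )


if __name__ == "__main__":
    for a in classify_gav_updates(SAMPLE_LOG):
        print(a["started"], a["status"], ",".join(a["reasons"]) or "-")
    print("check AP firmware storage:", storage_blocked_suspected(classify_gav_updates(SAMPLE_LOG)))
```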


  1. If necessary, enable the Gateway Wireless Controller under Network => Gateway Wireless Controller => [x] enable the Gateway Wireless Controller (a passphrase must then be assigned)
  2. Then, under Dashboard > Gateway Wireless Controller (this menu item does not exist otherwise), go to Manage Firmware => Remove all Firmware
  3. If necessary, disable the Gateway Wireless Controller under Network => Gateway Wireless Controller => [_] enable the Gateway Wireless Controller

WatchGuard System Manager

  1. In Policy Manager, enable the Gateway Wireless Controller if necessary: Network => Gateway Wireless Controller => [x] enable the Gateway Wireless Controller
  2. Save to Firebox
  3. Start Firebox System Manager
  4. On the Gateway Wireless Controller tab => Manage Firmware => Remove all Firmware
  5. If necessary, disable the Gateway Wireless Controller again: Network => Gateway Wireless Controller => [_] enable the Gateway Wireless Controller