Enhancements and Resolved Issues in Fireware v11.10
General
- This release resolves an issue that caused the fwatch process to consume 100% of the CPU. [84950]
- This release resolves a kernel crash. [84635]
- This release resolves a kernel crash that caused the Firebox to reboot unexpectedly. [78799]
- This release resolves an issue that caused TCP connections to be unexpectedly closed by the Firebox. Previously, long-lived TCP connections, such as Remote Desktop, would close when the connection reached the configured idle timeout, or authenticated user session timeout. These timeouts would occur even if the TCP connection was active. [84739]
- This release resolves an issue that left many "zombie" (inactive) instances of the wgredir process running, which caused high CPU load. [84490]
- The link speed on Firebox T10 devices now displays correctly after it is manually configured. [80469]
- If you use RapidDeploy, you can now use the rapid_ip.csv file on a USB drive to change the external interface to an interface other than eth0 on an appliance started with factory-default settings. [78178]
- After you enable the appliance to use NTP to synchronize the system time, you can enable the device as an NTP server. A policy called NTP Server is automatically created to allow connections to the NTP server from clients on the trusted and optional networks. [79739]
- Policy Checker now operates correctly when your device configuration includes Branch Office VPN Virtual Interfaces. [81126]
- The WatchGuard System Manager Help and Fireware Web UI Help have been merged into a new Fireware Help system, available online or as a zip file that you can download.
Web UI
- This release resolves a cross-site scripting (XSS) vulnerability in the Fireware Web UI. [83087]
- This release resolves an issue that caused the Web UI to incorrectly display content type auto-detection as disabled in POP3 proxy actions. [84011]
- Default Packet Handling rules now appear correctly in Configuration Reports. [83559]
- You can now configure DHCP ranges on the same subnet as secondary networks from the Web UI. [84107]
Policies, Proxies, and Subscription Services
- You can enable time and bandwidth usage quotas for users on your network for access to external sites. [67517]
- Gateway Antivirus, Intrusion Prevention, spamBlocker, and WebBlocker services now have activation wizards that guide you through the steps to enable these services and provide a basic configuration. [79956, 80001, 83539]
- A deny action is now available for DLP email actions. [78300]
- This release resolves a CPU lockup and reboot that occurred when using IPS or Application Control. [83883]
- This release resolves an issue that prevented the SIP ALG from correctly terminating a SIP connection entry. [82639]
- Firebox CPU usage no longer increases when UDP traffic is sent through proxy policies with a Firebox interface specified as the destination address. [84524, 83639]
- This release resolves an issue that caused all spamBlocker email classifications to fail with the error "Message Classification Failed: Type=3, Code=201, Desc=still unable to connect". [83920, 81034]
- This release resolves an issue that caused the proxy process to crash and restart. [84556]
- When the HTTPS proxy is configured with content inspection enabled, the RapidSSL SHA256 CA - G3 intermediate CA certificate is now handled correctly. [84618]
- This release resolves an issue that occurred when using the DNS proxy with an active/active FireCluster. [83873]
- Proxy resource usage on XTM 25 and 26 devices has been improved by reducing the number of proxy processes initialized at appliance bootup. [80187]
- HTTPS proxy transaction log messages now include sent and received bytes for more accurate reporting. [82677]
- This release resolves an issue with inbound TLS over SMTP through the SMTP proxy that occurred when you use WatchGuard System Manager v11.8 or higher to save configuration changes to a device with an 11.6.x OS version. [84271]
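The HTTPS proxy item above concerns an intermediate CA certificate. A content-inspecting proxy can only validate a server certificate if it can build a chain from that certificate to a trusted root, so a missing or mishandled intermediate makes an otherwise valid chain fail. The following is an added example, not WatchGuard code and not a reproduction of the Firebox's own behaviour: it builds a root > intermediate > leaf chain offline with openssl and verifies the leaf three ways. The certificate names and the scratch directory are constructed for the example; it assumes openssl and mktemp are installed.

```shell
#!/bin/sh
# Added example (not WatchGuard code): build a root -> intermediate -> leaf
# certificate chain offline with openssl, then verify the leaf three ways to
# show why a verifier that does not know the intermediate CA rejects an
# otherwise valid server certificate. All names below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption: writable)

make_chain() {
  cd "$WORK"
  # One config file with a CA profile and a server (leaf) profile.
  cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
  # Self-signed root CA: the kind of certificate a trusted CA list holds.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Example Root CA" -days 365 -config ext.cnf -extensions v3_ca 2>/dev/null
  # Intermediate CA signed by the root (stands in for a public intermediate
  # such as the one named in the release note).
  openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate CA" -config ext.cnf 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out inter.pem -days 365 -extfile ext.cnf -extensions v3_ca 2>/dev/null
  # Server (leaf) certificate signed by the intermediate.
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=www.example.test" -config ext.cnf 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out leaf.pem -days 365 -extfile ext.cnf -extensions v3_leaf 2>/dev/null
  # Trust bundle as a verifier that has imported the intermediate would hold it.
  cat root.pem inter.pem > bundle.pem
}

# verify_leaf MODE -> prints "ok" or "fail"
#   none      : only the root is trusted and the server sent no intermediate
#   untrusted : the server sent the intermediate; the chain is built from it
#   trusted   : the intermediate itself is in the trusted CA list
verify_leaf() {
  case "$1" in
    none)      set -- -CAfile "$WORK/root.pem" ;;
    untrusted) set -- -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" ;;
    trusted)   set -- -CAfile "$WORK/bundle.pem" ;;
    *) echo "usage: verify_leaf none|untrusted|trusted" >&2; return 2 ;;
  esac
  if openssl verify "$@" "$WORK/leaf.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_chain
for mode in none untrusted trusted; do
  printf '%-9s %s\n' "$mode" "$(verify_leaf "$mode")"
done
```

The "none" case fails with "unable to get local issuer certificate", the other two succeed. To see which case a real site puts a proxy in, `openssl s_client -connect host:443 -showcerts` prints the certificates the server actually sends; a server that omits its intermediate can only be validated by a proxy whose trusted CA list already contains that intermediate.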
Authentication & Guest Services
- You can now configure time and bandwidth quotas for guest services. [82323]
- RDP is now supported for Event Log Monitor (Clientless SSO) mode. [67281]
- Single Sign-On is now supported for zero-route BOVPN tunnel traffic, so that you can more easily apply UTM security services on hub devices. [41635]
- This release adds support for switching between multiple users when using the Event Log Monitor in Clientless SSO mode. [68827]
- SSO Exchange Monitor (EM) now supports Exchange Server 2013. [80697]
- A problem that caused a long delay when authenticating with SSO Exchange Monitor has been resolved. [82868]
- The SSO Exchange Monitor (EM) log file is now limited to a size of 5MB. [83195]
- The SSO Event Log Monitor diagnostic log file download now completes successfully for the local ELM. [83202]
- The SSO Client now correctly retrieves the Windows logon for a client that uses a third-party desktop management solution running in elevated mode. [60489]
- The new logging and archiving functionality we added in Fireware v11.9.x is now available for the Mac SSO client. [83468]
- The lighttpd process no longer uses excessive CPU when an authentication redirect occurs. [84927]
- This release resolves a formatting error on the page for hotspot guest vouchers that caused only 99 vouchers to be printable. [84086]
Centralized Management
- This release resolves an issue in which Management Server did not correctly update the IP address of a managed device after the device received a new IP address over DHCP. [80229]
- This release resolves an issue in which the Managed Device IP address for a device managed through a Management Tunnel over SSL failed to update if a user had the device management tab open while the tunnel IP address changed. [84158]
- Role-Based Access Control for Management Server now correctly enables roles for new devices that are added to existing folders. [81418]
- Management Server no longer fails to start on a Windows Server 2012 R2 host after you restore a server backup file. [83257]
- This release resolves an issue in which Management Tunnels over IPSec did not always use NAT-Traversal. [83210]
- Certificates imported to a FireCluster in Fully Managed Mode now display correctly. [83834]
Certificates
- You can now perform all the same certificate management tasks from the Web UI that you could previously perform only from Firebox System Manager. This includes the ability to view certificate details, delete, install, and export certificates, import CRLs, and create certificate signing requests. [79898]
- You can now update the CA certificate on your Firebox or XTM device from the Firebox System Manager > Certificates dialog box. [64308]
- Your Firebox or XTM device can now automatically get new versions of the trusted CA certificates stored on the device and install them. You enable this with new settings in the Firebox System Manager > Certificates dialog box. [64308]
Networking Updates
- You can now add up to three DHCP servers for IPv4 DHCP Relay. [43897]
- The Firebox DHCP server no longer provides 4.2.2.2 as the DNS server when no DNS server is configured for DHCP. [56364]
- Firebox System Manager > Status Report now has just two route tables, IPv4 Routes and IPv6 Routes. You can filter the results by protocol, route type, interface, and destination in both the Web UI (System Status > Routes) and the CLI (show [v6] ip route). Only the first 100 entries are shown for filtered results. The previously available CLI command 'show route' is now obsolete. [79076]
- In the IPv6 settings, you can now enable DHCPv6 Client Prefix Delegation on an external interface and add a DHCPv6 prefix pool or a reserved prefix on an internal interface. With this change, Fireware supports both the client and server sides of DHCPv6 Prefix Delegation. [76623]
- This release resolves an issue in which an external interface secondary IP address that is also used as the configured NAT Base IP address for a 1-to-1 NAT rule failed to pass traffic for IPSec passthrough. [66806]
VPN
- VPN diagnostic messages now appear below the branch office VPN gateway in WatchGuard System Manager, Firebox System Manager, and in the VPN Statistics page in the Fireware Web UI. The VPN diagnostic messages include information about why a VPN tunnel failed, and suggest an action to take to resolve the error. [81287]
- The VPN Diagnostic Report now shows the policy checker results for policies that apply to each tunnel route. [81575]
- The VPN Diagnostic report now performs more checks to identify the most common VPN issues and includes a new Conclusion section that summarizes errors and suggests actions to take to resolve the error. The VPN Diagnostic report is also available in the VPN Statistics page in the Fireware Web UI. [81286]
- SSL Management tunnels now display correctly in Firebox System Manager and WatchGuard System Manager when connected to a FireCluster. [79696]
- The VPN Diagnostic Report now shows the address pairs configured for the tunnel. [79705]
- This release resolves a crash in the IKED process. [83089]
- This release resolves an issue that caused inbound ESP packets for a branch office VPN to be forwarded by a static NAT rule for an IPSec or ANY policy, instead of being accepted by the VPN process on the device. [41822]
- The Mobile VPN with SSL client has been updated with a new tap driver to improve compatibility with Windows 8.1 and other new Windows operating systems. [79060, 81204]
- Users who authenticate to the Firebox at /sslvpn.html with two-factor authentication are now correctly redirected to the SSL VPN client download page. [82394]
Wireless
- The Gateway Wireless Controller can detect rogue AP devices operating on your wireless network. You can enable rogue AP detection for each SSID, and view rogue AP devices in the Gateway Wireless Controller Wireless Maps feature. [77186]
- You can select multiple AP devices in the Gateway Wireless Controller dashboard page and Firebox System Manager Gateway Wireless Controller monitor page and perform specific actions (reboot, restart wireless, firmware upgrades) on multiple AP devices at the same time. [77815]
- In the Gateway Wireless Controller configuration, you can activate SSIDs for specific time periods. [71806]
- In the Gateway Wireless Controller configuration, you can enable wireless traffic shaping for each SSID. [71611]
- The Wireless Access Point configuration now includes the option to prohibit client-to-client connections. [83309]
- When you reboot an AP device, the configuration is automatically refreshed from the Gateway Wireless Controller to make sure the AP device has the latest configuration. [71825]
- In the Gateway Wireless Controller global settings, you can restart wireless services or reboot all of your AP devices at scheduled times on a daily or weekly basis. [75225]
- You can now view the signal strength of wireless clients in the Gateway Wireless Controller Dashboard page and Firebox System Manager Gateway Wireless Controller monitor page. [81793]
- Several new events from the Gateway Wireless Controller are now tracked in the logs, including AP device reboots, firmware upgrades, configuration updates, online/offline status, pairing status, and client connection events. [79212]
- You can now identify access points that are not part of your network, and can limit the Foreign BSSIDs list to show only rogue access points. [77186]
- This release resolves an issue that prevented configuration saves to Firebox or XTM wireless devices after an upgrade to Fireware v11.9.1. [83417]
- This release includes an update for WatchGuard AP device firmware that resolves several issues:
  - Configuration saves to the AP device no longer take an unacceptably long time with large configuration files. [84746]
  - An issue that prevented new client connections from establishing over time has been resolved. [83128]
  - A crash issue that occurred during configuration change or reboot has been resolved. [84638]
  - Automatic channel selection for the 5GHz band has been improved. [84915]
  - All LED lights now operate correctly. [84998]
Logging, Reporting, and Monitoring
- You can now send log messages to two WatchGuard or Dimension Log Servers. [81208]
- Log messages for unhandled internal or external packets now show the actual destination interface instead of the Firebox. [83555]
- FireWatch now supports full-screen mode. [83474]