Enhancements and Resolved Issues in Fireware v11.12 Update 1

• This release resolves a vulnerability that could allow an attacker to hijack an existing management session. [EPA-1354]
• This release reduces the Firebox memory storage data partition size to 1.2GB or less to prevent an issue that caused some Firebox M400 and M500 devices to fail. [92556]
• Support.tgz snapshots no longer include the BOVPN shared secret file in plain text in the ikemsg.log file. [92661]
• The release patches the Firebox kernel to address the Dirty COW vulnerability (CVE-2016-5195). [92517]
• BOVPN tunnel status for XTMv devices now displays correctly in Firebox System Manager and Fireware Web UI. [92479]
• This release resolves a kernel crash that affected some Firebox M440 devices. [92609]
• This release resolves an issue that caused Mobile VPN with PPTP to fail when your Firebox was configured with multiple external interfaces. [92528]
• The Firebox now correctly blocks traffic from hosts that have been manually configured to be blocked using Firebox System Manager or Traffic Monitor. [92569]
• YouTube SafeSearch is now correctly enforced for users that are logged in to Google accounts when the HTTPS proxy is configured with Content Inspection enabled. [80639]
• Users can no longer evade YouTube SafeSearch by refreshing the web page when the HTTPS proxy is configured with Content Inspection enabled. [92159]

Enhancements and Resolved Issues in Fireware v11.12

General

• The number of blocked sites you can enter has been increased from 1000 to 8192 for Firebox models that have 1GB of memory or more. [92149]
• The wgagent process no longer crashes when you run the Configuration Report from Fireware Web UI. [92451]
• An issue that caused the oss-daemon process to crash has been resolved in this release. [92166]
• An issue that caused SFP interfaces on Firebox M400 and M500 devices to hang has been resolved. [92047]
• OpenSSL has been updated to version 1.0.2j to address several critical security vulnerabilities. [92161, 92178]
• DNS traffic from clients behind the Firebox now uses a random source port, and is no longer vulnerable to CVE-2008-1447. [91517]
• The Linux kernel has been patched to address a bug in the handling of TCP challenge ACK segments that could allow a remote attacker to hijack TCP sessions (CVE-2016-5696). [91902]
• The behavior of Policy Manager in a dual-monitor environment has been improved. [92188]
• Feature key auto-update functionality has been improved so the Firebox checks more frequently for feature key updates for services that are set to expire in a week or less. [92328]
• Firebox System Manager no longer truncates the list of interface IP addresses on the Status Report tab when a large number of secondary IP addresses are configured. [81234]
• Feature key expirations now take effect at the end of the specified day, instead of at the beginning of the day. [91590]
• The Firebox no longer provides any response on port 9032 unless configured to do so. [91575]
• This release resolves an issue that caused the Firebox to automatically block the source of unhandled packets after an upgrade. [92373]

Proxies and Security Subscriptions

• With the new Geolocation service, you can now configure the Firebox to deny connections to or from a particular country. [35643, 73433]
• This release provides an improvement to the behavior of the HTTP proxy when it receives a response from an HTTP server that does not include an HTTP response header. [91900]
• You can now use all Firebox proxy actions and signature services with connections over IPv6. [65040]
• The maximum file size for Advanced Persistent Threat scan has been increased from 8 megabytes to 10. [91993]
• WebBlocker with WebSense can now perform lookups through an external proxy server. [72847]
• The Firebox Status Report now contains the current number of connections for each type of proxy, such as HTTP, HTTPS, and DNS. [63913]
• Gateway AV will now classify Potentially Unwanted Programs (PUPs) as malware. [92014]
• The default non-allowed characters rule in the SMTP proxy action now allows email addresses with all RFC-standard characters. [91005]
• This release resolves an issue that caused the Firebox to fail to import intermediate certificates as Trusted CA for proxies. [81517, 82401]
• A rare issue that prevented the Proxy Authority Certificate from regenerating after it was deleted has been resolved in this release. [92467]
• This release resolves an issue that caused the Firebox to incorrectly create the Certificate Portal policy when you configure an SMTP policy with Content Inspection for TLS. [92270]
• This release resolves an issue that caused the Quarantine Server to fail to send scheduled notifications when the admin passphrase contained the percent (%) character. [91869]

Networking

• An issue that caused the ETH6/ETH7 interface to bounce on Firebox M400/M500 devices has been resolved. [92243]
• The Firebox now supports failover to the Huawei E3372 USB LTE Modem Variant (E3372s-153; VID: 12d1 PID:14dc) [90185]
• This release resolves an issue where VLAN IDs would persist after being changed or removed from the configuration. [92319]
• When you configure policies that use Policy-Based Routing using Fireware Web UI, the Firebox now correctly drops connections when all selected external interfaces are down. [92280]

Authentication

• The Active Directory server configuration no longer allows you to input unnecessary Searching User information when using the sAMAccountName Login attribute. [90546]
• You can now configure exceptions for the forced redirect for External Guest Authentication Hotspot. Connections to these exceptions will not be redirected. [79129]
• Users authenticated by Firebox Hotspot Guest Services are now synchronized between FireCluster members. [83130]
• Custom logos used for the Firebox Hotspot Page now correctly appear when you uploaded the logos with Fireware Web UI and when the Hotspot is removed from an interface. [92121, 91139]
• You can now configure a domain name or IP address as the authentication URL for an external guest authentication hotspot. [82974]
• This release resolves an issue that slowed web browsing performance when using the TO Agent. [92069]

Logging

• A log message is now generated when Firebox connections to the Log Server fail. [61456]
• The Firebox now correctly validates the server certificate of a WatchGuard Log Server or Dimension when it initiates a connection to send log data. [84177]
• Quarantine Server now creates a log message for the success or failure of attempts to send email with the configured SMTP server. [91922]

VPN

• You can now configure a Branch Office VPN to Microsoft Azure with IKEv2 and a dynamic tunnel configuration. [89072]
• The Firebox now supports Branch Office VPNs that connect to a Cisco Virtual Tunnel Interface, or VTI. [88140]
• You can now successfully build a VPN tunnel initiated from AWS Cloud. [92196]
• The maximum length of Pre-Shared Keys has been increased from 63 characters to 79 characters. [92275]
• An issue that resulted in a memory allocation error that caused low memory and tunnel traffic to fail has been resolved. [92374]
• The cookies used to store user credentials for the Mobile VPN with SSL and manual user authentication portal now correctly set the HTTPONLY and Secure attributes. [88687]
• Mobile VPN with SSL now uses SHA-1 for authentication and AES-256 for encryption by default. [91506]
• The Mobile VPN with IPSec UI now prevents unnecessary tunnel routes from being added when you use the Force All Traffic Through Tunnel option. [90530]
• The Firebox no longer automatically adds Any-External to the WatchGuard Authentication policy when you enable Mobile VPN with SSL. [67543]
• When you allow access to the Authentication Portal for Mobile VPN with SSL, external hosts are no longer automatically able to also access the Firebox Authentication Portal. [67545]
• When you use the Mobile VPN with IPSec NCP client, Policy Manager now generates the client profile with the configured value for the Phase 1 lifetime instead of it always being set to 8 hours. [91678]

FireCluster

• You can now configure a FireCluster external interface as DHCP. [41637]
• An issue that caused the systemd process to crash when using FireCluster has been resolved. [92115]
• Policy Manager now reports status more accurately during the FireCluster OS upgrade process. [91971]

Centralized Management

• WatchGuard Server Center now requires text in the comment field when you save a Policy Template change. [92078]

WatchGuard AP Devices and Gateway Wireless Controller

• The Gateway Wireless Controller can now automatically change the channel assignments for your AP devices to reduce channel conflicts with nearby devices. [84570]
• You can now remotely manage AP devices using Mobile VPN with SSL. [84692]
• When the operating region of an AP device is not known, the Gateway Wireless Controller configuration will display Unknown instead of World. [92249]
• For manual channel selection, the Preferred Channel list now displays all channels.[87679]

Give us feedback  •   All product documentation  •   Technical Search

© 2016 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, Firebox, Core, and Fireware are registered trademarks or trademarks of WatchGuard Technologies in the United States and/or other countries.