Enhancements and Resolved Issues in Fireware v11.12 Update 1
- This release resolves a vulnerability that could allow an attacker to hijack an existing management session. [EPA-1354]
- This release reduces the Firebox memory storage data partition size to 1.2GB or less to prevent an issue that caused some Firebox M400 and M500 devices to fail. [92556]
- Support.tgz snapshots no longer include the BOVPN shared secret file in plain text in the ikemsg.log file. [92661]
- The release patches the Firebox kernel to address the Dirty COW vulnerability (CVE-2016-5195). [92517]
- BOVPN tunnel status for XTMv devices now displays correctly in Firebox System Manager and Fireware Web UI. [92479]
- This release resolves a kernel crash that affected some Firebox M440 devices. [92609]
- This release resolves an issue that caused Mobile VPN with PPTP to fail when your Firebox was configured with multiple external interfaces. [92528]
- The Firebox now correctly blocks traffic from hosts that have been manually configured to be blocked using Firebox System Manager or Traffic Monitor. [92569]
- YouTube SafeSearch is now correctly enforced for users that are logged in to Google accounts when the HTTPS proxy is configured with Content Inspection enabled. [80639]
- Users can no longer evade YouTube SafeSearch by refreshing the web page when the HTTPS proxy is configured with Content Inspection enabled. [92159]
Enhancements and Resolved Issues in Fireware v11.12
General
- The number of blocked sites you can enter has been increased from 1000 to 8192 for Firebox models that have 1GB of memory or more. [92149]
- The wgagent process no longer crashes when you run the Configuration Report from Fireware Web UI. [92451]
- An issue that caused the oss-daemon process to crash has been resolved in this release. [92166]
- An issue that caused SFP interfaces on Firebox M400 and M500 devices to hang has been resolved. [92047]
- OpenSSL has been updated to version 1.0.2j to address several critical security vulnerabilities. [92161, 92178]
- DNS traffic from clients behind the Firebox now uses a random source port, and is no longer vulnerable to CVE-2008-1447. [91517]
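Source-port randomization is the standard mitigation for CVE-2008-1447 (DNS cache poisoning), and it is easy to verify from the outside by watching the source ports of outbound UDP/53 queries. The following Python is an added example, not WatchGuard code: it extracts client source ports from a few constructed traffic-log lines (the log format is invented for the example) and scores how randomized a port sequence is. The thresholds in `is_randomized` are illustrative assumptions, not a standard.

```python
import re
import statistics
from typing import Dict, List, Sequence

# Constructed sample of traffic-log lines (not real Firebox output): each line carries the
# client's source socket and the resolver's destination socket for one DNS query.
SAMPLE_LOG = """\
2016-11-01 10:00:01 Allow 10.0.1.5:51034 -> 8.8.8.8:53 udp dns
2016-11-01 10:00:02 Allow 10.0.1.5:3077 -> 8.8.8.8:53 udp dns
2016-11-01 10:00:03 Allow 10.0.1.5:61920 -> 8.8.8.8:53 udp dns
"""

# Matches "<src-ip>:<src-port> -> <dst-ip>:53 udp" in the constructed log format above.
LOG_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):53 udp")


def extract_source_ports(log_text: str) -> List[int]:
    """Pull the client source port from every UDP/53 line in the constructed log."""
    return [int(m.group(2)) for m in LOG_RE.finditer(log_text)]


def port_randomness_report(ports: Sequence[int]) -> Dict[str, float]:
    """Summarize how randomized a sequence of observed source ports is.

    distinct_ratio: distinct ports / observations (1.0 means no port was reused).
    sequential_ratio: share of consecutive queries whose port differs by exactly 1,
                      which exposes a counter-based allocator.
    spread: max - min, small when ports are pinned to a narrow range.
    stdev: population standard deviation of the port values.
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed ports")
    steps = [b - a for a, b in zip(ports, ports[1:])]
    return {
        "observations": len(ports),
        "distinct": len(set(ports)),
        "distinct_ratio": len(set(ports)) / len(ports),
        "sequential_ratio": sum(1 for s in steps if s == 1) / len(steps),
        "spread": max(ports) - min(ports),
        "stdev": statistics.pstdev(ports),
    }


def is_randomized(ports: Sequence[int], min_distinct_ratio: float = 0.9,
                  max_sequential_ratio: float = 0.1, min_spread: int = 10000) -> bool:
    """Verdict under illustrative thresholds (assumptions chosen for this example)."""
    r = port_randomness_report(ports)
    return (r["distinct_ratio"] >= min_distinct_ratio
            and r["sequential_ratio"] <= max_sequential_ratio
            and r["spread"] >= min_spread)


# Constructed port sequences standing in for the three behaviours a resolver can show.
FIXED_PORTS = [53] * 20                       # every query sent from the same port
SEQUENTIAL_PORTS = list(range(32768, 32788))  # counter-based allocation, trivially predictable
RANDOM_PORTS = [51034, 3077, 61920, 24411, 45002, 10983, 57261, 33874, 7702, 49159,
                20345, 62733, 15008, 40276, 28891, 54620, 1999, 36517, 44830, 12266]

if __name__ == "__main__":
    for label, ports in (("fixed", FIXED_PORTS), ("sequential", SEQUENTIAL_PORTS),
                         ("random", RANDOM_PORTS)):
        print(label, is_randomized(ports), port_randomness_report(ports))
    print("from log:", extract_source_ports(SAMPLE_LOG))
```

Twenty observations is enough to separate a fixed or sequential allocator from a randomized one; a statistically meaningful entropy estimate needs a larger capture, so treat the verdict as a screening check rather than proof.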
- The Linux kernel has been patched to address a bug in the handling of TCP challenge ACK segments that could allow a remote attacker to hijack TCP sessions (CVE-2016-5696). [91902]
- The behavior of Policy Manager in a dual-monitor environment has been improved. [92188]
- Feature key auto-update functionality has been improved so the Firebox checks more frequently for feature key updates for services that are set to expire in a week or less. [92328]
- Firebox System Manager no longer truncates the list of interface IP addresses on the Status Report tab when a large number of secondary IP addresses are configured. [81234]
- Feature key expirations now take effect at the end of the specified day, instead of at the beginning of the day. [91590]
- The Firebox no longer provides any response on port 9032 unless configured to do so. [91575]
- This release resolves an issue that caused the Firebox to automatically block the source of unhandled packets after an upgrade. [92373]
Proxies and Security Subscriptions
- With the new Geolocation service, you can now configure the Firebox to deny connections to or from a particular country. [35643, 73433]
- This release provides an improvement to the behavior of the HTTP proxy when it receives a response from an HTTP server that does not include an HTTP response header. [91900]
- You can now use all Firebox proxy actions and signature services with connections over IPv6. [65040]
- The maximum file size for Advanced Persistent Threat scans has been increased from 8 MB to 10 MB. [91993]
- WebBlocker with WebSense can now perform lookups through an external proxy server. [72847]
- The Firebox Status Report now contains the current number of connections for each type of proxy, such as HTTP, HTTPS, and DNS. [63913]
- Gateway AV will now classify Potentially Unwanted Programs (PUPs) as malware. [92014]
- The default non-allowed characters rule in the SMTP proxy action now allows email addresses with all RFC-standard characters. [91005]
- This release resolves an issue that caused the Firebox to fail to import intermediate certificates as Trusted CA for proxies. [81517, 82401]
- A rare issue that prevented the Proxy Authority Certificate from regenerating after it was deleted has been resolved in this release. [92467]
- This release resolves an issue that caused the Firebox to incorrectly create the Certificate Portal policy when you configure an SMTP policy with Content Inspection for TLS. [92270]
- This release resolves an issue that caused the Quarantine Server to fail to send scheduled notifications when the admin passphrase contained the percent (%) character. [91869]
Networking
- An issue that caused the ETH6/ETH7 interface to bounce on Firebox M400/M500 devices has been resolved. [92243]
- The Firebox now supports failover to the Huawei E3372 USB LTE Modem Variant (E3372s-153; VID: 12d1, PID: 14dc). [90185]
- This release resolves an issue where VLAN IDs would persist after being changed or removed from the configuration. [92319]
- When you configure policies that use Policy-Based Routing using Fireware Web UI, the Firebox now correctly drops connections when all selected external interfaces are down. [92280]
Authentication
- The Active Directory server configuration no longer allows you to input unnecessary Searching User information when using the sAMAccountName Login attribute. [90546]
- You can now configure exceptions for the forced redirect for External Guest Authentication Hotspot. Connections to these exceptions will not be redirected. [79129]
- Users authenticated by Firebox Hotspot Guest Services are now synchronized between FireCluster members. [83130]
- Custom logos used for the Firebox Hotspot Page now correctly appear when you upload the logos with Fireware Web UI and when the Hotspot is removed from an interface. [92121, 91139]
- You can now configure a domain name or IP address as the authentication URL for an external guest authentication hotspot. [82974]
- This release resolves an issue that slowed web browsing performance when using the TO Agent. [92069]
Logging
- A log message is now generated when Firebox connections to the Log Server fail. [61456]
- The Firebox now correctly validates the server certificate of a WatchGuard Log Server or Dimension when it initiates a connection to send log data. [84177]
- Quarantine Server now creates a log message for the success or failure of attempts to send email with the configured SMTP server. [91922]
VPN
- You can now configure a Branch Office VPN to Microsoft Azure with IKEv2 and a dynamic tunnel configuration. [89072]
- The Firebox now supports Branch Office VPNs that connect to a Cisco Virtual Tunnel Interface, or VTI. [88140]
- You can now successfully build a VPN tunnel initiated from AWS Cloud. [92196]
- The maximum length of Pre-Shared Keys has been increased from 63 characters to 79 characters. [92275]
- An issue that caused a memory allocation error, resulting in low memory and failed tunnel traffic, has been resolved. [92374]
- The cookies used to store user credentials for the Mobile VPN with SSL and manual user authentication portal now correctly set the HttpOnly and Secure attributes. [88687]
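A fix like this is worth confirming on your own portal after upgrading, since the attributes are only effective if they appear on the cookie that actually carries the credential. The following Python is an added example, not WatchGuard code: it parses the `Set-Cookie` headers of a raw HTTP response and reports which of the two attributes each cookie lacks. Attribute names are matched case-insensitively as RFC 6265 requires, so `HTTPONLY`, `HttpOnly` and `httponly` are all accepted. The two responses and the cookie names in them are constructed for the example.

```python
from typing import Dict, List

# Attributes this audit expects on a credential-bearing cookie (compared lower-cased).
REQUIRED_ATTRIBUTES = ("secure", "httponly")


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into the cookie name and a lower-cased attribute map.

    Flag attributes with no value (Secure, HttpOnly) are stored as True; valued ones
    (Path, Max-Age, ...) keep their string value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else True
    return {"name": name, "attributes": attrs}


def missing_protections(header_value: str) -> List[str]:
    """List the required attributes absent from a single Set-Cookie value."""
    parsed = parse_set_cookie(header_value)
    return [a for a in REQUIRED_ATTRIBUTES if a not in parsed["attributes"]]


def audit_response(raw_response: str) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing attributes]} for every Set-Cookie header.

    Only the header block is inspected; the body after the blank line is ignored.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    findings: Dict[str, List[str]] = {}
    for line in head.split("\r\n"):
        if line.lower().startswith("set-cookie:"):
            value = line.split(":", 1)[1].strip()
            findings[parse_set_cookie(value)["name"]] = missing_protections(value)
    return findings


# Constructed responses (not captured from a Firebox): the first sets a session cookie
# with neither attribute, the second shows the corrected behaviour plus a second cookie
# that is Secure but not HttpOnly, so the audit distinguishes the two cases.
RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: portal_session=c0nstructed; Path=/\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
RESPONSE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: portal_session=c0nstructed; Path=/; Secure; HTTPONLY\r\n"
    "Set-Cookie: lang=en; Path=/; Secure\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)

if __name__ == "__main__":
    print(audit_response(RESPONSE_BEFORE))  # {'portal_session': ['secure', 'httponly']}
    print(audit_response(RESPONSE_AFTER))   # {'portal_session': [], 'lang': ['httponly']}
```

The audit reports every cookie, not only credential cookies; a cookie such as `lang` that holds no secret may legitimately omit `HttpOnly`, so the reader decides which findings matter for their portal.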
- Mobile VPN with SSL now uses SHA-1 for authentication and AES-256 for encryption by default. [91506]
- The Mobile VPN with IPSec UI now prevents unnecessary tunnel routes from being added when you use the Force All Traffic Through Tunnel option. [90530]
- The Firebox no longer automatically adds Any-External to the WatchGuard Authentication policy when you enable Mobile VPN with SSL. [67543]
- When you allow access to the Authentication Portal for Mobile VPN with SSL, external hosts are no longer automatically able to also access the Firebox Authentication Portal. [67545]
- When you use the Mobile VPN with IPSec NCP client, Policy Manager now generates the client profile with the configured value for the Phase 1 lifetime instead of it always being set to 8 hours. [91678]
FireCluster
- You can now configure a FireCluster external interface as DHCP. [41637]
- An issue that caused the systemd process to crash when using FireCluster has been resolved. [92115]
- Policy Manager now reports status more accurately during the FireCluster OS upgrade process. [91971]
Centralized Management
- WatchGuard Server Center now requires text in the comment field when you save a Policy Template change. [92078]
WatchGuard AP Devices and Gateway Wireless Controller
- The Gateway Wireless Controller can now automatically change the channel assignments for your AP devices to reduce channel conflicts with nearby devices. [84570]
- You can now remotely manage AP devices using Mobile VPN with SSL. [84692]
- When the operating region of an AP device is not known, the Gateway Wireless Controller configuration will display Unknown instead of World. [92249]
- For manual channel selection, the Preferred Channel list now displays all channels. [87679]