In addition to new features introduced in Fireware v11.12, v11.12.1, and v11.12.2, there were other changes that affect the functionality of several existing features in ways that you need to understand before you upgrade to v11.12 or higher. In this section, we review the impact of some of these changes. For more information, see the What's New presentation for each release or Fireware Help.
Fireware v11.12.2 includes updates to the Gateway Wireless Controller to improve AP device security. Some of these changes require that you take action after you upgrade so that all AP devices are trusted and use secure passphrases.
Gateway Wireless Controller now creates trust records for each AP device
Beginning with Fireware v11.12.2, to help prevent potential security issues from the use of factory-reset, unauthorized, or compromised AP devices in your deployment, the Gateway Wireless Controller creates a trust record for each AP device. The Gateway Wireless Controller does not communicate with an AP device that has no trust record. Wireless data functions continue to work for a previously configured AP device, but the Gateway Wireless Controller does not manage or monitor an AP device that has no trust record.
After the upgrade to Fireware v11.12.2, existing AP120, AP320, and AP322 devices in your deployment will be automatically trusted.
After you upgrade to Fireware v11.12.2, you must manually trust any current AP100/102, AP200, and AP300 devices in your deployment.
You must always trust your AP devices again if they are reset to factory default settings or if you reset the trust store.
Secure Global AP Passphrase
Beginning with Fireware v11.12.2, the minimum length for the global AP passphrase is 8 characters. In addition, the previous default AP passphrases (wgwap and watchguard) are no longer valid.
After you upgrade to Fireware v11.12.2, your previous global AP passphrase is maintained. If your existing configuration uses the default passphrases or if the global AP passphrase is shorter than 8 characters, you must choose a new global AP passphrase, or use the new automatic AP passphrase security feature before you can save the Gateway Wireless Controller configuration.
Automatic AP Passphrase Management
To increase security and improve passphrase management, the Gateway Wireless Controller can now automatically create unique random passphrases for each AP device. This feature is disabled by default. If you want to enable automatic AP passphrase management, you must disable the manual global AP passphrase.
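As an added illustration (not WatchGuard code and not a description of the controller's internal implementation), this Python script applies the rules in the two sections above to a constructed AP inventory: which models still need manual trust after the upgrade, whether the existing global passphrase will be rejected, and how unique per-device passphrases in the style of automatic passphrase management could be generated. The model lists, the retired default passphrases and the 8-character minimum come from this page; the generated passphrase length and alphabet are assumptions.

```python
import secrets
import string

# Rules stated in the Fireware v11.12.2 release notes above.
RETIRED_DEFAULT_PASSPHRASES = {"wgwap", "watchguard"}
MIN_PASSPHRASE_LEN = 8
AUTO_TRUSTED_MODELS = {"AP120", "AP320", "AP322"}
MANUAL_TRUST_MODELS = {"AP100", "AP102", "AP200", "AP300"}


def passphrase_problem(passphrase):
    """Return None if the global AP passphrase survives the upgrade, else why not."""
    if passphrase in RETIRED_DEFAULT_PASSPHRASES:
        return "retired default passphrase"
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        return "shorter than 8 characters"
    return None


def generate_ap_passphrases(serials, length=16):
    """One unique random passphrase per AP serial. Length and alphabet are
    assumptions; the controller's own generator is not documented on this page."""
    alphabet = string.ascii_letters + string.digits
    assigned = {}
    for serial in serials:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        while candidate in assigned.values():  # keep passphrases unique per device
            candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        assigned[serial] = candidate
    return assigned


def post_upgrade_actions(ap_inventory, global_passphrase):
    """ap_inventory: list of (serial, model). Returns the manual steps left after upgrade."""
    actions = []
    for serial, model in ap_inventory:
        if model in MANUAL_TRUST_MODELS:
            actions.append(f"trust {model} {serial} manually")
        elif model not in AUTO_TRUSTED_MODELS:
            actions.append(f"check trust status of unknown model {model} {serial}")
    problem = passphrase_problem(global_passphrase)
    if problem:
        actions.append(f"replace global AP passphrase ({problem}) or enable automatic passphrases")
    return actions


# Constructed sample inventory; serials are placeholders, not real devices.
SAMPLE_INVENTORY = [("AP-SER-0001", "AP120"), ("AP-SER-0002", "AP300"), ("AP-SER-0003", "AP100")]

if __name__ == "__main__":
    for step in post_upgrade_actions(SAMPLE_INVENTORY, "wgwap"):
        print(step)
```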
When you upgrade the Firebox to Fireware v11.12.2 or higher, FQDNs for WatchGuard servers are automatically added to the Blocked Sites Exceptions list in the configuration on the Firebox.
If you use Policy Manager to upgrade the Firebox, you must manually reload the configuration from the Firebox in Policy Manager after the upgrade completes. This is to make sure that the configuration in Policy Manager includes the Blocked Sites Exceptions that were added to the Firebox as part of the upgrade.
If you use Policy Manager to open a configuration file that was created before the Firebox was upgraded to v11.12.2, and then save that configuration file to the Firebox, the old blocked sites configuration overwrites the configuration on the Firebox, and FQDNs for WatchGuard servers are no longer on the Blocked Sites Exceptions list.
Beginning with Fireware v11.12, TCP port 4100 is used only for firewall user authentication. In earlier versions, a WatchGuard Authentication policy was automatically added to your configuration file when you enabled Mobile VPN with SSL. This policy allowed traffic over port 4100 and included the alias Any-External in the policy From list. In Fireware v11.12, when you enable Mobile VPN with SSL, this policy is no longer created.
When you upgrade to Fireware v11.12, the External alias will be removed from your WatchGuard Authentication policy in the configuration on the Firebox, even if you had manually added the alias previously and regardless of whether Mobile VPN with SSL is enabled.
If you use Policy Manager to upgrade the Firebox, you must manually reload the configuration from the Firebox in Policy Manager after the upgrade completes to avoid adding the alias back with a subsequent configuration save (since Policy Manager is an offline configuration tool).
The Mobile VPN with SSL authentication and software download pages are no longer accessible at port 4100. See Fireware Help for more information.
You use the Web Setup Wizard or WSM Quick Setup Wizard to set up a Firebox with a basic configuration. Beginning with Fireware v11.12, the setup wizards configure policies and enable most Subscription Services to provide better security by default.
In Fireware v11.12 and higher, the setup wizards:
The default policies and services that the setup wizards configure depend on the version of Fireware installed on the Firebox, and on whether the Firebox feature key includes a license for subscription services. If your new Firebox was manufactured with Fireware v11.11.x or lower, the setup wizards do not enable subscription services, even if they are licensed in the feature key. To enable the security services and proxy policies with recommended settings, upgrade the Firebox to Fireware v11.12 or higher, reset it to factory-default settings, and then run the setup wizard again.