Enhancements and Resolved Issues in Fireware 12.1.1

General

• Firebox log messages no longer reference policy 0. [FBX-8734]
• Firebox M440 appliances now correctly return information for eth0-eth3 for SNMP. [FBX-9918]
• This release resolves a Firebox M370 crash issue that would cause a reboot with the message: BUG: work queue leaked lock or atomic... [FBX-9848]
• You can now edit Custom Policy templates in Policy Manager. [FBX-10089]
• This release resolves a Firewalld process crash. [FBX-10011]
• The Firebox web server now correctly continues to use the 3rd Party certificate after a Firebox reboot. [FBX-9523]
• An issue that caused Policy Manager to fail to display Policy Properties has been fixed. [FBX-8591]
• The Allow SSLVPN Policy is no longer moved to the bottom of the list in Web UI when Manual Order mode is used. [FBX-7625]
• This release resolves an issue in which Management Server client Fireboxes unexpectedly change status to Heartbeat (Unavailable). [FBX-9748]
• This release resolves a wgagent daemon crash issue. [FBX-6831]
• This release allows small devices, such as Firebox T10 devices, to free enough memory to perform system backups. [FBX-2373]
• The WLAN light on wireless Fireboxes now lights consistently and as expected. [FBX-2993]
• This release resolves an issue in which Management Server Policy Templates fail to apply, resulting in the Firebox log message: trace-type': [facet 'maxInclusive'] The value '52' is greater than the maximum value allowed ('49'). [FBX-10330]
• Fully Managed Firebox Policy Manager is now correctly locked when you try to open Policy Manager from Firebox System Manager when more than one RBAC user is connected to the Firebox. [FBX-9223]
• This release resolves a memory leak that occurs when you use SNMP. [FBX-9313]
• Firebox NTP server no longer unexpectedly stops responding. [FBX-9026]
• This release resolves an issue in which Autotask event monitoring fails when FireCluster failover monitoring is enabled. [FBX-9660]

FireCluster

• This release resolves a connection count discrepancy in Firebox System Manager for an active/active FireCluster. [FBX-9392]
• Access Portal users no longer unexpectedly disconnect in a FireCluster environment because of idle timeout sync errors. [FBX-10186]
• This release resolves a soft lockup error in which one FireCluster member would go offline and require a reboot to correct. [FBX-9782]

Proxies and Services

• POP3 proxy log message now correctly includes the recipient email address when a Thunderbird client retrieves email. [FBX-7749]
• This release resolves an issue in which some websites fail to load through the HTTP and HTTPS proxies. [FBX-10265]
• DLP can now correctly match violations in web-based email services, such as Office365, that use HTTP-POST [73266, 88158, FBX-2470, FBX-7853]
• This release resolves an issue that impacted HTTP and HTTPS proxy performance in very large deployments with WebBlocker enabled. [FBX-5248]
• Policy Manager now correctly displays the Google Apps Allowed Domain settings in the HTTPS proxy configuration [FBX-9550]
• The Firebox can now smoothly detect new IP addresses for TDR cloud. [FBX-11042]
• This release introduces DNSWatch.
• Configuration of Content Inspection for HTTPS is now located in TLS profiles. [FBX-9077]
• This release resolves an issue that caused email messages to fail with Firebox log messages that include: Destination unreachable (Fragmentation needed). [FBX-9898]
• The HTTPS proxy can better handle connections which use TLS 1.3 and apply WebBlocker categorization. [FBX-11166]
• The HTTPS proxy no longer denies TLS 1.3 protocol draft 28 connections when you enforce TLS compliance. [FBX-11151]

Networking

• This release resolves a connection stability issue with the Verizon USB730L modem. [FBX-9450]
• Blocked Sites traffic log messages now show the original reason an IP address has been blocked. [FBX-9544]
• Connections that use multi-WAN Round Robin in an active/active FireCluster now use the correct NAT IP address. [FBX-9986]
• This release resolves an issue that caused Policy Manager to display an incorrect error message when you configure IPv6 default gateway. [FBX-3218]
• Firebox System Manager and Web UI now correctly displays bandwidth for each client for Per client Traffic Management actions. [FBX-9320]
• The IP Spoofing feature now correctly drops traffic when the defined network range and VLAN ID tag do not match. [FBX-9843]
• Modem failover now works consistently with the Verizon U620L modem. [FBX-7841]
• This release resolves an issue that caused Policy Manager to fail to edit Modem Failover with an Operation failed message. [FBX-9851]
• Firebox System Manager and Web UI display of DHCP leases now include DHCP reservations. [RFE84740, FBX-3787]
• This release adds a selection of new Dynamic DNS providers. [FBX-11077]
• You can now connect a USB modem to the Firebox without the need for a reboot. [FBX-9504]
• You can now configure DHCP relay servers separately on a per-interface basis. [FBX-9785]
• When you configure an External VLAN interface, the Apply firewall policies to intra-VLAN traffic option is now enabled by default. [FBX-9016]
• This release resolves an issue in which the Per IP Address Traffic Management rules degraded throughput. [FBX-8995]
• Bandwidth quotas are no longer reset when a user logs in with different capitalization in their user name. [FBX-5234]

VPN

• The IKED process no longer restarts when a Branch Office VPN uses the Modem failover interface. [FBX-9852]
• WatchGuard System Manager now correctly displays the rekey option when you right-click a tunnel. [FBX-9847]
• This release resolves an issue that caused DHCP relay to fail over BOVPN virtual interfaces using the Cloud VPN or Third-Party Gateway Remote Endpoint Type. [FBX-9746]
• IKEv2 Mobile Clients can now successfully establish a VPN connection to a firewall enabled in FIPS Mode. [FBX-10491]
• You can now use all Firebox user interfaces, including Policy Manager, to configure Branch Office VPN over TLS. [FBX-9810, FBX-9641]
• This release resolves an IKEd process crash which occurs on the Backup Master device in FireCluster. [FBX-9729]
• The IKEd process no longer leaks memory when the Firebox recieves IKEv2 IKE SA_INIT requests for a non-configured gateway. [FBX-11078]

Wireless

• This release resolves a packet loss issue for iOS devices connected to wireless Fireboxes. [FBX-9530]
• This release improves Gateway Wireless Controller management and interface performance on Fireboxes with a large number of DHCP clients. [FBX-9414]
• You can now manually disconnect Firebox wireless clients. [FBX-2712]
• This release eliminates the ability to save a Firebox configuration with the insecure WEP Shared Key option for Firebox wireless. [FBX-8974, FBX-8975, FBX-8976]

Resolved Issues in Mobile VPN with IPSec for Windows v12.13

• The product and status icon now changes colors to reflect the connection status, with a line underneath that changes appearance based on the client firewall status.
• The NDIS driver has been optimized to correct problems during connection setup after leaving sleep mode.
• This release changes the network driver to a Virtual Adapter, and Windows Connection Manager no longer disconnects the interface when the Wi-Fi adapter is connected.
• You can now connect after client installation without the need for a reboot.
• This release resolves an issue in which the client would see a blue-screen error when the client system left hibernation mode with the Wi-Fi Manager active.
• This release resolves an issue in which the client license sometimes deactivates when the client system restarts.
• The client now provides the installed version number of Internet Explorer during Hotspot Logon to avoid logon problems.
• The installation wizard no longer prompts users to install the Windows Pre-Logon Credential Provider. You can still enable or disable this feature after installation.
• You can now select a default certificate for the user or computer in the client configuration menu below Certificates.
• The client firewall now includes a Home Zone option that allows users to access local network resources without specific configuration by the administrator.
• The client firewall now includes a VPN Bypass option to allow the administrator to define applications that can communicate directly over the internet even though split-tunneling is disabled in the mobile VPN.
• The client no longer fails to connect after an abrupt change of internet connection type, such as unplugging the LAN cable.
• Windows can now show the status of the client firewall in the Security and Maintenance control panel.
• This release resolves some issues with the Credential Provider for Pre-Connect Login with user names over 20 characters in length.

Resolved Issues in AP Firmware 1.2.9.15

AP Firmware Update for AP100, AP102, AP200

• Unused local system account is disabled. [AP-242]
• The AP back end no longer allows direct authentication with a user-supplied user name and password. [AP-243]
• The local web UI is disabled and no longer supported. [AP-244]
• The AP back end now correctly restricts file uploads to a temporary directory. [AP-245]

Resolved Issues in AP Firmware 2.0.0.10

AP Firmware Update for AP300

• Unused local system account is disabled. [AP-242]
• The AP back end no longer allows direct authentication with a user-supplied user name and password. [AP-243]
• The local web UI is disabled and no longer supported. [AP-244]
• The AP back end now correctly restricts file uploads to a temporary directory. [AP-245]

Resolved Issues in AP Firmware 8.5.0-646

AP Firmware Update for AP120, AP320, AP322, AP325, and AP420

• APs no longer remain in the "authenticating" state If you upgrade a Gateway Wireless Controller-managed AP that is configured with a static IP address. [FBX-9704]
• MAC Access Control is now correctly disabled when you disable this feature on an SSID. [AP-150]
• This release adds support for AP325 local management with a Gateway Wireless Controller. [FBX-6688]
• SSH login credentials now work correctly for technical support access to an AP. [FBX-9776]

After you update an AP325 or AP420 managed locally by a Gateway Wireless Controller to firmware 8.5.0-646, you cannot downgrade the AP to an earlier version of firmware from the Gateway Wireless Controller. If you experience issues with the 8.5.0-646 AP firmware and want to downgrade back to the previous version, you must contact WatchGuard technical support.