What's New in Fireware v11.10.

WatchGuard Training
Copyright 2015 WatchGuard Technologies, Inc. All Rights Reserved

What's New in v11.10.5

New Features and Enhancements
WatchGuard AP300
AP firmware availability after upgrade
Fast Handover
Band Steering
Fast Roaming
Client Limits for each radio
Wireless Scan Interval
Wireless Event Alarms
View Wireless Client Host Name and IP Address
APT Blocker Support for the POP3-proxy
Default Firebox Certificate Updates
3G/4G Modem Support
Support for Novatel U620L USB modem
Send Log Messages for Reports for Packet Filter Allowed Traffic

WatchGuard AP300
Features:
Concurrent 3x3 MIMO (Multiple Input Multiple Output) capability
Dual radios for 2.4GHz and 5GHz
802.11ac capability on 5GHz, including 20/40/80MHz channel widths
Auto channel selects more diverse channels on the 2.4GHz band

WatchGuard AP300
Requires Fireware OS v11.10.5 or higher
AP300 Firmware version 2.0.0.1
LED indicator behavior changes (different than AP100, AP102, AP200):
  Power and wireless indicators alternately flash green: AP device is powered on and ready to be paired
  Power indicator slowly flashes green: A firmware upgrade is in progress

AP Firmware Availability after Upgrade

If you upgrade your Firebox to Fireware OS v11.10.5 from v11.10.3 or lower, the Firebox will not have the current AP firmware installed and available for all AP device models
Starting in v11.10.4, AP device firmware is installed in a different partition on the Firebox because of increasing firmware image sizes
Because of this change, when you upgrade to Fireware v11.10.5, you must run the upgrade process twice to correctly install the latest AP firmware on your Firebox.
AP device firmware is also not available after a factory reset of a Firebox. If you reset your Firebox, you must use the process to upgrade your Firebox to Fireware v11.10.5 again.

Fast Handover
Encourages wireless clients that are roaming between WatchGuard AP devices to disconnect from their current AP devices and connect to an AP device with a stronger signal
Prevents wireless clients from maintaining their current AP device connection, even when the signal degrades as the wireless client moves farther away
Uses the RSSI (Received Signal Strength Indicator) as a threshold to indicate when a client should be encouraged to move to an AP device with a stronger RSSI level

Fast Handover
Fast Handover is only supported on WatchGuard AP300 devices
Configured on the general Access Point Settings tab
Disabled by default

Fast Handover
Wireless clients can have very different RSSI strengths depending on the manufacturer; you must set your RSSI threshold accordingly
Fast Handover will disconnect a client when the RSSI threshold is reached
Check your environment to make sure APs are in range for handover based on your thresholds
We recommend that you only enable Fast Handover for AP devices in high-traffic density areas
Do not enable Fast Handover on adjacent AP devices that also have the Band Steering feature enabled
  Clients steered to the 5GHz band might have a drop in RSSI strength that can result in disconnections because of the Fast Handover RSSI threshold

Band Steering
Encourages dual-band clients to move from 2.4GHz to 5GHz
Helps reduce congestion on the more widely-used 2.4GHz radio spectrum
Configured on the Access Point Settings tab
Disabled by default

Band Steering
Only supported on WatchGuard AP300 devices
The same SSID and security mode must be configured on both 2.4GHz and 5GHz radios to enable wireless clients to switch frequency bands
Do not enable if the Fast Handover feature is enabled:
  Switching to the 5GHz band can result in a loss of RSSI strength for the client
  Disconnections because of the Fast Handover RSSI threshold can occur

Band Steering
Band Steering is usually not required in an environment where most wireless devices are newer devices that are already optimized to choose the 5GHz band
In some cases, Band Steering can cause connectivity issues with older, legacy wireless clients that only support 2.4GHz
  For these devices, we recommend that you disable Band Steering or have clients manually connect to the SSID

Fast Roaming
Fast Roaming enables a wireless client to quickly hand over wireless communications as it moves from one WatchGuard AP device to another
Helps provide a seamless communications transition and improves performance and stability of streaming-intensive applications such as VoIP and video streaming as you roam
Fast Roaming works by decreasing the re-authentication time for WPA2-Enterprise authentication for a wireless client on an SSID

Fast Roaming
Configured in the security settings for an SSID
Only supported on WatchGuard AP300 devices
Disabled by default
Can only be enabled for WPA/WPA2 Enterprise mixed or WPA2-Enterprise protected SSIDs
Wireless client must support the 802.11k and 802.11r standards

Client Limits Per Radio

Limit the number of concurrently-connected client devices for a specific radio on AP300 devices
Applied as a global limit for all configured SSIDs on a radio
Default is unlimited
You can specify a limit from 1 to 127

Wireless Scan Interval

Configure the interval for automatic wireless scans for Wireless Deployment Maps and Rogue Access Point detection
Default is 1 hour
Increase the automatic scan interval to reduce wireless traffic and resource usage from scanning the wireless network

Wireless Event Alarms

Enable alarms to notify you when these wireless events occur:
  An AP device goes offline
    Causes include: network disruption, power loss, and firmware upgrades
  A rogue AP is detected
Configure notifications for alarms on the Notifications tab

View Wireless Client Hostname & IP Address

On the Dashboard > Gateway Wireless Controller > Wireless Clients page, if the clients connected to your AP device use the Firebox as a DHCP server, you can see the Hostname and IP Address of the wireless clients connected to your AP device

View Wireless Client Hostname & IP Address

To see more information about a wireless client, click the IP address to view the client in FireWatch or Traffic Monitor

View Wireless Client Hostname & IP Address

If your Firebox is a wireless model, on the System Status > Wireless Statistics page, if the clients connected to your wireless Firebox use the Firebox as a DHCP server, you can see the Hostname and IP Address of the wireless clients connected to your Firebox

Other Wireless Enhancements

Automatic AP device firmware upgrades now occur from 00:00 (midnight) to 04:00 based on the local time of the Firebox
  You can manually upgrade an AP device at any time
Default 2.4GHz mode is now 802.11g/n
TKIP-only mode support has been removed from the SSID security settings
  TKIP is still available in mixed TKIP or AES mode
Hotspot guest account authentication is now performed over HTTP to prevent web browser HTTPS certificate warnings

APT Blocker Support for the POP3-proxy

You can now enable APT Blocker for a POP3-proxy policy
Before you can enable APT Blocker for the POP3-proxy, you must enable Gateway AntiVirus on your Firebox
The Drop, Block, and Quarantine actions strip the attachment before the message is delivered

Default Firebox Certificate Upgrades

SHA-1 is being deprecated by many popular web browsers, and WatchGuard recommends that you now use SHA-256 certificates
New certificate signing requests (CSR) now use SHA-256 as the default signature hash algorithm
Newly generated default Firebox certificates use the SHA-256 algorithm with a 2048-bit key length
Default certificates are not automatically upgraded after you install Fireware v11.10.5
  To upgrade and regenerate any default Firebox certificate to use SHA-256 and a 2048-bit key length, delete the certificate and reboot the Firebox
  You can also use the CLI to manually upgrade specific certificates

Default Firebox Certificate Upgrades

The Proxy Server certificate is used for inbound HTTPS with content inspection and SMTP with TLS inspection. The Proxy Authority certificate is used for outbound HTTPS with content inspection. The two certificates are linked because the default Proxy Server certificate is signed by the default Proxy Authority certificate.
You can upgrade the default Proxy Authority and Proxy Server certificates with the Fireware CLI.
After you upgrade, you must redistribute the new Proxy Authority certificate to your clients.
  Without the new certificate, users will receive web browser warnings when they browse HTTPS sites, if content inspection is enabled.
There are special considerations if you use a third-party Proxy Server certificate:
  The CLI command will not work unless you first delete the Proxy Authority certificate. The CLI command will regenerate both the Proxy Server and Proxy Authority default certificates.
  If you originally used a third-party tool to create the CSR, you can simply re-import your existing third-party certificate and private key.
  If you originally created your CSR from the Firebox, you must create a new CSR to be signed, and then import a new third-party certificate.

Default Firebox Certificate Upgrades

To upgrade the default Proxy Authority and Proxy Server certificates for use with HTTPS content inspection, you can use the CLI command: upgrade certificate proxy
To upgrade the Firebox web server certificate, use the CLI command: upgrade certificate web
To upgrade the SSLVPN certificate, use the CLI command: upgrade certificate sslvpn
To upgrade the 802.1x certificate, use the CLI command: upgrade certificate 8021x
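
Because default certificates are not upgraded automatically, it helps to confirm which ones still need it. The following Python code is an added example, not WatchGuard code and not part of the original slides: it reads the signature algorithm and RSA key length from a DER-encoded certificate and flags any that is not SHA-256 with at least a 2048-bit key. The function names and the two sample certificates (constructed skeletons with dummy names, key and signature) are assumptions made for the illustration, and an RSA key is assumed.

```python
# Added example, not WatchGuard code. Assumes a DER-encoded certificate with an RSA key.
RSA, SHA1, SHA256 = (bytes.fromhex("2a864886f70d0101" + x) for x in ("01", "05", "0b"))
NAMES = {SHA1: "sha1WithRSAEncryption", SHA256: "sha256WithRSAEncryption"}

def tlv(tag, body):
    """Encode one DER element; used only to build the constructed samples."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def children(buf):
    """Split DER contents into a list of (tag, value) pairs."""
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length: low 7 bits give the length's byte count
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated DER element")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def audit(der):
    """Return (signature algorithm, RSA modulus bits, needs_upgrade)."""
    tbs, sig_alg, _sig = children(children(der)[0][1])
    alg = NAMES.get(children(sig_alg[1])[0][1], "other")
    spki = [v for t, v in children(tbs[1]) if t == 0x30][-1]  # last SEQUENCE in TBS
    key = children(spki)[1][1][1:]  # BIT STRING minus its unused-bits byte
    bits = int.from_bytes(children(children(key)[0][1])[0][1], "big").bit_length()
    return alg, bits, alg != "sha256WithRSAEncryption" or bits < 2048

def sample_cert(sig_oid, key_bytes):
    """Constructed skeleton: dummy names, key and signature, not a real certificate."""
    alg = tlv(0x30, tlv(0x06, sig_oid) + tlv(0x05, b""))
    rsa = tlv(0x30, tlv(0x02, b"\x00" + b"\xc3" * key_bytes) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + rsa))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + tlv(0x30, b"") * 3 + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\xaa" * 8))

if __name__ == "__main__":
    for label, der in (("SHA-1/1024 sample", sample_cert(SHA1, 128)),
                       ("SHA-256/2048 sample", sample_cert(SHA256, 256))):
        print(label, audit(der))
```

To check a real certificate, export it in DER form and pass the file's bytes to `audit`.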

3G/4G Modem Support

New 3G/4G USB modem supported for modem failover
Modem: Novatel U620L modem
Carrier: Verizon

Log Messages for Reports

For traffic that is allowed through Packet Filter policies, you can now enable the Firebox to send log messages that are only used in reports
These log messages do not appear in Traffic Monitor or Log Manager
To see log messages in Traffic Monitor or Log Manager from a Firebox that runs Fireware OS v11.10.5 or higher, you must also select the Send a log message check box

Send Log Messages for Reports

To enable your Firebox to send log messages that are included in reports:
1. Add or edit a packet filter policy
2. Select Logging > Send log message for reports

Thank You!
