WatchGuard Firebox T30, Firebox M200, Firebox M400, Firebox M300, Firebox M500 Release Note

Fireware v11.12.1 Release Notes
Supported Devices
Firebox T10, T30, T50, T70, M200, M300, M400, M440, M500, M4600, M5600
XTM 3, 5, 8, 800, 1500, and 2500 Series
XTM 25, XTM 26, XTM 1050, XTM 2050
FireboxV, XTMv, Firebox Cloud, WatchGuard AP
22 February 2017
Release Notes Revision: 15 March 2017
Fireware OS Build: 522519
WatchGuard System Manager Build: 521585
WatchGuard AP Device Firmware:
For AP100, 102, 200: Build 1.2.9.11
For AP300: Build 2.0.0.6
For AP120: Build 8.0.564
For AP320: Build 8.0.564
Introduction
WatchGuard is pleased to announce the release of Fireware v11.12.1 and WatchGuard System Manager v11.12.1. This maintenance release reflects an ongoing commitment to product quality, resolving numerous outstanding bugs and providing several minor feature enhancements. For more information on the bug fixes and enhancements in this release, see the Enhancements and Resolved Issues section.
With this release, we're also proud to announce support for:
FireboxV
FireboxV is a new family of virtual Fireboxes for VMware and Hyper-V.
Firebox Cloud for AWS
Firebox Cloud is a Firebox for the Amazon Web Services (AWS) computing platform, with features and services tailored to the AWS environment. The Firebox Cloud BYOL version is available now in the Amazon marketplace. For more information about how to get started with Firebox Cloud, see the Firebox Cloud Deployment Guide.
This release also includes support for the AP322, a new outdoor wireless AP device that will be released soon.
For more detailed information about the feature enhancements and functionality changes included in Fireware v11.12.1, see Fireware Help or review What's New in Fireware v11.12.1.
Important Information about Firebox Certificates
SHA-1 is being deprecated by many popular web browsers, and WatchGuard recommends that you now use SHA-256 certificates. Because of this, we have upgraded our default Firebox certificates. Starting with Fireware v11.10.4, all newly generated default Firebox certificates use a 2048-bit key length. In addition, newly generated default Proxy Server and Proxy Authority certificates use SHA-256 for their signature hash algorithm. Starting with Fireware v11.10.5, all newly generated default Firebox certificates use SHA-256 for their signature hash algorithm. New CSRs created from the Firebox also use SHA-256 for their signature hash algorithm.
Default certificates are not automatically upgraded after you install Fireware v11.10.5 or later releases.
To regenerate any default Firebox certificates, delete the certificate and reboot the Firebox. If you want to regenerate default certificates without a reboot, you can use the CLI commands described in the next section. Before you regenerate the Proxy Server or Proxy Authority certificate, there are some important things to know.
The Proxy Server certificate is used for inbound HTTPS with content inspection and SMTP with TLS inspection. The Proxy Authority certificate is used for outbound HTTPS with content inspection. The two certificates are linked because the default Proxy Server certificate is signed by the default Proxy Authority certificate. If you use the CLI to regenerate these certificates after you upgrade, you must redistribute the new Proxy Authority certificate to your clients. Otherwise, if content inspection is enabled, users will receive web browser warnings when they browse HTTPS sites.
Also, if you use a third-party Proxy Server or Proxy Authority certificate:
- The CLI command will not work unless you first delete either the Proxy Server or Proxy Authority certificate. The CLI command will regenerate both the Proxy Server and Proxy Authority default certificates.
- If you originally used a third-party tool to create the CSR, you can simply re-import your existing third-party certificate and private key.
- If you originally created your CSR from the Firebox, you must create a new CSR to be signed, and then import a new third-party certificate.
CLICommands to Regenerate Default Firebox Certificates
To regenerate any default Firebox certificates, delete the certificate and reboot the Firebox. If you want to regenerate default certificates without a reboot, you can use these CLIcommands:
l To upgrade the default Proxy Authority and Proxy Server certificates for use with HTTPS content
inspection, you can use the CLI command: upgrade certificate proxy
l To upgrade the Firebox web server certificate, use the CLI command: upgrade certificate web l To upgrade the SSLVPN certificate, use the CLI command: upgrade certificate sslvpn l To upgrade the 802.1x certificate, use the CLI command: upgrade certificate 8021x
For more information about the CLI, see the Command Line Interface Reference.
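Because default certificates are not upgraded automatically, it helps to check which ones still carry a SHA-1 signature or an RSA key shorter than 2048 bits before you decide what to regenerate. The following is an added example, not WatchGuard code: the function name audit_cert_text and the sample excerpts are constructed for illustration, and it assumes the text layout printed by `openssl x509 -noout -text`.

```shell
# Added example. Reads `openssl x509 -noout -text` output on stdin and reports
# whether a default certificate predates the SHA-256 / 2048-bit defaults.
# ROLE is one of the CLI keywords from the release notes: proxy, web, sslvpn, 8021x.
audit_cert_text() {
    role=$1
    case "$role" in
        proxy|web|sslvpn|8021x) ;;
        *) echo "usage: audit_cert_text proxy|web|sslvpn|8021x" >&2; return 2 ;;
    esac
    text=$(cat)
    # openssl prints the signature algorithm twice; the first copy is enough.
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$sig" ] || [ -z "$bits" ]; then
        echo "UNKNOWN $role: not openssl x509 text output"
        return 1
    fi
    why=""
    case "$sig" in
        *[Ss][Hh][Aa]1*) why="signature $sig" ;;   # the case the release notes call out
    esac
    # The 2048-bit threshold only applies to RSA keys.
    if [ "$alg" = "rsaEncryption" ] && [ "$bits" -lt 2048 ]; then
        why="${why:+$why, }RSA key $bits bit"
    fi
    if [ -n "$why" ]; then
        echo "REGENERATE $role: $why; CLI: upgrade certificate $role"
    else
        echo "OK $role: $sig, $bits bit"
    fi
}

# Constructed excerpts of `openssl x509 -noout -text` output (not from real devices).
SAMPLE_OLD='    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
    Signature Algorithm: sha1WithRSAEncryption'
SAMPLE_NEW='    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
    Signature Algorithm: sha256WithRSAEncryption'
printf '%s\n' "$SAMPLE_OLD" | audit_cert_text web
printf '%s\n' "$SAMPLE_NEW" | audit_cert_text proxy
```

Against a live service, pipe `openssl s_client -connect HOST:PORT </dev/null 2>/dev/null | openssl x509 -noout -text` into the function, where HOST:PORT is a placeholder for the listener that presents the certificate. A REGENERATE result for proxy still carries the redistribution requirement for the Proxy Authority certificate described above.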
Before You Begin
Before you install this release, make sure that you have:
- A supported WatchGuard Firebox or XTM device. This device can be a WatchGuard Firebox T10, T30, T50, T70, XTM 2 Series (models 25 and 26 only), 3 Series, 5 Series, 8 Series, 800 Series, XTM 1050, XTM 1500 Series, XTM 2050 device, XTM 2500 Series, Firebox M200, M300, M400, M500, M440, M4600, M5600. You can also use this version of Fireware on FireboxV or XTMv (any edition), and Firebox Cloud for AWS.
- The required hardware and software components as shown below. If you use WatchGuard System Manager (WSM), make sure your WSM version is equal to or higher than the version of Fireware OS installed on your Firebox or XTM device and the version of WSM installed on your Management Server.
- Feature key for your Firebox or XTM device — If you upgrade your device from an earlier version of Fireware OS, you can use your existing feature key. If you do not have a feature key for your device, you can log in to the WatchGuard website to download it.
Note that you can install and use WatchGuard System Manager v11.12 and all WSM server components with devices running earlier versions of Fireware v11.x. In this case, we recommend that you use the product documentation that matches your Fireware OS version.
If you have a new Firebox or XTM physical device, make sure you use the instructions in the Quick Start Guide that shipped with your device. If this is a new FireboxV or XTMv installation, make sure you carefully review Fireware Help for important installation and setup instructions. We also recommend that you review the Hardware Guide for your Firebox or XTM device model. The Hardware Guide contains useful information about your device interfaces, as well as information on resetting your device to factory default settings, if necessary.
Product documentation for all WatchGuard products is available on the WatchGuard web site at http://www.watchguard.com/wgrd-help/documentation/overview.
Localization
This release includes localized management user interfaces (WSM application suite and Web UI) current as of Fireware v11.11. UI changes introduced since v11.11 may remain in English. Supported languages are:
- French (France)
- Japanese
- Spanish (Latin American)
Note that most data input must still be made using standard ASCII characters. You can use non-ASCII characters in some areas of the UI, including:
- Proxy deny message
- Wireless hotspot title, terms and conditions, and message
- WatchGuard Server Center users, groups, and role names
Any data returned from the device operating system (e.g. log data) is displayed in English only. Additionally, all items in the Web UI System Status menu and any software components provided by third-party companies remain in English.
Fireware Web UI
The Web UI will launch in the language you have set in your web browser by default.
WatchGuard System Manager
When you install WSM, you can choose what language packs you want to install. The language displayed in WSM will match the language you select in your Microsoft Windows environment. For example, if you use Windows 7 and want to use WSM in Japanese, go to Control Panel > Regions and Languages and select Japanese on the Keyboards and Languages tab as your Display Language.
Dimension, WebCenter, Quarantine Web UI, and Wireless Hotspot
These web pages automatically display in whatever language preference you have set in your web browser.
Documentation
Localization updates are also available for Fireware Help, available on the WatchGuard website or as context-sensitive Help from the localized user interfaces.
Fireware and WSM v11.12.1 Operating System Compatibility
Last revised: 15 February 2017
Operating systems (table columns):
- Microsoft Windows 7, 8, 8.1, 10 (32-bit & 64-bit)
- Microsoft Windows Server 2012 & 2012 R2 (64-bit)
- Microsoft Windows Server 2016 (64-bit)
- Mac OS X v10.9, v10.10, v10.11 & v10.12
- Android 4.x & 5.x
- iOS v7, v8, v9, & v10
WSM/Fireware components (table rows; the per-cell support marks are not present in this text):
- WatchGuard System Manager
- WatchGuard Servers (For information on WatchGuard Dimension, see the Dimension Release Notes.)
- Single Sign-On Agent (Includes Event Log Monitor)
- Single Sign-On Client
- Single Sign-On Exchange Monitor [1]
- Terminal Services Agent [2]
- Mobile VPN with IPSec [3] [3]
- Mobile VPN with SSL
Notes about Microsoft Windows support:
- Windows 8.x support does not include Windows RT.
- Windows Exchange Server 2013 is supported if you install Windows Server 2012 or 2012 R2 and .NET Framework 3.5.
The following browsers are supported for both Fireware Web UI and WebCenter (JavaScript required):
- IE 11 and later
- Microsoft Edge
- Firefox v22 and later
- Safari 6 and later
- Safari iOS 6 and later
- Chrome v29 and later
[1] Microsoft Exchange Server 2007, 2010, and 2013 are supported.
[2] Terminal Services support with manual or Single Sign-On authentication operates in a Microsoft Terminal Services or Citrix XenApp 4.5, 5.0, 6.0, 6.5 and 7.6 environment.
[3] Native (Cisco) IPSec client and OpenVPN are supported for Mac OS and iOS. For Mac OS X 10.8 - 10.12, we also support the WatchGuard IPSec Mobile VPN Client for Mac, powered by NCP.
Authentication Support
This table gives you a quick view of the types of authentication servers supported by key features of Fireware. Using an authentication server gives you the ability to configure user and group-based firewall and VPN policies in your Firebox or XTM device configuration. With each type of third-party authentication server supported, you can specify a backup server IP address for failover.
Legend (the table's symbols are not present in this text):
- Fully supported by WatchGuard
- Not yet supported, but tested with success by WatchGuard customers
Authentication server types (table columns):
- Active Directory [1]
- LDAP
- RADIUS [2]
- SecurID [2]
- Firebox (Firebox-DB) Local Authentication
Features (table rows):
- Mobile VPN with IPSec/Shrew Soft [3]
- Mobile VPN with IPSec/WatchGuard client (NCP)
- Mobile VPN with IPSec for iOS and Mac OS X native VPN client
- Mobile VPN with IPSec for Android devices
- Mobile VPN with SSL for Windows [4] [4]
- Mobile VPN with SSL for Mac
- Mobile VPN with SSL for iOS and Android devices
- Mobile VPN with L2TP [6]
- Mobile VPN with PPTP: N/A
- Built-in Authentication Web Page on Port 4100
- Single Sign-On Support (with or without client software)
- Terminal Services Manual Authentication
- Terminal Services Authentication with Single Sign-On [5]
- Citrix Manual Authentication
- Citrix Manual Authentication with Single Sign-On [5]
[1] Active Directory support includes both single domain and multi-domain support, unless otherwise noted.
[2] RADIUS and SecurID support includes support for both one-time passphrases and challenge/response authentication integrated with RADIUS. In many cases, SecurID can also be used with other RADIUS implementations, including Vasco.
[3] The Shrew Soft client does not support two-factor authentication.
[4] Fireware supports RADIUS Filter ID 11 for group authentication.
[5] Both single and multiple domain Active Directory configurations are supported. For information about the supported Operating System compatibility for the WatchGuard TO Agent and SSO Agent, see the current Fireware and WSM Operating System Compatibility table.
[6] Active Directory authentication methods are supported only through a RADIUS server.
System Requirements
If you have WatchGuard System Manager client software only installed:
- Minimum CPU: Intel Core or Xeon 2GHz
- Minimum Memory: 1 GB
- Minimum Available Disk Space: 250 MB
- Minimum Recommended Screen Resolution: 1024x768
If you install WatchGuard System Manager and WatchGuard Server software:
- Minimum CPU: Intel Core or Xeon 2GHz
- Minimum Memory: 2 GB
- Minimum Available Disk Space: 1 GB
- Minimum Recommended Screen Resolution: 1024x768
FireboxV System Requirements
With support for installation in both a VMware and a Hyper-V environment, a WatchGuard FireboxV virtual machine can run on a VMware ESXi 5.5, 6.0, or 6.5 host, or on Windows Server 2012 R2 or 2016, or Hyper-V Server 2012 R2 or 2016.
The hardware requirements for FireboxV are the same as for the hypervisor environment it runs in.
Each FireboxV virtual machine requires 5 GB of disk space. CPU and memory requirements vary by model:
- Small: 2 vCPUs (maximum), 1024 MB memory (recommended)
- Medium: 4 vCPUs (maximum), 2048 MB memory (recommended)
- Large: 8 vCPUs (maximum), 4096 MB memory (recommended)
- Extra Large: 16 vCPUs (maximum), 4096 MB memory (recommended)
System requirements for XTMv are included in Fireware Help.