Posted on July 23, 2024 (author: )
Fireware XTM v11.6.3 Release Notes

Supported Devices: XTMv, XTM 2, 3, 5, and 8 Series; XTM 1050, XTM 2050
Fireware XTM OS Build: 357868 for all other XTM models; 358414 for the XTM 2050 (re-released 12/19/2012)
WatchGuard System Manager Build: 358385 (re-released 12/19/2012)
Revision Date: 31 December 2012
Introduction

Note: Fireware XTM v11.6.3 was originally released on December 12,mber 19, 2012, we released an update to the Fireware XTM software for the XTM 2050, and an update to WatchGuard System Manager (WSM) for all platforms to resolve an issue ave already downloaded WSM v11.6.3, you do not need to download new WSM software unless you manage an XTM 2050 device.

WatchGuard is pleased to announce the release of Fireware XTM v11.6.3 and WatchGuard System Manager install Fireware XTM OS v11.6.3 on any WatchGuard XTM device, including 2 Series, 3 Series, 5 Series, 8 Series, XTM 1050 and 2050 devices,lease introduces support for two new features:

RapidDeploy
With RapidDeploy, network administrators of distributed enterprises can activate and deploy XTM devices in remote locations without the need to preconfigure the devices before they are shipped out -- saving time and find more information about RapidDeploy in the v11.6.3 Help, including a link to the new WatchGuard Deployment Center web UI you can use to activate, deploy, and track your XTM RapidDeploy devices.

Automatic Feature Key Synchronization
When automatic feature key synchronization is enabled, any XTM device can automatically download the latest feature key from the WatchGuard website when any feature in the feature key is expired or about to tenabled by default.

In addition to these new features, this release includes a large number of bug fixes. You can find a description of these bug fixes in the Resolved Issues section.

For more information about the feature enhancements included in Fireware XTM v11.6.3, you can:
- Review the PowerPoint overview: What's New in Fireware XTM v11.6.3.
- Review the help topic What's New in This Release to find links directly to the product documentation for these new features.
Before You Begin

Before you install this release, make sure that you have:
- A WatchGuard XTM 2 Series, 3 Series, 5 Series, 8 Series, XTM 1050, or XTM 2050 device, or XTMv (any edition).
- se WatchGuard System Manager (WSM), make sure your WSM version is equal to or higher than the version of Fireware XTM OS installed on your XTM device and the version of WSM installed on your Management Server.
- Feature key for your XTM device — If you upgrade your XTM device from an earlier version of Fireware XTM OS,se XTMv, your feature key must be generated with the serial number you received when you purchased XTMv.

Note that you can install and use WatchGuard System Manager v11.6.3 and all WSM server components with case, we recommend that you use the product documentation that matches your Fireware XTM OS version.

If you have a new XTM physical device, make sure you use the instructions in the XTM Quick Start Guide that is a new XTMv installation, make sure you carefully review the XTMv Setup Guide for important installation and setup instructions.

Documentation for this product is available on the WatchGuard website at /help/documentation.
Localization

This release includes localized Fireware XTM v11.6.1 management user interfaces (WSM application suite and Web UI)tnew to the Fireware XTM and WSM v11.6.3 release remains in English. Supported languages are:
- Chinese (Simplified, PRC)
- French (France)
- Japanese
- Spanish (Latin American)

Note: In addition to these languages, we offer localized Web UI support for Korean and ,and all help files and user documentation, remain in English for these two languages.

Nuse non-ASCII characters in some areas of the UI, including:
- Proxy deny message
- Wireless hotspot title, terms and conditions, and message
- WatchGuard Server Center users, groups, and role names

WatchGuard Technologies, Inc.

Any data returned from the device operating system (a)onally, all items in the Web UI System Status menu and any software components provided by third-party companies remain in English.

Fireware XTM Web UI
Thee of the currently ge to a different language, click the language name -down list of languages appears and you can select the language you want to use.

WatchGuard System Manager
When you install WSM,guage displayed in WSmple, if you use Windows XP and want to use WSM in Japanese, go to Control Panel > Regional and Language Options and select Japanese from the language list.

Log and Report Manager, CA Manager, Quarantine Web UI, and Wireless Hotspot
These web pages automatically display in whatever language preference you have set in your web browser.
Fireware XTM and WSM v11.6.3 Operating System Compatibility

Revised June 2012
Operating systems (table columns):
Microsoft Windows XP SP2 (32-bit); Microsoft Windows Vista (32-bit & 64-bit); Microsoft Windows 7 (32-bit & 64-bit); Microsoft Windows Server 2003 (32-bit); Microsoft Windows Server 2008 & 2008 R2*; Mac OS X v10.5, v10.6, & v10.7; Android (& higher)

WSM/Fireware XTM components (table rows):
- WatchGuard System Manager Application
- Fireware XTM Web UI. Supported browsers: IE 7 and 8, Firefox 3.x & above
- Log and Report Manager Web UI. Supported browsers: Firefox 3.5 & above, IE 8 & above, Safari 5.0 & above, Chrome 10 &ript required.
- WatchGuard Servers
- Single Sign-On Agent Software (Includes Event Log Monitor)
- Single Sign-On Client Software
- Terminal Services Agent Software**
- Mobile VPN with IPSec Client Software
- Mobile VPN with SSL Client Software

Table cell notes: ***; Native (Cisco) IPSec client is supported

* Microsoft Windows Server 2008 32-bit and 64-bit support; Windows Server 2008 R2 64-bit support.
** Terminal Services support with manual or Single Sign-On authentication operates in a Microsoft Terminal Services or Citrix XenApp 4.5, 5.0, 6.0 and 6.5 environment.
*** Microsoft Windows Server 2003 SP2 required.
Authentication Support

This table gives you a quick view of the types of authentication servers supported by key features of Fireware nauthentication server gives you the ability to configure user and group-based firewall and VPN chtype of third-party authentication server supported, you can specify a backup server IP address for failover.
— Fully supported by WatchGuard
— Not yet supported, but tested with success by WatchGuard customers

Features listed in the table (rows):
- Mobile VPN with IPSec/Shrew Soft
- Mobile VPN with IPSec for iPhone/iPad iOS and Mac OS X
- Mobile VPN with IPSec for Android devices
- Mobile VPN with SSL for Windows
- Mobile VPN with SSL for Mac
- Mobile VPN with PPTP
- Built-in Authentication Web Page on Port 4100
- Windows Single Sign-On Support (with or without client software)
- Terminal Services Manual Authentication
- Terminal Services Authentication with Single Sign-On
- Citrix Manual Authentication

1. Active Directory support includes both single domain and multi-domain support, unless otherwise noted.
2. RADIUS and SecurID support includes support for both one-time passphrases and challenge/response cases, SecurID can also be used with other RADIUS implementations, including Vasco.
3. The Shrew Soft client does not support two-factor authentication.
4. Fireware XTM supports RADIUS Filter ID 11 for group authentication.
5. PIN+kencode mode and SMS One Time Passwords are not supported.
6. Only single domain Active Directory configurations are supported.
7. For information about the supported Operating System compatibility for the WatchGuard TO Agent and SSO Agent, see the current Fireware XTM and WSM Operating System Compatibility table.
XTMv System Requirements

To install an XTMv virtual device, you must have a VMware ESXi 4.1 or 5.0 host installed on any server talso install the VMware vSphere Client 4.1 or 5.0 refer, you can use vCenter Server instead of the vSphere client.

The hardware requ information about VMware hardware compatibility, see the VMware Compatibility Guide at /resources/compatibility/.

Each XTMv virtual machine requires 3 GB of disk space.

Recommended Resource Allocation Settings

               Small Office   Medium Office   Large Office   Datacenter
Virtual CPUs   1              2               4              8 or more
Memory         1 GB           2 GB            4 GB           4 GB or more
Downloading Software

o the WatchGuard Portal and select the Articles & Software tab.
e Search section, clear the Articles and Known Issues check boxes and search for available
the XTM device for which you want to download software.
descriptions below so you know what software packages you will need for your upgrade.

WatchGuard System Manager
is software package you can install WSM and the WatchGuard Server Center software:
—v11.6.3.

Fireware XTM OS
e if you want to install or
e if you want to install or upgrade the OS using the Fireware XTM
e to deploy a new XTMv device.
If you have….                      Select from these Fireware XTM OS packages
XTM 2050                           XTM_OS_XTM2050_
                                   xtm_xtm2050_
XTM 1050                           XTM_OS_XTM1050_
                                   xtm_xtm1050_
XTM 8 Series                       XTM_OS_XTM8_
                                   xtm_xtm8_
XTM 5 Series                       XTM_OS_XTM5_
                                   xtm_xtm5_
XTM 330                            XTM_OS_XTM330_
                                   xtm_xtm330_
XTM 33                             XTM_OS_XTM33_
                                   xtm_xtm33_
XTM 2 Series Models 21, 22, 23     XTM_OS_XTM2_
                                   xtm_xtm2_
XTM 2 Series Models 25, 26         XTM_OS_XTM2A6_
                                   xtm_xtm2a6_
XTMv All editions                  xtmv_
                                   xtmv_
                                   xtmv_
Single Sign-On Software
There are two files available for download if you use Single Sign-On.
- WG-Authentication-Gateway_11_ (SSO Agent software - required for Single Sign-On and includes optional Event Log Monitor for clientless SSO)
- WG-Authentication-Client_11_ i (SSO Client software - optional)
For information about how to install and set up Single Sign-On, see the product documentation.

Terminal Services Authentication Software
- TO_AGENT_32_11_ (32-bit support)
- TO_AGENT_64_11_ (64-bit support)

Mobile VPN with SSL Client for Windows and Mac
There are two files available for download if you use Mobile VPN with SSL:
- WG-MVPN-SSL_11_ (Client software for Windows)
- WG-MVPN-SSL_11_ (Client software for Mac)

Mobile VPN with IPSec client for Windows
e information about the Shrew Soft VPN client, see the help or visit the Shrew Soft,e.
11.6.3

eware XTM v11.6.3, download and save the Fireware XTM find all available software on the WatchGuard Portal, Articles & use Policy Manager or the Web UI to complete the ngly recommend that you back up your device configuration and your WatchGuard t possible to downgrade without these backup files.

If you use WatchGuard System Manager (WSM), make sure your WSM version is equal to or higher than the version of Fireware XTM OS installed on your XTM device and the version of WSM installed on your Management Server.

lier, it is important to back up your Log and Report Server data using the procedure described in the Knowledge Base article Log and Report Server Changes in XTM v11.5.1. This is necessary because the Log and Report Server database structure changed in WSM u upgrade to WSM v11.5.1 or higher for the first time, the timestamps ofe Knowledge Base article gives you details on this upgrade, and important information about the Log and Report Manager (also new in WSM v11.5.1).
Back up your WatchGuard Management Server Configuration

From the computer where you installed the Management Server:
tchGuard Server Center, select Backup/Restore Management Server.
  The WatchGuard Server Center Backup/Restore Wizard starts.
ext.
  The Select an action screen appears.
Backup settings.
ext.
  The Specify a backup file screen appears.
re you save the configuration file to a location you can access later to restore the configuration.
ext.
  The WatchGuard Server Center Backup/Restore Wizard is complete screen appears.
inish to exit the wizard.
Upgrade to Fireware XTM v11.6.3 from Web UI

stem > Backup Image or use the USB Backup feature to back up your current configuration file.
management computer, launch the OS software file you downloaded from the WatchGuard Software Downloads Center.
  If you use the Windows-based installer, this installation extracts an upgrade file called [xtm series]_[product code].sysa-dl to the default location of C:\Program Files (x86)\Common files\WatchGuard\resources\FirewareXTM\11.6.3\[model] or [model][product_code].
t to your XTM device with the Web UI and select System > Upgrade OS.
to the location of the [xtm series]_[product code].sysa-dl from Step 2 and click Upgrade.

Upgrade to Fireware XTM v11.6.3 from WSM/Policy Manager v11.x

File > Backup or use the USB Backup feature to back up your current configuration file.
management computer, launch the OS executable file you downloaded from the WatchGuard stallation extracts an upgrade file called [xtm series]_[product code].sysa-dl to the default location of C:\Program Files (x86)\Common files\WatchGuard\resources\FirewareXTM\11.6.3\[model] or [model][product_code].
t to your XTM device and launch Policy Manager.
licy Manager, select File >ompted, browse to and select the [xtm series]_[product code].sysa-dl file from Step 2.
General Information for WatchGuard Server Software Upgrades

r or client software when you update from v11.0.1 or r and client software on top of your existing installation to upgrade your WatchGuard software components.

Upgrade your FireCluster to Fireware XTM v11.6.3

There are two methods to upgrade Fireware XTM OS hod you use depends on the version of Fireware XTM you currently use.

Upgrade a FireCluster from Fireware XTM 11.5.x

Use these steps to upgrade a FireCluster from Fireware XTM eware XTM v11.6.x:
1. Open the cluster configuration file in Policy Manager
2. Select File > Upgrade.
3. Type the configuration passphrase.
4. Type or select the location of the upgrade file.
5. To create a backup image, select Yes.
   A list of the cluster members appears.
the check box for each device you want to upgrade.
   A message appears when the upgrade for each device is complete.

When the upgrade is complete,pgrade both devices in the cluster at the same time, to make sure there is not an interruption in network access at the time of the upgrade.

Policy Manager upgrades the backup member first and then waits for it to reboot and rejoin the cluster as a at the master’s role will not change until it reboots time the backup takes over as the master.

To perform the upgrade from a remote location, make sure the FireCluster interface for management IP address is configured on the external interface, more information, see About the Interface for Management IP Address.

Upgrade a FireCluster from Fireware XTM v11.3.x

To upgrade a FireCluster from Fireware XTM eware XTM v11.6.x, you must perform a manual ual upgrade steps, see the Knowledge Base article Upgrade Fireware XTM OS for a FireCluster.
Downgrade Instructions

v11.x

arlier version of WSM,u uninstall, choose Yes when the the server configuration and data files are deleted, you must restore the data and server configuration files you Next,taller should detect your existing serv use a WatchGuard Management Server, use WatchGuard Server Center to restore the backup Management that all WatchGuard servers are running.

eware XTM v11.x

Note: You cannot downgrade an XTM 2050, an XTM 330, or an XTM 33 device to a version of not downgrade an XTM 5 Series model 515, 525,not downgrade XTMv to a version of Fireware XTM OS lower than v11.5.4.

arlier version of Fireware XTM, you either:
- Resplete the downgrade; or
- Use the USB backup file you created before the upgrade as your auto-restore image, and then boot into not an option for XTMv users.

To start a WatchGuard XTM 330, 5 Series, 8 Series, XTM 1050, or XTM 2050 device in recovery mode:
ff the XTM device.
he up arrow on the device front panel while you turn the power on.
e button depressed until "Recovery Mode starting" appears on the LCD display.

To start a WatchGuard XTM 2 Series or XTM 33 device in recovery mode:
nect the power.
nd hold the Reset button on the back while you connect the power to the device.
e button depressed until the Attn light on the front turns solid orange.
Resolved Issues

The Fireware XTM v11.6.3 release resolves a number of problems found in earlier Fireware XTM v11.x releases.

General
- All XTM 5 Series devices now correctly display their device model in LCD display and Firebox System Manager. [69377]
- This release resolves an issue that caused some XTM 8 Series devices to lock up or reboot unexpectedly. [69302]
- A problem that caused some XTM 1050 devices to crash in some customer environments has been fixed. [66670]
- Fiber modules for XTM 1050 devices now operate correctly. [70118]
- A problem was fixed that caused some XTM devices to crash after a configuration save. [65288]
- Newly added or expired blocked sites no longer cause the XTM device to crash. [67994]
- A cross-site scripting vulnerability present in the authentication page (port 4100) has been addressed in this release. [68127]
- The ATTN light on XTM 2 Series and XTM 33 devices now operates correctly during the reset process. [67165]
- Several XTM device crash issues have been resolved in this release. [67866, 69050, 66809, 66032]
- e. [69764]
- It is now possible to schedule an automated update of your device feature key. [66997]
WatchGuard System Manager
- A Management Server login will no longer fail with the error: "Error Code: Error (1102) no lock available". [68491]
- When a Management Server login fails, you now see an error message to specify the reason for the failure. [66866]
- Log files for WatchGuard server are now automatically archived to prevent the files from growing too large. [34363, 67521]
- HostWatch no longer fails to display connections because of invalid XML characters. [66785]

Firebox System Manager
- This release resolves an issue that caused Traffic Monitor to fail to display any data. [66975]

Centralized Management
- es. [68447]
- You can no longer build an (incorrect)tted configuration file for Firebox X e-Series devices. [68646]
- Scheduled Tasks that are configured for the same day now process correctly. [68329]
- Devices imported to the Management Server now display correctly. [69539]
Logging & Reporting
- The unnecessary log message "block_dump: Select timed out" has been removed. [66635]
- The unnecessary log message "miiGetLinkStatus" no longer shows when a network bridge is enabled. [41811]
- The web service file "" is now accessible for Eclipse setup. [69869]
- Reports generated with UTF-8 encoding no longer contain corrupted characters. [66584]

Proxies and Security Services
- This release resolves an issue with IPS and the HTTP proxy that caused NAT exhaustion in some customer environments. [66246]
- A problem that caused XTM device instability when the SIP ALG was in use has been resolved in this release. [68312]
- A problem that caused Active FTP to fail in some customer environments has been resolved. [65848]
- This release resolves an issue that caused some XTM devices to crash during heavy mail traffic. [66428]
- XTM devices no longer try to update Gateway AV and IPS signatures when these features are not licensed. [66415]

Authentication
- SSO exceptions added as an IP Range now operate correctly. [68986]
- SSO exceptions no longer incorrectly trigger when the last octet of an IP address matches a configured exception. [68344]
Networking
- A problem that caused Policy-Based Routing to fail when the interface was not down has been resolved. [67116]
- This release resolves an issue that could cause an interface to fail. [68554]
- A problem that caused some XTM devices to periodically fail to pass network traffic has been fixed. [65179]
- Static routes no longer fail when multi-WAN and PPPoE are both enabled. [68090]
- An interface configured to use PPPoE no longer waits for a multi-WAN failover to occur before it requests a new IP address. [68232]
- This release resolves an issue that caused outbound traffic to fail after a multi-WAN failover. [68183]
- Multi-WAN now works correctly on XTM 2050 devices configured with ETH16-19 as external interfaces. [68405]

FireCluster
- This release resolves some memory management issues that caused FireCluster instability. [68026]
- This release resolves a crash issue that caused a FireCluster member failover in an active/passive FireCluster. [66872]

VPN
- Branch office VPN tunnels no longer fail when a PPPoE interface goes down. [68639]
- This release resolves several IKE process crashes that caused failure for Mobile VPN with IPSec and Branch Office VPN. [68118, 69625, 67961, 67881, 68237]
- Branch office VPN tunnels no longer fail when a dynamically assigned external IP address on the XTM device changes. [68163, 68910, 68188]
- This release resolves an issue that caused branch office VPN tunnels to fail to pass traffic. [69090, 67819]
- A large number of active branch office VPN tunnels no longer causes a CPU spike. [68886]
- A memory leak that occurred when a large number of branch office VPN tunnels were active has been fixed. [66200]
- This release resolves an issue that caused branch office VPN tunnels to stop passing traffic. [67921]
- Branch office VPN tunnel routes configured to use 1-to-1 NAT now operate correctly with Multi-WAN. [67001]
- This release resolves an issue that caused branch office VPNs to fail after a Fireware XTM OS upgrade. [68247]
- The IKE process now remains stable when Mobile VPN with IPSec connections that use the Safenet client are disconnected. [66772]

XTMv
- Network connectivity no longer fails after you upgrade the Fireware XTM OS on an XTMv installation. [69500]
- XTMv appliances with PPPoE configured no longer lose network routes after a reboot. [69492]
Known Issues and Limitations

vailable, we include a way to work around the issue.

General
- When you connect a USB drive to an XTM device, the device does not automatically save a single Support Snapshot to the USB drive. [64499]
  Workaround
  Use the CLI command “usb diagnostic enable” to enable the device to save a diagnostic support ails about this command, see the Command Line Interface Reference Guide.
- The "Sysb" version displayed in the Firebox System Manager Status Report will show blank for XTM models 2, 5, 8, and 1050 that were manufactured prior to the XTM v11.5.1 release.
- 11.5.1 the XTM device counts the combined total number of ping requests and replies, rather than just the total number of ping he default threshold for ICMP Flood Attack protection did not increase, the flood protection could trigger more frequently than it did in earlier releases. [63094]
  Workaround
  In the Default Packet Handling settings, increase the threshold for Drop ICMP Flood Attack from the default value of 1000 packets/second to a higher number.
- When the level of free memory on your XTM device is lower than 20M, saving your XTM device configuration to the device can cause network disruption. [64474]
- The ETH1 interface on the XTM 830F is a fiber-optic port, so you cannot use the WSM Quick Setup mputer with a Fiber NIC, or connect using a switch with both Fiber and Ethernet interfaces. [59742]
- To power off an XTM 5 Series device, you must press and hold the rear power switch for 4–5 seconds. [42459]
- For XTM 5 Series devices, Interface 0 does not support Auto-MDIX and does not automatically sense cable polarity.
- On XTM 2 Series devices, the load average is always displayed at 1 or higher, even when there is no load on the device. [63898]
- An XTM 2 Series device can take up to 5 minutes to reboot.
- When you use the Policy Manager > File > Backup or Restore features, the process can take a long time but does complete successfully. [35450]
- You cannot downgrade an XTM 2 Series device from v11.5.1 to v11.4.1 with the Upgrade OS option in the Web UI. [63323]
- Fireware XTM does not support BGP connections through an IPSec VPN tunnel to Amazon Web nels that do not use BGP are supported. [41534]
- gs not included are:
  o Secondary interface IP address [66990]
  o Configured QoS settings [66992]
  o Static MAC bindings [66993]
  o IPv6 configuration [66994]

XTMv
- XTMv does not automatically change the self-signed certificate when its serial number changes. [66668]
  Workaround
  A new self-signed certificate with the correct serial number is generated if you manually delete the certificate from Firebox System Manager > View > Certificates and then reboot the XTMv device.
- If you import the OVA file in VMware Player (which is not officially supported in this release), you must use the "Enter" key on your keyboard to accept the XTMv End User License Agreement (EULA). The OK and Cancel buttons at the conclusion of the EULA do not appear in VMware Player.
WatchGuard System Manager
- If you use Firebox System Manager to ping across a VPN tunnel, you get a message that reads “No Buffer Space Available.”this message if the VPN tunnel is not re the VPN tunnel is up and try again. [59339]
- WatchGuard System Manager does not display the correct IP address for the default gateway of an XTM device that has no External interface. [56385]
- When you install WatchGuard System Manager or any server software on a computer running Microsoft Windows XP, compatibility mode should not be enabled even if prompted by Windows, for any of the WSM applications, including the installer. [56355]
- Remote managed Firebox or XTM devices configured in Drop-in Mode may not be able to connect to a Management Server that is behind a gateway Firebox or XTM device also configured in Drop-in Mode. [33056]
- If you restore a backup image to a managed client device managed by a Management Server, it is possible that the shared secret becomes out of sync.
  Workaround
  the managed device and select Update the radio button Reset server configuration (IP address/Hostname, shared secret).
- During a WSM upgrade, install, or uninstall on a 64-bit Windows system, any running applications detected by the WSM installer can be stopped successfully, but the installer may not recognize that they have been stopped. [39078]
  Workaround
  -click on the WatchGuard Server Center icon on your re all detected applications are stopped and then retry the WSM install or uninstall.
- her installer (either the WSM client component only or any selected WSM server components) on Microsoft SBS (Small Business Server) 2008 and 2011 on a computer installed with a 64-bit operating system, you see a Microsoft Windows error "IssProc.x64 has stopped working". When you close the error dialog box, the installation completes. [57133]
Web UI
- eatures include:
  o FireCluster
  o Certificate export
  o You cannot turn on or off notification of BOVPN events
  o You cannot add or remove static ARP entries to the device ARP table
- You cannot get the encrypted Mobile VPN with IPSec end-user configuration profile, UI generates only a plain-text version of the end-user configuration profile, with file .
- You cannot edit the name of a policy, use a custom address in a policy, or use Host Name (DNS lookup) to add an IP address to a policy.
- If you configure a policy in the Web UI with a status of Disabled, then open Policy Manager and make a change to the same policy, the action assigned to the policy when it denies packets is changed to Send TCP RST. [34118]
- You cannot create read-only Mobile VPN with IPSec configuration files with the Web UI. [39176]

Command Line Interface (CLI)
- The CLI does not support the configuration of some features:
  o You cannot add or edit a proxy action.
  o You cannot get the encrypted Mobile VPN with IPSec end-user configuration profile, known as the .generates only a plain-text version of the end-user configuration profile, with file .
- The CLI performs minimal input validation for many commands.
- For the XTM 2050, the output of the CLI command “show interface” does not clearly indicate the “show interface” CLI command shows the interface number as the interface label on the front of the device (A0, A2 … A7; B0, B1 … B7; C0, C1) followed by a dash, and then the consecutive interface number (0 – 17), for all interfaces. [64147]
  Workaround
  Use the consecutive interface number that appears after the dash as the interface number to B1-9 interfaces, the interface number in the CLI command should be C0-1 interfaces, the interface number in the CLI command should be 16-17.
Proxies
- The Policy Manager and Web UI do not provide any warning that the WebBlocker Override may not work for HTTPS. [67208]
- HTTPS DPI (Deep Packet Inspection) does not work for users who use IE 9.0 with TLS 1.1 and 1.2 enabled, but TLS 1.0 and SSL 3.0 not enabled. [65707]
  Workaround
  Use a different browser, or enable TLS 1.0 and SSL 3.0 in your IE 9.0 configuration.
- The XTM device can store only one HTTPS Proxy Server certificate and can protect only one HTTPS website at a time. [41131]
- When an XTM device is under high load, some proxy connections may not terminate correctly. [61925, 62503]
- The ability to use an HTTP caching proxy server is not available in conjunction with the TCP-UDP Proxy. [44260]
- You cannot make a SIP-based call from Polycom PVX softphone behind a Firebox to a Polycom PVX on the external network. [38567]
  Workaround
  You can use the H.323 protocol instead of SIP.
- When you try to stream YouTube videos from an Apple device running iOS, you may see this error message: "The server is not correctly configured."
  Workaround
  ur HTTP proxy policy.
  iew/Edit proxy.
  the Allow range requests through unmodified check box.
  is change to your XTM device.
- The SIP-ALG does not send the Contact header correctly when the Contact header contains a domain sends an empty string of: Contact: <>. If the Contact header contains an IP address, the SIP-ALG sends the Contact header correctly: Contact: [59622]
  Workaround
  Configure the PBX to send the Contact header with an IP address, not a domain name.
Security Subscriptions
- Some IPS signature information, such as the CVE number, is not available in Firebox System Manager. We provide search capabilities and CVE information for IPS signatures on a web security portal for IPS on the WatchGuard website, which you can access at /SecurityPortal/
- ris already logged in to Skype and a Skype session is already started when Application Control is enabled, Application Control may not detect the activity.
- For XTM 2 Series devices only, Application Control is temporarily disabled during an upgrade, backup, e operation is complete, Application Control starts to work again.
- It is not possible to assign a role for Application Control management from the WatchGuard System Manager role-based administration feature. [59204]
- You cannot use a WebBlocker Server through a branch office VPN tunnel. [56319]
Networking
- lier, the To and From microuting is enabled, new policies will be created automatically when you upgrade. [67721]
- Policy Checker does not work when your XTM device is configured in Bridge mode. [66855]
- An apostrophe in a DHCP reservation name causes the DHCP reservation to fail. [65529]
- You cannot configure traffic management actions or use QoS marking on VLANs. [56971, 42093]
- You cannot bridge a wireless interface to a VLAN interface. [41977]
- The Web Setup Wizard can fail if your computer is directly connected to an XTM 2 Series device as a n occur because the computer cannot get an IP address quickly enough after the device reboots during the wizard. [42550]
  Workaround
  computer is directly connected to the XTM 2 Series device during the Web Setup Wizard, use a static IP address on your computer.
  itch or hub between your computer and the XTM 2 Series device when you run the Web Setup Wizard.
- When a secondary network is configured for an XTM 2 Series device configured in Drop-In Mode, it can sometimes take a few minutes for computers that connect to the secondary network to appear in the ARP list of the XTM 2 Series. [42731]
- You must make sure that any disabled network interfaces do not have the same IP address as any active network interface or routing problems can occur. [37807]
- If you enable the MAC/IP binding with the Only allow traffic sent from or to these MAC/IP addresses check box, but do not add any entries to the table, the MAC/IP binding feature does not become active. This is to help make sure administrators do not accidentally block themselves from their own XTM device. [36934]
- Any network interfaces that are part of a bridge configuration disconnect and re-connect automatically when you save a configuration from a computer on the bridge network that includes configuration changes to a network interface. [39474]
- When you change the IP address of a VLAN configured on an external interface from static to PPPoE and the Firebox cannot get a PPPoE address, Firebox System Manager and the Web UI may continue to show the previously used static IP address. [39374]
- When you configure your XTM device with a Mixed Routing Mode configuration, any bridged interfaces show their interface and default gateway IP address as 0.0.0.0 in the Web UI. [39389]
- When you configure your XTM device in Bridge Mode, the LCD display on your XTM device shows the IP address of the bridged interfaces as 0.0.0.0. [39324]
- When you configure your XTM device in Bridge Mode, the HTTP redirect feature is configurable from the user interface but does not work in this release. [38870]
- Static MAC/IP address binding does not work when your XTM device is configured in Bridge mode. [36900]
- When you change your configuration mode from Mixed Routing to Bridge or from Bridge to Mixed Routing, the CLI and Web UI may continue to show the previous configuration mode. [38896]
- The dynamic routing of RIP v1 does not work. [40880]
- When an IP address is added to the Temporary Blocked Site list by the administrator through the Firebox System Manager > Blocked Sites tab, the expiration time is constantly reset when traffic is received from the IP address. [42089]
Multi-WAN
- The multi-WAN sticky connection does not work if your device is configured to use the multi-WAN Routing Table mode. [62950]
- When you enable the multi-WAN Immediate Failback option for WAN failover, some traffic may fail over gradually. [42363]

Wireless
- The 5 GHz Wireless band does not work when you use channels 36, 40, 149 or 165. [65559]

Authentication
- Citrix 4.5/5/0 servers installed in VMware do not work with Terminal Server Single Sign-On. [66156]
  Workaround
  This feature works with Citrix 6.0 and 6.5 servers installed in VMware.
- Clientless SSO is not supported on a TLS-Enabled Active Directory environment.
- If you use Terminal Services authentication, no authentication verification is done against traffic of any cludes DNS, NetBIOS, and ICMP traffic.
- It is not possible to use the Automatically redirect users to the authentication page authentication option together with Terminal Services authentication.
- To enable your XTM device to correctly process system-related traffic from your Terminal or Citrix server, the Te of this, you may need to a can learn more about how Backend-Service operates in the product help system.
- For the Authentication Redirect feature to operate correctly, HTTP or HTTPS traffic cannot be allowed through an Authentication Redirect feature operates only when policies for port 80 and 443 are configured for user or user group authentication. [37241]
Centralized Management
- You cannot create a new user account for role-based administration from the Management Server that includes unsupported special characters,t create the user account from WatchGuard Server Center. [70464]
- e Configuration Template. [55732]
- If you used Centralized Management with devices subscribed to templates in earlier versions of WSM, 11.4 or higher, these templates are updated and the devices are ng templates are updated to use “T_” in their object names (to match the object names in the devices that used to subscribe to them). After you upgrade, you’ll see the template upgrade that occurs during upgrade in your revision history.
- When an XTM template is applied to a managed device, the Management Server creates a new configuration revision for the device only if the new revision is going to be different from the current s also no feedback about why a new configuration revision was not created. [57934]
FireCluster
You cannot upgrade an active/passive FireCluster over a BOVPN. [39746]
The time on the FireCluster backup master can get out of sync with the cluster master, even when NTP is enabled. [66134]
Workaround
t to the cluster, launch Firebox System Manager, and then select Tools >
nchronizes the time on both cluster members to the time on the management computer.
When spanning tree protocol (STP) is enabled on some switches, a FireCluster failover can take 10 seconds or longer. [66180]
Workaround
Disable STP on the switch, configure the switch to use rapid STP, or use a different switch.
You might need to re-import the HTTPS DPI certificate after you upgrade the Fireware XTM OS for a FireCluster. [65280]
You cannot use the secondary IP address of an XTM device interface to manage a FireCluster configured in active/active mode. [64184]
Workaround
Use the primary IP address of an XTM device for all management connections to an active/active FireCluster.
Users granted access to monitor FireCluster through role-based administration cannot see the FireCluster device in Log and Report Manager. [65398]
The FireCluster backup master may become inactive when Mobile VPN with SSL or PPTP is configured to use an IP address pool that includes the cluster IP address. [63762]
Workaround
Avoid using an IP address pool that conflicts with the cluster IP addresses.
If the Log Server cannot be reached from the management IP addresses, only the current FireCluster
n occur if the Log Server is connected through an External network, but the management IP addresses are on a Trusted or Optional network. [64482]
If you change the network configuration of a FireCluster from Routed mode to Drop-in mode, and then change it back to Routed mode, the IP address of the cluster interface is not correctly shown in the Policy Manager Network >
rect cluster interfaces are shown in the FireCluster configuration dialog box. [63905]
Gateway AV updates in a system that is low on memory may result in a FireCluster failover. [62222]
Workaround
Reduce the frequency that the system checks for Gateway AV updates to minimize the chance of this occurring.
If a monitored link fails on both FireCluster members, the non-master member is switched into passive
-WAN failover caused by a failed
uster failover occurs only when the physical interface is down or does not respond.
Each XTM device has a set of default IP addresses assigned to the device interfaces in a range starting
et the IP address of the Primary or Backup cluster interface to one of the default IP addresses, both devices restart, and the backup master becomes inactive. [57663]
Workaround
Do not use any of the default IP addresses as the Primary or Backup cluster interface IP address.
When you have an active/active FireCluster and use the WebBlocker Override feature, you may be prompted to enter your override password twice. [39263]
Every network inte
t make sure that all enabled interfaces are physically connected to a network device.
If you use HP ProCurve switches, you may not be able to configure your FireCluster in active/active mode because these switches may not support the addition of static ARP entries. [41396]
If you use the Mobile VPN with IPSec client from the same network as the external network address configured on your FireCluster, some traffic may not go through the VPN tunnel. [38672]
Mobile VPN with PPTP users do not appear in Firebox System Manager when you are connected to a
only connected to the active Firebox when using an active/passive FireCluster. [36467]
It is not possible to use a VLAN interface IP address for a FireCluster management IP address. [45159]
11.5.1, the management computer must be on the same network as the FireCluster management IP addresses. [63278]
Logging and Reporting
When you change the log level for your WatchGuard Log Server and click Apply, the change does not take effect. [60088]
Workaround
hGuard Server Center, on the Log Server Logging tab, change the log level for log messages from the Log Server and click Apply.
ervers tree, onfirmation message, select Yes.
-click Log Server again and select Start Server.
The Denied Packets Summary report is not yet available in the Log and Report Manager. [63192]
The PDF output of the Web Activity Trend report does not include time labels on the x-axis when viewed
d time information is included in the table below the report. [64162]
11.5.1, reports generated near the time of the upgrade may not show up in Log and Report Manager. [64325]
If a daily report schedule name includes a colon or certain other characters (for example: "1:35"), the system returns an error. [63427]
Workaround
Make sure that your report schedule names use only characters that are valid in Windows file
find valid characters in articles such as /en-us/library/windows/desktop/aa365247%28v=vs.85%.
Log collector will crash when it reaches the 2 GB virtual size limit on 32-bit Windows systems. [64249]
u sort by Destination, the field sorts by IP address and not the destination host name (if available). When you sort by Disposition, some items in the "deny" state do not sort accurately within groups. [62879]
Any configured daily or weekly “Archived Reports” you have in your v11.3 configuration are automatically converted to scheduled reports after you upgrade to WSM v11.4 or higher.
Mobile VPN
You cannot generate a Mobile VPN with IPSec configuration file when the group name contains the asterisk or period characters (*, .). [66815]
If you set the diagnostic log level for Mobile VPN with SSL traffic to “debug” level, log messages stop displaying in Firebox System Manager > Traffic Manager. [65165]
Workaround
Set the diagnostic log level for Mobile VPN with SSL to any log level less granular than “debug”.
If you add a new feature key that adds Mobile VPN with SSL licenses for your XTM device, you must reboot your XTM device to enable the additional Mobile VPN with SSL users. [65620]
When you connect a Mobile VPN with SSL v11.5.1 client for the first time to an XTM device upgraded to v11.5.2, the client upgrade sometimes fails. [65635]
Workaround
Install the Mobile VPN with SSL client manually.
You cannot establish a Mobile VPN with SSL connection from a Windows-based computer when the Windows system account is Chinese. [58208]
When you use the built-in IPSec client from an iPhone or iPad, the client connection will disconnect
caused by a limitation in the Cisco client used by iPhone/
t reconnect the IPSec client to reestablish the VPN tunnel. [63147]
Mobile VPN with PPTP connections from Android mobile devices do not work consistently on 3G mobile networks. [63451]
Connections from the Mobile VPN with IPSec client can route through the wrong external interface when the XTM device is configured for multi-WAN in round-robin mode. [64386]
You cannot configure Mobile VPN with SSL to bridge network traffic to a bridged interface. [61844]
Mobile VPN with SSL users cannot connect to some network resources through a branch office VPN tunnel that terminates on an active/active FireCluster. [61549]
You cannot ping the IP address of the XTM device interface to which a Shrew Soft VPN client
ping computers on that network, but not the interface IP address itself. [60988]
Shrew Soft VPN client connections can drop if there are multiple clients connected to an XTM device at the same time issuing Phase 2 rekeys. [60261]
Phase 1 rekeys initiated by the Shrew Soft VPN client cause the client to be disconnected, if connected
case, we recommend that you set the rekey on your XTM device to 23 hours -- one hour
ces the XTM device to initiate the rekey, and gives the client a notification that the tunnel must be re-established. [60260, 60259]
A continuous FTP session over a Mobile VPN with IPSec connection could get terminated if an IPSec rekey occurs during the FTP transfer. [32769]
Workaround
Increase the rekey byte count.
The Mobile VPN for SSL Mac client may not be able to connect to an XTM device when the authentication algorithm is set to SHA256. [35724]
Branch Office VPN
Manual branch office VPN fails when the pre-shared key exceeds 50 characters. [65215]
Do not use the same name for both a VPN Gateway and a VPN Tunnel. [66412]
When you configure your XTM device in multi-WAN mode, you must select which interfaces to include
e are any interfaces that you choose not to include in your multi-WAN configuration (ar the check box for that interface), the system does not create a route
n cause a problem if you have a branch office VPN configured to include that
case, the VPN tunnel can fail to negotiate with its remote peer. [57153]
Workaround
If you use multi-WAN and have problems with your branch office VPN tunnels failing to negotiate with their remote peers, you must open your multi-WAN configuration and select Configure
re that the appropriate interfaces are included in your multi-WAN configuration.
A branch office VPN tunnel does not pass traffic if an inbound static NAT policy that includes IP 50 and IP 51 protocols exists for the external IP address of the XTM device. [41822]
Managed branch office VPN tunnels cannot be established if the CRL distribution point (for example, the WatchGuard Management Server or a third-party CRL distribution site you use) is offline. [55946]
nch office VPN tunnel uses Any for the Local part of a tunnel route, Fireware XTM interprets this to mean network 0.0.0.0 and subnet mask 0.0.0.0 (in slash notation, 0.0.0.0/0). If the remote IPSec peer does not send 0.0.0.0/0 as its Phase 2 ID, Phase 2 negotiations fail. [40098]
Workaround
the Local part of your
e IP addresses of computers behind the XTM device that actually participate
t the administrator of the remote IPSec peer to determine what that device uses for the Remote part of its tunnel route (or the Remote part of its Phase 2 ID).
If you have a large number of branch office VPN tunnels in your configuration, the tunnels may take a long time to appear in Policy Manager. [35919]
Workaround
From Policy Manager, select View >
he Highlight Firewall policies based on traffic type check box.
Using the CLI
The Fireware XTM CLI (Command Line Interface)
ormation on how to start and use the CLI, download the CLI guide from the documentation web site at /help/documentation/
ave been no updates to the CLI Guide for this release.
Technical Assistance
For technical assistance, contact WatchGuard Technical Support by telephone or log in to the WatchGuard Portal on the Web at /
u contact Technical Support, you must supply your registered Product Serial Number or Partner ID.
Phone Number
rs: 877.232.3531
International End Users: +1 206.613.0456
Authorized WatchGuard Resellers: 206.521.8375