Posted July 23, 2024

Fireware XTM v11.6.3 Release Notes

Supported Devices: XTMv, XTM 2, 3, 5, and 8 Series; XTM 1050, XTM 2050
Fireware XTM OS Build: 358414 for the XTM 2050 (re-released 12/19/2012); 357868 for all other XTM models
WatchGuard System Manager Build: 358385 (re-released 12/19/2012)
Revision Date: 31 December 2012

Introduction

Note: Fireware XTM v11.6.3 was originally released on December 12, mber 19, 2012, we released an update to the Fireware XTM software for the XTM 2050, and an update to WatchGuard System Manager (WSM) for all platforms to resolve an issue ave already downloaded WSM v11.6.3, you do not need to download new WSM software unless you manage an XTM 2050 device.

WatchGuard is pleased to announce the release of Fireware XTM v11.6.3 and WatchGuard System Manager install Fireware XTM OS v11.6.3 on any WatchGuard XTM device, including 2 Series, 3 Series, 5 Series, 8 Series, XTM 1050 and 2050 devices, lease introduces support for two new features:

RapidDeploy

With RapidDeploy, network administrators of distributed enterprises can activate and deploy XTM devices in remote locations without the need to preconfigure the devices before they are shipped out -- saving time and find more information about RapidDeploy in the v11.6.3 Help, including a link to the new WatchGuard Deployment Center web UI you can use to activate, deploy, and track your XTM RapidDeploy devices.

Automatic Feature Key Synchronization

When automatic feature key synchronization is enabled, any XTM device can automatically download the latest feature key from the WatchGuard website when any feature in the feature key is expired or about to t enabled by default.

In addition to these new features, this release includes a large number of bug fixes. You can find a description of these bug fixes in the Resolved Issues section.

For more information about the feature enhancements included in Fireware XTM v11.6.3, you can:

- Review the PowerPoint overview: What's New in Fireware XTM v11.6.3.
- Review the help topic What's New in This Release to find links directly to the product documentation for these new features.

Before You Begin

Before you install this release, make sure that you have:

- A WatchGuard XTM 2 Series, 3 Series, 5 Series, 8 Series, XTM 1050, or XTM 2050 device, or XTMv (any edition).
- se WatchGuard System Manager (WSM), make sure your WSM version is equal to or higher than the version of Fireware XTM OS installed on your XTM device and the version of WSM installed on your Management Server.
- Feature key for your XTM device — If you upgrade your XTM device from an earlier version of Fireware XTM OS, se XTMv, your feature key must be generated with the serial number you received when you purchased XTMv.

Note that you can install and use WatchGuard System Manager v11.6.3 and all WSM server components with case, we recommend that you use the product documentation that matches your Fireware XTM OS version.

If you have a new XTM physical device, make sure you use the instructions in the XTM Quick Start Guide that is a new XTMv installation, make sure you carefully review the XTMv Setup Guide for important installation and setup instructions.

Documentation for this product is available on the WatchGuard website at /help/documentation.

Localization

This release includes localized Fireware XTM v11.6.1 management user interfaces (WSM application suite and Web UI) t new to the Fireware XTM and WSM v11.6.3 release remains in English. Supported languages are:

- Chinese (Simplified, PRC)
- French (France)
- Japanese
- Spanish (Latin American)

Note: In addition to these languages, we offer localized Web UI support for Korean and , and all help files and user documentation, remain in English for these two languages.

N use non-ASCII characters in some areas of the UI, including:

- Proxy deny message
- Wireless hotspot title, terms and conditions, and message
- WatchGuard Server Center users, groups, and role names

WatchGuard Technologies, Inc.

Any data returned from the device operating system (a)onally, all items in the Web UI System Status menu and any software components provided by third-party companies remain in English.

Fireware XTM Web UI

The e of the currently ge to a different language, click the language name -down list of languages appears and you can select the language you want to use.

WatchGuard System Manager

When you install WSM, guage displayed in WS mple, if you use Windows XP and want to use WSM in Japanese, go to Control Panel > Regional and Language Options and select Japanese from the language list.

Log and Report Manager, CA Manager, Quarantine Web UI, and Wireless Hotspot

These web pages automatically display in whatever language preference you have set in your web browser.

Fireware XTM and WSM v11.6.3 Operating System Compatibility

Revised June 2012

[Compatibility table: the per-cell support marks did not survive extraction. The column headings, row labels and remaining cell text are listed below.]

Operating systems (columns): Microsoft Windows XP SP2 (32-bit); Microsoft Windows Vista (32-bit & 64-bit); Microsoft Windows 7 (32-bit & 64-bit); Microsoft Windows Server 2003 (32-bit); Microsoft Windows Server 2008 & 2008 R2*; Mac OS X v10.5, v10.6, & v10.7; Android higher

WSM/Fireware XTM components (rows):

- WatchGuard System Manager Application
- Fireware XTM Web UI. Supported Browsers: IE 7 and 8, Firefox 3.x & above
- Log and Report Manager Web UI. Supported browsers: Firefox 3.5 & above, IE8 & above, Safari 5.0 & above, Chrome 10 & ript required.
- WatchGuard Servers
- Single Sign-On Agent Software (Includes Event Log Monitor)
- Single Sign-On Client Software
- Terminal Services Agent Software**
- Mobile VPN with IPSec Client Software
- Mobile VPN with SSL Client Software

Remaining cell text: "***"; "Native (Cisco) IPSec client is supported"

* Microsoft Windows Server 2008 32-bit and 64-bit support; Windows Server 2008 R2 64-bit support.

** Terminal Services support with manual or Single Sign-On authentication operates in a Microsoft Terminal Services or Citrix XenApp 4.5, 5.0, 6.0 and 6.5 environment.

*** Microsoft Windows Server 2003 SP2 required.

Authentication Support

This table gives you a quick view of the types of authentication servers supported by key features of Fireware n authentication server gives you the ability to configure user and group-based firewall and VPN ch type of third-party authentication server supported, you can specify a backup server IP address for failover.

— Fully supported by WatchGuard
— Not yet supported, but tested with success by WatchGuard customers

[Authentication support table: the authentication server columns and the per-cell support marks did not survive extraction. The row labels are listed below.]

- Mobile VPN with IPSec/Shrew Soft
- Mobile VPN with IPSec for iPhone/iPad iOS and Mac OS X
- Mobile VPN with IPSec for Android devices
- Mobile VPN with SSL for Windows
- Mobile VPN with SSL for Mac
- Mobile VPN with PPTP
- Built-in Authentication Web Page on Port 4100
- Windows Single Sign-On Support (with or without client software)
- Terminal Services Manual Authentication
- Terminal Services Authentication with Single Sign-On
- Citrix Manual Authentication

1. Active Directory support includes both single domain and multi-domain support, unless otherwise noted.
2. RADIUS and SecurID support includes support for both one-time passphrases and challenge/response cases, SecurID can also be used with other RADIUS implementations, including Vasco.
3. The Shrew Soft client does not support two-factor authentication.
4. Fireware XTM supports RADIUS Filter ID 11 for group authentication.
5. PIN+ kencode mode and SMS One Time Passwords are not supported.
6. Only single domain Active Directory configurations are supported.
7. For information about the supported Operating System compatibility for the WatchGuard TO Agent and SSO Agent, see the current Fireware XTM and WSM Operating System Compatibility table.

XTMv System Requirements

To install an XTMv virtual device, you must have a VMware ESXi 4.1 or 5.0 host installed on any server t also install the VMware vSphere Client 4.1 or 5.0 refer, you can use vCenter Server instead of the vSphere client.

The hardware requ information about VMware hardware compatibility, see the VMware Compatibility Guide at /resources/compatibility/.

Each XTMv virtual machine requires 3 GB of disk space.

Recommended Resource Allocation Settings

                Small Office    Medium Office    Large Office    Datacenter
Virtual CPUs    1               2                4               8 or more
Memory          1 GB            2 GB             4 GB            4 GB or more

Downloading Software

o the WatchGuard Portal and select the Articles & Software tab.
e Search section, clear the Articles and Known Issues check boxes and search for available the XTM device for which you want to download software.

descriptions below so you know what software packages you will need for your upgrade.

WatchGuard System Manager

is software package you can install WSM and the WatchGuard Server Center software:

— v11.6.3.

Fireware XTM OS

e if you want to install or e if you want to install or upgrade the OS using the Fireware XTM e to deploy a new XTMv device.

If you have….                       Select from these Fireware XTM OS packages
XTM 2050                            XTM_OS_XTM2050_
                                    xtm_xtm2050_
XTM 1050                            XTM_OS_XTM1050_
                                    xtm_xtm1050_
XTM 8 Series                        XTM_OS_XTM8_
                                    xtm_xtm8_
XTM 5 Series                        XTM_OS_XTM5_
                                    xtm_xtm5_
XTM 330                             XTM_OS_XTM330_
                                    xtm_xtm330_
XTM 33                              XTM_OS_XTM33_
                                    xtm_xtm33_
XTM 2 Series Models 21, 22, 23      XTM_OS_XTM2_
                                    xtm_xtm2_
XTM 2 Series Models 25, 26          XTM_OS_XTM2A6_
                                    xtm_xtm2a6_
XTMv All editions                   xtmv_
                                    xtmv_
                                    xtmv_

Single Sign-On Software

There are two files available for download if you use Single Sign-On.

- WG-Authentication-Gateway_11_ (SSO Agent software - required for Single Sign-On and includes optional Event Log Monitor for clientless SSO)
- WG-Authentication-Client_11_ i (SSO Client software - optional)

For information about how to install and set up Single Sign-On, see the product documentation.

Terminal Services Authentication Software

- TO_AGENT_32_11_ (32-bit support)
- TO_AGENT_64_11_ (64-bit support)

Mobile VPN with SSL Client for Windows and Mac

There are two files available for download if you use Mobile VPN with SSL:

- WG-MVPN-SSL_11_ (Client software for Windows)
- WG-MVPN-SSL_11_ (Client software for Mac)

Mobile VPN with IPSec client for Windows

e information about the Shrew Soft VPN client, see the help or visit the Shrew Soft, e.

11.6.3

eware XTM v11.6.3, download and save the Fireware XTM find all available software on the WatchGuard Portal, Articles & use Policy Manager or the Web UI to complete the ngly recommend that you back up your device configuration and your WatchGuard t possible to downgrade without these backup files.

If you use WatchGuard System Manager (WSM), make sure your WSM version is equal to or higher than the version of Fireware XTM OS installed on your XTM device and the version of WSM installed on your Management Server.

lier, it is important to back up your Log and Report Server data using the procedure described in the Knowledge Base article Log and Report Server Changes in XTM v11.5.1. This is necessary because the Log and Report Server database structure changed in WSM u upgrade to WSM v11.5.1 or higher for the first time, the timestamps of e Knowledge Base article gives you details on this upgrade, and important information about the Log and Report Manager (also new in WSM v11.5.1).

Back up your WatchGuard Management Server Configuration

From the computer where you installed the Management Server:

tchGuard Server Center, select Backup/Restore Management Server.
The WatchGuard Server Center Backup/Restore Wizard starts.
ext.
The Select an action screen appears.
Backup settings.
ext.
The Specify a backup file screen appears.
re you save the configuration file to a location you can access later to restore the configuration.
ext.
The WatchGuard Server Center Backup/Restore Wizard is complete screen appears.
inish to exit the wizard.

Upgrade to Fireware XTM v11.6.3 from Web UI

stem > Backup Image or use the USB Backup feature to back up your current configuration file.
management computer, launch the OS software file you downloaded from the WatchGuard Software Downloads Center.
If you use the Windows-based installer, this installation extracts an upgrade file called [xtm series]_[product code].sysa-dl to the default location of C:\Program Files (x86)\Common files\WatchGuard\resources\FirewareXTM\11.6.3\[model] or [model][product_code].
t to your XTM device with the Web UI and select System > Upgrade OS.
to the location of the [xtm series]_[product code].sysa-dl from Step 2 and click Upgrade.

Upgrade to Fireware XTM v11.6.3 from WSM/Policy Manager v11.x

File > Backup or use the USB Backup feature to back up your current configuration file.
management computer, launch the OS executable file you downloaded from the WatchGuard stallation extracts an upgrade file called [xtm series]_[product code].sysa-dl to the default location of C:\Program Files (x86)\Common files\WatchGuard\resources\FirewareXTM\11.6.3\[model] or [model][product_code].
t to your XTM device and launch Policy Manager.
licy Manager, select File > ompted, browse to and select the [xtm series]_[product code].sysa-dl file from Step 2.

General Information for WatchGuard Server Software Upgrades

r or client software when you update from v11.0.1 or r and client software on top of your existing installation to upgrade your WatchGuard software components.

Upgrade your FireCluster to Fireware XTM v11.6.3

There are two methods to upgrade Fireware XTM OS hod you use depends on the version of Fireware XTM you currently use.

Upgrade a FireCluster from Fireware XTM 11.5.x

Use these steps to upgrade a FireCluster from Fireware XTM eware XTM v11.6.x:

1. Open the cluster configuration file in Policy Manager
2. Select File > Upgrade.
3. Type the configuration passphrase.
4. Type or select the location of the upgrade file.
5. To create a backup image, select Yes.
   A list of the cluster members appears.
the check box for each device you want to upgrade.
   A message appears when the upgrade for each device is complete.

When the upgrade is complete, pgrade both devices in the cluster at the same time, to make sure there is not an interruption in network access at the time of the upgrade.

Policy Manager upgrades the backup member first and then waits for it to reboot and rejoin the cluster as a at the master’s role will not change until it reboots time the backup takes over as the master.

To perform the upgrade from a remote location, make sure the FireCluster interface for management IP address is configured on the external interface, more information, see About the Interface for Management IP Address.

Upgrade a FireCluster from Fireware XTM v11.3.x

To upgrade a FireCluster from Fireware XTM eware XTM v11.6.x, you must perform a manual ual upgrade steps, see the Knowledge Base article Upgrade Fireware XTM OS for a FireCluster.

Downgrade Instructions

v11.x

arlier version of WSM, u uninstall, choose Yes when the the server configuration and data files are deleted, you must restore the data and server configuration files you Next, taller should detect your existing serv use a WatchGuard Management Server, use WatchGuard Server Center to restore the backup Management that all WatchGuard servers are running.

eware XTM v11.x

Note: You cannot downgrade an XTM 2050, an XTM 330, or an XTM 33 device to a version of not downgrade an XTM 5 Series model 515, 525, not downgrade XTMv to a version of Fireware XTM OS lower than v11.5.4.

arlier version of Fireware XTM, you either:

- Res plete the downgrade; or
- Use the USB backup file you created before the upgrade as your auto-restore image, and then boot into not an option for XTMv users.

To start a WatchGuard XTM 330, 5 Series, 8 Series, XTM 1050, or XTM 2050 device in recovery mode:

ff the XTM device.
he up arrow on the device front panel while you turn the power on.
e button depressed until "Recovery Mode starting" appears on the LCD display.

To start a WatchGuard XTM 2 Series or XTM 33 device in recovery mode:

nect the power.
nd hold the Reset button on the back while you connect the power to the device.
e button depressed until the Attn light on the front turns solid orange.

Resolved Issues

The Fireware XTM v11.6.3 release resolves a number of problems found in earlier Fireware XTM v11.x releases.

General

- All XTM 5 Series devices now correctly display their device model in LCD display and Firebox System Manager. [69377]
- This release resolves an issue that caused some XTM 8 Series devices to lock up or reboot unexpectedly. [69302]
- A problem that caused some XTM 1050 devices to crash in some customer environments has been fixed. [66670]
- Fiber modules for XTM 1050 devices now operate correctly. [70118]
- A problem was fixed that caused some XTM devices to crash after a configuration save. [65288]
- Newly added or expired blocked sites no longer cause the XTM device to crash. [67994]
- A cross-site scripting vulnerability present in the authentication page (port 4100) has been addressed in this release. [68127]
- The ATTN light on XTM 2 Series and XTM 33 devices now operates correctly during the reset process. [67165]
- Several XTM device crash issues have been resolved in this release. [67866, 69050, 66809, 66032]
- e. [69764]
- It is now possible to schedule an automated update of your device feature key. [66997]

WatchGuard System Manager

- A Management Server login will no longer fail with the error: "Error Code: Error (1102) no lock available". [68491]
- When a Management Server login fails, you now see an error message to specify the reason for the failure. [66866]
- Log files for WatchGuard server are now automatically archived to prevent the files from growing too large. [34363, 67521]
- HostWatch no longer fails to display connections because of invalid XML characters. [66785]

Firebox System Manager

- This release resolves an issue that caused Traffic Monitor to fail to display any data. [66975]

Centralized Management

- es. [68447]
- You can no longer build an (incorrect) tted configuration file for Firebox X e-Series devices. [68646]
- Scheduled Tasks that are configured for the same day now process correctly. [68329]
- Devices imported to the Management Server now display correctly. [69539]

Logging & Reporting

- The unnecessary log message "block_dump: Select timed out" has been removed. [66635]
- The unnecessary log message "miiGetLinkStatus" no longer shows when a network bridge is enabled. [41811]
- The web service file "" is now accessible for Eclipse setup. [69869]
- Reports generated with UTF-8 encoding no longer contain corrupted characters. [66584]

Proxies and Security Services

- This release resolves an issue with IPS and the HTTP proxy that caused NAT exhaustion in some customer environments. [66246]
- A problem that caused XTM device instability when the SIP ALG was in use has been resolved in this release. [68312]
- A problem that caused Active FTP to fail in some customer environments has been resolved. [65848]
- This release resolves an issue that caused some XTM devices to crash during heavy mail traffic. [66428]
- XTM devices no longer try to update Gateway AV and IPS signatures when these features are not licensed. [66415]

Authentication

- SSO exceptions added as an IP Range now operate correctly. [68986]
- SSO exceptions no longer incorrectly trigger when the last octet of an IP address matches a configured exception. [68344]

Networking

- A problem that caused Policy-Based Routing to fail when the interface was not down has been resolved. [67116]
- This release resolves an issue that could cause an interface to fail. [68554]
- A problem that caused some XTM devices to periodically fail to pass network traffic has been fixed. [65179]
- Static routes no longer fail when multi-WAN and PPPoE are both enabled. [68090]
- An interface configured to use PPPoE no longer waits for a multi-WAN failover to occur before it requests a new IP address. [68232]
- This release resolves an issue that caused outbound traffic to fail after a multi-WAN failover. [68183]
- Multi-WAN now works correctly on XTM 2050 devices configured with ETH16-19 as external interfaces. [68405]

FireCluster

- This release resolves some memory management issues that caused FireCluster instability. [68026]
- This release resolves a crash issue that caused a FireCluster member failover in an active/passive FireCluster. [66872]

VPN

- Branch office VPN tunnels no longer fail when a PPPoE interface goes down. [68639]
- This release resolves several IKE process crashes that caused failure for Mobile VPN with IPSec and Branch Office VPN. [68118, 69625, 67961, 67881, 68237]
- Branch office VPN tunnels no longer fail when a dynamically assigned external IP address on the XTM device changes. [68163, 68910, 68188]
- This release resolves an issue that caused branch office VPN tunnels to fail to pass traffic. [69090, 67819]
- A large number of active branch office VPN tunnels no longer causes a CPU spike. [68886]
- A memory leak that occurred when a large number of branch office VPN tunnels were active has been fixed. [66200]
- This release resolves an issue that caused branch office VPN tunnels to stop passing traffic. [67921]
- Branch office VPN tunnel routes configured to use 1-to-1 NAT now operate correctly with Multi-WAN. [67001]
- This release resolves an issue that caused branch office VPNs to fail after a Fireware XTM OS upgrade. [68247]
- The IKE process now remains stable when Mobile VPN with IPSec connections that use the Safenet client are disconnected. [66772]

XTMv

- Network connectivity no longer fails after you upgrade the Fireware XTM OS on an XTMv installation. [69500]
- XTMv appliances with PPPoE configured no longer lose network routes after a reboot. [69492]

Known Issues and Limitations

vailable, we include a way to work around the issue.

General

- When you connect a USB drive to an XTM device, the device does not automatically save a single Support Snapshot to the USB drive. [64499]
  Workaround
  Use the CLI command “usb diagnostic enable” to enable the device to save a diagnostic support ails about this command, see the Command Line Interface Reference Guide.
- The "Sysb" version displayed in the Firebox System Manager Status Report will show blank for XTM models 2, 5, 8, and 1050 that were manufactured prior to the XTM v11.5.1 release.
- 11.5.1 the XTM device counts the combined total number of ping requests and replies, rather than just the total number of ping he default threshold for ICMP Flood Attack protection did not increase, the flood protection could trigger more frequently than it did in earlier releases. [63094]
  Workaround
  In the Default Packet Handling settings, increase the threshold for Drop ICMP Flood Attack from the default value of 1000 packets/second to a higher number.
- When the level of free memory on your XTM device is lower than 20M, saving your XTM device configuration to the device can cause network disruption. [64474]
- The ETH1 interface on the XTM 830F is a fiber-optic port, so you cannot use the WSM Quick Setup mputer with a Fiber NIC, or connect using a switch with both Fiber and Ethernet interfaces. [59742]
- To power off an XTM 5 Series device, you must press and hold the rear power switch for 4–5 seconds. [42459]
- For XTM 5 Series devices, Interface 0 does not support Auto-MDIX and does not automatically sense cable polarity.
- On XTM 2 Series devices, the load average is always displayed at 1 or higher, even when there is no load on the device. [63898]
- An XTM 2 Series device can take up to 5 minutes to reboot.
- When you use the Policy Manager > File > Backup or Restore features, the process can take a long time but does complete successfully. [35450]
- You cannot downgrade an XTM 2 Series device from v11.5.1 to v11.4.1 with the Upgrade OS option in the Web UI. [63323]
- Fireware XTM does not support BGP connections through an IPSec VPN tunnel to Amazon Web nels that do not use BGP are supported. [41534]

- gs not included are:
  - Secondary interface IP address [66990]
  - Configured QoS settings [66992]
  - Static MAC bindings [66993]
  - IPv6 configuration [66994]

XTMv

- XTMv does not automatically change the self-signed certificate when its serial number changes. [66668]
  Workaround
  A new self-signed certificate with the correct serial number is generated if you manually delete the certificate from Firebox System Manager > View > Certificates and then reboot the XTMv device.
- If you import the OVA file in VMware Player (which is not officially supported in this release), you must use the "Enter" key on your keyboard to accept the XTMv End User License Agreement (EULA). The OK and Cancel buttons at the conclusion of the EULA do not appear in VMware Player.

WatchGuard System Manager

- If you use Firebox System Manager to ping across a VPN tunnel, you get a message that reads “No Buffer Space Available.” this message if the VPN tunnel is not re the VPN tunnel is up and try again. [59339]
- WatchGuard System Manager does not display the correct IP address for the default gateway of an XTM device that has no External interface. [56385]
- When you install WatchGuard System Manager or any server software on a computer running Microsoft Windows XP, compatibility mode should not be enabled even if prompted by Windows, for any of the WSM applications, including the installer. [56355]
- Remote managed Firebox or XTM devices configured in Drop-in Mode may not be able to connect to a Management Server that is behind a gateway Firebox or XTM device also configured in Drop-in Mode. [33056]
- If you restore a backup image to a managed client device managed by a Management Server, it is possible that the shared secret becomes out of sync.
  Workaround
  the managed device and select Update the radio button Reset server configuration (IP address/Hostname, shared secret).
- During a WSM upgrade, install, or uninstall on a 64-bit Windows system, any running applications detected by the WSM installer can be stopped successfully, but the installer may not recognize that they have been stopped. [39078]
  Workaround
  -click on the WatchGuard Server Center icon on your re all detected applications are stopped and then retry the WSM install or uninstall.
- her installer (either the WSM client component only or any selected WSM server components) on Microsoft SBS (Small Business Server) 2008 and 2011 on a computer installed with a 64-bit operating system, you see a Microsoft Windows error "IssProc.x64 has stopped working". When you close the error dialog box, the installation completes. [57133]

Web UI

- eatures include:
  - FireCluster
  - Certificate export
  - You cannot turn on or off notification of BOVPN events
  - You cannot add or remove static ARP entries to the device ARP table
- You cannot get the encrypted Mobile VPN with IPSec end-user configuration profile, UI generates only a plain-text version of the end-user configuration profile, with file .
- You cannot edit the name of a policy, use a custom address in a policy, or use Host Name (DNS lookup) to add an IP address to a policy.
- If you configure a policy in the Web UI with a status of Disabled, then open Policy Manager and make a change to the same policy, the action assigned to the policy when it denies packets is changed to Send TCP RST. [34118]
- You cannot create read-only Mobile VPN with IPSec configuration files with the Web UI. [39176]

Command Line Interface (CLI)

- The CLI does not support the configuration of some features:
  - You cannot add or edit a proxy action.
  - You cannot get the encrypted Mobile VPN with IPSec end-user configuration profile, known as the . generates only a plain-text version of the end-user configuration profile, with file .
- The CLI performs minimal input validation for many commands.
- For the XTM 2050, the output of the CLI command “show interface” does not clearly indicate the “show interface” CLI command shows the interface number as the interface label on the front of the device (A0, A2 … A7; B0, B1 … B7; C0, C1) followed by a dash, and then the consecutive interface number (0–17), for all interfaces. [64147]
  Workaround
  Use the consecutive interface number that appears after the dash as the interface number to B1-9 interfaces, the interface number in the CLI command should be C0-1 interfaces, the interface number in the CLI command should be 16-17.

Proxies

- The Policy Manager and Web UI do not provide any warning that the WebBlocker Override may not work for HTTPS. [67208]
- HTTPS DPI (Deep Packet Inspection) does not work for users who use IE 9.0 with TLS 1.1 and 1.2 enabled, but TLS 1.0 and SSL 3.0 not enabled. [65707]
  Workaround
  Use a different browser, or enable TLS 1.0 and SSL 3.0 in your IE 9.0 configuration.
- The XTM device can store only one HTTPS Proxy Server certificate and can protect only one HTTPS website at a time. [41131]
- When an XTM device is under high load, some proxy connections may not terminate correctly. [61925, 62503]
- The ability to use an HTTP caching proxy server is not available in conjunction with the TCP-UDP Proxy. [44260]
- You cannot make a SIP-based call from Polycom PVX softphone behind a Firebox to a Polycom PVX on the external network. [38567]
  Workaround
  You can use the H.323 protocol instead of SIP.
- When you try to stream YouTube videos from an Apple device running iOS, you may see this error message: "The server is not correctly configured."
  Workaround
  ur HTTP proxy policy.
  iew/Edit proxy.
  the Allow range requests through unmodified check box.
  is change to your XTM device.
- The SIP-ALG does not send the Contact header correctly when the Contact header contains a domain sends an empty string of: Contact: <>. If the Contact header contains an IP address, the SIP-ALG sends the Contact header correctly: Contact: . [59622]
  Workaround
  Configure the PBX to send the Contact header with an IP address, not a domain name.

Security Subscriptions

- Some IPS signature information, such as the CVE number, is not available in Firebox System Manager. We provide search capabilities and CVE information for IPS signatures on a web security portal for IPS on the WatchGuard website, which you can access at /SecurityPortal/
- r is already logged in to Skype and a Skype session is already started when Application Control is enabled, Application Control may not detect the activity.
- For XTM 2 Series devices only, Application Control is temporarily disabled during an upgrade, backup, e operation is complete, Application Control starts to work again.
- It is not possible to assign a role for Application Control management from the WatchGuard System Manager role-based administration feature. [59204]
- You cannot use a WebBlocker Server through a branch office VPN tunnel. [56319]

Networking

- lier, the To and From mic routing is enabled, new policies will be created automatically when you upgrade. [67721]
- Policy Checker does not work when your XTM device is configured in Bridge mode. [66855]

- An apostrophe in a DHCP reservation name causes the DHCP reservation to fail. [65529]
- You cannot configure traffic management actions or use QoS marking on VLANs. [56971, 42093]
- You cannot bridge a wireless interface to a VLAN interface. [41977]
- The Web Setup Wizard can fail if your computer is directly connected to an XTM 2 Series device as a n occur because the computer cannot get an IP address quickly enough after the device reboots during the wizard. [42550]
  Workaround
  computer is directly connected to the XTM 2 Series device during the Web Setup Wizard, use a static IP address on your computer.
  itch or hub between your computer and the XTM 2 Series device when you run the Web Setup Wizard.
- When a secondary network is configured for an XTM 2 Series device configured in Drop-In Mode, it can sometimes take a few minutes for computers that connect to the secondary network to appear in the ARP list of the XTM 2 Series. [42731]
- You must make sure that any disabled network interfaces do not have the same IP address as any active network interface or routing problems can occur. [37807]
- If you enable the MAC/IP binding with the Only allow traffic sent from or to these MAC/IP addresses check box, but do not add any entries to the table, the MAC/IP binding feature does not become active. This is to help make sure administrators do not accidentally block themselves from their own XTM device. [36934]
- Any network interfaces that are part of a bridge configuration disconnect and re-connect automatically when you save a configuration from a computer on the bridge network that includes configuration changes to a network interface. [39474]
- When you change the IP address of a VLAN configured on an external interface from static to PPPoE and the Firebox cannot get a PPPoE address, Firebox System Manager and the Web UI may continue to show the previously used static IP address. [39374]
- When you configure your XTM device with a Mixed Routing Mode configuration, any bridged interfaces show their interface and default gateway IP address as 0.0.0.0 in the Web UI. [39389]
- When you configure your XTM device in Bridge Mode, the LCD display on your XTM device shows the IP address of the bridged interfaces as 0.0.0.0. [39324]
- When you configure your XTM device in Bridge Mode, the HTTP redirect feature is configurable from the user interface but does not work in this release. [38870]
- Static MAC/IP address binding does not work when your XTM device is configured in Bridge mode. [36900]
- When you change your configuration mode from Mixed Routing to Bridge or from Bridge to Mixed Routing, the CLI and Web UI may continue to show the previous configuration mode. [38896]
- The dynamic routing of RIP v1 does not work. [40880]
- When an IP address is added to the Temporary Blocked Site list by the administrator through the Firebox System Manager > Blocked Sites tab, the expiration time is constantly reset when traffic is received from the IP address. [42089]

Multi-WAN

- The multi-WAN sticky connection does not work if your device is configured to use the multi-WAN Routing Table mode. [62950]
- When you enable the multi-WAN Immediate Failback option for WAN failover, some traffic may fail over gradually. [42363]

Wireless

- The 5 GHz Wireless band does not work when you use channels 36, 40, 149 or 165. [65559]

Authentication

- Citrix 4.5/5.0 servers installed in VMware do not work with Terminal Server Single Sign-On. [66156]
  Workaround
  This feature works with Citrix 6.0 and 6.5 servers installed in VMware.
- Clientless SSO is not supported on a TLS-Enabled Active Directory environment.
- If you use Terminal Services authentication, no authentication verification is done against traffic of any cludes DNS, NetBIOS, and ICMP traffic.
- It is not possible to use the Automatically redirect users to the authentication page authentication option together with Terminal Services authentication.
- To enable your XTM device to correctly process system-related traffic from your Terminal or Citrix server, the Te of this, you may need to a can learn more about how Backend-Service operates in the product help system.
- For the Authentication Redirect feature to operate correctly, HTTP or HTTPS traffic cannot be allowed through an Authentication Redirect feature operates only when policies for port 80 and 443 are configured for user or user group authentication. [37241]

Centralized Management

You cannot create a new user account for role-based administration from the Management Server that includes unsupported special characters, t create the user account from WatchGuard Server Center. [70464]

e Configuration Template. [55732]

If you used Centralized Management with devices subscribed to templates in earlier versions of WSM,

11.4 or higher, these templates are updated and the devices are

ng templates are updated to use “T_” in their object names (to match the object names in the devices that used to subscribe to them). After you upgrade, you’ll see the template upgrade that occurs during upgrade in your revision history.

When an XTM template is applied to a managed device, the Management Server creates a new configuration revision for the device only if the new revision is going to be different from the current

s also no feedback about why a new configuration revision was not created. [57934]

FireCluster

You cannot upgrade an active/passive FireCluster over a BOVPN. [39746]

The time on the FireCluster backup master can get out of sync with the cluster master, even when NTP is enabled. [66134]


Workaround

t to the cluster, launch Firebox System Manager, and then select Tools > nchronizes the time on both cluster members to the time on the management computer.

When spanning tree protocol (STP) is enabled on some switches, a FireCluster failover can take 10 seconds or longer. [66180]

Workaround

Disable STP on the switch, configure the switch to use rapid STP, or use a different switch.

You might need to re-import the HTTPS DPI certificate after you upgrade the Fireware XTM OS for a FireCluster. [65280]

You cannot use the secondary IP address of an XTM device interface to manage a FireCluster configured in active/active mode. [64184]

Workaround

Use the primary IP address of an XTM device for all management connections to an active/active FireCluster.

Users granted access to monitor FireCluster through role-based administration cannot see the FireCluster device in Log and Report Manager. [65398]

The FireCluster backup master may become inactive when Mobile VPN with SSL or PPTP is configured to use an IP address pool that includes the cluster IP address. [63762]

Workaround

Avoid using an IP address pool that conflicts with the cluster IP addresses.

If the Log Server cannot be reached from the management IP addresses, only the current FireCluster

n occur if the Log Server is connected through an External network, but the management IP addresses are on a Trusted or Optional network. [64482]

If you change the network configuration of a FireCluster from Routed mode to Drop-in mode, and then change it back to Routed mode, the IP address of the cluster interface is not correctly shown in the Policy Manager Network > rect cluster interfaces are shown in the FireCluster configuration dialog box. [63905]

Gateway AV updates in a system that is low on memory may result in a FireCluster failover. [62222]

Workaround

Reduce the frequency that the system checks for Gateway AV updates to minimize the chance of this occurring.

If a monitored link fails on both FireCluster members, the non-master member is switched into passive

-WAN failover caused by a failed

uster failover occurs only when the physical interface is down or does not respond.


Each XTM device has a set of default IP addresses assigned to the device interfaces in a range starting

et the IP address of the Primary or Backup cluster interface to one of the default IP addresses, both devices restart, and the backup master becomes inactive. [57663]

Workaround

Do not use any of the default IP addresses as the Primary or Backup cluster interface IP address.

When you have an active/active FireCluster and use the WebBlocker Override feature, you may be prompted to enter your override password twice. [39263]

Every network inte t make sure that all enabled interfaces are physically connected to a network device.

If you use HP ProCurve switches, you may not be able to configure your FireCluster in active/active mode because these switches may not support the addition of static ARP entries. [41396]

If you use the Mobile VPN with IPSec client from the same network as the external network address configured on your FireCluster, some traffic may not go through the VPN tunnel. [38672]

Mobile VPN with PPTP users do not appear in Firebox System Manager when you are connected to a

only connected to the active Firebox when using an active/passive FireCluster. [36467]

It is not possible to use a VLAN interface IP address for a FireCluster management IP address. [45159]

11.5.1, the management computer must be on the same network as the FireCluster management IP addresses. [63278]

Logging and Reporting

When you change the log level for your WatchGuard Log Server and click Apply, the change does not take effect. [60088]

Workaround

hGuard Server Center, on the Log Server Logging tab, change the log level for log messages from the Log Server and click Apply.

ervers tree, onfirmation message, select Yes.

-click Log Server again and select Start Server.

The Denied Packets Summary report is not yet available in the Log and Report Manager. [63192]

The PDF output of the Web Activity Trend report does not include time labels on the x-axis when viewed

d time information is included in the table below the report. [64162]

11.5.1, reports generated near the time of the upgrade may not show up in Log and Report Manager. [64325]

If a daily report schedule name includes a colon or certain other characters (for example: "1:35"), the system returns an error. [63427]

Workaround

Make sure that your report schedule names use only characters that are valid in Windows file

find valid characters in articles such as /en-us/library/windows/desktop/aa365247%28v=vs.85%.


Log collector will crash when it reaches the 2 GB virtual size limit on 32-bit Windows systems. [64249]

u sort by Destination, the field sorts by IP address and not the destination host name (if available). When you sort by Disposition, some items in the "deny" state do not sort accurately within groups. [62879]

Any configured daily or weekly “Archived Reports” you have in your v11.3 configuration are automatically converted to scheduled reports after you upgrade to WSM v11.4 or higher.

Mobile VPN

You cannot generate a Mobile VPN with IPSec configuration file when the group name contains the asterisk or period characters (*, .). [66815]

If you set the diagnostic log level for Mobile VPN with SSL traffic to “debug” level, log messages stop displaying in Firebox System Manager > Traffic Manager. [65165]

Workaround

Set the diagnostic log level for Mobile VPN with SSL to any log level less granular than “debug”.

If you add a new feature key that adds Mobile VPN with SSL licenses for your XTM device, you must reboot your XTM device to enable the additional Mobile VPN with SSL users. [65620]

When you connect a Mobile VPN with SSL v11.5.1 client for the first time to an XTM device upgraded to v11.5.2, the client upgrade sometimes fails. [65635]

Workaround

Install the Mobile VPN with SSL client manually.

You cannot establish a Mobile VPN with SSL connection from a Windows-based computer when the Windows system account is Chinese. [58208]

When you use the built-in IPSec client from an iPhone or iPad, the client connection will disconnect

caused by a limitation in the Cisco client used by iPhone/ t reconnect the IPSec client to reestablish the VPN tunnel. [63147]

Mobile VPN with PPTP connections from Android mobile devices do not work consistently on 3G mobile networks. [63451]

Connections from the Mobile VPN with IPSec client can route through the wrong external interface when the XTM device is configured for multi-WAN in round-robin mode. [64386]

You cannot configure Mobile VPN with SSL to bridge network traffic to a bridged interface. [61844]

Mobile VPN with SSL users cannot connect to some network resources through a branch office VPN tunnel that terminates on an active/active FireCluster. [61549]

You cannot ping the IP address of the XTM device interface to which a Shrew Soft VPN client

ping computers on that network, but not the interface IP address itself. [60988]

Shrew Soft VPN client connections can drop if there are multiple clients connected to an XTM device at the same time issuing Phase 2 rekeys. [60261]

Phase 1 rekeys initiated by the Shrew Soft VPN client cause the client to be disconnected, if connected

case, we recommend that you set the rekey on your XTM device to 23 hours -- one hour ces the XTM device to initiate the rekey, and gives the client a notification that the tunnel must be re-established. [60260, 60259]


A continuous FTP session over a Mobile VPN with IPSec connection could get terminated if an IPSec rekey occurs during the FTP transfer. [32769]

Workaround

Increase the rekey byte count.

The Mobile VPN for SSL Mac client may not be able to connect to an XTM device when the authentication algorithm is set to SHA256. [35724]

Branch Office VPN

Manual branch office VPN fails when the pre-shared key exceeds 50 characters. [65215]

Do not use the same name for both a VPN Gateway and a VPN Tunnel. [66412]

When you configure your XTM device in multi-WAN mode, you must select which interfaces to include

e are any interfaces that you choose not to include in your multi-WAN configuration (ar the check box for that interface), the system does not create a route

n cause a problem if you have a branch office VPN configured to include that

case, the VPN tunnel can fail to negotiate with its remote peer. [57153]

Workaround

If you use multi-WAN and have problems with your branch office VPN tunnels failing to negotiate with their remote peers, you must open your multi-WAN configuration and select Configure

re that the appropriate interfaces are included in your multi-WAN configuration.

A branch office VPN tunnel does not pass traffic if an inbound static NAT policy that includes IP 50 and IP 51 protocols exists for the external IP address of the XTM device. [41822]

Managed branch office VPN tunnels cannot be established if the CRL distribution point (for example, the WatchGuard Management Server or a third-party CRL distribution site you use) is offline. [55946]

nch office VPN tunnel uses Any for the Local part of a tunnel route, Fireware XTM interprets this to mean network 0.0.0.0 and subnet mask 0.0.0.0 (in slash notation, 0.0.0.0/0). If the remote IPSec peer does not send 0.0.0.0/0 as its Phase 2 ID, Phase 2 negotiations fail. [40098]

Workaround

the Local part of your

e IP addresses of computers behind the XTM device that actually participate

t the administrator of the remote IPSec peer to determine what that device uses for the Remote part of its tunnel route (or the Remote part of its Phase 2 ID).

If you have a large number of branch office VPN tunnels in your configuration, the tunnels may take a long time to appear in Policy Manager. [35919]

Workaround

From Policy Manager, select View > he Highlight Firewall policies based on traffic type check box.


Using the CLI

The Fireware XTM CLI (Command Line Interface) ormation on how to start and use the CLI, download the CLI guide from the documentation website at /help/documentation/ ave been no updates to the CLI Guide for this release.

Technical Assistance

For technical assistance, contact WatchGuard Technical Support by telephone or log in to the WatchGuard Portal on the Web at / u contact Technical Support, you must supply your registered Product Serial Number or Partner ID.

Phone Number

rs: 877.232.3531

International End Users: +1 206.613.0456

Authorized WatchGuard Resellers: 206.521.8375
