Whats New in WSM 10 and Fireware 10

What’s New in WSM 10 and Fireware 10 Presenter Date

What’s New in WSM/Fireware 10 WSM 10 Overview New in WSM 10 • New SQL-based logging and reporting architecture • Watch. Guard Management Server enhancements • Firebox System Manager enhancements • New help system with search and Table of Contents 2

What’s New in WSM/Fireware 10 Overview New in Fireware 10 • Mobile VPN with SSL • New proxies for Vo. IP support • New TCP/UDP proxy for multiple protocol detection • Enhancements to security subscriptions • Single Sign-On • More integration with Live. Security • BOVPN and Mobile VPN with IPSec enhancements • New notifications • Networking enhancements 3

New in WSM 10 4

New Logging and Reporting Architecture 5

New Logging and Reporting Architecture Overview The new logging and reporting architecture includes: • New SQL-based Log Server • Totally redesigned Log. Viewer application • New Report Server • New Report Manager (replaces Historical Reports) One change to the Watch. Guard Toolbar: New Report Server icon 6

New Logging and Reporting Architecture About the SQL Database Uses Postgre. SQL • Postgres is installed during either: • Log Server Setup Wizard • Report Server Setup Wizard • The server you set up first (Report Server or Log Server) installs Postgres • Because Postgres does not install over an RDP session, do not run the Log Server or Report Server Setup Wizard over RDP • Postgre. SQL installation creates the data directory and its structure • There is no UI option to change the location of the data directory after Postgres is installed • Installs a non-admin user account watchguard_pg_user • Do not alter this account; it is for the Postgres service • In this release, you must use command line for: • Importing old XML log files into the database • Restoring a backup of the database 7

New Log Server SQL-based Advantages to using SQL database for logs • Much more scalable • Logs from multiple appliances now stored in one database • No more discrete XML log files • Faster and more powerful log file search • Faster report generation • Report can be run on data stored in different Log Servers Automatic maintenance jobs are user-configurable: • Automatic daily deletion of old logs • Automatic daily backup 8

New Log Server Setup Wizard Click once on the Log Server icon to start the Log Server Setup Wizard 9

New Log Server Setup Wizard Postgre. SQL is installed and the database directory is created when you run either: • The Log Server Setup Wizard or • The Report Server Setup Wizard 10

New Log Server Setup Wizard Pay close attention to this screen of the Setup Wizard • To change the log data directory after Postgre. SQL is installed, you must run the Setup Wizard again. 11

New Log Server - Admin User Interface Configure the Log Server To configure the Log Server, left-click once on the Log Server icon in the Watch. Guard toolbar. Or, right-click and select Configure 12

New Log Server Settings Tab Log Server Configuration The Log Server can send notifications about itself to this address. Firebox Event Notifications also go to this address 13

New Log Server - Log Server Configuration Expiration Settings Tab Automatically purge old logs Automatically back up logs Send appliance notifications 14

New Log Server - Log Server Configuration Logging/Monitoring Settings tab All Firebox appliances that send logs show here Send log messages about the Log Server itself to: • The Windows Event Viewer • A text file 15

New Log. Viewer Total Redesign for Maximum Usability All-new enhanced Log. Viewer gives powerful new features 16

New Log. Viewer Launch and Connect to a Log Server Start Log. Viewer from the Watch. Guard System Manager. Then, connect to a Log Server. 17

New Log Viewer Select the appliance or server to view logs Select one or more devices to see their logs All devices logging to this Log Server (including other servers) show here Report Server and Management Server can also send logs to Log Server! 18

New Log. Viewer Arrange the windows for the different devices’ logs Cascade the windows Or tile them 19

New Log Viewer Category View: • All logs • Only traffic logs • Only alarms • Only events • Only debug logs • Only bandwidth statistics messages 20

New Log. Viewer Date Range View Select a preconfigured range 21 Or make a custom time filter

New Log. Viewer – String Search Simple string search is very useful Search for: • An IP address • Blocked sites / blocked ports • All messages with a key word, for example: • IKE • Type of email or HTTP header • A username 22

New Log Viewer – Search Put context to the message When Search finds an interesting log message, you can show the log messages before and after it. Right-click the message and select Show Log Excerpt Or press F 5 You see 50 messages before and after the target log message 23

New Log. Viewer Preferences Store general preferences • Your primary Log Server • How many messages before and after the target in Log Excerpt • How many searches to remember 24

New Log. Viewer Preferences Store viewing preferences • Default log type • Font size • Which columns to display for the different log types 25

New Log. Viewer Search Manager Tools Search Manager Create powerful searches and save them for later use Advanced Search shows why a SQL database is better 26

New Log. Viewer Multiple export options Export logs as: • CSV (comma- separated value) file • HTML page • PDF • XML file Instantly email logs as: • CSV file • PDF Select and copy as plain text 27

New Report Server What it does Overview Collects and presents log data • Periodic collection from Log Server • Periodic generation of reports • Provides reports to Report Manager via XMLRPC • Reports are immediately viewable and automatically refresh 28

New Report Server What It Does Overview Log Data Log Server Consolidated Log Data Reports 29

New Report Server – Expiration Settings tab Server Settings tab is identical to same tab in Log Server Expiration Settings tab: • Automatically delete old reports • Turn on notification of events about the Report Server itself 30 Configuration

New Report Server – Report Generation tab Tell the Report Server where to get data This is the server management passphrase, not the log encryption key! 31 Configuration

New Report Manager Overview Report Manager is the client application that connects to the Report Server Replaces old Historical Reports The left-hand pane shows the available reports The right-hand pane is a browser (based on Internet Explorer) showing the selected report 32

New Report Manager Launch and Connect to a Report Server Start Report Manager from WSM. Then, connect to a Report Server. 33

Report Server Available Reports carried forward from earlier Historical Reports: • Denied Packet Summary • Denied Packet Detail • Incoming • Outgoing • SMTP Summary • SMTP Server Summary • SMTP Detail • SPAM Summary • Firebox Statistics • POP 3 Summary • POP 3 Detail • Alarms • Packet Filter Host Summary • Proxy Host Summary 34 • HTTP Most Popular Domain • HTTP Summary • HTTP URL Detail • IPS Packet • IPS Summary and its detail subreports: • Protocol • Severity • Source • Signature • AV Summary and its detail subreports: • Protocol • Host • Virus • Sender • Web. Blocker Detail

Report Server Available Reports New Reports in 10: • HTTP Most Active Client • Web Surfing • External Interface Bandwidth Report • Management Server Audit Trail Detail • Management Server Authentication • BUM “Boxes Under Management” 35

Management Server Enhancements 36

What’s New in WSM/Fireware 10 Management Server Enhancements - Overview Multi-user support Record locking Configuration passphrase caching Force comments on Config Change Folders with lockout Notification enhancements Live. Security Alerts 37

Management Server Enhancements Multi-user support Add users on new Users tab of Management Server Configuration 38

Management Server Enhancements Multi-user support Management Server user accounts: • Admin privileges • Can create new user accounts on the Management Server • Can administer all devices under management with WSM connection to Management Server • Read-Write privileges • Can administer all devices under management with WSM connection to Management Server • Read-Only privileges • Can view all devices under management • This user connects to the Management Server in Monitoring Mode 39

Management Server Enhancements Multi-user support Users must now provide username and passphrase when connecting • Provides audit trail in Management Server report Default account is admin • This account uses the server management passphrase • This is the same password you used before to connect to your Management Server from WSM 40

Management Server Enhancements Record locking and caching passphrases When you bring up Policy Manager for a managed device: • WSM prevents others from using Policy Manager for that device when they connect to the Management Server • Reduces the chance that conflicting edits are made at the same time by different users • Policy Manager automatically enters the device’s configuration passphrase when you save the configuration back to the Firebox • No need to remember the configuration passphrases for all your managed devices • No need to share managed devices’ configuration passphrases with others For this to work: • Firebox you manage must be running Fireware 10 • You must launch Policy Manager via a connection to the Management Server (not a connection to the device itself) 41

Management Server Enhancements Record locking Connect to Management Server using WSM Launch Policy Manager for an appliance • The device record is locked When a different user connects to the Management Server at the same time: • A “Maintenance Alert” shows for that device • Policy Manager is not available for that device 42

Management Server Enhancements Configuration passphrase caching When you use that instance of Policy Manager to save the configuration, Policy Manager automatically puts the appliance’s configuration passphrase into the entry field When you close Policy Manager (or use it to File > Open a different Firebox) the lock is released 43

Management Server Enhancements Force comments on config change • Turn this on in Management Server Configuration 44 Users must add comment when saving config via a connection to Management Server

Management Server Enhancements Folders with lockout Right-click Management Server and select Add New Folder 45

Management Server Enhancements Folders with lockout You can make a VPN between two devices inside the same locked folder You cannot make a VPN tunnel between a device in a locked folder and a device not in the same locked folder • Prevent “mistake” VPNs • Those can cost the managed security provider $$ and reputation Locked folder has a padlock on the folder’s icon 46

Management Server Enhancements Notification enhancements Get notified if a managed device does not contact the Management Server when its DVCP lease expires From: mgt-server@your. business Subject: Notice from Management Server Host: dc 01 Time: Fri Feb 08 09: 15: 34 2008 Process: 3848: 3900 Message: Information (8249), no contact from device with name Miami_X 6500 e, id 50. 50. 254, and IP address 50. 50. 254 47

Management Server Enhancements Live. Security Alerts WSM displays Live. Security broadcasts when you select the Management Server Alerts that will appear: • New software updates available • Watch. Guard vulnerabilities 48

Quarantine Server Enhancements 49

Quarantine Server Enhancements Quarantine email based on virus classification You can now send SMTP mail to the Quarantine Server based on whether Gateway Anti. Virus detected a virus 50

Quarantine Server Enhancements Quarantine mail based on virus classification You can send SMTP mail to the Quarantine Server based on whether spam. Blocker’s Virus Outbreak Detection detected a virus 51

Firebox System Manager Enhancements 52

What’s New in WSM/Fireware 10 Firebox System Manager Enhancements - Overview Front Panel tab updated for Mobile VPN with SSL Search Traffic Monitor Display logs by type of message Multiple-line select (ctrl-click or shift-click) and copy Select notifications from entire event catalog Service Watch graph by bandwidth 53

Firebox System Manager Enhancements Front Panel Tab Mobile VPN with SSL sessions displayed on Front Panel tab 54

Firebox System Manager Enhancements Front Panel Tab Log off remote users from Front Panel tab 55

Firebox System Manager Enhancements Traffic Monitor Tab Search Traffic Monitor 56

Firebox System Manager Enhancements Traffic Monitor Tab View: • All logs • Only traffic logs • Only alarms • Only events • Only debug logs • Only bandwidth statistics messages 57

Firebox System Manager Enhancements Traffic Monitor Tab Multiple-line select (ctrl-click or shift-click) and copy 58

Firebox System Manager Enhancements Traffic Monitor Tab Select Notifications from Event Catalog Right-click an event in Traffic Monitor • Instantly set up notification for the next time that event happens 59

Firebox System Manager Enhancements Service Watch Tab Use Service Watch to: • Graph the traffic going through each policy by bandwidth • See the number of sessions going through each policy 60

New Help System 61

New Help System Searchable, with Table of Contents 62

New in Fireware 10 63

Mobile VPN with SSL 64

Mobile VPN with SSL Overview PC and Mac compatible – one download page for both 65

Mobile VPN with SSL URL for users to get the software URL to authenticate and get the client software: • https: //[firebox. ip. address]: 4100/sslvpn. html • Note the /sslvpn. html at the end URL to authenticate only remains the same • https: //[firebox. ip. address]: 4100 66

Mobile VPN with SSL Configuration in Policy Manager Simple straightforward configuration • Policy Manager: VPN Mobile VPN SSL • Use any authentication server • Specify which WAN users connect to first and second (failover) • Allow granular access or access to all connected networks 67

New Proxies for Vo. IP Support 68

New Proxies for Vo. IP H. 323 and SIP These proxies work to allow some Vo. IP/Videoconferencing through the Firebox: • SIP Proxy • H. 323 Proxy H. 323 proxy supports NAT-traversal for voice and video traffic • H. 323 Gatekeeper (“PBX” hosting/trunking) and T. 120 multimedia support not in this release. • H. 323 support is limited to point-to-point connections SIP proxy supports NAT-traversal for voice and video traffic • Does not provide the PBX registration capabilities of a typical standalone SIP Registrar-Proxy • Must have your own Registrar-Proxy server to route these connections • SIP proxy has only been tested with PBX’s located on the external segment of the Firebox (hosted scenario, no trunking). 69

New Proxies for Vo. IP H. 323 and SIP Simple to configure H 323 70 SIP

New Proxies for Vo. IP TFTP Trivial File Transfer Protocol • For more than just Vo. IP Typically for: • Sending updates to Vo. IP devices under management • Sending configuration files • Sending ROM images or firmware updates TFTP Proxy lets you allow or deny content by matching file name patterns for: • Downloads • Uploads 71

New TCP-UDP Proxy Multiple Protocol Detection TCP-UDP Proxy detects what protocol the traffic is: • HTTPS • SIP • FTP 72

New HTTPS Proxy What it can do HTTPS Proxy Block objectionable HTTPS sites using Web. Blocker Allow or deny access to web sites based on Domain Names • Fireware matches Domain Name patterns against the Subject field in the web site’s SSL certificate 73

Enhancements to Security Subscriptions 74

What’s New in WSM/Fireware 10 Enhancements to Security Subscriptions Intrusion Prevention (IPS) Enhancements • New signature set • Broader range of signatures • Botnet protection for servers • Updated signature scanning engine • Approximately 40% increase in IPS performance • Simpler IPS Configuration • P 2 P and IM now integral part of Fireware (no IPS license required) Web. Blocker Enhancements • Expanded Category List • Web. Blocker for HTTPS spam. Blocker Enhancements • Virus Outbreak Detection 75

Web. Blocker Enhancements 40 Category to 54 Category Mapping 40 -Category List name 54 -Category List name Arts & Entertainment Arts Entertainment Drugs, Alcohol, Tobacco Illegal Drugs Alcohol & Tobacco Violence Tasteless & Offensive Hacking Spyware Computing & Internet Downloads Criminal Skills Criminal Activity Phishing & Fraud Glamour & Intimate Apparel & Swimwear Fashion & Beauty Government & Politics Government Politics Lifestyle & Culture Society & Culture Philanthropic & Professional Organizations Remote Proxies & Translators Peer-to-Peer NOT REPRESENTED Spam URLs NOT REPRESENTED Infrastructure NOT REPRESENTED Business 76 Ringtones / Mobile Phone Downloads

Single Sign-On 77

Single Sign-On Requirements Only for Active Directory domains • Install Watch. Guard Authentication Gateway software on a domain computer • This computer called the SSO Agent • The domain account under which the agent software runs must: • Have “Log on as a service” permission granted (for the service to run automatically) • Be a member of Domain Admins group (to query PCs running Vista) • All domain PCs must allow connections over 139 and 445 • Add exceptions to Windows Firewall for File and Printer Sharing, or turn off Windows Firewall 78

Single Sign-On Settings Policy Manager: Setup Authentication Settings • IP address of the PC running Watch. Guard Authentication Gateway software (the SSO agent) • How long the SSO agent should cache responses it gets from PCs it queries • IP addresses that the Firebox will not ask about 79

Single Sign-On How it works 1 • Firebox sees traffic come from a trusted or optional or VLAN interface • SSO does not work for traffic coming from an external interface • Firebox sends query to SSO agent (PC running Watch. Guard Authentication Gateway software) • This is a port 4114 connection. Command is get user <ip. address> • SSO agent checks its cache. • If it has an entry for this IP address, it returns an answer to the Firebox • If not in cache, SSO agent queries that IP address • Uses Windows Net. Wksta. User. Enum() call • Windows Networking connection over port 139 and/or 445 • If SSO agent PC gets no reply, send error message to Firebox • The IP address is not added to authentication list 80

Single Sign-On How it works 2 • PC returns answer to SSO agent. There can be more than one answer • SSO agent uses only the first answer it gets from the PC • SSO agent sends query to Active Directory server to find what groups the user is a member of • Active Directory returns all values of member. Of attribute tied to that user object • SSO agent PC returns answer to Firebox • User name logged in to that PC and groups of which the user is a member • Firebox puts <IP address>, <user name>, and <groups of which the user is a member> in its internal list of authenticated users • Authentication List tab of Firebox System Manager displays the IP address and user name of authenticated users 81

Single Sign-On How it works 3 Use user names and Active Directory groups in your policies to restrict access 82

BOVPN and Mobile VPN with IPSec Enhancements 83

What’s New in WSM/Fireware 10 VPN Enhancements Selective Auto-start of BOVPN Tunnels Dead Peer Detection Mobile VPN with IPSec Policies More Configurable Notification of BOVPN Events 84

VPN Enhancements Selective auto-start of BOVPN tunnels At the bottom of the General Settings tab of the Gateway 85

VPN Enhancements Mobile VPN with IPSec more configurable You can now edit the Mobile VPN/IPSec policy to change the allowed access. The policy is no longer tied to the “allowed resources” assigned to the Mobile VPN/IPSec Group 86

VPN Enhancements Dead Peer Detection On the Phase 1 Settings tab of the Gateway 87

VPN Enhancements Notification of BOVPN events VPN > VPN Settings > BOVPN Notification button 88

New Notification Options 89

New Logging and Reporting Architecture Notification enhancements SNMPv 3 Support New Web. Blocker Alarm Options The Firebox can now send notifications for: • Multi-WAN Events • BOVPN Down • Lost contact with Web. Blocker Server 90

Networking Enhancements 91

What’s New in WSM/Fireware 10 Networking Enhancements Static MAC/IP Address Binding • Edit an interface Advanced tab • Select Only allow traffic sent from or to these MAC/IP Addresses to lock out all other traffic on this interface • Keep the box cleared to add only Static ARP entries 92

More Integration with Live. Security® 93

What’s New in WSM/Fireware 10 Live. Security Integration Quick Setup Wizard pulls feature key from Live. Security • Appliance must be registered before you can use the QSW to get the Feature Key • If the appliance is not registered, you can get to the Internet during the Quick Setup Wizard to register it • You can skip this step of the Wizard if you have not registered the device yet • If there is no Feature Key, one user can get to the Internet after it is configured 94

What’s New in WSM/Fireware 10 Live. Security Integration New Updated feature key display • Easier to understand • Easier to see when features expire Old 95

Thank You! 96