GAV Outage for 11.10.5 and earlier software versions

AV Signatures in 11.x releases

With the release of 12.0, WatchGuard introduced a new GAV engine to take advantage of new AV industry technology, and announced that it would discontinue support for the older AVG engine in Fireware 11.x by January 2018. GAV signature support for 11.10.7 and above will remain in place until April 2018.

As of December 31, 2017, appliances running 11.10.5 and earlier Fireware versions may be experiencing scan errors and observing the following messaging in the log files:

01-02 13:41:58 scand license init failed(The license has expired.)       Debug

2018-01-02 13:41:58 scand Instance_Create failed.              Debug

The licensing error is in relation to the license key expiration of the AV scanning engine provided by AVG and not the appliance’s feature key.  The licensing of AVG’s scanning engine has been extended until April 2018 in 11.10.7 and later Fireware versions. We recommend that you have your customers upgrade to our latest software build 12.1 to resolve this issue.  If that is not currently an option, please upgrade to at least 11.10.7 to resolve this GAV licensing/scanning issue. 

Please note that when upgrading to 12.x software versions, signature updates may take up to 20 minutes to complete.  During this time, you may experience scanning issues but these will resolve once the signatures have completed the update process. For more detailed information, see the release notes for 12.0.
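The following sketch is an added example, not WatchGuard code: it scans exported log lines for the two scand messages quoted above and maps a Fireware version to the upgrade guidance in this post. The line layout is an assumption inferred from those two lines, the third sample line is constructed, and the function names are hypothetical.

```python
import re

# The two messages this page quotes for the expired AVG engine license.
SIGNATURES = (
    "license init failed(The license has expired.)",
    "Instance_Create failed",
)

# Assumed layout, inferred only from the two lines quoted on the page:
#   [YYYY-]MM-DD HH:MM:SS <process> <message>   <level>
LINE_RE = re.compile(
    r"^(?P<ts>(?:\d{4}-)?\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<proc>\S+)\s+(?P<msg>.*?)(?:\s{2,}(?P<level>\w+))?\s*$"
)

SAMPLE_LOG = [  # first two lines are from the page, the third is constructed
    "01-02 13:41:58 scand license init failed(The license has expired.)       Debug",
    "2018-01-02 13:41:58 scand Instance_Create failed.              Debug",
    "2018-01-02 13:42:03 exampled constructed unrelated message        Debug",
]


def find_gav_license_errors(lines):
    """Return (timestamp, signature) for each scand line matching a signature."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("proc") != "scand":
            continue
        hits.extend((m.group("ts"), s) for s in SIGNATURES if s in m.group("msg"))
    return hits


def parse_version(text):
    """'v11.10.5' -> (11, 10, 5); assumes a purely dotted numeric version."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


def remediation(version):
    """Map a Fireware version to the guidance given on this page."""
    v = parse_version(version)
    if v >= (12,):
        return "runs the new GAV engine introduced in 12.0"
    if v >= (11, 10, 7):
        return "AVG engine license extended until April 2018: plan upgrade to 12.x"
    if v > (11, 10, 5):
        return "not stated on the page: confirm with the release notes"
    return "affected: upgrade to 12.1, or at least to 11.10.7"


if __name__ == "__main__":
    for ts, sig in find_gav_license_errors(SAMPLE_LOG):
        print(ts, "->", sig)
    for ver in ("11.10.5", "11.10.6", "11.10.7", "12.0.2"):
        print(ver, "->", remediation(ver))
```

Versions between 11.10.5 and 11.10.7 are reported as not covered because the post gives no statement for them.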

To stay up to date on this issue, please subscribe to receive updates from our Product and Support News blog.

Thank you for all that you do as a loyal WatchGuard customer.


Source: WatchGuard

WatchGuard Dimension 2.1.1 Update 2 now available

We are pleased to announce the availability of WatchGuard Dimension 2.1.1 Update 2. This maintenance release is now available from the Software Downloads Center, together with release notes and update instructions. WatchGuard Dimension 2.1.1 Update 2 addresses several frequently reported issues and introduces some security enhancements, including:

  • APT content names with reserved characters would cause PDF reports to fail

  • Log Collector issue that caused incorrect logging status to be displayed for devices

  • Log Collector process unexpectedly restarts due to large number of simultaneous connections

  • Backup locations are now clearly indicated using sftp:// URLs instead of local mount points

  • Dimension SSH service now correctly rejects weak ciphers

 

Does this release pertain to me?

This release applies to all users of the WatchGuard Dimension network security visibility solution.  We highly recommend that any administrators using WatchGuard Dimension upgrade their solution to 2.1.1 Update 2 to take advantage of the security improvements available in the release. 

 

Software Download Center

Firebox and XTM appliance owners with active support subscriptions can obtain this update without additional charge by downloading the applicable packages from the WatchGuard Software Download Center.

 

Contact

For Sales or Support questions, you can find phone numbers for your region online. If you contact WatchGuard Technical Support, please have your registered appliance Serial Number or Partner ID available.


Source: WatchGuard

Customer Support Access Changes

As a loyal WatchGuard customer, I’m sure that you’re aware that WatchGuard is growing!  To address your future needs, WatchGuard Customer Support is changing the way our technicians connect to your WatchGuard appliance while working on a support case.

New Option to Enable Support Access

Over the years, you have used a list of IP addresses in a WatchGuard policy to grant our technicians access to a Firebox or XTM appliance to troubleshoot issues. For added security and ease of granting WatchGuard Support access, we have added a Support Access feature to Fireware v12.0.1.

The Support Access option enables WatchGuard Support to connect to your Firebox with read-only permission. It adds a temporary user account with read-only permission and a temporary hidden policy that allows connections to the Firebox from ts.watchguard.com. You can automatically generate credentials or specify a user name and password to provide to your WatchGuard support representative.

You can also define an expiration for the temporary Support Access account.  Options for support access account expiration include:

  • None (no expiration)
  • 3 months
  • 1 month
  • 1 week
  • 1 day

 

New Connection IP Network Address

Appliances that run Fireware v12.0 or earlier will continue to use the WatchGuard policy configuration process, which involves adding specific IP addresses and ranges to the WatchGuard policy.  WatchGuard Support is migrating to a new public subnet as part of an IT infrastructure change. For instructions on updating or setting up your WatchGuard policy configuration please see the knowledge base article #10426:  Allow WatchGuard Support to connect to your Firebox.

As you migrate to Fireware v12.0.1 and higher software versions, please begin using the more secure and easy-to-use Support Access process to provide read-only access to your Firebox when working on support cases. For more detailed information on the Support Access feature, please see the online documentation.

Wishing all our loyal WatchGuard customers a wonderful holiday season.


Source: WatchGuard

Fireware 12.1 Now Available

We are pleased to announce the new release of Fireware 12.1 and WSM 12.1! These significant new releases are now available for download from the software download center. The highlight of Fireware 12.1 is the Access Portal, a clientless application portal that is available for SSO integration for cloud assets and internal resources via RDP and SSH. With the rate and notoriety of recent cybersecurity incidents involving compromised personal information, the marketplace for web-based authentication solutions continues to grow at a Compound Annual Growth Rate upwards of 10%.[1] The Access Portal is uniquely positioned to integrate into existing authentication markets to provide a clientless experience while encouraging strong authentication with existing SSO vendors or even providing MFA access (e.g. Google Authenticator) to the portal itself.

The release of Fireware 12.1 adds a bevy of networking, VPN and proxy improvements that allow the network administrator to focus on the network without compromising security:

  • BoVPN over TLS provides an alternative to IPSec for site to site VPNs;
  • Mobile VPN w/ IKEv2 enables support for native VPNs on mobile operating systems including Mac, Windows, iOS, and Android
  • USB modem interface enabled to deliver physical interface features such as Multi-WAN enablement, traffic management
  • New IMAPS proxy, HTTPS domain software exclusion list, and WebBlocker UI improvements
  • Gateway Wireless Controller developed with band steering capability and additional passphrase protections

 

Does this release pertain to me?

The Fireware release applies to all Firebox T, Firebox M, and XTM appliances, except XTM 21/21-W, 22/22-W, or 23/23-W, XTM 505, 510, 520, and 530 which have reached the End of Life.

Software Download Center

Firebox and XTM appliance owners with active support subscriptions can obtain this update without additional charge by downloading the applicable packages from the WatchGuard Software Download Center.

Contact

For Sales or Support questions, you can find phone numbers for your region online. If you contact WatchGuard Technical Support, please have your registered appliance Serial Number or Partner ID available.

 

[1] https://www.forrester.com/report/Forrester+Data+Identity+And+Access+Management+Software+Forecast+2016+To+2021+Global/-/E-RES137200


Source: WatchGuard

Wi-Fi Maintenance Update

Hello WatchGuard Wi-Fi Cloud Users,

We are planning a brief maintenance on Friday December 8, 2017 between 7:00PM and 8:00PM Pacific Time to deploy improvements to the Wi-Fi Cloud.

During the maintenance window, access to the Wi-Fi Cloud Dashboard will be down for maintenance (approximately 15 minutes). Your access points and splash pages will continue to pass client traffic and will not be interrupted. 

If you have any questions regarding the update, please visit www.watchguard.com/support

Regards,

WatchGuard Wi-Fi Cloud Team


Source: WatchGuard

Fireware 12.0.2 is now available

Fireware 12.0.2 General Availability
We are pleased to announce the General Availability (GA) of Fireware 12.0.2 and WSM 12.0.2 today. These releases, which are now available at the software download center, resolve several issues that had been reported from the field. Since these are maintenance releases, there are no new features included. Please review the Release Notes for a comprehensive list of issues that are addressed. Notable highlights include:

  • A fix for an issue that caused some websites to fail to load correctly when using Microsoft Internet Explorer 11 or Edge browser.
  • An option to mitigate the KRACK WPA2 vulnerability for client connections to wireless Fireboxes. 

WatchGuard partners and customers should review the Release Notes and What’s New presentations prior to upgrading. 

Does this release pertain to me?
The Fireware release applies to all Firebox T, Firebox M, and XTM appliances, except XTM 21/21-W, 22/22-W, or 23/23-W, XTM 505, 510, 520, and 530 which have reached the End of Life.

AV Signatures in 11.x releases
WatchGuard will discontinue support for AV signatures for the older AVG engine in Fireware 11.x by April 2018. Customers with active Gateway Antivirus subscriptions should update to a 12.x release before then. 

Software Download Center
Firebox and XTM appliance owners with active support subscriptions can obtain this update without additional charge by downloading the applicable packages from the WatchGuard Software Download Center. 

Contact
For Sales or Support questions, you can find phone numbers for your region online. If you contact WatchGuard Technical Support, please have your registered appliance Serial Number or Partner ID available.


Source: WatchGuard

Access Point Support Subscriptions

WatchGuard access points provide secure, reliable wireless connectivity to businesses around the world. At WatchGuard, we are passionate about mobility and security and are dedicated to keeping wireless environments updated with the latest software features to keep people safe and their businesses running smoothly. For example, at the time of our public announcement of the WPA/WPA2 key reinstallation (KRACK) vulnerability, corrective software was already available online. Additional details about KRACK and software updates for WatchGuard products can be found in this knowledge base article.

Support Subscriptions for Access Points

Standard Support for access points is included in our Wi-Fi service subscriptions: Basic, Secure, and Total Wi-Fi. See this FAQ for more information on the Wi-Fi SKUs. Maintaining active support subscriptions for your access points is recommended to continue to receive important software updates, RMA replacement, and support.

Basic, Secure, and Total Wi-Fi Subscriptions include Standard Support:

  • 24×7 support
  • Unlimited number of support cases per annual subscription
  • Targeted response times:
    • 4 Hour – Critical, High
    • 8 Hours – Medium
    • 24 Hours – Low
  • Web-based support
  • Phone-based support
  • Software updates and patches for:
    • Gateway Wireless Controller
    • Access point firmware
    • Wi-Fi Cloud
  • Advanced hardware replacement
  • Product documentation and guides
  • Technical Training Materials
  • Moderated Customer Forum

At this time, premium four hour RMA is not available for access points.  Please remember to maintain an active Basic, Secure, or Total Wi-Fi subscription with each access point in order to maintain support.

Total Wi-Fi Program Chart

Sincerely,

Ryan Orsi
Director, Product Management, Secure Wi-Fi
WatchGuard Technologies


Source: WatchGuard

WatchGuard Integrates with Autotask PSA to Simplify Managed Security Services

Available with Fireware 12.0.1, WatchGuard has introduced a leading integration with Autotask to simplify managed security services for our global base of mutual Channel Partners. Managed security service providers (MSSPs) using WatchGuard and Autotask can now benefit from closed-loop service ticketing and synchronization of their customers’ asset information.

Key Features

Integrated, Closed-Loop Service Ticketing — Track Issues with Service Ticketing Made Easy

  • Enable Autotask service tickets for WatchGuard security solutions.
  • Configure event thresholds on a wide range of parameters identified per device, including: security services, device statistics, and subscription statuses. Event thresholds automatically trigger the creation and closure of service tickets, closing tickets when issues are resolved, and reducing the number of false alarms.
  • Eliminate ticket flooding and provide trending visibility into customer security, because the same ticket reopens if the issue returns, rather than creating multiple tickets.

Auto Synchronization of Asset Information — Know a Customer’s Security

  • Automatically register and update customer security asset information.
  • Gain visibility into customer security through automated synchronization with WatchGuard security appliances, including subscription start and end dates, device serial numbers, OS versions, and more.
  • Avoid a managed network going unprotected because of incorrect security service subscription end dates.

Learn more about this integration by visiting our Autotask Integration page, which includes links to an integration guide, demo video, and a solution brief. To view all of our available Technology Partner integrations, visit our Technology Integrations page.


Source: WatchGuard

Fireware 12.0.1 is now available

Fireware 12.0.1 General Availability
We are pleased to announce the General Availability (GA) of Fireware 12.0.1 and WSM 12.0.1 today, along with updates for the Access Point firmware. These releases provide fixes for many reported issues and include some significant security updates. Key highlights: 

  • Patches previously announced in the blog post on KRACK WiFi vulnerabilities, including a new feature to mitigate against the vulnerability in unpatched clients. 
  • Streamlined some UI options for Gateway Antivirus to reflect the new capabilities of the new AV engine that we included in the 12.0 release in September. 
  • A new simple option to enable Support access to the appliance, which will cut down on the time required for support calls, and lead to a smoother experience when customers need to work with support. 

WatchGuard partners and customers should review the Release Notes and What’s New presentations prior to upgrading. 

Does this release pertain to me?
The Fireware release applies to all Firebox T, Firebox M, and XTM appliances, except XTM 21/21-W, 22/22-W, or 23/23-W, which are now End of Life (EOL), and XTM 505, 510, 520, and 530 which are EOL in December of this year.

AV Signatures in 11.x releases
Previously WatchGuard had announced that we would discontinue support for AV signatures for the older AVG engine in Fireware 11.x by January 2018. This support will now be extended until April 2018.

Software Download Center
Firebox and XTM appliance owners with active support subscriptions can obtain this update without additional charge by downloading the applicable packages from the WatchGuard Software Download Center. 

Contact
For Sales or Support questions, you can find phone numbers for your region online. If you contact WatchGuard Technical Support, please have your registered appliance Serial Number or Partner ID available.

 


Source: WatchGuard

Wi-Fi Key Reinstallation Attack “KRACK” Update: Protecting Unpatched Devices

Summary
On October 16, 2017, security researchers announced several vulnerabilities in the WPA/WPA2 encryption protocol that affect countless Wi-Fi enabled devices worldwide. As a result of KRACK, Wi-Fi data streams, including passwords and personal data, can be intercepted, decrypted, and modified without a user’s knowledge. This security flaw means that, for vulnerable clients and access points, WPA- and WPA2-encrypted Wi-Fi traffic is potentially exposed until certain steps are taken to remediate the issue.

Presently, there are 10 known vulnerabilities that comprise KRACK. WatchGuard is providing patches for all of our affected products. For non-WatchGuard devices, users should refer to their vendor’s website and security advisories to determine if they are affected, and if updates are available. Even though most companies will provide patches, it’s likely that unpatched devices will interact with your network and expose you to risk. WatchGuard offers additional methods to protect unpatched client devices from KRACK.

How to Mitigate KRACK
The steps below describe recommended actions to protect your network from KRACK vulnerabilities in various scenarios, including from unpatched client devices.

  1. Update your access point (AP) firmware (10/30/17)
    • WatchGuard will provide patches for all supported APs and tabletop appliances with embedded wireless APs.

  2. Enable “Mitigate WPA/WPA2 key reinstallation vulnerability in clients” feature. The AP can compensate for the unpatched clients with this setting enabled. Mitigation is recommended only until all clients are patched.
    • AP managed by GWC: Available for the AP120, AP320, AP322, and AP420 with the upcoming 10/30/17 patch.
    • AP managed by Wi-Fi Cloud (link to WatchGuard Knowledge Base article is below).
    • Firebox with built-in Wi-Fi: Available on the T-10W, T-10W, and T-50W with TBD firmware update.
    • In a small percent of cases, mitigation may exacerbate client connectivity issues in environments already suffering from weak signal coverage or high interference.

  3. Enable “AP MAC Spoofing Prevention” setting in Wi-Fi Cloud WIPS policy.
    • AP managed by GWC: manage your APs with a Wi-Fi Cloud license and acquire dedicated WIPS sensors for your environment.
    • AP managed by Wi-Fi Cloud: enable setting in the management interface.

 

Additional Information


Source: WatchGuard