Introduction

Fireware v12.4 is a significant release for Firebox T Series, Firebox M Series, FireboxV, and Firebox Cloud
appliances. This release offers major enhancements and feature improvements, and resolves numerous bugs.
Some of the key features included in this release are:

SD-WAN for VPN and Private Lines

This release extends SD-WAN benefits to more than just external WAN connections, enabling
organizations to cut back on expensive MPLS connections. You can now measure loss/latency/jitter on
Virtual Interface VPNs and internal interfaces and fail over when values do not meet the defined
threshold for acceptable line quality.

Warn option in WebBlocker

The Warn option provides flexibility to Firebox administrators to enforce acceptable use policies.
Organizations can generate employee awareness in cases where “Deny” is too strict.

DNSWatch in Bridge Mode

You can now apply full DNS security, even when the Firebox is not the network gateway.

BOVPN over IPv6

Your Firebox can now create VPN tunnels directly between two IPv6 IP addresses. Your IPv6 VPNs no
longer need to tunnel over IPv4.

Syslog Export to Two Servers

Your Firebox can now simultaneously send log messages to two different syslog servers. This enables
export to a third-party SIEM while continuing to log to a local syslog server for log retention.

TLS 1.3 Support

You can now configure the Firebox for full inspection of connections with TLS 1.3. The Firebox also now
supports TLS 1.3 for all web servers hosted by the Firebox.

Resolved Issues in Fireware and WSM 12.4 Update 2

General

• The Fireware Web UI Front Panel now loads correctly for all users. [FBX-15555]
• This release resolves an appliance kernel lockup issue. [FBX-15247]

Networking

• The Firebox now consistently adds default routes to VLAN external interfaces. [FBX-16358]
• This release resolves an issue that caused the Firebox to fail to save a Management Server Policy
  Template with configured FQDNs. [FBX-16237]
• Policy Manager now correctly handles the configuration of BOVPN Virtual Interface settings in
  pre-Fireware v12.0 configurations. [FBX-16291]

Proxies and Services

• This release resolves an issue that caused websites to fail to load through the HTTPS Proxy when
  messages are split over multiple TLS records. [FBX-16195]
• The pxyassist process no longer crashes when PDF files are analyzed. [FBX-16197]
• This release adds additional PFS grade ciphers for better compatibility with HTTPS web servers with
  content inspection in the HTTPS Proxy. [FBX-16227]
• The HTTPS Proxy can now Inspect uncategorized sites when you also use an On-Premise WebBlocker
  Server. [FBX-15847]
• Proxy traffic for 1-to-1 NAT hosts now uses the correct NAT Base IP address. [FBX-16234]
• When content inspection is disabled, the HTTPS Proxy can now correctly handle Client Authentication
  during the SSL handshake. [FBX-15916]
• This release resolves several issues that caused websites to fail with the HTTPS Proxy with content
  inspection disabled. [FBX-16143, FBX-16203]

Enhancements and Resolved Issues in Fireware and WSM 12.4

General

• You can now configure the Firebox to automatically retrieve a new feature key after upgrade to a new
  Fireware OS version. [FBX-12257]
• You can now use Command Line Interface and Web UI to add Blocked Sites entries that overlap
  existing entries. [FBX-3608]
• Firebox M5600 devices no longer incorrectly send "Warning:’VBat’ is out of valid range" log
  messages. [FBX-3399]
• The Web UI Front Panel now loads correctly. [FBX-14174]
• You can now modify a policy with Web UI after you press return in a comment you add to that policy with
  Policy Manager. [FBX-12328]
• Policy Manager now consistently launches dialog boxes on the same monitor as the parent window.
  [FBX-15291]
• This release resolves an issue that caused the retrieval of the support diagnostic file to time out.
  [FBX-14026]
• This release reduces the occurrence of log messages that include "netlink: 64 bytes leftover
  after parsing attributes". [FBX-15556]
• The Firebox can now send log messages to two syslog servers. [FBX-9401]
• This release resolves multiple crash issues:
  ◦ An S0 fault on XTMv and FireboxV virtual platforms. [FBX-9758]
  ◦ A Firebox kernel driver crash issue. [FBX-14267]
  ◦ A crash that resulted in a kernel panic "scheduling while atomic" message. [FBX-15114, FBX-7483]
  ◦ An issue that caused Firebox M440 devices to crash because of low available memory. [FBX-11497]
  ◦ An issue that caused Firebox M200 devices to crash. [FBX-14455]

SD-WAN and Multi-WAN

• You can now configure SD-WAN for traffic to leave any Firebox interface. [FBX-3849]
• Policy Manager and Web UI now show the same interface status for Link Monitor. [FBX-14702]
• You can now configure Link Monitor when the Firebox has only one external interface. [FBX-4325]
• This release resolves an issue that caused the Firebox to incorrectly send TCP reset log messages
  when SD-WAN is configured. [FBX-14982]
• Probing both TCP and ICMP no longer marks the interface down when the upstream link is down.
  [FBX-2413]
• You can now configure a Virtual Interface as a failover option in Multi-WAN and SD-WAN. [FBX-4395]
• This release resolves an issue that changed the order of interfaces in SD-WAN when you renamed a
  participating interface. [FBX-15093]
• You can now modify the SD-WAN configuration after you change the name of a participating interface.
  [FBX-15092]
• Policy Manager now consistently displays the configured Link Monitoring setting. [FBX-15026]

Networking

• This release resolves an issue with Firebox Cloud for AWS in which multiple public or local IP
  addresses on an interface would break configured Static NATs. [FBX-14983]
• You can now configure OSPF and BGP in Policy Manager on Firebox T15 devices. [FBX-15523]
• This release improves the ability of the Firebox fqdnd process to handle DNS reply packets.
  [FBX-15213, FBX-15200]
• You can now configure domains that begin with an underscore in DNS forwarding. [FBX-14233]
• This release resolves an issue that caused the Firebox to drop Inter-VLAN traffic as spoofing when a
  different device handles the routing. [FBX-14837]
• In this release, the FQDN limit is raised to 2048 for Firebox M200, M270, M300, M370, M400, M440,
  M470, M500, M570, M670, M4600, M5600, T55, T70, FireboxV, and Firebox Cloud. [FBX-14836]
• You can now configure a Static NAT with more than 47 characters in a destination FQDN. [FBX-13502]
• The Firebox no longer removes 1-to-1 NAT entries as duplicate because the interface names are too
  similar. [FBX-7601]
• Web UI no longer shows double values in Interface Bandwidth Graphs. [FBX-3108]
• This release resolves an issue that caused BGP to fail to advertise a network that includes a route map.
  [FBX-15436]
• Policy Manager no longer incorrectly changes the Firebox default gateway metric to 20 when you modify
  the network configuration. [FBX-15687]
• This release resolves an issue that caused slow VLAN throughput on Firebox M200/M300 devices.
  [FBX-15461]
• This release resolves a compatibility issue in which the network monitoring system NetXMS does not
  receive interface information over SNMP. [FBX-10159]
• Dynamic Routing no longer adds all learned routes with metric 20. [FBX-15085]
• This release resolves a ripd process crash issue. [FBX-15199]

Authentication

• RADIUS SSO configuration now supports shared secret values up to 64 characters in length.
  [FBX-13991]
• RADIUS server configuration now supports shared secret values up to 64 characters in length.
  [FBX-13523]
• The Firebox now uses the correct source IP address for connections when it switches between the
  primary and backup RADIUS servers. [FBX-14092]

VPN

• This release resolves an issue that caused non-VPN traffic to use the wrong interface when a zero-route
  BOVPN over TLS is configured. [FBX-14835, FBX-14547]
• The Firebox no longer disconnects Mobile VPN with SSL connections from users that share the same
  external IP address. [FBX-14628]
• This release resolves several IKE process crashes. [FBX-14780, FBX-15359]
• This release resolves a file descriptor leak issue in the iked process. [FBX-14679]
• You can now successfully use a group name created with Mobile VPN IPSec in Mobile SSLVPN with
  Web UI. [FBX-13933]
• You can now reconfigure L2TP from PSK to Certificate from Web UI. [FBX-3267]
• This release resolves an issue that caused the Mobile VPN with SSL client to fail to retrieve the client
  profile on connection. [FBX-15432]

Proxies and Services

• You can now add Geolocation exceptions that overlap with existing exceptions. [FBX-10187]
• The HTTPS proxy can now inspect connections with TLS v1.3. [FBX-11152]
• The Access Portal now supports TLS v1.2 encryption for RDP. [FBX-13084]
• The SMTP proxy now replies to non-STARTTLS connections with a 530 error code when STARTTLS
  Sender Encryption is required. [FBX-15067]
• The Explicit proxy now correctly handles and forwards URLs that include a port number, such as
  http://www.example.com:80. [FBX-15209]
• This release resolves an issue that caused IPS/Application Control to fail in environments with high
  traffic volume. [FBX-14649]
• This release resolves an issue that caused the IKE process to become stuck and fail to respond.
  [FBX-15491]
• This release improves IMAP proxy message handling to allow correct email retrieval instead of blank
  emails. [FBX-11892]
• This release resolves an issue that caused RDP sessions to freeze in the Access Portal for Chrome
  users. [FBX-14843]
• The OS Compatibility option in Policy Manager correctly removes legacy OCSP settings from HTTPS
  server proxy actions. [FBX-14602]
• Users no longer need to re-authenticate when they resize the Access Portal RDP browser window.
  [FBX-10106]
• All necessary domains are now added to the WatchGuard Threat Detection and Response policy when
  you first enable TDR. [FBX-7319]
• The Firebox TDR configuration no longer accepts invalid UUID values. [FBX-12202]
• The spamBlocker statistics Total messages processed value now includes the Messages on
  white/black list value. [FBX-14847]
• The HTTPS proxy can now correctly override the global Geolocation settings with Content Inspection
  enabled. [FBX-14152]
• Configuration options for RED are now cloned correctly for HTTP proxy actions. [FBX-14767]
• Gateway AV and Intelligent AV can now correctly scan files larger than 10MB in size. [FBX-15215]

Centralized Management

• You can now configure SD-WAN actions in a policy template. [FBX-14772]
• Policy templates now include QoS options in the advanced tab. [FBX-3894]
• You can now download the IKEv2 profile from Management Server with no invalid password error.
  [FBX-15218]
• You can now save a configuration with Policy Manager for a device that has a configured Dimension
  Command VPN tunnel. [FBX-15138]

Certificates

• This release resolves a crash issue with Web Server certificate imports. [FBX-15281]
• This release removes the cn=Root Agency certificate from the Trusted CA for Proxies store.
  [FBX-15437]
• A change to the Trusted CA for Proxies Certificate store no longer requires a reboot to take effect.
  [FBX-15537]
• Log messages for HTTPS Proxy no longer have negative values in the rcvd_byte field. [FBX-15190]

Firebox Integrations

• Autotask can now display company names that include non-US ASCII characters. [FBX-14979]
• The Firebox now includes a required client identifier in all ConnectWise requests. [FBX-15527]

Gateway Wireless Controller and WatchGuard APs

• Gateway Wireless Controller now displays the full wireless clients list. [FBX-15430]
• With the release of AP firmware 8.6.0-646 (AP120, AP320, AP322, AP325, AP420) and 8.6.0-644.3
  (AP125), your AP no longer reserves an IP address for each VLAN on each SSID. An IP address is
  reserved for the management VLAN. [AP-396]


Source: https://www.watchguard.com/support/release-notes/fireware/12/en-US/EN_ReleaseNotes_Fireware_12_4/Fireware_Release-Notes_v12_4.pdf